Opened 7 years ago

Last modified 12 months ago

#287 new enhancement

Add option to enable IP_TRANSPARENT

Reported by: stijn.tintel@…
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version:
Keywords:
Cc:
uname -a:
nginx -V: nginx version: nginx/1.2.6

Description

For Nginx to be able to respond to packets redirected with the Linux netfilter TPROXY target, the IP_TRANSPARENT option should be enabled. It would be nice to have this in Nginx as an additional parameter to the listen directive.

I have a patch that implements this for http, and will attach it to this ticket. The patch is made against 1.2.6, but also applies on 1.3.11.

Attachments (4)

nginx-ip_transparent.patch (4.0 KB) - added by stijn.tintel@… 7 years ago.
nginx-1.12.1-ip_transparent.patch (3.0 KB) - added by stintel@… 2 years ago.
Updated patch that applies cleanly against nginx 1.12.1
0001-Add-IP_TRANSPARENT-support.patch (5.1 KB) - added by shankerwangmiao@… 12 months ago.
nginx-1.13.6.2-listen-transparent.patch (9.3 KB) - added by james-callahan@… 12 months ago.

Change History (9)

Changed 7 years ago by stijn.tintel@…

comment:1 Changed 3 years ago by devicenull@…

Any chance we'll see this patch integrated soon? We're preparing to use nginx as a transparent proxy, and having IP_TRANSPARENT support is pretty critical to us.

comment:2 Changed 3 years ago by mdounin

Unlikely, nginx is not designed to be used as a transparent proxy, and not even as a forward proxy. Introducing such an option would confuse users.

comment:3 Changed 3 years ago by stijn.tintel@…

The reason for adding this feature was never to use nginx as a forward or transparent proxy, but to intercept traffic matching certain criteria and redirect it to another nginx vhost on a different port, using the iptables TPROXY target.

Changed 2 years ago by stintel@…

Updated patch that applies cleanly against nginx 1.12.1

Changed 12 months ago by shankerwangmiao@…

comment:4 Changed 12 months ago by shankerwangmiao@…

Based on the patch @stintel posted, I made some modifications to ngx_event_accept so that we can read the original IP address and port the client connects to from $server_addr and $server_port.

comment:5 Changed 12 months ago by james-callahan@…

I just spent today writing almost this same patch :(

I would also love to have this patch merged; my version is essentially (I didn't quite handle the non-Linux case as well as this patch) the same, but I also added the option to the stream module.

Changed 12 months ago by james-callahan@…
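
The socket-level behaviour discussed in the description and in comment:4, as an added example that is not taken from the ticket or from any of the attached patches: a TCP listener that sets IP_TRANSPARENT, plus a helper that reads a socket's local address back with getsockname(). The function names, the bind address and port 8080 are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns a listening fd or -errno. Hypothetical helper; bind_ip and port are caller-chosen. */
int tp_listen(const char *bind_ip, unsigned short port, int transparent)
{
    struct sockaddr_in sa;
    int one = 1, err, fd;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, bind_ip, &sa.sin_addr) != 1) return -EINVAL;
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    /* IP_TRANSPARENT is set before bind(); without CAP_NET_ADMIN it fails with EPERM. */
    if ((transparent && setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0)
        || setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)) < 0
        || bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0
        || listen(fd, 16) < 0) {
        err = errno;          /* save before close() can overwrite it */
        close(fd);
        return -err;
    }
    return fd;
}

/* Local address of a socket. On a TCP connection accepted via TPROXY this is the
 * address and port the client originally targeted, not the listener's own. */
int tp_local_addr(int fd, char *ip, size_t iplen, unsigned short *port)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -errno;
    if (!inet_ntop(AF_INET, &sa.sin_addr, ip, (socklen_t)iplen)) return -errno;
    *port = ntohs(sa.sin_port);
    return 0;
}

int main(void)
{
    int fd = tp_listen("0.0.0.0", 8080, 1);   /* constructed address and port */
    if (fd < 0) { fprintf(stderr, "tp_listen: %s\n", strerror(-fd)); return 1; }
    close(fd); return 0;
}
```

Run unprivileged, the transparent listener fails with "Operation not permitted"; granting the process only CAP_NET_ADMIN rather than running it as root keeps the privilege needed for this option narrow.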