Opened 8 years ago

Last modified 2 years ago

#287 new enhancement

Add option to enable IP_TRANSPARENT

Reported by: Stijn Tintel
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version:
Keywords:
Cc:
uname -a:
nginx -V: nginx version: nginx/1.2.6

Description

For Nginx to be able to respond to packets redirected with the Linux netfilter TPROXY target, the IP_TRANSPARENT option should be enabled. It would be nice to have this in Nginx as an additional parameter to the listen directive.

I have a patch that implements this for http, and will attach it to this ticket. The patch is made against 1.2.6, but also applies on 1.3.11.

Attachments (4)

nginx-ip_transparent.patch (4.0 KB) - added by Stijn Tintel 8 years ago.
nginx-1.12.1-ip_transparent.patch (3.0 KB) - added by stintel@… 3 years ago.
Updated patch that applies cleanly against nginx 1.12.1
0001-Add-IP_TRANSPARENT-support.patch (5.1 KB) - added by shankerwangmiao@… 2 years ago.
nginx-1.13.6.2-listen-transparent.patch (9.3 KB) - added by James Callahan 2 years ago.

Change History (9)

by Stijn Tintel, 8 years ago

Attachment: nginx-ip_transparent.patch added

comment:1 by devicenull@…, 4 years ago

Any chance we'll see this patch integrated soon? We're preparing to use nginx as a transparent proxy, and having IP_TRANSPARENT support is pretty critical to us.

comment:2 by Maxim Dounin, 4 years ago

Unlikely, nginx is not designed to be used as a transparent proxy, and not even as a forward proxy. Introducing such an option would confuse users.

comment:3 by Stijn Tintel, 4 years ago

The reason for adding this feature was never to use nginx as a forward or transparent proxy, but to intercept traffic matching certain criteria and redirect it to another nginx vhost on a different port, using the iptables TPROXY target.

by stintel@…, 3 years ago

Updated patch that applies cleanly against nginx 1.12.1

by shankerwangmiao@…, 2 years ago

comment:4 by shankerwangmiao@…, 2 years ago

Based on the patch @stintel posted, I made some modifications to ngx_event_accept so that we can read the original IP address and port the client connects to from $server_addr and $server_port.
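
Added example (not taken from any of the attached patches or from nginx itself): what the requested listen parameter amounts to at the socket level on Linux, and how the original destination that comment:4 exposes through $server_addr and $server_port can be read from an accepted socket. The function names are hypothetical and the sketch is IPv4 only.

```c
/* Added example, Linux only; not code from any patch attached to this ticket. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* value from <linux/in.h> */
#endif

/* Enable IP_TRANSPARENT on fd. Returns 0 or -errno. ip(7) documents that this
 * needs CAP_NET_ADMIN, so an unprivileged process normally gets -EPERM;
 * callers should fail closed rather than listen without the option. */
int set_transparent(int fd)
{
    int on = 1;
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof(on)) < 0)
        return -errno;
    return 0;
}

/* Render an IPv4 socket address as "ip:port". Returns 0 or -errno. */
int format_addr(const struct sockaddr_in *sa, char *buf, size_t len)
{
    char ip[INET_ADDRSTRLEN];
    if (inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof(ip)) == NULL)
        return -errno;
    int n = snprintf(buf, len, "%s:%u", ip, (unsigned)ntohs(sa->sin_port));
    return (n < 0 || (size_t)n >= len) ? -ENOSPC : 0;
}

/* Local address of an accepted connection. For a connection redirected by
 * TPROXY this is the address the client originally targeted, not the address
 * the listener was bound to. */
int local_addr_string(int fd, char *buf, size_t len)
{
    struct sockaddr_in sa;
    socklen_t slen = sizeof(sa);
    if (getsockname(fd, (struct sockaddr *)&sa, &slen) < 0)
        return -errno;
    return format_addr(&sa, buf, len);
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    printf("set_transparent: %d\n", set_transparent(fd));
    return fd >= 0 ? close(fd) : 1;
}
```

The option has to be set before bind() and listen() for the listener to accept TPROXY-redirected connections.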

comment:5 by James Callahan, 2 years ago

I just spent today writing almost this same patch :(

I would also love to have this patch merged. My version is essentially the same (I didn't quite handle the non-Linux case as well as this patch), but I also added the option to the stream module.

by James Callahan, 2 years ago