Add option to enable IP_TRANSPARENT

[Stijn Tintel]

For Nginx to be able to respond to packets redirected with the Linux netfilter TPROXY target, the IP_TRANSPARENT option should be enabled. It would be nice to have this in Nginx as an additional parameter to the listen directive.

I have a patch that implements this for http, and will attach it to this ticket. The patch is made against 1.2.6, but also applies on 1.3.11.

[devicenull@…]

Any chance we'll see this patch integrated soon? We're preparing to use nginx as a transparent proxy, and having IP_TRANSPARENT support is pretty critical to us.

[Maxim Dounin]

Unlikely, nginx is not designed to be used as a transparent proxy, and not even as a forward proxy. Introducing such an option would confuse users.

[Stijn Tintel]

The reason for adding this feature was never to use nginx as forward or transparent proxy, but to intercept traffic matching certain criteria and redirect them to another nginx vhost on a different port, using the iptables TPROXY target.

[stintel@…]

Updated patch that applies cleanly against nginx 1.12.1

[shankerwangmiao@…]

Based on patch @stintel posted, I make some modification to ngx_event_accept so that we can read the original IP Address and port the client connects to from $server_addr and $server_port.

[James Callahan]

I just spent today writing almost this same patch :(

I would also love to have this patch merged, my version is essentially (I didn't quite handle the non-linux case as well as this patch) the same but I also added the option to the stream module.