Hi all, I would like to follow up on the thread from October 2023 with the subject "proxy_protocol send incorrect header".[0]
TL;DR: are there any plans to make it possible for the realip module to also change the destination address and not just the source address? Or to just not touch anything at all, so that proxy_protocol data can traverse multiple layers with changing IP versions?

I have the following setup:

IPv4: User --> 4to6 Proxy (Alpine Linux / nginx 1.24.x) --> SNI Proxy (Debian Bookworm / nginx 1.22.x) --> Mixed Downstream with Traefik or nginx
IPv6: User --> SNI Proxy (Debian Bookworm / nginx 1.22.x) --> Mixed Downstream with Traefik or nginx

So basically IPv6 goes directly to the SNI Proxy, and for v4 there is a quite simply configured nginx as 4to6 Proxy. The use case is to have IPv4 just at the edge, on as few servers as possible. The 4to6 and SNI Proxy both use the stream module(s), and only at the third layer does the http logic kick in.

My problem exists just for the IPv4 path: the second-layer SNI nginx sends proxy-protocol headers with a v4 source and a v6 destination address, even though the INET protocol is set to TCP4. That's not a problem for nginx, as it parses everything fine in the last/third layer. But for Traefik it is a problem, as it says it cannot parse the header, and so the connection is closed again. Wireshark also says the packets are broken.

One non-feasible workaround could be to completely disable any logic in the second-layer proxy, as described in a blog[1] in the section "Untrusted Redirector 2": so don't listen on proxy_protocol and don't send it. The problem with that is that I then no longer seem to be able to use ssl_preread, so there must be static proxy_passing.

Just as an additional note, the point where it breaks is when "set_real_ip_from $TRUSTED_IP;" is set. Then the source address is replaced with the v4 address, but the destination address stays the v6 address between the first- and second-layer proxy. So what to do?
Quote from the linked thread[2]:

> Currently the realip module only changes the client address
> (c->sockaddr) and leaves the server address (c->local_sockaddr)
> unchanged.
> The behavior is the same for Stream and HTTP and is explained by the
> fact that initially the module only supported HTTP fields like
> X-Real-IP and X-Forwarded-For, which carry only client address.

So there seems to be no solution. Is there any plan for the future? And for the time being, is there any other TCP proxy with which it is possible to transport the client and server address through multiple layers with changing IP versions?

Gordon (:

[0] https://mailman.nginx.org/pipermail/nginx/2023-October/GYTVUIBJ65RJ3X4KDEPNVGXZ2S4STIVT.html
[1] https://0xda.de/blog/2020/02/red-team-proxy-protocol-nginx/
[2] https://mailman.nginx.org/pipermail/nginx/2023-October/CKEFWBSQL46HJTHDOJVX6CNUYETKBE53.html

_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
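To make the failure mode in the post concrete, here is an added example (not code from the post, from nginx, or from Traefik): a strict PROXY protocol v1 parser and builder in Python. The v1 specification ties the INET protocol token (TCP4 or TCP6) to the address family of both the source and the destination address, so a header that announces TCP4 but carries a v6 destination, which is what the second-layer nginx emits once set_real_ip_from rewrites only the client address, is malformed and a spec-conforming receiver drops it. The builder shows the other half: a sender cannot express a mixed-family pair in v1 at all. The addresses, ports and payload bytes are constructed from documentation ranges; the helper names (parse_proxy_v1, validate_proxy_v1, build_proxy_v1) are mine.

```python
"""Strict PROXY protocol v1 header parser/builder (added example; not nginx
or Traefik code).  Shows why a header such as

    PROXY TCP4 <IPv4 source> <IPv6 destination> <sport> <dport>\r\n

is rejected by strict receivers: the v1 spec requires both addresses to be
of the family named by the TCP4/TCP6 token.
"""
import ipaddress
from typing import Optional

# The v1 spec bounds a header at 107 bytes, including the trailing CRLF.
MAX_V1_HEADER = 107


class ProxyHeaderError(ValueError):
    """Raised when a PROXY v1 header violates the specification."""


def parse_proxy_v1(data: bytes) -> tuple:
    """Parse a PROXY v1 header found at the start of a TCP stream.

    Returns (proto, src_ip, dst_ip, src_port, dst_port, payload_after_header).
    For proto "UNKNOWN" the address and port fields are None.
    """
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_HEADER:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    line, payload = data[:end], data[end + 2:]
    fields = line.split(b" ")
    if len(fields) < 2 or fields[0] != b"PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    proto = fields[1].decode("ascii", errors="replace")
    if proto == "UNKNOWN":
        # Spec: receiver ignores the rest of the line and uses the TCP peer.
        return ("UNKNOWN", None, None, None, None, payload)
    if proto not in ("TCP4", "TCP6"):
        raise ProxyHeaderError(f"unsupported INET protocol token {proto!r}")
    if len(fields) != 6:
        raise ProxyHeaderError(f"expected 6 fields, got {len(fields)}")
    try:
        src = ipaddress.ip_address(fields[2].decode("ascii"))
        dst = ipaddress.ip_address(fields[3].decode("ascii"))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ProxyHeaderError(f"bad address: {exc}") from None
    want = 4 if proto == "TCP4" else 6
    # This is the check the mixed-family header from the thread trips over.
    if src.version != want or dst.version != want:
        raise ProxyHeaderError(
            f"{proto} header carries IPv{src.version} source and "
            f"IPv{dst.version} destination; both must be IPv{want}")
    try:
        sport, dport = int(fields[4]), int(fields[5])
    except ValueError:
        raise ProxyHeaderError("ports must be decimal integers") from None
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return (proto, src, dst, sport, dport, payload)


def validate_proxy_v1(data: bytes) -> Optional[str]:
    """None if a strict receiver accepts the header, else the reason it drops it."""
    try:
        parse_proxy_v1(data)
        return None
    except ProxyHeaderError as exc:
        return str(exc)


def build_proxy_v1(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Build a v1 header the way a conforming sender must: derive the token
    from the addresses and refuse a mixed-family pair outright."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ProxyHeaderError(
            f"cannot announce IPv{s.version} source with IPv{d.version} "
            f"destination in PROXY v1")
    proto = "TCP4" if s.version == 4 else "TCP6"
    return f"PROXY {proto} {s} {d} {sport} {dport}\r\n".encode("ascii")


# Constructed samples using documentation ranges (RFC 5737 / RFC 3849).
# MIXED mirrors what the post describes after set_real_ip_from replaces only
# the client address: IPv4 source, IPv6 local address, TCP4 token.
PAYLOAD = b"\x16\x03\x01"  # first bytes of a TLS ClientHello (constructed)
GOOD_V4 = b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 443\r\n" + PAYLOAD
GOOD_V6 = b"PROXY TCP6 2001:db8::10 2001:db8::5 51234 443\r\n" + PAYLOAD
MIXED = b"PROXY TCP4 192.0.2.10 2001:db8::5 51234 443\r\n" + PAYLOAD

if __name__ == "__main__":
    for name, sample in (("GOOD_V4", GOOD_V4), ("GOOD_V6", GOOD_V6), ("MIXED", MIXED)):
        print(f"{name}: {validate_proxy_v1(sample) or 'OK'}")
```

Feeding the first packet of a connection captured between the second-layer proxy and Traefik (for instance with tcpdump) into validate_proxy_v1 gives the same verdict Traefik and Wireshark give, with the exact field that violates the spec. It also shows why the two layers cannot simply be fixed on the wire: as build_proxy_v1 makes explicit, v1 has no encoding for a v4 client behind a v6 local socket, so the sender has to pick one family for both addresses or fall back to UNKNOWN.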