
I use the stream module in order to pass through TLS traffic where I cannot reverse proxy, e.g. because I don't have the certificate (local 3CX install) or it breaks stuff (SSL VPN with client cert). I then forward the "rest" to a different IP on the same host (127.0.0.1) for reverse proxying. The problem was that the remote_addr was not always 127.0.0.1 and there seems to be no way to set the "real" remote address. To circumvent this I enabled the proxy_protocol and used $proxy_protocol_addr.

However, this breaks all passthrough websites and I have not found a way to conditionally enable the proxy_protocol only for the "default".

I do all this so I can match on SNI and use a single IP for all websites.

I am not hung up on doing it exactly this way, if anyone has an idea how to achieve this in a different/better way, I am all ears.

stream {
  # route by SNI; passthrough hosts get the raw TLS stream, everything else goes to the local HTTP vhost
  map $ssl_preread_server_name $targetBackend {
    3cx.example.com  192.168.1.2:443;
    vpn.example.com  192.168.1.3:443;
    default  127.0.0.1:443;
  }
  server {
    listen 192.168.1.100:443;
    proxy_connect_timeout 1;
    proxy_timeout 3s;
    resolver 192.168.1.1;
    proxy_protocol on;   # applies to every connection of this server, including the passthrough ones
    proxy_pass $targetBackend;
    ssl_preread on;
  }
}

So... how do I make the proxy_protocol conditional (AFAIK `if` just does not work in the stream context) or solve it another way?


1 Answer


It seems you need to install a frontend for 3CX and the VPN that decodes the PROXY protocol and converts it to HTTP requests for the actual webserver.

Another option is to have separate nginx instances for web services and proxied protocols.

Tero Kilkanen
  • No, this does not work, I tried this but it seems to take it literally and won't resolve the variable :-( – Questi Feb 16 '22 at 18:22
  • Then I guess you need to install a compatible proxy in front of `3cx` and `vpn`, which decodes the PROXY protocol and forwards requests to the websites. – Tero Kilkanen Feb 16 '22 at 19:31
  • So basically one stream proxy with proxy_protocol on, which then forwards to another stream proxy which listens for proxy_protocol and then forwards without proxy_protocol? Would that work? Is this the easiest solution? Sounds kind of workaroundish. – Questi Feb 17 '22 at 13:19
  • Yes, that is workaroundish, but since a conditional `proxy_protocol` doesn't seem to be possible, it is one way. Another way is to run two separate nginx instances, one handling websites and the other the proxying. – Tero Kilkanen Feb 17 '22 at 16:19
  • OK, thanks. It looks like, although this is workaroundish, it is the only solution? If anyone knows a better solution feel free to post; until then I will mark this as the solution. Thanks again. Actually... I noticed the "answer" is in the comments, not the answer... Maybe you can post a new answer or edit your current one? – Questi Feb 18 '22 at 13:37
  • I updated the answer. – Tero Kilkanen Feb 18 '22 at 19:45
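The two-tier stream setup sketched in the comments, written out as an added example (not the asker's config or the answerer's); it keeps the question's SNI map and addresses, and assumes the loopback ports 4431/4432 and the certificate paths, which are placeholders chosen here:

```nginx
# Tier 1 is the only hop that still sees the real client address, so it is the
# only place a truthful PROXY header can be generated. Passthrough hosts are
# sent to local "stripping" listeners instead of straight to the backend.
stream {
  map $ssl_preread_server_name $targetBackend {
    3cx.example.com  127.0.0.1:4431;   # stripped by tier 2 below
    vpn.example.com  127.0.0.1:4432;   # stripped by tier 2 below
    default          127.0.0.1:443;    # HTTP vhost, consumes the PROXY header
  }

  server {
    listen 192.168.1.100:443;
    ssl_preread on;
    proxy_protocol on;                 # prepended to every upstream connection
    proxy_connect_timeout 1s;
    proxy_timeout 3s;
    proxy_pass $targetBackend;
  }

  # Tier 2: accept the PROXY header, forward the untouched TLS stream without it,
  # so 3CX and the VPN never see a header they cannot parse. Bound to loopback
  # only: a listener that trusts PROXY headers must not be reachable by hosts
  # that could send forged ones.
  server {
    listen 127.0.0.1:4431 proxy_protocol;
    proxy_pass 192.168.1.2:443;
  }
  server {
    listen 127.0.0.1:4432 proxy_protocol;
    proxy_pass 192.168.1.3:443;
  }
}

http {
  server {
    listen 127.0.0.1:443 ssl proxy_protocol;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/certs/www.example.com.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/www.example.com.key;   # placeholder path

    # Trust the PROXY header only when it arrives from tier 1 on loopback, then
    # rewrite $remote_addr so logs and access controls see the real client.
    set_real_ip_from 127.0.0.1;
    real_ip_header   proxy_protocol;
  }
}
```

With this layout $remote_addr in the HTTP vhost is the client's address rather than 127.0.0.1, and the passthrough hosts receive exactly the bytes the client sent.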