I have a set of applications behind a proxy server which forwards requests appropriately and uses the proxy protocol to preserve the request's origin data. The apps also make requests amongst each other, so I want them to accept requests with and without the proxy protocol. Is it possible to configure Nginx to do this in some way without using a different server_name or port?

2 Answers
Without using a different server block, the only way to do this is with different listen directives. This means the server running nginx must have different IP addresses for connecting to the server from the external proxy and from the internal server farm.
For example, you might have an internal network 10.87.239.0/24 for your internal apps, and the server running nginx is on 10.87.239.3. Then you have an external network 10.87.238.0/24 which your external proxy server uses to reach nginx, and the server has address 10.87.238.3. In this case you can configure nginx as:
```nginx
server {
    # PROXY protocol connections
    listen 10.87.238.3:443 ssl http2 proxy_protocol;
    set_real_ip_from 10.87.238.2;   # The address(es) of the proxies
    real_ip_header proxy_protocol;

    # Direct connections
    listen 10.87.239.3:443 ssl http2;
    listen [::]:443 ssl http2;

    # everything else for this block
}
```
On a related note, you should have already deployed IPv6 within your organization, even without global IPv6 connectivity. You can use that for your internal communications if you haven't got a separate internal IPv4 network.

- Should `set_real_ip_from 10.87.238.2;` have a `3` at the end? "and the [external proxy] server has address 10.87.238.3." – lcnittl May 31 '21 at 00:34
- @lcnittl It is correct as written, at least insofar as an example can be correct. This IP address represents the external proxy that connects to nginx using the PROXY protocol. See the comment and the nginx documentation. – Michael Hampton May 31 '21 at 13:26
- Ah okay - seems I misread that the external proxy's IP addr is 10.87.238.3 (which is the server's addr as I now saw in the listen directive). Thanks for your reply! – lcnittl May 31 '21 at 18:03
The proxy protocol specification at Proxy protocol explicitly calls out the risk of running a listener which attempts to guess whether the Proxy protocol is used on the same address and port:

> The receiver MUST be configured to only receive the protocol described in this specification and MUST not try to guess whether the protocol header is present or not. This means that the protocol explicitly prevents port sharing between public and private access. Otherwise it would open a major security breach by allowing untrusted parties to spoof their connection addresses. The receiver SHOULD ensure proper access filtering so that only trusted proxies are allowed to use this protocol.
So attempting to accept requests both with and without the Proxy protocol on one listener will be a risk.

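The two answers together describe one receiver policy: a listener either speaks PROXY protocol or it does not (the separate `listen` directives in the first answer), and a PROXY listener only believes headers from trusted proxies (`set_real_ip_from`). The Python below is an added example, not code from the question, either answer, or nginx: a minimal PROXY protocol v1 receiver that applies that policy, next to the "guessing" receiver the specification forbids, so the failure mode in the second answer is visible on constructed input. The `Listener` class, the addresses and the sample request are all assumptions made for the example; the trust handling is a simplification of nginx's behaviour (a PROXY listener without a header returns `None`, standing in for nginx closing the connection).

```python
# Added example: PROXY protocol v1 receiver policy (not nginx's code).
# Names, addresses and the sample request below are constructed for this example.
import re
from ipaddress import ip_address, ip_network

# v1 text header, e.g. b"PROXY TCP4 203.0.113.5 10.87.238.3 51234 443\r\n".
# The spec caps the whole line at 107 bytes including CRLF.
_V1 = re.compile(rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d{1,5}) (\d{1,5}))?\r\n")


def parse_v1_header(data: bytes):
    """Return (src_ip, src_port, payload) for a valid v1 header, or None.

    For "PROXY UNKNOWN" the addresses are unknown by definition, so src_ip is None.
    The destination address is parsed but not needed for this example.
    """
    m = _V1.match(data[:107])
    if m is None:
        return None
    family, src, _dst, sport, _dport = m.groups()
    payload = data[m.end():]
    if family == b"UNKNOWN":
        return None, None, payload
    try:
        src_ip = ip_address(src.decode("ascii"))
        port = int(sport)
    except (ValueError, UnicodeDecodeError):
        return None
    # The address family must agree with the address actually given.
    if (family == b"TCP4") != (src_ip.version == 4) or not 0 <= port <= 65535:
        return None
    return str(src_ip), port, payload


class Listener:
    """One listen socket. proxy_protocol is fixed per socket, like nginx's
    'listen ... proxy_protocol'; trusted_proxies plays the role of set_real_ip_from."""

    def __init__(self, proxy_protocol: bool, trusted_proxies=()):
        self.proxy_protocol = proxy_protocol
        self.trusted = [ip_network(n) for n in trusted_proxies]

    def client_address(self, peer_ip: str, first_bytes: bytes):
        """Return (address attributed to the client, application payload),
        or None when a PROXY listener gets no header (connection is dropped)."""
        if not self.proxy_protocol:
            # Plain listener: the bytes are application data even if they look
            # like a header, so nothing a peer sends can change its address.
            return peer_ip, first_bytes
        parsed = parse_v1_header(first_bytes)
        if parsed is None:
            return None
        src_ip, _src_port, payload = parsed
        if src_ip is None or not any(ip_address(peer_ip) in n for n in self.trusted):
            # Header from an untrusted peer (or UNKNOWN family): keep the real peer.
            return peer_ip, payload
        return src_ip, payload


def guessing_client_address(peer_ip: str, first_bytes: bytes):
    """What the specification forbids: one socket that sniffs for a header.
    Any peer that can reach the socket can now pick the address the app sees."""
    parsed = parse_v1_header(first_bytes)
    if parsed is None:
        return peer_ip, first_bytes
    src_ip, _src_port, payload = parsed
    return (src_ip or peer_ip), payload


# Constructed sample traffic for the scenario in the first answer.
REQUEST = b"GET / HTTP/1.1\r\nHost: app\r\n\r\n"
HEADER = b"PROXY TCP4 203.0.113.5 10.87.238.3 51234 443\r\n"
EXTERNAL = Listener(proxy_protocol=True, trusted_proxies=["10.87.238.2/32"])
INTERNAL = Listener(proxy_protocol=False)


def demo():
    """Attributed client address under each policy, keyed by scenario."""
    return {
        "trusted_proxy": EXTERNAL.client_address("10.87.238.2", HEADER + REQUEST)[0],
        "untrusted_peer_on_proxy_listener": EXTERNAL.client_address("10.87.239.7", HEADER + REQUEST)[0],
        "internal_plain": INTERNAL.client_address("10.87.239.7", REQUEST)[0],
        "internal_header_is_just_data": INTERNAL.client_address("10.87.239.7", HEADER + REQUEST)[0],
        "guessing_listener": guessing_client_address("10.87.239.7", HEADER + REQUEST)[0],
    }


if __name__ == "__main__":
    for scenario, addr in demo().items():
        print(f"{scenario:36s} -> {addr}")
```

Running it shows the point of the second answer: only the guessing listener attributes the internal host's connection to 203.0.113.5, while the per-socket policy either keeps the real peer address or, on the plain listener, treats the header as ordinary request bytes (which the application will then reject as a malformed request, a useful signal in logs if internal clients are misconfigured).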