
I have set up an NGINX reverse proxy with the following configuration using the stream context, and also enabled transparent mode so that I can log the client IP addresses at the upstream servers.

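```nginx
# Worker processes run as root, which transparent binding requires
user root;

stream
{
    upstream stream_backend
    {
        server x.x.x.x:1234;
    }

    server
    {
        listen 443;
        # Use the client's address as the source of the upstream connection
        proxy_bind $remote_addr transparent;
        proxy_pass stream_backend;
    }
}
```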

When the transparent mode is enabled, the incoming packets are not received at the server (packet captures) and the packet capture on the reverse proxy just reveals a TCP SYN and retransmissions for the same. When the transparent mode is disabled, the packets are received at the server.

I made sure that nginx is running as root, firewall is disabled and tried connecting on 2 different sockets since transparent mode works by binding the sockets underneath.

Is there something I am missing with respect to the configuration or modules? How can I get this to work?

PS: Facing a similar issue using proxy protocol

Atom
  • If you just want to be able to log the client IP addresses at the upstream servers, you need the `nginx` `realip` module; details: http://nginx.org/en/docs/http/ngx_http_realip_module.html –  May 11 '22 at 21:58
  • For my use case, it is not possible to use the HTTP header since it is not accessible. Also, I am able to see the IP address (reverse proxy tcpdump) being replaced in the packets with the client IP, but for some reason they are not being sent to the upstream server – Atom May 11 '22 at 22:48
  • Sorry, but can't you use nginx variables in your `nginx.conf`? Why is the HTTP header not accessible for you? –  May 12 '22 at 08:58
  • I am trying to log the client IP in case of TLS handshake failures too. If the client IP is provided as part of the HTTP headers and there is a TLS handshake failure, I won't be able to access the client IP. I was investigating the above packets and I see the client IP being replaced. Is there some configuration in Ubuntu that should be enabled for transparent proxy or proxy protocol to work so that the packets are forwarded? – Atom May 23 '22 at 17:40

0 Answers