
nginx Reverse-Proxy: using stream module for passthrough and reverse proxy


I use the stream module in order to pass through TLS traffic where I cannot reverse proxy, e.g. because I don't have the certificate (local 3CX install) or it breaks stuff (SSL VPN with client cert). I then forward the "rest" to a different IP on the same host (127.0.0.1) for reverse proxying. The problem was that the remote_addr was not always 127.0.0.1 and there seemed to be no way to set the "real" remote address. To circumvent this I enabled the proxy_protocol and used $proxy_protocol_addr.

However, this breaks all passthrough websites and I have not found a way to conditionally enable the proxy_protocol only for the "default".

I do all this so I can match on sni and use a single IP for all websites.

I am not hung up on doing it exactly this way, if anyone has an idea how to achieve this in a different/better way, I am all ears.

```nginx
stream {
  map $ssl_preread_server_name $targetBackend {
    3cx.example.com  192.168.1.2:443;
    vpn.example.com  192.168.1.3:443;
    default  127.0.0.1:443;
  }
  server {
    listen 192.168.1.100:443;
    proxy_connect_timeout 1;
    proxy_timeout 3s;
    resolver 192.168.1.1;
    proxy_protocol on;
    proxy_pass $targetBackend;
    ssl_preread on;
  }
}
```

So... how do I make the proxy_protocol conditional (AFAIK `if` just does not work in stream context) or solve it another way?


It seems you need to install a frontend for 3cx and vpn that decodes PROXY protocol and converts it to HTTP requests for the actual webserver.

Another option is to have separate nginx instances for web services and proxied protocols.

No, this does not work. I tried this but it seems to take it literally and won't resolve the variable :-(
Then I guess you need to install a compatible proxy in front of `3cx` and `vpn`, which decodes the PROXY protocol and forwards requests to the websites.
So basically one stream proxy with proxy_protocol on, which then forwards to another stream proxy which listens to proxy_protocol and then forwards without proxy_protocol? Would that work? Is this the easiest solution? Sounds kind of workaroundish.
Yes, that is workaroundish, but since conditional `proxy_protocol` doesn't seem to be possible, it is one way. Another way is to run two separate nginx instances, one handling the websites and the other one the proxying.
OK, thanks. It looks like, although this is workaroundish, it is the only solution? If anyone knows a better solution feel free to post; until then I will mark this as the solution. Thanks again. Actually... I noticed the "answer" is in the comments, not the answer... Maybe you can post a new answer or edit your current one?
I updated the answer.
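The two-tier arrangement discussed in the comments above, written out as an added example (this is not configuration from the original question or answer). The relay ports 8441/8442, the certificate paths and the upstream name are assumptions; the public IP, backend IPs and host names follow the question.

```nginx
# Added example (not from the original post): two-tier stream setup.
# Tier 1 receives client TLS, routes on SNI and always emits PROXY protocol.
# Tier 2 relay servers strip the PROXY header for passthrough backends,
# while the local http server consumes it to recover the client address.
# Backend addresses follow the question; relay ports 8441/8442 are assumed.
stream {
  map $ssl_preread_server_name $targetBackend {
    3cx.example.com  127.0.0.1:8441;   # relay, PROXY header stripped
    vpn.example.com  127.0.0.1:8442;   # relay, PROXY header stripped
    default          127.0.0.1:443;    # local http server, PROXY header kept
  }

  # Tier 1: public listener, SNI routing, PROXY protocol towards every target
  server {
    listen 192.168.1.100:443;
    ssl_preread on;
    proxy_protocol on;
    proxy_pass $targetBackend;
  }

  # Tier 2: relays that accept PROXY protocol but do not forward it
  server {
    listen 127.0.0.1:8441 proxy_protocol;
    proxy_pass 192.168.1.2:443;        # 3CX, TLS passes through untouched
  }
  server {
    listen 127.0.0.1:8442 proxy_protocol;
    proxy_pass 192.168.1.3:443;        # SSL VPN with client certificates
  }
}

http {
  server {
    listen 127.0.0.1:443 ssl proxy_protocol;
    server_name _;
    ssl_certificate     /etc/nginx/certs/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/privkey.pem;     # placeholder path

    # Trust the PROXY header only from the tier-1 listener on this host,
    # so $remote_addr (and the access log) carry the real client address.
    set_real_ip_from 127.0.0.1;
    real_ip_header   proxy_protocol;

    location / {
      proxy_pass http://backend.internal;   # placeholder upstream
      proxy_set_header X-Real-IP $remote_addr;
    }
  }
}
```

Only the local http server learns the real client address this way; the 3CX and VPN backends behind the relays still see the proxy host as the connecting peer, because the PROXY header is dropped before the TLS stream reaches them.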

