NGINX passthrough TLS real IP?

I was wondering if someone could shed some light on the issue I'm having.

Currently I'm testing TLS passthrough to my Zimbra server, as the SSL has to be on the Zimbra server, and to another WordPress site which also has the SSL.

The setup would be like this:

INTERNET--------NGINX PROXY-------ZIMBRA and ------WORDPRESS SITE

I successfully configured the nginx proxy for TLS passthrough, but I checked the logs and it seems it is not passing the real IP to Zimbra or to WordPress.

But I couldn't figure it out, because it won't let me send the proxy headers since I'm using TLS passthrough.

    root@bunker:~# cat /etc/nginx/modules-enabled/passtru.conf
    stream {
        # Route on the SNI name read from the ClientHello; TLS is not terminated here
        map $ssl_preread_server_name $name {
            wordpress.domain.com wordpress;
            mail.domain.com      zimbra;
            default              https_default_backend;   # no upstream of this name is defined below
        }

        upstream wordpress {
            server 192.168.7.35:443;
        }

        upstream zimbra {
            server 192.168.7.245:443;
        }

        # Each quoted fragment must be closed on its own line
        log_format basic '$remote_addr [$time_local] '
                         '$protocol $status $bytes_sent $bytes_received '
                         '$session_time "$upstream_addr" '
                         '"$upstream_bytes_sent" "$upstream_bytes_received" '
                         '"$upstream_connect_time"';

        access_log /var/log/nginx/access.log basic;
        error_log  /var/log/nginx/error.log;

        server {
            listen 443;
            ssl_preread on;          # needed to populate $ssl_preread_server_name
            proxy_pass $name;
            proxy_next_upstream on;
        }
    }
Answer:

You cannot pass through the IP address when you are passing through TLS.

With TLS passthrough, the TCP connection is terminated at the TLS passthrough proxy. This means that the TCP connection is between client and proxy. To reach the destination server, the proxy opens a TCP connection to the actual destination. In this connection, the source IP address is the proxy's IP address.

With HTTP, it is possible to add the original IP address in an HTTP header field. TLS doesn't have any such field. Therefore the only information available to the actual destination is the TCP connection's source IP address, which is the proxy server's.

Some options to get the IP address:

  1. Remove the TLS passthrough proxy and use a separate IP address for each service.
  2. Terminate TLS at the proxy server and add HTTP headers with the origin IP address.
  3. You might be able to use PROXY protocol between this nginx instance and the upstream servers. https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/ has information related to that.
killmasta93 (asker):
Thank you for the reply. So it won't work the same as HAProxy, as I'm able to get the real IP using the same setup. For option 2, when you say terminate the TLS, I'm not sure what you mean.
Answerer's reply:
I have no experience with HAProxy, but the article I linked explained that HAProxy uses the PROXY protocol. That is, you might be able to use option 3. By terminating TLS I mean that the proxy server has all the certificates & keys for all domains that it proxies, and then it creates separate HTTP/HTTPS connections to the upstream server.