Establish TCP connection to upstream when client connection made to listener

Establish TCP connection to upstream when client connection made to listener

Phillip Odam
Hi

I'm looking for when a client establishes a TCP connection to an IP and
port, that NGINX is listening on, that NGINX, without waiting on data
being transmitted from the client to NGINX, would establish a TCP
connection to the upstream.

If such a capability were to exist I'd have thought it'd be documented
either at http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html 
or http://nginx.org/en/docs/stream/ngx_stream_core_module.html. So from
what I gather the capability does not exist in NGINX and it's quite
likely considered a good thing, NGINX won't establish a backend
connection (tying up resources) simply based on an inbound connection.

Trouble with this though, NGINX then can't fully support reverse
proxying protocols where the server provides a response upon TCP
connection eg. SSH2, MySQL. You're instead dependent on the client
handling the lack of initial server response and that after the client
sends its first lot of data it'll then receive the server's initial
response.

I've checked the way HAProxy works and it either by default establishes
the backend TCP connection upon connection to the frontend or there's
some switch I unknowingly flipped.

Presumably this isn't anything new, so please feel free to point me
towards whatever I've failed to find myself and I'm interested in
hearing others' thoughts and experience with this aspect of NGINX if you
have time to share.

Cheers

Phillip

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Establish TCP connection to upstream when client connection made to listener

Francis Daly
On Fri, Mar 20, 2020 at 09:57:40AM -0400, Phillip Odam wrote:

Hi there,

> I'm looking for when a client establishes a TCP connection to an IP and
> port, that NGINX is listening on, that NGINX, without waiting on data being
> transmitted from the client to NGINX, would establish a TCP connection to
> the upstream.

What happened when you tried it?

A quick test here of "nc -l 9005", plus nginx.conf with

==
stream {
  server {
    listen 9001;
    proxy_pass 127.0.0.3:9005;
  }
}
==

and "tcpdump -nn -i any -X -s 0 port 9005 or port 9001", seems to show
that "nc localhost 9001" leads to a tcp handshake involving port 9001
(from the client to nginx) and a tcp handshake involving port 9005
(from nginx to the upstream).

> Trouble with this though, NGINX then can't fully support reverse proxying
> protocols where the server provides a response upon TCP connection eg. SSH2,
> MySQL. You're instead dependent on the client handling the lack of initial
> server response and that after the client sends its first lot of data it'll
> then receive the server's initial response.

Do you have a specific test case that shows this problem?

==
stream {
  server {
    listen 9001;
    proxy_pass 127.0.0.3:22;
  }
}
==

and "ssh -v -p 9001 localhost" would seem to indicate that it Just Works.

Perhaps my testing is wrong?

        f
--
Francis Daly        [hidden email]
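
An added example, not part of the original thread or of nginx: the probe below repeats the "connect and send nothing" check from the nc and ssh tests above so it can be pointed at each hop in turn. The banner server, both relays and all names are constructed for illustration; the `eager=False` relay is a hypothetical hop that waits for client data before connecting upstream.

```python
import contextlib
import socket
import threading

def serve(handler):
    srv = socket.create_server(("127.0.0.1", 0))  # ephemeral loopback port
    def loop():
        while True:  # one daemon thread per accepted connection
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def banner_upstream(conn):
    # Constructed server-speaks-first upstream: greets on accept, like SSH or MySQL.
    with conn:
        conn.sendall(b"SSH-2.0-constructed_demo\r\n")
        conn.recv(1024)  # stay open until the peer closes

def pipe(src, dst):
    with dst, contextlib.suppress(OSError):  # close dst when the one-way copy ends
        while data := src.recv(4096):
            dst.sendall(data)

def relay(upstream_port, eager):
    # eager=True: connect upstream on accept, as the tcpdump test shows nginx doing.
    # eager=False: hypothetical hop that waits for the client's first bytes.
    def handler(client):
        first = b"" if eager else client.recv(4096)
        up = socket.create_connection(("127.0.0.1", upstream_port))
        up.sendall(first)
        threading.Thread(target=pipe, args=(up, client), daemon=True).start()
        pipe(client, up)
    return handler

def probe_banner(port, timeout=1.0, host="127.0.0.1"):
    """Connect, send nothing, return the far side's first bytes or None on timeout."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(1024) or None
        except socket.timeout:
            return None

def demo():
    up = serve(banner_upstream)
    return {"direct": probe_banner(up),
            "eager": probe_banner(serve(relay(up, eager=True))),
            "lazy": probe_banner(serve(relay(up, eager=False)), timeout=0.5)}

if __name__ == "__main__":
    print(demo())
```

Against a real deployment, call `probe_banner` on the upstream, then on nginx, then on whatever sits in front of it; the first hop that returns `None` is the one holding back the server's greeting.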

Re: Establish TCP connection to upstream when client connection made to listener

Phillip Odam
Hi Francis

Thanks for the detail. And you're quite right, the issue had nothing to
do with NGINX, it was the load balancer out in front of NGINX.

Cheers

Phillip

On 3/20/20 10:43 AM, Francis Daly wrote:

> On Fri, Mar 20, 2020 at 09:57:40AM -0400, Phillip Odam wrote:
>
> Hi there,
>
>> I'm looking for when a client establishes a TCP connection to an IP and
>> port, that NGINX is listening on, that NGINX, without waiting on data being
>> transmitted from the client to NGINX, would establish a TCP connection to
>> the upstream.
> What happened when you tried it?
>
> A quick test here of "nc -l 9005", plus nginx.conf with
>
> ==
> stream {
>    server {
>      listen 9001;
>      proxy_pass 127.0.0.3:9005;
>    }
> }
> ==
>
> and "tcpdump -nn -i any -X -s 0 port 9005 or port 9001", seems to show
> that "nc localhost 9001" leads to a tcp handshake involving port 9001
> (from the client to nginx) and a tcp handshake involving port 9005
> (from nginx to the upstream).
>
>> Trouble with this though, NGINX then can't fully support reverse proxying
>> protocols where the server provides a response upon TCP connection eg. SSH2,
>> MySQL. You're instead dependent on the client handling the lack of initial
>> server response and that after the client sends its first lot of data it'll
>> then receive the server's initial response.
> Do you have a specific test case that shows this problem?
>
> ==
> stream {
>    server {
>      listen 9001;
>      proxy_pass 127.0.0.3:22;
>    }
> }
> ==
>
> and "ssh -v -p 9001 localhost" would seem to indicate that it Just Works.
>
> Perhaps my testing is wrong?
>
> f