Use ngx_stream_ssl_preread_module but also log client ip in access.log for https requests

Use ngx_stream_ssl_preread_module but also log client ip in access.log for https requests

Thomas Glanzmann
Hello,
I would like to use ngx_stream_ssl_preread_module to multiplex a web
server, openvpn, and squid to one ip address and port. However I would
also like to keep the real client ip address in my http logs, is that
possible, if so how?

Cheers,
        Thomas

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Use ngx_stream_ssl_preread_module but also log client ip in access.log for https requests

Roman Arutyunyan
Hi Thomas,

On Wed, Oct 12, 2016 at 07:50:06PM +0200, Thomas Glanzmann wrote:
> Hello,
> I would like to use ngx_stream_ssl_preread_module to multiplex a web
> server, openvpn, and squid to one ip address and port. However I would
> also like to keep the real client ip address in my http logs, is that
> possible, if so how?

You can enable the PROXY protocol for upstream connections.
But your backends must support it.

http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_protocol

--
Roman Arutyunyan

Re: Use ngx_stream_ssl_preread_module but also log client ip in access.log for https requests

Thomas Glanzmann
Hello Roman,

* Roman Arutyunyan <[hidden email]> [2016-10-12 20:07]:
> On Wed, Oct 12, 2016 at 07:50:06PM +0200, Thomas Glanzmann wrote:
> > I would like to use ngx_stream_ssl_preread_module to multiplex a web
> > server, openvpn, and squid to one ip address and port. However I would
> > also like to keep the real client ip address in my http logs, is that
> > possible, if so how?

> You can enable the PROXY protocol for upstream connections.
> But your backends must support it.

> http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_protocol

thanks a lot for the hint. It works like a charm. For others who want to do
the same, I did the following:

        - configured nginx with --with-stream --with-stream_ssl_preread_module

        - For https listened on stream:

stream {
        proxy_protocol on;

        upstream webserver {
                server 127.0.0.1:443;
        }

        map $ssl_preread_server_name $name {
                default webserver;
        }

        server {
                listen <ip>:443;

                proxy_pass  $name;
                ssl_preread on;
        }
}

        - In my http context, I added:

                set_real_ip_from 127.0.0.1;
                real_ip_header proxy_protocol;

        - And in my https listen directives I put:

                listen 127.0.0.1:443 ssl http2 proxy_protocol;

I didn't even have to modify the access_log logformat because apparently
'real_ip_header proxy_protocol' takes care of that.

Cheers,
        Thomas

Re: Use ngx_stream_ssl_preread_module but also log client ip in access.log for https requests

ilikeweb
This post has NOT been accepted by the mailing list yet.
Hi, thanks for sharing the config. My question is how were you still able to connect to your OpenVPN server that was sitting behind nginx after enabling proxy_protocol? After enabling this and trying to connect to openvpn I get a Transport error NETWORK_EOF_ERROR and EVENT: TRANSPORT_ERROR