proxy protocol over a plain tcp with ssl

sonpg
I'm trying to configure nginx which is behind an haproxy to pass the proxy
protocol over a plain tcp connection. It works well.
When I add ssl to the equation it fails. Below is the nginx configuration
block I'm using.
Is it a configuration issue, or might it be that it's not at all possible for
nginx to pass proxy protocol with ssl if the connection is not strictly
https?


stream {
    upstream some_backend {
         server some_host:18010;
    }

    server {
        listen                8010;
        listen                8012 ssl;
        proxy_pass            some_backend;
        proxy_protocol        on;

        ssl_certificate       /etc/ssl/server.crt;
        ssl_certificate_key   /etc/ssl/server.key;
        ssl_protocols         SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers           HIGH:!aNULL:!MD5;
        ssl_session_cache     shared:SSLTCP:20m;
        ssl_session_timeout   4h;
        ssl_handshake_timeout 30s;
    }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278113,278113#msg-278113

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Re: proxy protocol over a plain tcp with ssl

Roman Arutyunyan
Hi,

On Thu, Jan 11, 2018 at 08:22:47AM -0500, nir wrote:
> I'm trying to configure nginx which is behind an haproxy to pass the proxy
> protocol over a plain tcp connection. It works well.
> When I add ssl to the equation it fails. Below is the nginx configuration
> block I'm using.
> Is it a configuration issue, or might it be that it's not at all possible for
> nginx to pass proxy protocol with ssl if the connection is not strictly
> https?

It's not clear what exactly is not working, can you elaborate on that?

Just in case, PROXY protocol header is always sent (and expected) by nginx
prior to anything else.  For SSL connections, PROXY protocol header is sent
prior to SSL handshake and is not encrypted.

> stream {
>     upstream some_backend {
>          server some_host:18010;
>     }
>
>     server {
>         listen                8010;
>         listen                8012 ssl;
>         proxy_pass            some_backend;
>         proxy_protocol        on;
>
>         ssl_certificate       /etc/ssl/server.crt;
>         ssl_certificate_key   /etc/ssl/server.key;
>         ssl_protocols         SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>         ssl_ciphers           HIGH:!aNULL:!MD5;
>         ssl_session_cache     shared:SSLTCP:20m;
>         ssl_session_timeout   4h;
>         ssl_handshake_timeout 30s;
>     }
> }

--
Roman Arutyunyan
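
The ordering Roman describes, shown on the wire as an added example that is not part of the thread or of nginx: a PROXY protocol v1 header arrives in clear text ahead of the TLS ClientHello, so a TLS listener that does not consume the header first sees "PROXY ..." where it expects a handshake record. The sample bytes are constructed, the peer in front is assumed to send a v1 header, and tls_listener_outcome is a hypothetical model of a listener, not nginx's implementation.

```python
import ipaddress

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature
MAX_V1_LINE = 107                         # longest v1 header line, CRLF included

# Constructed sample: v1 header followed by the start of a TLS ClientHello record.
SAMPLE = (b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 8012\r\n"
          b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03")

def classify_first_bytes(data: bytes) -> str:
    """Name what sits at the very start of a byte stream."""
    if data.startswith(V2_SIGNATURE):
        return "proxy-v2"
    if data.startswith(b"PROXY "):
        return "proxy-v1"
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"  # record type 22 (handshake), major version 3
    return "other"

def split_proxy_v1(data: bytes):
    """Parse a leading v1 header; return (fields, bytes that follow it)."""
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("no complete PROXY v1 header at start of stream")
    parts = data[:end].decode("ascii").split(" ")
    if parts[1] == "UNKNOWN":
        return {"family": "UNKNOWN"}, data[end + 2:]
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    if {src.version, dst.version} != {4 if parts[1] == "TCP4" else 6}:
        raise ValueError("address family does not match header")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    fields = {"family": parts[1], "src": str(src), "dst": str(dst),
              "src_port": sport, "dst_port": dport}
    return fields, data[end + 2:]

def tls_listener_outcome(stream: bytes, expects_proxy: bool) -> str:
    """Model a TLS listener that does or does not consume a PROXY header first."""
    if expects_proxy:
        _, stream = split_proxy_v1(stream)
    return "tls-starts" if classify_first_bytes(stream) == "tls-handshake" else "tls-fails"
```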

Re: proxy protocol over a plain tcp with ssl

sonpg
Hi Roman,
I'm trying to pass the proxy protocol to my backend through Nginx when the
traffic is encrypted.

This configuration block:

    listen 8012;
    proxy_pass backend;
    proxy_protocol on;

allows me to pass non-encrypted traffic and the proxy protocol.

This configuration block:

    listen 8012 proxy_protocol ssl;
    proxy_pass backend;

allows me to pass encrypted traffic to my backend, but the proxy protocol is
not passed.

This configuration block:

    listen 8012 ssl;
    proxy_pass backend;
    proxy_protocol on;

fails on SSL handshake.


The last configuration block was my first attempt and I expected it to
work.
The first two are debug attempts.
If you can tell me why the last one doesn't work and how it can be fixed, it
will help a lot.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278113,278124#msg-278124


Re: proxy protocol over a plain tcp with ssl

sonpg
Well, seems that you need to read the manual with the right perspective...
https://stackoverflow.com/questions/48211083/proxy-protocol-and-ssl

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278113,278128#msg-278128


Re: proxy protocol over a plain tcp with ssl

Yaroslav Zhuravlev

On 12 Jan 2018, at 03:22, nir <[hidden email]> wrote:

> Well, seems that you need to read the manual with the right perspective...
> https://stackoverflow.com/questions/48211083/proxy-protocol-and-ssl

Hi!

The chapter about the PROXY protocol in the Admin Guide has been updated recently:
https://www.nginx.com/resources/admin-guide/proxy-protocol/

Best regards,
yar