    Issue with NGINX passthrough TLS

    IT Discussion
    • K
      killmasta93
      last edited by killmasta93

      Hi

      I was wondering if someone could shed some light on the issue I'm having.

      Currently I'm testing out TLS passthrough to my Zimbra server, as the SSL has to be on the Zimbra server, and to another WordPress site which also has the SSL.

      The setup would be this:

      INTERNET--------NGINX PROXY-------ZIMBRA and ------WORDPRESS SITE

      I successfully configured the nginx proxy to do TLS passthrough, but I checked the logs and it seems that it's not passing the real IP to Zimbra or to WordPress.

      But I couldn't figure it out, because it won't let me send the proxy headers since I'm using TLS passthrough.

      This is the config:

      root@bunker:~# cat /etc/nginx/modules-enabled/passtru.conf
      stream {
          # Route on the SNI read from the plaintext ClientHello; TLS is not terminated here.
          map $ssl_preread_server_name $name {
              wordpress.domain.co  wordpress;
              mail.domain.co       zimbra;
              # An upstream with this name must be defined, or connections with an
              # unknown/missing SNI fail at connect time.
              default              https_default_backend;
          }

          upstream wordpress {
              server 192.168.7.35:443;
          }

          upstream zimbra {
              server 192.168.7.245:443;
          }

          # Each quoted piece must be closed on its own line; the original string
          # was split across lines with the quote left open.
          log_format basic '$remote_addr [$time_local] '
                           '$protocol $status $bytes_sent $bytes_received '
                           '$session_time "$upstream_addr" '
                           '"$upstream_bytes_sent" "$upstream_bytes_received" '
                           '"$upstream_connect_time"';

          access_log /var/log/nginx/access.log basic;
          error_log  /var/log/nginx/error.log;

          server {
              listen 443;
              ssl_preread on;
              proxy_pass  $name;
              # Transparent proxying: connect to the upstream from the client's own
              # address so the backend logs the real IP. proxy_bind takes an address,
              # not an upstream name, so $name here was a bug. This only works when the
              # nginx workers have CAP_NET_ADMIN (e.g. run as root) and the backends
              # route their return traffic back through this host.
              proxy_bind  $remote_addr transparent;
          }
      }
      
      
      • scottalanmillerS
        scottalanmiller
        last edited by

        If you are just passing through, what is the point of Nginx? Just use HAProxy set to TCP mode and TLS will pass through flawlessly.

        Nginx's purpose is to tear the connection apart and inspect it, breaking TLS passthrough.

        • DashrenderD
          Dashrender @scottalanmiller
          last edited by

          @scottalanmiller said in Issue with NGINX passthrough TLS:

          If you are just passing through, what is the point of Nginx? Just use HAProxy set to TCP mode and TLS will pass through flawlessly.

          Nginx's purpose is to tear the connection apart and inspect it, breaking TLS passthrough.

          I didn't know that.

          • scottalanmillerS
            scottalanmiller @Dashrender
            last edited by

            @dashrender said in Issue with NGINX passthrough TLS:

            @scottalanmiller said in Issue with NGINX passthrough TLS:

            If you are just passing through, what is the point of Nginx? Just use HAProxy set to TCP mode and TLS will pass through flawlessly.

            Nginx's purpose is to tear the connection apart and inspect it, breaking TLS passthrough.

            I didn't know that.

            At its core, Nginx is a web server. If you do TCP passthrough, you are bypassing the core functionality.

            Nginx has TCP passthrough capability, so you CAN do this. But it is really intended to be a piece of a bigger picture. Whereas with HAProxy, this is its bread and butter and is way simpler.

            https://fedingo.com/how-to-configure-ssl-tls-passthrough-in-nginx/

            • K
              killmasta93 @scottalanmiller
              last edited by

              @scottalanmiller
              Thanks for the reply. Correct, I was using HAProxy on pfSense before to do the TLS passthrough, but I'm moving to NGINX as this server is later on going to manage all the SSL; but I need to migrate it exactly the same way I have it currently with HAProxy.

              But I have configured it to pass through, and it's not passing the real IP.

              • scottalanmillerS
                scottalanmiller @killmasta93
                last edited by

                @killmasta93 said in Issue with NGINX passthrough TLS:

                @scottalanmiller
                Thanks for the reply. Correct, I was using HAProxy on pfSense before to do the TLS passthrough, but I'm moving to NGINX as this server is later on going to manage all the SSL; but I need to migrate it exactly the same way I have it currently with HAProxy.

                But I have configured it to pass through, and it's not passing the real IP.

                If you have to mix workloads on a single IP/port combo, then yeah, Nginx would be the way to go. HAProxy can do it, too, but Nginx is more robust for the other workloads.

                • K
                  killmasta93 @scottalanmiller
                  last edited by

                  @scottalanmiller
                  So in my case, how would I solve this issue so the backend can see the real IP?

                  • 1
                    1337 @killmasta93
                    last edited by 1337

                    @killmasta93 said in Issue with NGINX passthrough TLS:

                    @scottalanmiller
                    So in my case, how would I solve this issue so the backend can see the real IP?

                    The backend can't see the real IP because the request comes from the IP of the proxy.

                    But the proxy can put the IP address of the client (originating) into the HTTP headers, for example using the Forwarded header. Look at proxy_set_header on nginx.

                    The backend must then have support for looking at the HTTP headers to determine the actual originating IP address.

                    But if you pass through TLS then I don't believe you can insert any headers, and it's not possible to see the originating IP from the headers. But why does the backend need to see the originating IP?

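The mechanism behind the OP's `ssl_preread` config and the point made in the reply above, as an added example that is not from this thread, from nginx or from HAProxy: a passthrough proxy can read the SNI because the ClientHello is the one part of the TLS stream that is sent in the clear, but it cannot add an HTTP header because everything after the handshake is encrypted end to end. What it can do is prepend a PROXY protocol line to the upstream TCP connection, carrying the real client address in front of the untouched TLS bytes. The backend IPs below are the ones from the OP's config; the client address 203.0.113.7:51234, the `BACKENDS` map and all function names are constructed for this example.

```python
import socket
import struct

# Added example (not from the thread). Backend map mirrors the OP's nginx `map`
# and upstreams; the client address and port used later are constructed test values.
BACKENDS = {
    "wordpress.domain.co": ("192.168.7.35", 443),
    "mail.domain.co": ("192.168.7.245", 443),
}


def build_client_hello(server_name: str) -> bytes:
    """Constructed TLS 1.2 ClientHello record carrying an SNI extension (test input)."""
    host = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list     # extension type 0 = server_name
    other_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"        # supported_versions, must be skipped
    extensions = other_ext + sni_ext
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + bytes(32)                                   # random (zeros, constructed)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two cipher suites
        + b"\x01\x00"                                 # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body              # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(data: bytes):
    """What ssl_preread does: read the SNI out of the plaintext ClientHello without
    decrypting anything. Returns None for non-TLS, truncated or SNI-less input."""
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < 4 or rec[0] != 0x01:
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    hs = rec[4:4 + hs_len]
    if len(hs) < hs_len:
        return None                                   # preread buffer incomplete
    try:
        pos = 2 + 32                                  # client_version + random
        pos += 1 + hs[pos]                            # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                            # compression_methods
        if pos + 2 > len(hs):
            return None                               # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            edata = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0x0000:
                continue
            list_end = 2 + struct.unpack("!H", edata[:2])[0]
            p = 2
            while p + 3 <= list_end:
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                name = edata[p + 3:p + 3 + nlen]
                if ntype == 0 and len(name) == nlen:
                    return name.decode("ascii")
                p += 3 + nlen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def choose_backend(client_hello: bytes):
    """The nginx `map $ssl_preread_server_name`; None plays the `default` case."""
    return BACKENDS.get(extract_sni(client_hello))


def proxy_v1_header(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """PROXY protocol v1 line, the thing `proxy_protocol on;` emits in a stream server.
    It rides in front of the TLS bytes, so the real client IP reaches the backend
    without the proxy ever touching the encrypted HTTP headers."""
    family = socket.AF_INET6 if ":" in src_ip else socket.AF_INET
    socket.inet_pton(family, src_ip)                  # reject garbage before it hits the wire
    socket.inet_pton(family, dst_ip)
    tag = "TCP6" if family == socket.AF_INET6 else "TCP4"
    return f"PROXY {tag} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def upstream_bytes(client_ip: str, client_port: int, client_hello: bytes):
    """Bytes the proxy would write to the chosen backend: PROXY line, then the
    ClientHello exactly as the client sent it. None when no backend matches."""
    backend = choose_backend(client_hello)
    if backend is None:
        return None
    dst_ip, dst_port = backend
    return proxy_v1_header(client_ip, client_port, dst_ip, dst_port) + client_hello


if __name__ == "__main__":
    hello = build_client_hello("mail.domain.co")
    print(extract_sni(hello), choose_backend(hello))
    print(upstream_bytes("203.0.113.7", 51234, hello)[:48])
```

In nginx terms this is `proxy_protocol on;` inside the `stream` server, and on the backend's own TLS terminator `listen 443 ssl proxy_protocol;` together with `set_real_ip_from <proxy address>;` and `real_ip_header proxy_protocol;` (HAProxy's TCP mode does the same with `send-proxy` on the server line). Two caveats: a backend that is not configured to expect the PROXY line sees non-TLS bytes in front of the ClientHello and drops the connection, and the backend must only accept PROXY lines from the proxy's address, since anyone else who can reach port 443 could otherwise forge a client IP.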
                    • K
                      killmasta93 @1337
                      last edited by

                      @pete-s
                      Correct. What's odd is that it works perfectly fine on HAProxy on pfSense; it's just that I want to move to a virtual machine and not depend on pfSense.
                      I'm not sure how come it works on HAProxy and not on NGINX.

                      • 1
                        1337 @killmasta93
                        last edited by 1337

                        @killmasta93 said in Issue with NGINX passthrough TLS:

                        @pete-s
                        Correct. What's odd is that it works perfectly fine on HAProxy on pfSense; it's just that I want to move to a virtual machine and not depend on pfSense.
                        I'm not sure how come it works on HAProxy and not on NGINX.

                        I don't know, but why not install HAProxy instead of nginx in your VM?
                        You could access pfSense over SSH and look at the HAProxy config files directly for inspiration.

                        BTW, it's quite possible that HAProxy uses the TCP session just as a router would, not looking at it as a series of HTTP requests but as a series of packets. That means the backend will get the IP.

                        Since HAProxy is a load balancer it makes sense that it can work at the router layer (L4) while nginx works at the application layer (L7).

                        • K
                          killmasta93 @1337
                          last edited by

                          @pete-s Yeah, I guess I'm going to have to do that. It just bugs me that NGINX won't pass through the real IP.
