nixos/nginx: first-class PROXY protocol support #213510
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ofborg
bot
requested review from
ajs124,
emilazy,
thoughtpolice,
lblasc,
fpletz,
7c6f434c and
globin
pkgs/servers/http/nginx/0001-Support-mixed-addr-configuration-for-PROXY-protocol-.patch
Outdated
Show resolved
Hide resolved
RaitoBezarius
force-pushed
the
nginx-proxyprotocol
branch
2 times, most recently
from
7c49ac9
to
28ab4a4
Compare
PROXY protocol disable normal HTTP requests, the only broken scenario I see is ACME retrieval of certificates. If you have only PROXY listeners and you ask for a ACME certificate, it will fail. |
RaitoBezarius
force-pushed
the
nginx-proxyprotocol
branch
from
28ab4a4
to
07a7957
Compare
RaitoBezarius
force-pushed
the
nginx-proxyprotocol
branch
from
07a7957
to
ca473e7
Compare
RaitoBezarius
force-pushed
the
nginx-proxyprotocol
branch
from
ca473e7
to
0e13885
Compare
|
I guess I should rebase on a recent revision of master, I'm running all the NixOS tests for NGINX at the moment, once this is good, I will rebase and it will be review time :). |
RaitoBezarius
force-pushed
the
nginx-proxyprotocol
branch
from
0e13885
to
85472a7
Compare
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review/3032/1968 |
RaitoBezarius
force-pushed
the
nginx-proxyprotocol
branch
2 times, most recently
from
2e181d5
to
b97f026
Compare
RaitoBezarius
force-pushed
the
nginx-proxyprotocol
branch
2 times, most recently
from
f68624b
to
8cb42af
Compare
Izorkin
reviewed
Mar 27, 2023
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review/3032/2089 |
RaitoBezarius
added
the
significant
RaitoBezarius
force-pushed
the
nginx-proxyprotocol
branch
2 times, most recently
from
c25a944
to
4488e1d
Compare
|
We missed the deadline for a change in 23.05, I wish we can merge this post-branch off though. |
fpletz
approved these changes
May 26, 2023
RaitoBezarius
force-pushed
the
nginx-proxyprotocol
branch
from
4488e1d
to
af9b774
Compare
PROXY protocol is a convenient way to carry information about the originating address/port of a TCP connection across multiple layers of proxies/NAT, etc. Currently, it is possible to make use of it in NGINX's NixOS module, but is painful when we want to enable it "globally". Technically, this is achieved by reworking the defaultListen options and the objective is to have a coherent way to specify default listeners in the current API design. See `mkDefaultListenVhost` and `defaultListen` for the details. It adds a safeguard against running a NGINX with no HTTP listeners (e.g. only PROXY listeners) while asking for ACME certificates over HTTP-01. An interesting usecase of PROXY protocol is to enable seamless IPv4 to IPv6 proxy with origin IPv4 address for IPv6-only NGINX servers, it is demonstrated how to achieve this in the tests, using sniproxy. Finally, the tests covers: - NGINX `defaultListen` mechanisms are not broken by these changes; - NGINX PROXY protocol listeners are working in a final usecase (sniproxy); - uses snakeoil TLS certs from ACME setup with wildcard certificates; In the future, it is desirable to spoof-attack NGINX in this scenario to ascertain that `set_real_ip_from` and all the layers are working as intended and preventing any user from setting their origin IP address to any arbitrary, opening up the NixOS module to bad™ vulnerabilities. For now, it is quite hard to achieve while being minimalistic about the tests dependencies.
RaitoBezarius
force-pushed
the
nginx-proxyprotocol
branch
from
af9b774
to
69bb0f9
Compare
|
@ofborg test nginx-proxyprotocol |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of changes
This PR enables you to use PROXY protocol with maximum flexibility, as shown in the test.
An example of use-case is when you want to offer your legacy IP clients a way to connect to your IPv6-only server, but you want to have proper logs, so you will put up some TLS-SNI thing above NGINX (can be ngx_stream itself.)
While preventing anyone to spoof their IP address.
See https://www.mythic-beasts.com/support/topics/proxy for a compelling introduction of why this is interesting.
Please read the commit message for a summary.
I am running this PR in production on multiple servers at the moment to smoke out any problem.
Things done
sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)nixos/doc/manual/md-to-db.shto update generated release notes