dlundquist/sniproxy

How to transfer real IP to the backend

GouGoGoal opened this issue · 5 comments

I use sniproxy to listen on :443 and use Caddy as the backend, and I can only see 127.0.0.1 connecting to the backend server. How can I transfer the real IP through sniproxy?
I noticed the config option "source client", but I don't know how to use it. Can you list detailed examples?

sbwml commented

I encountered the same problem, did you solve it?

I gave up

sbwml commented

I gave up

I gave up too. SNIProxy is a layer-4 proxy; it fundamentally cannot pass header parameters to the backend. To pass header parameters you still have to rely on service proxies like nginx & haproxy.

Unfortunately this is not possible.

SNIProxy is not using a standard proxy protocol and is not decrypting the streams, so there is no standard way for the destination webserver to get the source IP address passed to it.

SNIP is just sniffing one piece of unencrypted data in the connection headers (the domain given in the SNI request) to route the connection, with the rest of the connection going over SSL, encrypted from the destination server to the client.

Regarding the mention of nginx/haproxy: they're doing a standard reverse proxy, in which any encryption ends at the server with nginx/haproxy (i.e. nginx is configured with SSL certificates that match the assigned domain). In that case the server is able to read the entire stream of traffic unencrypted and inserts the X-Forwarded-For header, which designates the original IP address.

SNIP, on the other hand, does not need access to the SSL certificates for the domain to proxy the connection, because it doesn't touch the encryption itself. For example, SNIP can proxy https://google.com while nginx/haproxy cannot (unless you work for Google at a pretty high level and have access to Google's SSL certs).

Hopefully that clears some things up.

This is possible using the PROXY protocol, but your backend must support it. From the manpage sniproxy.conf.5:

The optional proxy_protocol option will prepend a HAProxy PROXY v1 protocol
header to the proxied connection allowing supporting webservers to obtain the
source and destination IP and port of the original incoming TCP connection.

I am not familiar with Caddy, so I don't know if it will support the PROXY v1 protocol.
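As an added example (not sniproxy's, Caddy's or any commenter's code): this is what a backend that supports PROXY v1 has to do with the header sniproxy prepends, namely parse the `PROXY TCP4|TCP6 src dst sport dport\r\n` line to recover the real client address, and accept that line only when the TCP peer is the sniproxy host, since otherwise any direct client could claim an arbitrary source IP. The trusted proxy address (127.0.0.1, matching the issue's setup) and the sample bytes are assumptions constructed for the example.

```python
import ipaddress

# Assumed: sniproxy runs on the same host as the backend (as in the issue above).
TRUSTED_PROXIES = {"127.0.0.1", "::1"}

def parse_proxy_v1(data: bytes, peer_ip: str, trusted=TRUSTED_PROXIES):
    """Parse a HAProxy PROXY v1 line at the start of `data`.

    Returns (client, rest): client is (src_ip, src_port, dst_ip, dst_port)
    for TCP4/TCP6 and None for "PROXY UNKNOWN"; rest is the payload that
    follows the CRLF (for sniproxy that is the start of the TLS stream).
    Raises ValueError if the peer is not the proxy or the line is malformed.
    """
    if peer_ip not in trusted:
        # Only the proxy may assert a source address; anyone else is lying.
        raise ValueError("PROXY header from untrusted peer %s" % peer_ip)
    end = data.find(b"\r\n", 0, 107)  # a v1 line is at most 107 bytes incl. CRLF
    if not data.startswith(b"PROXY ") or end < 0:
        raise ValueError("missing or malformed PROXY v1 line")
    fields = data[6:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[0] == "UNKNOWN":
        return None, rest  # proxy could not determine the address; do not trust anything
    if len(fields) != 5 or fields[0] not in ("TCP4", "TCP6"):
        raise ValueError("bad PROXY v1 fields: %r" % fields)
    family = 4 if fields[0] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[1]), ipaddress.ip_address(fields[2])
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match %s" % fields[0])
    if not (fields[3].isdigit() and fields[4].isdigit()):
        raise ValueError("ports must be decimal integers")
    sport, dport = int(fields[3]), int(fields[4])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return (str(src), sport, str(dst), dport), rest

def header_is_valid(data: bytes, peer_ip: str) -> bool:
    """Convenience wrapper: True if the header parses and the peer is trusted."""
    try:
        parse_proxy_v1(data, peer_ip)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample: PROXY line followed by the first bytes of a TLS record.
    sample = b"PROXY TCP4 203.0.113.7 198.51.100.1 51234 443\r\n\x16\x03\x01"
    print(parse_proxy_v1(sample, "127.0.0.1"))
```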