nginx has a stream proxy module that can be used for transparent SSL/TLS relaying/forwarding; however, it can only read the SNI hostname from the ClientHello of the initial TLS handshake. In addition, the original destination IP address is lost because the firewall redirect rewrites it to point at the proxy server. I wrote a small modification that can be compiled into nginx which lets you run a script to pull the missing destination IP address from a firewall's connection state table, for example via pfctl or iptables.
echo 'test' | nc 188.8.131.52 443
[error]: no host in upstream ":443", client: 192.168.X.Y, server: 0.0.0.0:3129, …
With the modification described above, nginx runs a shell script of your choosing whenever it cannot determine the hostname or address of a connection it is asked to proxy (as in the error above). The script can then look up the original destination IP address by source IP + port combination from the firewall's connection state mapping table. The result is much more stable proxying of HTTPS connections, without having to wait for the SNI hostname from the initial handshake!
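As an added illustration of the state-table lookup (not the blog's nginx mod or its hook script), the following Python parses Linux `conntrack -L` style output and recovers the client's original destination from its source IP + port. The sample entries are constructed; the proxy port 3129 matches the listener in the error line, and the hook interface (how nginx passes source IP and port to the script) is assumed to be command-line arguments, which the post does not specify. pf's `pfctl -ss` output uses a different layout and is not handled here.

```python
import re
import sys

# Constructed sample of `conntrack -L` output (not captured traffic). The first
# src/dst/sport/dport group is the original direction as the client sent it; the
# second group is the reply direction after REDIRECT rewrote the destination to
# the proxy listening on 192.168.1.1:3129.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=188.8.131.52 sport=51234 dport=443 src=192.168.1.1 dst=192.168.1.10 sport=3129 dport=51234 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=192.168.1.10 dst=203.0.113.5 sport=51200 dport=80 src=203.0.113.5 dst=192.168.1.10 sport=80 dport=51200 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=40000 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=40000 mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def lookup_original_destination(conntrack_text, client_ip, client_port, proxy_port=None):
    """Return (dst_ip, dst_port) the client originally connected to, or None.

    Matches the client's source ip+port against the original-direction tuple of
    each TCP entry. When proxy_port is given, only entries whose reply tuple
    carries that source port (i.e. flows the firewall really redirected to the
    proxy) are accepted, so an unrelated direct connection is not misattributed.
    """
    for line in conntrack_text.splitlines():
        if not line.startswith("tcp"):
            continue
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:  # expect original + reply direction
            continue
        (src, dst, sport, dport), (_rsrc, _rdst, rsport, _rdport) = tuples
        if src != client_ip or int(sport) != client_port:
            continue
        if proxy_port is not None and int(rsport) != proxy_port:
            continue  # not a redirected flow
        return dst, int(dport)
    return None


if __name__ == "__main__":
    # Hypothetical hook usage: script <client_ip> <client_port> [proxy_port],
    # reading `conntrack -L` output on stdin and printing "ip port" on success.
    ip, port = sys.argv[1], int(sys.argv[2])
    pport = int(sys.argv[3]) if len(sys.argv) > 3 else None
    found = lookup_original_destination(sys.stdin.read(), ip, port, pport)
    if found is None:
        sys.exit(1)
    print(found[0], found[1])
```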