Firewall Redirect Connection State Hook Mod for NGINX Stream Proxy Server

So nginx has a stream proxy module that you can use for transparent SSL/TLS relaying/forwarding, however, it is only capable of reading the SNI hostname upon the initial handshake of the connection. In addition, the destination IP address is replaced because of the firewall redirect pointing to the proxy server. I wrote a small modification that can be compiled into nginx which allows you to run a script that can pull the missing destination IP address from a given state connection table in a firewall, for example pfctl or iptables.

Source: https://github.com/stoops/nginx

Reproduction Test:

echo 'test' | nc 8.8.4.4 443

Error Log:

[error]: no host in upstream ":443", client: 192.168.X.Y, server: 0.0.0.0:3129, …

Hook Mod:

 

This code mod above will allow you to run a shell script of your choosing if nginx cannot get the hostname or address of a connection requesting to be proxied. You can then look up the destination IP address based on source IP + port combo from the connection state mapping table of the firewall. The result is a much more stable proxying experience for HTTPS connections without needing to wait for the SNI or hostname of the initial handshake!

~

Advertisement
Firewall Redirect Connection State Hook Mod for NGINX Stream Proxy Server

One thought on “Firewall Redirect Connection State Hook Mod for NGINX Stream Proxy Server

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s