NGINX transparent TCP proxy

Views: 42
This article describes how to deal with an NGINX transparent TCP proxy. It has some reference value for solving the problem; readers who need it can follow along and learn.

Problem description


I have an ELK stack. In front of both Logstash hosts, I set up two NGINX load balancers as transparent proxies. UDP traffic is working like a charm. TCP works with this config:

stream {
  upstream syslog {
    server sapvmlogstash01.sa.projectplace.com:514;
    server sapvmlogstash02.sa.projectplace.com:514;
  }
  server {
    listen 514;
    proxy_pass syslog;
  }
}


But I get the LB as source_ip and source_host instead of the input server's IP.


Adding proxy_bind $remote_addr transparent; to the same config doesn't work; it throws a timeout:

*1 upstream timed out (110: Connection timed out) while connecting to upstream, client: $SOURCEHOST_IP, server: 0.0.0.0:514, upstream: "$LOGSTASH_IP:514", bytes from/to client:0/0, bytes from/to upstream:0/0


I tried setting up TPROXY from here: https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/


Logstash host:

route add default gw $NGINX_IP
route del default gw $DEFAULT_GW

NGINX host:

# Following nginx how-to
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p udp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -s $LOGSTASH_IP/24 --sport 514 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 0
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

# Enabling Upstream Servers to Reach External Servers
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE


But it still fails like before with the timeout.


What is missing to get a transparent TCP host?

Recommended answer


The official doc says: proxy_bind $remote_addr transparent;


In order for this parameter to work, it is usually necessary to run nginx worker processes with superuser privileges. On Linux it is not required (1.13.8): if the transparent parameter is specified, worker processes inherit the CAP_NET_RAW capability from the master process. It is also necessary to configure the kernel routing table to intercept network traffic from the proxied server.

For reference: https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/
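As an added example, not from the question or the answer above, here is a POSIX shell script that checks the prerequisites the answer names (the worker actually holding CAP_NET_RAW, the fwmark policy rule and the local route in table 100 that send the upstream's replies back to the proxy, and ip_forward from the how-to) against captured command output. The sample outputs and the function names are my own constructions; CAP_NET_RAW = 13 is the standard kernel capability number. Feeding it real output from a live host runs the same checks there.

```shell
#!/bin/sh
# Added example, not from the original question or answer: verify the
# prerequisites for `proxy_bind $remote_addr transparent;` from captured
# command output. The samples below are constructed; on a live host pass in
# the real output of `sysctl net.ipv4.ip_forward`, `ip rule show`,
# `ip route show table 100` and `grep CapEff /proc/<nginx-worker-pid>/status`.

CAP_NET_RAW=13   # capability number from linux/capability.h

# has_cap HEXMASK CAPNUM: succeed if bit CAPNUM is set in a CapEff-style mask
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Each check takes one command's output as its single argument and succeeds
# (exit 0) only if that prerequisite is satisfied.
check_ip_forward() {      # output of: sysctl net.ipv4.ip_forward
    printf '%s\n' "$1" | grep -q '^net\.ipv4\.ip_forward *= *1$'
}
check_fwmark_rule() {     # output of: ip rule show
    printf '%s\n' "$1" | grep -q 'fwmark 0x1 lookup 100'
}
check_local_route() {     # output of: ip route show table 100
    printf '%s\n' "$1" | grep -q '^local default dev lo'
}
check_worker_cap() {      # CapEff line of /proc/<worker-pid>/status
    hex=$(printf '%s\n' "$1" | sed -n 's/^CapEff:[[:space:]]*//p')
    [ -n "$hex" ] && has_cap "$hex" "$CAP_NET_RAW"
}

# tproxy_prereqs SYSCTL_OUT RULE_OUT ROUTE_OUT CAPEFF_LINE
# Prints one line per check; returns the number of failed checks (0 = all good).
tproxy_prereqs() {
    fails=0
    if check_ip_forward "$1"; then echo "ok   net.ipv4.ip_forward=1"
    else echo "FAIL net.ipv4.ip_forward is not 1 (upstreams cannot reach outside)"; fails=$((fails+1)); fi
    if check_fwmark_rule "$2"; then echo "ok   policy rule: fwmark 0x1 -> table 100"
    else echo "FAIL missing 'ip rule add fwmark 1 lookup 100'"; fails=$((fails+1)); fi
    if check_local_route "$3"; then echo "ok   table 100 delivers marked packets locally"
    else echo "FAIL missing 'ip route add local 0.0.0.0/0 dev lo table 100'"; fails=$((fails+1)); fi
    if check_worker_cap "$4"; then echo "ok   nginx worker holds CAP_NET_RAW"
    else echo "FAIL nginx worker lacks CAP_NET_RAW (needed for the transparent bind)"; fails=$((fails+1)); fi
    return $fails
}

# Constructed samples: a host set up as in the how-to ...
GOOD_SYSCTL='net.ipv4.ip_forward = 1'
GOOD_RULE='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main'
GOOD_ROUTE='local default dev lo scope host'
GOOD_CAP='CapEff: 0000000000002000'   # only CAP_NET_RAW (bit 13) set
# ... and one that still times out: the mark rule was never added and the
# worker holds no capabilities at all (CapEff 0).
BAD_RULE='0:      from all lookup local
32766:  from all lookup main'
BAD_CAP='CapEff: 0000000000000000'

echo "== constructed good host =="
tproxy_prereqs "$GOOD_SYSCTL" "$GOOD_RULE" "$GOOD_ROUTE" "$GOOD_CAP" || true
echo "== constructed timing-out host =="
tproxy_prereqs "$GOOD_SYSCTL" "$BAD_RULE" "$GOOD_ROUTE" "$BAD_CAP" || true
```

The two failing checks in the second sample are the ones behind the timeout in the question's log line: with the client's address as the source of the proxied connection, Logstash's SYN-ACK is addressed to the client, so unless the TPROXY mark plus the fwmark rule and the local route in table 100 deliver it to the local socket, the NGINX host simply forwards it onward and the connect never completes; and a worker whose effective set lacks CAP_NET_RAW cannot perform the transparent bind in the first place.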

This concludes the article on the NGINX transparent TCP proxy. We hope the recommended answer helps, and we hope you continue to support IT屋!
