
Add advanced option to streams #1586

Closed
hellow554 opened this issue Mar 6, 2025 · 16 comments

Comments

@hellow554

hellow554 commented Mar 6, 2025

I really tried to do this myself, but I'm not familiar with this whole javascript ecosystem and there's no easy entry document to look into, so I'm very sorry :/

My setup is the following:
I have a server hosted somewhere in the cloud™.
That server forwards the request by using the proxy-protocol to my npm server via a wireguard tunnel.
Now nginx must know that the proxy-protocol is used by specifying the proxy_protocol attribute on the listen line.

The reason why I can't/won't use the LISTEN_PROXY_PROTOCOL env variable is because in my home network I still want to use "normal" http, so I have two choices now.

  1. Have a stream listen on 80/443 ready to accept normal http and forward that all to my proxy hosts which have the proxy_protocol attribute by using the LISTEN_PROXY_PROTOCOL env set.
  2. Have a stream listen on 8888 (just an example) accepting a proxy protocol stream and forwarding that to all my proxy hosts.

I think the easiest solution would be 2) here, but for that to work I would need to have an advanced tab in the stream settings.
Another (I think more complicated) solution would be a toggle button, that says "expect proxy_protocol" or similar.

What do you think of this?! I know that you're working on the php rewrite which means I could contribute, but it's not ready yet.

@Zoey2936
Member

Zoey2936 commented Mar 6, 2025

  1. would be "add proxy_protocol as stream upstream" #619, right?

@Zoey2936
Member

Zoey2936 commented Mar 6, 2025

so with 2. you mean the stream should expose as proxy protocol and connect to tcp upstreams without proxy protocol?

@hellow554
Author

How did I miss #619? Sorry...

And yeah, I mean that with my second option.

@Zoey2936
Member

Zoey2936 commented Mar 6, 2025

I still want to ask, since these are different things: do you want npmplus to connect to a tcp upstream and expose as tcp, or do you want npmplus to connect to a tcp upstream and expose as proxy protocol?

@hellow554
Author

I want npmplus to accept a proxy protocol connection and forward that to a normal http stream.

Flow is for outside of my network: web -> cloud -- wireguard --> npm (proxy) -> npm (http)
Flow for inside my network: web -> npm (http)

web is a normal web request (via a browser)
cloud is my server in the cloud, which runs haproxy to intercept the ssl and inspect the SNI. Then forwards it via the proxy protocol over a wireguard tunnel to the npm instance
npm (proxy) accepts that proxy protocol stream and forwards it to the same npm instance, but on the real port (443)
npm (http) is the normal npm configuration which has a lot of virtual hosts.

@Zoey2936
Member

Zoey2936 commented Mar 6, 2025

is there a reason you can't use http between haproxy and npmplus?
because if you do haproxy =(proxy protocol)> npmplus =(tcp)> npmplus, then the ip could get lost between "npmplus stream" and "npmplus http(s)", since it is a plain tcp connection

@hellow554
Author

I think so?
I need to inspect the SNI to forward it to different backends and can't terminate the ssl connection there.
That's why I'm using this setup.

As far as I understand, the ip gets sent via the proxy protocol and you can query it via $proxy_protocol_addr, see https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/

@Zoey2936
Member

Zoey2936 commented Mar 6, 2025

As far as I understand, the ip gets sent via the proxy protocol and you can query it via $proxy_protocol_addr, see https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/

this works when using LISTEN_PROXY_PROTOCOL, but not in your case since the stream would transform the proxy protocol into a plain tcp request which does not contain this data

@Zoey2936
Member

Zoey2936 commented Mar 6, 2025

I need to inspect the SNI to forward it to different backends and can't terminate the ssl connection there.
That's why I'm using this setup.

can I see your haproxy config maybe, since I think even then this should be possible

@hellow554
Author

hellow554 commented Mar 6, 2025

Sure enough:

# plain http: only used to bounce clients to https
frontend http
        bind [::]:80
        mode http
        http-request redirect scheme https unless { ssl_fc }

# tls passthrough: no termination here, routing decision is made on the SNI only
frontend ft_ssl
        mode tcp
        option tcplog
        bind [::]:443
        # buffer the first bytes so the ClientHello can be inspected
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        # every name ending in example.com goes to the home backend
        use_backend c_back if { req_ssl_sni -i -m end example.com }

backend c_back
        mode tcp
        # send-proxy prepends a PROXY protocol v1 header carrying the client ip
        server home 10.0.1.5:83 check send-proxy

On port 83 I currently have an npm "dead host" with the following advanced config

# extra listener that expects the PROXY header haproxy sends with send-proxy
listen 83 ssl proxy_protocol;
location / {
  # re-enter this same nginx on the real https port for the requested host
  proxy_pass https://$http_host$uri$is_args$args;
  # hand the original client address (taken from the PROXY header) to the http side
  proxy_set_header    X-Forwarded-For $proxy_protocol_addr;
  proxy_set_header    X-Real-IP        $proxy_protocol_addr;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
}

I was hoping that I could replace the dead host with a stream, but it seems that that's not the case?
I haven't tried it, but that is what I would expect
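For readers following the "stream would turn proxy protocol into plain tcp" point above and the dead-host workaround just posted: below is an added plain-nginx example (not from this thread, not NPMplus's own configuration) of the stream-based variant, with the weak setting and the corrected one side by side. It assumes the wireguard peer network 10.0.0.0/24, the local ports 8888 and 8443, and the certificate paths; all of those are placeholders.

```nginx
# Added example, raw nginx (not NPMplus). Placeholders: 10.0.0.0/24 is the
# assumed wireguard peer range, 8888 is the assumed PROXY-protocol listener,
# 8443 the assumed internal https listener, the cert paths are made up.

stream {
    server {
        # Accept the PROXY v1 header that haproxy's "send-proxy" prepends.
        listen 8888 proxy_protocol;

        # Only the tunnel peer may talk to this port. $remote_addr here is the
        # real TCP peer, not the (forgeable) address inside the PROXY header.
        allow 10.0.0.0/24;
        deny  all;

        # WEAK: with the next line missing, nginx opens a plain tcp connection
        # to the upstream and the client address from the PROXY header is lost,
        # which is exactly the problem described in the thread.
        #
        # FIX: re-emit a PROXY header toward the upstream so the http side can
        # still read $proxy_protocol_addr.
        proxy_protocol on;

        proxy_pass 127.0.0.1:8443;
    }
}

http {
    # Internal https listener fed only by the stream block above.
    server {
        listen 8443 ssl proxy_protocol;
        server_name example.com *.example.com;
        ssl_certificate     /etc/nginx/certs/example.com.crt;   # placeholder
        ssl_certificate_key /etc/nginx/certs/example.com.key;   # placeholder

        # Replace $remote_addr with the PROXY header address, but only when the
        # header came from the loopback stream hop; anything else is ignored.
        set_real_ip_from 127.0.0.1;
        real_ip_header   proxy_protocol;

        location / {
            # Whatever the virtual hosts normally do; $remote_addr, access logs
            # and X-Forwarded-For now carry the original client address.
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_pass http://127.0.0.1:8080;                     # placeholder backend
        }
    }

    # LAN listener: ordinary https, no PROXY header expected, so home clients
    # can keep connecting directly without the tunnel.
    server {
        listen 443 ssl;
        server_name example.com *.example.com;
        ssl_certificate     /etc/nginx/certs/example.com.crt;   # placeholder
        ssl_certificate_key /etc/nginx/certs/example.com.key;   # placeholder

        location / {
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_pass http://127.0.0.1:8080;                     # placeholder backend
        }
    }
}
```

Two things to check after deploying something like this: `nginx -t` must pass (the `proxy_protocol` listen parameter and `real_ip_header proxy_protocol` need the stream and realip modules, which stock builds include), and the 8888 port must not be reachable from anywhere but the tunnel, because any peer that can reach a `proxy_protocol` listener can present whatever client address it likes in the header. The `allow`/`deny` pair and the narrow `set_real_ip_from` are what keep a forged header from ending up in your logs or access rules.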

@Zoey2936
Member

Zoey2936 commented Mar 6, 2025

as said, with a stream you would lose the ip and other information.
So your haproxy checks if the domain matches and only in this case proxies to npmplus?

@hellow554
Author

Yes. It checks if it is any domain under example.com, so all subdomains are getting proxied.

@hellow554
Author

In that case I think I'll stay with the dead end + advanced config.

Thank you very much for your deep understanding of the topic and willingness to help me.

@Zoey2936
Member

Zoey2936 commented Mar 6, 2025

Would two NPMplus instances maybe be a solution for you? One running http(s) for your lan and one running proxy protocol for your vpn tunnel

@hellow554
Author

I thought of that too, but didn't want to spin up another Docker Container 😅
Maybe I'll go that route.

@Zoey2936
Member

Zoey2936 commented Mar 6, 2025

if you create two npmplus instances you could also install one locally and the other one on the server, so you don't need the proxy protocol/haproxy at all, maybe that's also an idea for you
