From: volth
To: NixOS/nixpkgs
Cc: Subscribed
Date: Wed, 22 Jan 2020 11:15:13 -0800

The problem is: if there is an HTTP server behind the NAT whose port is forwarded, then the HTTP server always sees the NAT gateway's IP as $REMOTE_ADDR. The real client IP is lost.

You can view, comment on, or merge this pull request online at:

https://github.com/NixOS/nixpkgs/pull/78315

-- Commit Summary --

* nat reflection: do not always rewrite source ip with loopbackip

-- File Changes --

M nixos/modules/services/networking/nat.nix (20)

-- Patch Links --

https://github.com/NixOS/nixpkgs/pull/78315.patch
https://github.com/NixOS/nixpkgs/pull/78315.diff

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/NixOS/nixpkgs/pull/78315

From: Michele Guerini Rocco
Subject: Re: [NixOS/nixpkgs] nat reflection: do not always rewrite source ip with loopbackip (#78315)
To: NixOS/nixpkgs
Cc: Subscribed
Date: Thu, 16 Apr 2020 03:38:23 -0700

Hi, I haven't forgotten about this PR but I have been busy.

Unless I'm misunderstanding this somehow, it doesn't seem to solve the problem. To check your claim I added a subtest to `nixosTests.nat` in which I set up an nginx server, behind the NAT, that echoes the `$remote_addr`. I've put the value of the `$remote_address` in a table:

|              | before eafe25  | after eafe25        |
|--------------|----------------|---------------------|
| from outside | router address | real source address |
| from inside  | router address | router address      |

Here's a git request-pull for the test, if you want to try it out.
```
The following changes since commit eafe2509a4b792a0395dca331ff09e16388eae88:

  nat reflection: do not always rewrite source ip with loopbackip (2020-01-22 19:14:52 +0000)

are available in the Git repository at:

  git@github.com:rnhmjoj/nixpkgs.git nat

for you to fetch changes up to c161488b47ecfe127d608bee52056b8123228b24:

  nixosTests.nat: test port forwarding and NAT loopback (2020-04-16 11:30:18 +0200)

----------------------------------------------------------------
rnhmjoj (1):
      nixosTests.nat: test port forwarding and NAT loopback

 nixos/tests/nat.nix | 160 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 108 insertions(+), 52 deletions(-)
```

--
Reply to this email directly or view it on GitHub:
https://github.com/NixOS/nixpkgs/pull/78315#issuecomment-614567392

From: Michele Guerini Rocco
Subject: Re: [NixOS/nixpkgs] nat reflection: do not always rewrite source ip with loopbackip (#78315)
To: NixOS/nixpkgs
Cc: Subscribed
Date: Sun, 14 Jun 2020 13:59:25 -0700

ping

--
Reply to this email directly or view it on GitHub:
https://github.com/NixOS/nixpkgs/pull/78315#issuecomment-643821355
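
Added example, not part of any message in this thread and not the nixpkgs module's code: a simplified Python model of a forwarded port with NAT reflection, showing which source address the server records under different source-rewriting policies. All addresses are constructed, client and server are assumed to share one subnet, and the policy names are assumptions: `always` and `lan-only` reproduce the "before" and "after" columns of the table in the thread, while `never` is added to show what happens to inside-originated connections when the source is not rewritten.

```python
"""Simplified model of a forwarded port with NAT reflection (hairpinning).
Addresses are constructed; policy names are assumptions of this example."""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")       # constructed internal network
ROUTER_LAN = ip_address("192.168.1.1")   # router, internal side
ROUTER_WAN = ip_address("203.0.113.1")   # router, external side (forwarded port)
SERVER = ip_address("192.168.1.2")       # HTTP server behind the NAT
OUTSIDE = ip_address("198.51.100.7")     # client on the internet
INSIDE = ip_address("192.168.1.50")      # client on the same LAN as the server


def forward(client, snat_policy):
    """Model client -> ROUTER_WAN:80 under one SNAT policy.

    Returns (address the server logs as $remote_addr, reply accepted by client).
    """
    src = client
    # DNAT happens in every case: the packet is redirected to SERVER.
    if snat_policy == "always" or (snat_policy == "lan-only" and src in LAN):
        src = ROUTER_LAN                 # SNAT: the real client address is lost
    seen = src

    if seen in LAN and seen != ROUTER_LAN:
        # Server and client share a subnet, so the server answers directly.
        # The router never sees the reply and cannot restore the source.
        reply_src = SERVER
    else:
        # Reply passes through the router, which reverses the translations.
        reply_src = ROUTER_WAN
    # The client opened the connection to ROUTER_WAN and drops anything else.
    return seen, reply_src == ROUTER_WAN


def table():
    """What each policy yields for an outside and an inside client."""
    return {
        (policy, name): forward(client, policy)
        for policy in ("always", "lan-only", "never")
        for name, client in (("outside", OUTSIDE), ("inside", INSIDE))
    }


if __name__ == "__main__":
    for (policy, name), (seen, ok) in table().items():
        print(f"{policy:9} {name:8} server sees {seen!s:14} reply accepted: {ok}")
```

In this model, every policy that keeps inside-originated connections working leaves the server's access logs and any IP-based allow lists seeing the router address for LAN clients.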