ngx_http_proxy_connect_module

Can it also support proxy_connect in context mail.server?

Open K890 opened this issue 3 years ago • 2 comments

Hi team, I followed this article thinking it would let me reach an email server via a web proxy, but it does not. When I try to configure proxy_connect under the main.mail.server context, it fails saying the directive is not allowed here. It works if I put it under http.server. Since the documentation also does not say anything about email, I am assuming it does not work for mail. But is it possible to support that?

Dockerfile I use to build nginx from source:

FROM centos:centos7

RUN yum install -y wget unzip patch
RUN yum install -y gcc gcc-c++ openssl openssl-devel

COPY ./files/nginx-1.21.4.tar.gz /opt/nginx-1.21.4.tar.gz
COPY ./files/ngx_http_proxy_connect_module-0.0.3.zip /opt/ngx_http_proxy_connect_module-0.0.3.zip
COPY ./files/pcre-8.45.zip /opt/pcre-8.45.zip

WORKDIR /opt

RUN unzip pcre-8.45.zip \
    && tar -xzf nginx-1.21.4.tar.gz \
    && unzip ngx_http_proxy_connect_module-0.0.3.zip

WORKDIR /opt/pcre-8.45
RUN ./configure --prefix=/usr/local/pcre
RUN make && make install

WORKDIR /opt/nginx-1.21.4
RUN patch -p 1 < /opt/ngx_http_proxy_connect_module-0.0.3/patch/proxy_connect_rewrite_102101.patch
RUN ./configure --prefix=/etc/nginx1.21.4 --with-debug --with-http_ssl_module --with-pcre=/opt/pcre-8.45 --add-module=/opt/ngx_http_proxy_connect_module-0.0.3  --pid-path=/run/nginx.pid  --with-mail --with-stream
RUN make && make install


EXPOSE 80
EXPOSE 443
# Add nginx user
RUN adduser -c "Nginx user" nginx && \
    setcap cap_net_bind_service=ep /etc/nginx1.21.4/sbin/nginx
RUN touch /run/nginx.pid && mkdir /var/log/nginx && mkdir /usr/share/nginx

RUN ls /etc/nginx1.21.4/sbin
RUN chown -R nginx:nginx /etc/nginx1.21.4 /etc/nginx1.21.4/conf/nginx.conf /var/log/nginx /usr/share/nginx /run/nginx.pid

USER nginx
CMD ["/etc/nginx1.21.4/sbin/nginx", "-g", "daemon off;"]

Nginx configuration I am using:

http {
  server_tokens off;
  server {
    listen    80;
    location ~ ^/mail-auth {
      return 200 "OK";
      add_header  Auth-Status OK;
      add_header  Auth-Server 10.100.60.175;
      add_header  Auth-Port 25;
    }
  }
}
mail {
  xclient                   off;
  server_name               maildev;
  auth_http                 localhost:80/mail-auth;
  proxy_pass_error_message  on;
  server {
    listen     25;
    protocol   smtp;
    smtp_auth  none login plain;
    # proxy_connect                localhost:9090; #Does not work
  }
}

K890 avatar Sep 26 '22 11:09 K890

Hi, this module only works as a proxy agent for HTTP tunnels. So it adds CONNECT method support to the HTTP server of nginx. In my experience, HTTP tunneling is not associated with the mail protocol.

For more details about HTTP tunnels, you can check https://en.wikipedia.org/wiki/HTTP_tunnel.

For the CONNECT method, see https://datatracker.ietf.org/doc/html/rfc7231#section-4.3.6

chobits avatar Oct 01 '22 07:10 chobits

BTW this module can proxy any data flow when the tunnel is established.

So if you want to proxy SMTP protocol data, you can put this nginx (with this module) in front of the backend SMTP server. This module will not parse or inject into the data flow inside the tunnel (the established connection).

But I have not tried that. I only tested this module with SSL flow (using curl -x).

chobits avatar Oct 01 '22 07:10 chobits
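The tunnel described in the comments above, as an added example that is not part of the original thread or the module's code: a client sends CONNECT, waits for a 2xx reply, and then speaks SMTP on the same socket. `FakeSMTP`, `FakeProxy`, the banner text and the `allowed_ports` attribute are constructed stand-ins so the exchange runs offline on localhost; they are not nginx.

```python
import socket, socketserver, threading

def open_tunnel(proxy, host, port, timeout=5.0):
    """Ask an HTTP proxy for a CONNECT tunnel; return the socket on a 2xx reply."""
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    head = b""  # read byte-wise so no tunnelled SMTP bytes are swallowed with the headers
    while not head.endswith(b"\r\n\r\n") and (byte := sock.recv(1)):
        head += byte
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[1].startswith("2"):
        sock.close()
        raise ConnectionError("tunnel refused: " + " ".join(parts))
    return sock

def smtp_banner_via_proxy(proxy, host, port):
    with open_tunnel(proxy, host, port) as sock:  # bytes after the blank line are SMTP
        return sock.makefile("rb").readline().decode("ascii").strip()

class FakeSMTP(socketserver.BaseRequestHandler):     # constructed stand-in for the backend
    def handle(self):
        self.request.sendall(b"220 maildev ESMTP (constructed banner)\r\n")
class FakeProxy(socketserver.StreamRequestHandler):  # constructed stand-in for the CONNECT proxy
    def handle(self):
        method, authority, _ = self.rfile.readline().decode().split()
        while self.rfile.readline().strip(): pass    # skip the remaining request headers
        host, port = authority.rsplit(":", 1)
        if method != "CONNECT" or int(port) not in self.server.allowed_ports:
            return self.wfile.write(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        with socket.create_connection((host, int(port))) as upstream:
            self.wfile.write(b"HTTP/1.1 200 Connection Established\r\n\r\n")
            while data := upstream.recv(4096):       # server-to-client only: enough for a banner
                self.wfile.write(data)

def start(handler, **attrs):
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    vars(server).update(attrs, daemon_threads=True)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo(allow=True):
    smtp = start(FakeSMTP)
    proxy = start(FakeProxy, allowed_ports={smtp.server_address[1]} if allow else set())
    try:
        return smtp_banner_via_proxy(proxy.server_address, "127.0.0.1", smtp.server_address[1])
    finally:
        proxy.shutdown(); smtp.shutdown()

if __name__ == "__main__": print(demo())
```

With the real module, the destination port also has to be permitted by `proxy_connect_allow`, whose default covers only ports 443 and 563, so a tunnel to port 25 is refused unless that port is listed.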