Installing nginx 1.14 / openssl 1.1.1 on Debian 9
Debian is really nice in case a newer version (than what’s in the repo) of some software is needed. Although nginx / openssl provided in their stable repo is somewhat old, it’s
TLS 1.3 is now enabled. However, as a side effect, SSL Labs now only gives 90% for the cipher strength of my TLS configuration. This is unfortunate, as currently there’s (seemingly)
Preparing for enabling TLS 1.3. CentOS 7 (RHEL 7) does not come with an out-of-the-box nginx that supports TLS 1.3. To be fair, this is not a fault of nginx.
IPv6/UDP does not work yet, though. Not sure if it’s an issue in the rules, xt_TPROXY.ko or the proxy software itself. Glad to embrace IPv6.
```bash
#!/usr/bin/env bash
set -e

# Let's explain this.
#
# 1. We use a dedicated routing table (it happens to be 123 here) inside which
#    we treat all IPs (including those generally regarded as public / private
#    IPs, such as 1.2.3.4) as local, by routing them all to the loopback device.
#
# 2. Then we route all packets carrying a specific fwmark (it happens to be
#    12345 here) to that table.
#
# 3. Finally we use xt_TPROXY to mark some of the packets (selected by iptables'
#    `-m set` condition against the ipsets `proxied_v4` / `proxied_v6`, which
#    must already exist) with the mark used above (12345), so that they are
#    routed by the rule above.
#
# 4. We also pass an IP/port as xt_TPROXY's parameters, so that the process
#    listening on that IP/port (with IP_TRANSPARENT set on its socket) receives
#    the packets and proxies them as desired.

# Environment variables go first.
export PATH=/usr/local/bin:/opt/bin:/opt/sbin:$PATH

# Send all packets with mark 12345 to routing table #123.
ip rule add fwmark 12345 table 123
ip -6 rule add fwmark 12345 table 123

# Routing table #123 routes all packets to the loopback device.
ip route add local default dev lo table 123
ip -6 route add local default dev lo table 123

# For packets whose `dst` matches `proxied_v4`, mark them with 12345
# and let the process listening on 127.0.0.1:8765 receive them.
iptables -t mangle -A PREROUTING -p tcp -m set --match-set proxied_v4 dst -j TPROXY --on-port 8765 --on-ip 127.0.0.1 --tproxy-mark 12345
iptables -t mangle -A PREROUTING -p udp -m set --match-set proxied_v4 dst -j TPROXY --on-port 8765 --on-ip 127.0.0.1 --tproxy-mark 12345

# For packets whose `dst` matches `proxied_v6`, mark them with 12345
# and let the process listening on [::1]:8765 receive them.
ip6tables -t mangle -A PREROUTING -p tcp -m set --match-set proxied_v6 dst -j TPROXY --on-port 8765 --on-ip ::1 --tproxy-mark 12345
ip6tables -t mangle -A PREROUTING -p udp -m set --match-set proxied_v6 dst -j TPROXY --on-port 8765 --on-ip ::1 --tproxy-mark 12345
```
It surprised me a bit that ddwrt (Kong build) is not shipped with xt_TPROXY. Fortunately it’s possible to compile kernel modules for ddwrt and load them later. The major steps
After digging into the issue for about two days, it looks to me like it’s caused by a bug in ipv6.ko. Unfortunately the rootfs is read-only on ddwrt, thus patching