diff --git a/.gitbook/assets/proxy_protocol_with.png b/.gitbook/assets/proxy_protocol_with.png new file mode 100644 index 0000000..ca9d361 Binary files /dev/null and b/.gitbook/assets/proxy_protocol_with.png differ diff --git a/.gitbook/assets/proxy_protocol_without.png b/.gitbook/assets/proxy_protocol_without.png new file mode 100644 index 0000000..216bee2 Binary files /dev/null and b/.gitbook/assets/proxy_protocol_without.png differ diff --git a/SUMMARY.md b/SUMMARY.md index d36509b..d01ae96 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -15,7 +15,8 @@ * [Configurations](index/configurations/README.md) * [Which user type am I](index/configurations/which-user-type-am-i.md) * [Port forwarding](index/configurations/port-forwarding.md) - * [Listen](index/configurations/listen.md) + * [Listen](index/configurations/listen/README.md) + * [Proxy protocol](index/configurations/listen/proxy-protocol.md) * [IP Access](index/configurations/ip-access.md) * [Domains](index/configurations/domains/README.md) * [Own DNS Server](index/configurations/domains/own-dns-server.md) diff --git a/index/configurations/README.md b/index/configurations/README.md index 5bdd0e4..e83da9c 100644 --- a/index/configurations/README.md +++ b/index/configurations/README.md @@ -13,4 +13,4 @@ description: >- The following order should be followed when configuring Flyingfish for the first time: -
  1. Which user type am I
Clarification of the use of FlyingFishwhich-user-type-am-i.md
  1. Port forwarding
Information for port forwarding from the routerport-forwarding.md
  1. Listen
Connections from the internet to the servicelisten.md
  1. IP Access
IP access management White-/Black-listip-access.md
  1. Domains
Creating and managing the domainsdomains
+
  1. Which user type am I
Clarification of the use of FlyingFishwhich-user-type-am-i.md
  1. Port forwarding
Information for port forwarding from the routerport-forwarding.md
  1. Listen
Connections from the internet to the servicelisten
  1. IP Access
IP access management White-/Black-listip-access.md
  1. Domains
Creating and managing the domainsdomains
diff --git a/index/configurations/listen.md b/index/configurations/listen/README.md similarity index 52% rename from index/configurations/listen.md rename to index/configurations/listen/README.md index f80c43b..ebc2f73 100644 --- a/index/configurations/listen.md +++ b/index/configurations/listen/README.md @@ -6,7 +6,7 @@ description: >- # Listen -
+
The ports specified here come from the web interface and are used by nginx intern docker container. @@ -16,9 +16,9 @@ The ports specified here come from the web interface and are used by nginx inter | 443 (TCP) | HTTPS/SSH/SSL Protocols\* | | 53 (TCP/UDP) | DNS Protocol | -These ports are internal to nginx of type "Stream". You can see a port overview again in [port forwarding](port-forwarding.md). +These ports are internal to nginx of type "Stream". You can see a port overview again in [port forwarding](../port-forwarding.md). -

Standard listen ports by setup

+

Standard listen ports by setup

If you only use the standard ports for your services, you do not need to enter any additional ports here. @@ -28,7 +28,7 @@ If you only use the standard ports for your services, you do not need to enter a
-

Add Listen

+

Add Listen

@@ -36,21 +36,21 @@ Add a list, a dialog follows that also appears when editing. -
+
1. **Name:** Name your list, so you always recognize it in the UI. -2. **Type:** Type of listening from Nginx Proxy. Stream or HTTP/HTTPS, the difference is how the connection is handled. +2. **Type:** Type of listening from Nginx proxy. Stream or HTTP/HTTPS, the difference is how the connection is handled. 3. **Protocol:** Which protocol should be used, UDP can also be used in addition to TCP for a stream. 4. **Port:** Which port the listening is listening on. 5. **Description:** Here you can describe in more detail what the listener is used for. 6. **IP6 enable:** Additionally enables listening on an IP6 address (untested yet, but enables it in the nginx config). 7. **IP access:** Enables checking of the IP address against a list (blacklist/whitelist). -8. **Access type:** Which list to use for the IP check. The lists can be maintained under [IP Access](ip-access.md). -9. **Proxy protocol enable:** Activates the use of the proxy protocol. From now on all packets are provided with the Proxy Protocol header. This setting is important for internal HTTP/HTTPS processing. Only in this way does the route get the correct IP of the inquiring request for further checks or logging. -10. **Proxy protocol incoming enable:** Enables expecting a packet with a proxy header. Should the FlyingFish sit behind another proxy server with a proxy protocol. +8. **Access type:** Which list to use for the IP check. The lists can be maintained under [IP Access](../ip-access.md). +9. **Proxy protocol enable:** Activates the use of the [proxy protocol](proxy-protocol.md). From now on all packets are provided with the [proxy protocol](proxy-protocol.md) header. This setting is important for internal HTTP/HTTPS processing. Only in this way does the route get the correct IP of the inquiring request for further checks or logging. +10. **Proxy protocol incoming enable:** Enables expecting a packet with a proxy header. 
Should the FlyingFish sit behind another proxy server with a [proxy protocol](proxy-protocol.md). 11. **Disable this listen:** Disables listening, settings are skipped during nginx config build. All dependent routes are also skipped. -After the initial installation, you can view the automatically installed listeners. You will find that ports 80 and 443 work with the proxy protocol. There is a good reason for this, since the stream points to the internal HTTP/HTTPS servers (lists). Which in turn expect the proxy protocol to process the correct IP from the request and not the IP 127.0.01. +After the initial installation, you can view the automatically installed listeners. You will find that ports 80 and 443 work with the [proxy protocol](proxy-protocol.md). There is a good reason for this, since the stream points to the internal HTTP/HTTPS servers (lists). Which in turn expect the [proxy protocol](proxy-protocol.md) to process the correct IP from the request and not the IP 127.0.01. @@ -62,11 +62,11 @@ Save causes an immediate reload of nginx. Existing connections are kept as if ru The following graphic should help to understand the list process: -

Portsflow

+

Portsflow

Port 5333, 80, 443 Listening on the network from the host (as a bridge, port forwarding to the Docker container). -There, the Nginx first uses "[IP access"](ip-access.md) to check whether the IPs have access rights. Then the streams (TCP/UDP) are split into their protocol (SSL/HTTP/etc.) and split into [domains](domains/) for forwarded to a destination. Should not specify an external destination, then use the internal ports for the HTTP (10080) and HTTPS (10443) server are specified as standard. They perform a "proxy reserve" and request a route too internal or external HTTP/HTTPS server. +There, the Nginx first uses "[IP access"](../ip-access.md) to check whether the IPs have access rights. Then the streams (TCP/UDP) are split into their protocol (SSL/HTTP/etc.) and split into [domains](../domains/) for forwarded to a destination. Should not specify an external destination, then use the internal ports for the HTTP (10080) and HTTPS (10443) server are specified as standard. They perform a "proxy reserve" and request a route too internal or external HTTP/HTTPS server. @@ -74,4 +74,4 @@ There, the Nginx first uses "[

Listen flow!

+

Listen flow!

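Review bot: the rewritten `+` lines for item 9 and for the paragraph below the list still say that "all packets are provided with the proxy protocol header" and still read "the IP 127.0.01". The proxy protocol header is sent once, at the start of each TCP connection before any application data, and the loopback address is 127.0.0.1; since both lines are being rewritten for the new links anyway, suggest "From now on each new connection is prefixed with the proxy protocol header." and "... and not the IP 127.0.0.1". Item 10 is also now broken so that "Should the FlyingFish sit behind another proxy server with a proxy protocol." stands alone as a fragment after a trailing space; suggest joining it into one sentence: "Enables expecting a packet with a proxy header; enable this when FlyingFish sits behind another proxy server that sends the proxy protocol."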
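Review bot: the `+` line of the flow paragraph only fixes the two link targets and carries over every defect of the removed line: the closing quote sits inside the link text in `"[IP access"](../ip-access.md)` (should be `"[IP access](../ip-access.md)"`), "proxy reserve" should be "reverse proxy", "request a route too internal" should be "to internal", and "Should not specify an external destination, then use the internal ports ... are specified as standard" is not a sentence. Suggest: "If no external destination is specified, the internal HTTP (10080) and HTTPS (10443) servers are used as the default destination. They act as a reverse proxy and request a route to an internal or external HTTP/HTTPS server."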
diff --git a/index/configurations/listen/proxy-protocol.md b/index/configurations/listen/proxy-protocol.md new file mode 100644 index 0000000..cf56c61 --- /dev/null +++ b/index/configurations/listen/proxy-protocol.md @@ -0,0 +1,21 @@ +--- +description: How is this to be understood? +--- + +# Proxy protocol + +As already mentioned in [Listen](./), a stream forwarded by Nginx cannot include the source IP. We help ourselves by activating the proxy protocol. As a result, the packet is taken and the information from the original IP is stored at the beginning. + + + +
+ +As can be seen in the diagram, the stream still receives the original IP from the querying client. As soon as the stream connects to the reverse proxy, this is an internal connection with 127.0.0.1. The information is lost from the reverse proxy for the web server. + + + +
+ +With the Proxy protocol, the reverse proxy receives the original IP with the package extension of the Proxy protocol header and can pass it on to the web server. + +You can read more about it at [Exploring the proxy protocol](https://seriousben.com/posts/2020-02-exploring-the-proxy-protocol/). diff --git a/index/configurations/routes.md b/index/configurations/routes.md index 14db4ef..8261518 100644 --- a/index/configurations/routes.md +++ b/index/configurations/routes.md @@ -4,9 +4,9 @@ description: Setting a route from the listen to the target. # Routes -A route is a path from the input ([Listen](listen.md)) to the destination. The destination can be of different types, stream, HTTP/HTTPS, SSH, use. +A route is a path from the input ([Listen](listen/)) to the destination. The destination can be of different types, stream, HTTP/HTTPS, SSH, use. -With the help of the [graphic from Listen](listen.md#listen-flow) I would like to show the area controlled by the route again: +With the help of the [graphic from Listen](listen/#listen-flow) I would like to show the area controlled by the route again:

Listen and Routes

@@ -26,4 +26,9 @@ Existing connections are kept as if running the command: nginx -s reload The default routes cannot be edited or deleted. {% endhint %} -3. Each domain entered in [Domains](domains/) is displayed under Routes. One or more routes from one or more [Listen](listen.md) to a destination can now be entered. +3. Each domain entered in [Domains](domains/) is displayed under Routes. One or more routes from one or more [Listen](listen/) to a destination can now be entered. + + + +## Default Routes +
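Review bot: the new proxy-protocol.md page describes the header as being stored at the beginning of "the packet" and as a "package extension", mixes "Proxy protocol" and "proxy protocol" on the same page, and does not say when incoming proxy protocol is safe to enable. The proxy protocol header is sent once per TCP connection, before any application data, so "the original IP is stored at the beginning of the connection" and "the proxy protocol header" would be accurate. More importantly for a page that exists to explain why the original IP is needed for IP access checks and logging: nginx reads the header from whichever peer opens the connection, so a listener with "Proxy protocol incoming enable" set must only be reachable from the trusted upstream proxy, otherwise any client able to reach that port can present an arbitrary source address. Suggest adding that caveat here and stating whether the IP access check on such a listener uses the real peer address or the address taken from the header.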
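Review bot: the routes.md hunk ends by adding an empty "## Default Routes" heading preceded by two blank lines and followed by nothing, so the page now ends in a section without content. Either fill it (the hint just above, "The default routes cannot be edited or deleted", suggests listing which routes are installed by default and what they point to) or leave the heading out of this commit. Also worth confirming that `listen/#listen-flow` still resolves after the rename: the anchor is generated from a heading in listen/README.md, and the hunks shown for that file only touch image lines.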