Set port range for nginx

Hi all,
I’ve got an nginx server in an internal network, and the server will
forward requests to the outer net using proxy_pass,
it seems like:
proxy_pass http://[public ip]:[port]
Unfortunately, the firewall blocks most of the ports, so the proxy_pass
failed.
I have two questions:
How does proxy_pass use a port to forward the request? Does it pick a random port?
Would it be possible to set a port range (e.g. 10000~20000) for
proxy_pass
to use?

Regards,
Yao

On 8 February 2013 02:05, Maxim D. [email protected] wrote:

> > failed.
> /proc/sys/net/ipv4/ip_local_port_range.
>
> > Would it be possible to set a port range (e.g. 10000~20000) for proxy_pass
> > to use?
>
> In theory, nginx can use bind() syscall to select some particular
> port, but only one of them, and this doesn’t make sense with
> proxy_pass - as this will not allow more than one connection to
> the same destination address. That is, tuning the OS as suggested
> above is the only way to go.

Or, alternatively, a local firewall with port translation can be used
to ensure that all outgoing ports that are used would be the ones that
would pass the upstream firewall.

See OpenBSD PF: Traffic Redirection (Port Forwarding) for some details, which has
a couple of examples of port redirection/translation within the
firewall.

C.

Hello!

On Fri, Feb 08, 2013 at 11:20:35AM +0800, Fufeng Yao wrote:

> Hi all,
> I’ve got an nginx server in an internal network, and the server will
> forward requests to the outer net using proxy_pass,
> it seems like:
> proxy_pass http://[public ip]:[port]
> Unfortunately, the firewall blocks most of the ports, so the proxy_pass
> failed.
> I have two questions:
> How does proxy_pass use a port to forward the request? Does it pick a random port?

Outgoing port (as well as IP address, unless proxy_bind is used) is
selected by your OS. Use your system configuration options to
tune the port range used.

E.g. on FreeBSD it can be done with the net.inet.ip.portrange.first
and net.inet.ip.portrange.last sysctls. On Linux it’s tuned with the
net.ipv4.ip_local_port_range sysctl or
/proc/sys/net/ipv4/ip_local_port_range.

> Would it be possible to set a port range (e.g. 10000~20000) for proxy_pass
> to use?

In theory, nginx can use bind() syscall to select some particular
port, but only one of them, and this doesn’t make sense with
proxy_pass - as this will not allow more than one connection to
the same destination address. That is, tuning the OS as suggested
above is the only way to go.


Maxim D.
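
Added example (not part of the thread and not nginx code): a Python sketch of the two points in the reply above. Connections made without bind() take their source ports from the OS range, read here from /proc/sys/net/ipv4/ip_local_port_range on Linux, and a second socket bound to the same source port cannot connect to the same destination. The loopback listener stands in for the proxy_pass destination, and all function names are illustrative.

```python
import errno
import socket

RANGE_FILE = "/proc/sys/net/ipv4/ip_local_port_range"  # Linux only

def local_port_range():
    """Return (first, last) of the OS ephemeral port range, or None off Linux."""
    try:
        with open(RANGE_FILE) as f:
            return tuple(map(int, f.read().split()))
    except OSError:
        return None

def make_listener():
    """Constructed loopback listener standing in for the upstream server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    return srv

def os_chosen_ports(dest, count=8):
    """Connect without bind(): the kernel picks each source port."""
    conns = [socket.create_connection(dest) for _ in range(count)]
    ports = [c.getsockname()[1] for c in conns]  # read while all are open
    for c in conns:
        c.close()
    return ports

def second_connect_from_fixed_port(dest):
    """Errno name when a 2nd socket reuses one source port to dest, else None."""
    a, b = (socket.socket(socket.AF_INET, socket.SOCK_STREAM) for _ in range(2))
    try:
        for s in (a, b):
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        a.bind(("127.0.0.1", 0))      # fix one source port for `a`
        a.connect(dest)
        try:
            b.bind(a.getsockname())   # same source IP and port as `a`
            b.connect(dest)           # same 4-tuple as `a`: refused
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))
        return None
    finally:
        a.close()
        b.close()

if __name__ == "__main__":
    with make_listener() as srv:
        dest = srv.getsockname()
        print("range:", local_port_range(), "ports:", os_chosen_ports(dest))
        print("second connect:", second_connect_from_fixed_port(dest))
```

To confirm that a changed range has taken effect, run this after the sysctl change and compare the printed source ports with the ports the upstream firewall allows.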