Why can’t Apache and NGINX reverse proxies act as SNAT?

Because the reverse proxy starts a new request, it substitutes its own address for the source IP in the TCP packets.

1.1.1.1                          2.2.2.2                             192.168.1.2
[ Source IP ] --Source 1.1.1.1--> Reverse Proxy  --Source 2.2.2.2--> [ WWW server ]

But there is a technology called Static NAT, or SNAT, that rewrites TCP packets to a new destination address and operates at layer 3.

1.1.1.1                          2.2.2.2                                192.168.1.2
[ Source IP ] --Source 1.1.1.1--> Router w/ NAT 2.2.2.2 to 192.168.1.2--> [ WWW server ]
The 0.0.0.0 default route sends the return packet back to the source.

Why, with all the network programmers out there, hasn’t someone implemented such a feature in reverse proxies? Whatever you do at layer 7 you can do at layer 3 (assuming it isn’t hidden away by the OS during de-capsulation, and we are re-encapsulating at layer 7).

1.1.1.1                          2.2.2.2                                                192.168.1.2
[ Source IP ] --Source 1.1.1.1--> Reverse Proxy forwarding NAT 2.2.2.2 to 192.168.1.2--> [ WWW server ]
                                 once it has received enough to determine the layer 7 request
Again, the 0.0.0.0 default route sends the return packet back to the source.
Is the TCP ACK window process the problem? I.e. we are deliberately implementing a TCP hijack on purpose, but we are calling it a handoff.

Because the source IP is what the web server sees when the TCP stream is de-encapsulated and the layer 3 data is made available to the application as a metadata structure. Otherwise most applications have to be customized for the reverse proxy use case.
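The behaviour asked about above does exist in NGINX as transparent proxying: `proxy_bind` with the `transparent` parameter opens the upstream connection from the client’s own address, and the "route 0.0.0.0" step from the diagrams is handled by forcing the backend’s replies back through the proxy. The configuration below is an added example, not from this post, and assumes the addresses from the diagrams (proxy 2.2.2.2, backend 192.168.1.2), a Linux proxy host with iptables, and an assumed inside proxy address of 192.168.1.1.

```nginx
# Added example: NGINX transparent proxying to the backend at 192.168.1.2
# (addresses from the diagrams above; 192.168.1.1 is an assumed inside address).
# The proxy keeps the real client address as the SOURCE of the upstream TCP
# connection, so the backend's logs and IP-based access controls see 1.1.1.1
# rather than 2.2.2.2.  Needs Linux IP_TRANSPARENT support and nginx 1.11.0+.

http {
    upstream backend {
        server 192.168.1.2:80;
    }

    server {
        listen 2.2.2.2:80;

        location / {
            # Open the upstream connection from the client's own IP address.
            # Workers need CAP_NET_RAW for this (inherited from the master
            # process on Linux since 1.13.8; older versions run workers as root).
            proxy_bind $remote_addr transparent;
            proxy_pass http://backend;
        }
    }
}

# The backend's replies are addressed to 1.1.1.1, so they must come back
# through the proxy (the "route 0.0.0.0" step in the diagram):
#
#  1. On the backend (192.168.1.2): default route via the proxy's inside address,
#       ip route replace default via 192.168.1.1
#
#  2. On the proxy: mark return packets from the backend and deliver them to
#     the local nginx socket instead of forwarding them on towards 1.1.1.1:
#       iptables -t mangle -A PREROUTING -p tcp -s 192.168.1.2 --sport 80 \
#                -j MARK --set-xmark 0x1/0xffffffff
#       ip rule add fwmark 1 lookup 100
#       ip route add local 0.0.0.0/0 dev lo table 100
#
# Without step 2 the proxy simply routes the backend's SYN-ACK onward to
# 1.1.1.1, which never opened that connection and answers with a RST: that is
# the TCP state problem the post describes as a "hijack" or "handoff".
```

The client still sees only one TCP connection, to 2.2.2.2; the second connection (client IP to backend) lives entirely on the proxy, which is why the proxy must be on the backend’s return path.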
