About Nginx steam feature for sync port behind nginx

esingress · October 20, 2021, 10:03am

Hi all,

I found another topic about this issue, but the topic already closed. https://forum.syncthing.net/t/resolved-expected-1-certificate-got-2-error/16015/5

I can’t make the stream feature work.

Here is my server setting

Router (192.168.0.1)
Nginx (192.168.0.2)
Syncthing Server (192.168.0.3)

I want to set tcp://syncthing.test.com:12345 → tcp://192.168.0.3:22000

Here is my part of nginx.conf

stream {

    upstream syncthing{
        hash $remote_addr consistent;
        server 192.168.0.3:22000;
    }

    map $ssl_preread_server_name $name {
        syncthing.test.com syncthing;
    }

    server {
        listen 192.168.0.2:12345;
        proxy_pass $name;
    }
}

Any idea?

Thanks!

calmh · October 20, 2021, 11:00am

You need to explain what you did in Syncthing, what it is that doesn’t work, and what you see instead.

(Also not clear to me why as it seems the proxy is just beside Syncthing in the same network.)

AudriusButkevicius · October 20, 2021, 5:07pm

Also, I don’t think this will work, as we don’t use SNI, so you couldn’t put more than 1 syncthing behind the proxy.

Plus things like discovery make zero sense at that point, as you somehow would need to discover nginx and not syncthing.

esingress · October 21, 2021, 2:27am

Sorry for my bad explanation. It is “Discover” problem not “Sync” problem.

Since I cannot use port “22000” in office. I can use port “12345” only. And port “12345” forwarded to Nginx Server 443 port.

I can access the GUI outside the network, followed by this guide https://docs.syncthing.net/users/reverseproxy.html

But the Syncthing server cannot discovery by other outside the network.

And I found the post, https://forum.syncthing.net/t/resolved-expected-1-certificate-got-2-error/16015/5

He seems can config the Nginx to act as port forwarding.

But I can’t make it work.

After the above setting, When I use “tcp://syncthing.test.com:12345”, for the server address. I will got another device id (an unknown id), which is not the Server real device id.

calmh · October 21, 2021, 7:03am

Yeah I don’t know ngingx but as Audrius says we don’t send SNI, so the “map” and “preread $name” stuff looks suspicious and is probably not going to work. Just a straight TCP proxy on port 12345 should work with your statically configured address.

AudriusButkevicius · October 21, 2021, 8:16am

Note the caveat @calmh mentioned that discovering this node will not work, as there is no way to discover the proxy the instamce is behind, so you will have to configure the device address (point it at the proxy) manually.

system · November 20, 2021, 8:17am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.