Nginx transparent proxy

use nginx as a transparent proxy to terminate ssl traffic either locally or remotely

July 15, 2020
sysadmin nginx proxy load-balancer self hosting

So you want to self host part 2 ?

So you started hosting stuff at home, you either followed part 1 to use a wireguard vpn to get a public ip to your server at home, or came here because you did not find too much documentation on Nginx proxy_bind $remote_addr transparent mode and wants an example (it is called IP transparency in the doc ).

In this article, I’ll outline quickly how to use nginx as a transparent proxy to send the remote ip address to an upstream server, using the stream module ( not the http module and X-Forwarded-For header ).

That can allow you to load balance whatever protocol you want, preserving the client IP for your logs or other purposes.

As an added bonus, and as an example, I’ll show you how to terminate an https connection either locally on the LB or on the upstream server.


  • 1 server ‘load-balancer’ LB
  • 1 server ‘upstream’ UP

Global steps:

  • Install/configure nginx on LB
  • Configure iptables and ip rules on LB
  • install/configure nginx on UP ( <— or whatever you want to serve using the nginx proxy… )
  • make sure LB is the default route on UP ( already the case if you followed the wireguard tutorial ).

On the cheap vps LB: (you can just add those lines in the ‘up’ section of the of the wireguard article)):


# traffic coming back from UP should be routed back to nginx for relay
ip rule add fwmark 1 lookup 100
ip route add local dev lo table 100
iptables -t mangle -I PREROUTING 1 -p tcp -s --sport 443 -j MARK --set-xmark 0x1/0xffffffff
# traffic coming back from local backend should also be routed back to nginx for relay
# do not use for that, it won't work, use your local vpn ip it is easier ( or any other btw )
iptables -t mangle -I PREROUTING 1 -p tcp -s --sport 4430 -j MARK --set-xmark 0x1/0xffffffff
iptables -t mangle -I OUTPUT 1 -p tcp -s --sport 4430 -j MARK --set-xmark 0x1/0xffffffff


mkdir -p /etc/nginx/stream.d && echo 'include /etc/nginx/stream.d/*;' >> /etc/nginx/nginx.conf


stream {
    map $ssl_preread_server_name $upstream { local;
        default default;

    upstream local {

    upstream default {

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $upstream;
        proxy_bind $remote_addr transparent;


server {

    location / {

    listen 4430 ssl http2;
    ssl_certificate ....
    ssl_certificate_key ....


On the UP server:

just configure nginx to have something listening on port 443 for this example.

Last steps:

  • launching on the LB is left for you to do as you see fit.
  • make sure LB is the default route for UP.


Easy to use, and allows you to have your status page on your vps while the rest is hosted at home, so you can be warned in case of trouble :) All domains not explicitely set in the map $ssl_preread_server_name $upstream on the LB will be sent to the nginx server on UP. Also, client IP being preserved, you can have your fail2ban, or whatever working properly.