Nginx dropping the first client as soon as the second connects
I'm trying to configure Nginx to reverse proxy port 445, but every time client A is connected to the share through Nginx and a client B connects I have the connection of client A dropped by Nginx even though he was actively using the share (downloading a big file, for example). It's like Nginx is reusing the connection for client B before client A finishes using it.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
stream {
    server {
        listen 445;
        proxy_pass storage:445;
    }
}
What's missing in the config file above to allow both client A and B to use the share simultaneously without dropping one connection to establish the other?
Some extra context:
Nginx v. 1.17.1 running on Ubuntu 18.04.2 LTS virtual machine 4 vCPU and 4Gb mem;
I have already tried making this control using iptables instead of Nginx to forward the connections on port 445 to the share server and the result was similar: client A has its connection dropped when B connects;
The share works fine if clients A and B connect directly to the storage share without Nginx between them;
I have tried quite a lot of recommended configurations from Nginx documentation (limit_conn, so_keepalive, reuseport...), but I might have misused them;
From Wireshark I see Nginx sends a [FIN, ACK] packet to client A when client B connects;
Log of Nginx when client A has its connection affected: [error] 32110#32110: *7 recv() failed (104: Connection reset by peer) while proxying and reading from upstream... but I notice this log is related to a [RST, ACK] packet client A sends to Nginx even after that [FIN, ACK] packet it received.
Edit:
Tried with the newer version 1.17.3 and no success.
Solution 1:
I think SMB Server will disconnect you because from its side, the same machine is trying to connect using different users. This is the same using masquerade with iptables and Nginx.
I would continue using iptables, but without masquerading traffic to your SMB server, only allowing forward.
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 445 -j DNAT --to-destination storage:445
iptables -t filter -A FORWARD -d storage/32 -p tcp -m tcp --dport 445 -j ACCEPT
Make the traffic from your SMB server to the networks where the clients reside be routed through the proxy/forwarding server.
Then in the proxy/forwarding server you need to masquerade traffic to your clients' networks. Example:
iptables -t nat -A POSTROUTING -d 192.168.0.0/24 -o eth0 -j MASQUERADE
With this, the SMB server will receive traffic from the clients' IPs, while the clients' communication is with the proxy/forwarding server and should not disconnect when multiple clients connect.
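One way to confirm on the forwarding host which source address the SMB server actually sees for each client, shown here as an added example that is not part of the original answer. It parses the output format of `conntrack -L` (conntrack-tools); the sample lines and every address in them are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by `conntrack -L -p tcp` on the forwarder.
# Each entry holds the original tuple (client -> forwarder) followed by the reply
# tuple (server -> address the server believes it is talking to).
SAMPLE = """\
tcp      6 431990 ESTABLISHED src=192.168.0.21 dst=192.168.0.1 sport=50112 dport=445 src=10.0.0.50 dst=10.0.0.1 sport=445 dport=50112 [ASSURED] mark=0 use=1
tcp      6 431995 ESTABLISHED src=192.168.0.22 dst=192.168.0.1 sport=49833 dport=445 src=10.0.0.50 dst=10.0.0.1 sport=445 dport=49833 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.0.23 dst=192.168.0.1 sport=50555 dport=445 src=10.0.0.50 dst=192.168.0.23 sport=445 dport=50555 [ASSURED] mark=0 use=1
"""

FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


def parse_entry(line):
    """Return (original_tuple, reply_tuple) as dicts, or None if the line is not a flow."""
    pairs = FIELD.findall(line)
    if len(pairs) < 8:
        return None
    return dict(pairs[:4]), dict(pairs[4:8])


def classify(text, port="445"):
    """For every flow to `port`, record the address the server sees for the client."""
    report = []
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed is None or parsed[0]["dport"] != port:
            continue
        orig, reply = parsed
        report.append({
            "client": orig["src"],
            "server": reply["src"],
            "seen_by_server": reply["dst"],
            # Without source NAT the reply goes straight back to the client address.
            "source_preserved": reply["dst"] == orig["src"],
        })
    return report


def shared_sources(report):
    """Addresses that stand in for more than one real client towards the same server."""
    seen = defaultdict(set)
    for flow in report:
        seen[(flow["server"], flow["seen_by_server"])].add(flow["client"])
    return {key: sorted(clients) for key, clients in seen.items() if len(clients) > 1}


if __name__ == "__main__":
    for flow in classify(SAMPLE):
        print(flow)
    print("shared:", shared_sources(classify(SAMPLE)))
```

A non-empty `shared_sources` result means several clients still reach the server behind one masqueraded address. Connections proxied by the Nginx `stream` module are terminated and re-opened by Nginx, so they do not appear as a single translated flow in this output.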