Nginx dropping the first client as soon as the second connects

linux nginx iptables reverse-proxy

I'm trying to configure Nginx to reverse proxy port 445, but every time client A is connected to the share through Nginx and a client B connects I have the connection of client A dropped by Nginx even though he was actively using the share (downloading a big file, for example). It's like Nginx is reusing the connection for client B before client A finishes using it.

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log debug;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

stream {

    server {
         listen 445;
         proxy_pass storage:445;
    }
}

What's missing in the config file above to allow both client A and B to use the share simultaneously without dropping one connection to stablish the other?

Some extra context:
Nginx v. 1.17.1 runing on Ubuntu 18.04.2 LTS virtual machine 4 vCPU and 4Gb mem ;

I have already tried making this control using iptables instead of Nginx to forward the connections on port 445 to the share server and the result was similar: client A has its connection dropped when B connects;

The share works fine if the clients A and B connects directly to the storage share without Nginx between them;

I have tried quite a lot of recomended configurations from Nginx documentation (limit_conn, so_keepalive, reuseport....), but I might have misused them;

From Wireshark I see Nginx sends a [FIN, ACK] packet to client A when client B connects;

Log of Nginx when client A has its connection afected: *[error] 32110#32110: 7 recv() failed (104: Connection reset by peer) while proxying and reading from upstream... but I notice this log is related to a [RST, ACK] packet client A sends to Nginx even after that [FIN, ACK] packet it received.

Edit:
Tried with the newer version 1.17.3 and no success.


Solution 1:

I think SMB Server will disconnect you because from its side, the same machine is trying to connect using different users. This is the same using masquerade with iptables and Nginx.

I would continue using iptables, but without masquerading traffic to your SMB server, only allowing forward.

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 445 -j DNAT --to-destination storage:445
iptables -t filter -A FORWARD -d storage/32 -p tcp -m tcp --dport 445 -j ACCEPT

Make the traffic from your SMB server to the networks the clients resides to be routed through the proxy/forwarding server.

Then in the proxy/forwarding server you need to masquerade traffic to your clients networks. Example: 

iptables -t nat -A POSTROUTING -d 192.168.0.0/24 -o eth0 -j MASQUERADE

With this, the SMB server will receive traffic from the client's IPs, while the clients communication is with the proxy/forwarding server and should not disconnect when multiple clients connects.

Related

Win10 - can't reach ubuntu VM after last big windows update (again :-/ )
Counting blank rows in Excel, not blank cells
How to delete all the open files in notepad++
Why does Windows keep regenerating unneeded .regtrans-ms files in my user folder?
Ghostscript's /ebook preset creating some undesired effect on PDF but /printer doesn't
Upgrading secondary HDD - Copy/paste sufficient?
Reason for Windows turning on
Where do we get “queen” from? [closed]
Is "much" used for emphasis in "much to your surprise"?
Phrase for someone taking over business when you skip for humanity
Meaning of vitative(ness)
What is the correct definition and usage of the acronym "ETA"? [closed]