We have a business requirement to channel all outgoing connections from multiple processing servers through a single IP address.

Our setup is as follows:

We have an nginx server which works as a load balancer for incoming http requests. We then have multiple web servers, which connect to processing servers which in turn connect to our customers databases.

Client --> Loadbalancer --> Web servers --> Process servers --> Database

Client <-- Loadbalancer <-- Web servers <-- Process servers <-- Database

Currently, we provide our customers a list of IP addresses that they should add to their database whitelist. However, as we scale this whitelist will become longer and our customers in turn would need to again update their whitelist respectively.

Desired Setup

To work around this, we would like to channel all outgoing connections through another nginx server, which would mask the IP addresses of our processing servers. In turn, we would now only have one IP address that our customers would whitelist.

Client --> Loadbalancer --> Web servers --> Process servers --> IP Masking --> Database

Client <-- Loadbalancer <-- Web servers <-- Process servers <-- IP Masking <-- Database

Is this possible solely with nginx, if so, what steps would we need to take to achieve this?

Andrew Schulman
  • 8,561
  • 21
  • 31
  • 47
  • 113
  • 1
  • 5
  • You're looking for a _forward_ proxy. Nginx is a _reverse_ proxy. Get a proper forward proxy such as squid, and this is very easy. – Michael Hampton Feb 20 '18 at 17:22

2 Answers2


What you ask is possible with nginx starting from version 1.9.0. They added tcp (not http) proxy support. Starting from 1.9.13 they also added udp proxying. Read https://www.nginx.com/resources/admin-guide/tcp-load-balancing/#upstream and https://nginx.ru/en/docs/stream/ngx_stream_proxy_module.html

The tricky part would be differentiating incoming connections on (IP mask nginx) to decide to which database to connect. In HTTP proxy you can use host name. In tcp proxy you should either listen on different ports or different IP addresses. nginx.conf:

worker_processes  4;

error_log  /var/log/nginx/error.log;

events { worker_connections  1024; }
stream {
        server {
           listen 3307;
           proxy_pass client2.db.dev:3306;
           proxy_buffer_size 16k;
        server {
           listen 3308;
           proxy_pass client1.db.dev:3306;
           proxy_buffer_size 16k;
  • 359
  • 2
  • 5
  • 1
    But generally nginx is not the best tool for proxying database connections. There are many database-specific proxy. For MySQL it's a ProxySQL, MaxScale SQL or mysql-proxy. Many use HAProxy for TCP (and SQL) proxying (it has embedded WEB connection state monitoring). – Nopius Feb 21 '18 at 03:10
  • I guess it is not the database connection we are proxying, it is the process servers themselves. The idea is that any one of these process servers could potentially connect to the customers database. The connection is via a request made from a node.js server running on the process servers. What we are looking to do is channel all outgoing requests from all of the process servers through a single IP so our customers only need to whiltelist 1 IP address at there end. – Glen Feb 21 '18 at 14:05
  • It doesn't matter which kind of connection to the customer database your node.js server is using if it's a TCP connection. Then Nginx TCP proxy would work. The only thing you should change on process server is customer database endpoint, which changes from real IP to your 'masking Nginx' IP. – Nopius Feb 21 '18 at 22:35
  • So in that case I set up nginx on another server. Use IP tables to point my outgoing traffic towards it and provide the customer with the IP of the server running nginx and all should be dandy? In your experience is there much of a traffic bottleneck with this sort of setup? – Glen Feb 21 '18 at 22:45
  • Not exactly. You setup Nginx server - yes. Then you change not IP tables, but process server's config to point to Nginx entry point to specific customer (you should have many such points if you have many database connections, they should also be configured on Nginx). What about traffic bottleneck, you may setup several Nginx servers and use either RR dns or configure different process servers with different nginx IPs – Nopius Feb 21 '18 at 22:51
  • OK I guess that ain't gonna work then because we would need to edit nginx config every time a new database is added which is multiple times per day. I like think your other solution using NAT might be better. We were kinda hoping for something as simple as point all outgoing connections to a single server that masks the IP and be done. Maybe we should get a Network Consultant . – Glen Feb 21 '18 at 22:56
  • nginx can reload configuration without interrupting connection, so it's safe to edit it as many times as you like. To make automation easy (just create or remove files), you may use nginx 'include' for directory where you put your upstream configuration: new upstsream -> new config file -> nginx reload. – Nopius Feb 27 '18 at 07:24

Another possible solution is using NAT. In this case masking server will be your router with configured network address translation. In this case you don't need to change customer database IP in node.js configuration, but you should change network, possibly routing configuration on all process servers and have one gateway with NAT configured

  • 359
  • 2
  • 5