[PATCH] Add proxy_protocol option to mail listener

Maxim Dounin mdounin at mdounin.ru
Wed Jul 12 12:56:36 UTC 2017


Hello!

On Wed, Jul 12, 2017 at 02:08:31PM +0200, Kees Bos wrote:

> On di, 2017-07-11 at 18:12 +0300, Maxim Dounin wrote:
> > Hello!
> > 
> > On Fri, Jul 07, 2017 at 03:38:02PM +0200, Kees Bos wrote:
> > 
> > > 
> > > # HG changeset patch
> > > # User Kees Bos <cornelis.bos at gmail.com>
> > > # Date 1499422505 0
> > > #      Fri Jul 07 10:15:05 2017 +0000
> > > # Node ID bc79b2baf494aabb889de1e5dbe3184ff0cb9bfa
> > > # Parent  70e65bf8dfd7a8d39aae8ac3a209d426e6947735
> > > Add proxy_protocol option to mail listener
> > > 
> > > Add support for the mail handlers. This enables the use of an
> > > upstream
> > > loadbalancer/proxy (like haproxy) that connects with the proxy
> > > protocol.
> > > 
> > > The original ip (as exposed with the proxy protocol) will be used
> > > as
> > > parameter for the 'Client-IP' in the authentication call.
> > > 
> > > Example config:
> > > mail {
> > >     server_name mail.example.com;
> > >     auth_http   localhost:9000/;
> > > 
> > >     server {
> > >         listen 143 proxy_protocol;
> > >         protocol imap;
> > >     }
> > > }
> > I see at least the following problems in this patch:
> 
> Thanks for the comments. I wasn't aware of a previous attempt (just
> started to look at nginx code etc). Apparently I'm not the only one
> interested in proxy_protocol for the mail module :-)

Well, I've provided the link when you asked about it in April in 
the nginx@ mailing list:

http://mailman.nginx.org/pipermail/nginx/2017-April/053582.html

> > 1. The implementation is not complete compared to other modules 
> > (http, stream): it only tries to change the address passed as 
> > Client-IP in auth_http, but not the address used for logging 
> > and/or for XCLIENT.
> 
> I'll handle that.
> 
> > 
> > 2. It unconditionally trusts all clients who can connect to the 
> > port in question.  This doesn't look wise.
> 
> I'm not sure what you mean here.
> 
> There's no way to verify the correctness of the proxy protocol (that's
> also true so for the http/stream implementation). If a proxy protocol
> claims to originate from 1.1.1.1:1 and that the connection was
> originally to 2.2.2.2:2 the listener has no way to know that that's
> correct (or not).

Obviously enough, you can't verify the information provided.  But 
you can trust or do not trust to the particular client.  For 
example, in the ngx_http_realip_module this is done using the 
set_real_ip_from directive (http://nginx.org/r/set_real_ip_from) - 
you can explicitly configure address blocks you want to allow to 
set client's address based on the provided header or PROXY 
protocol.

The link I've provided in the previous message contains an example 
with set_real_ip_from as part of the review.

-- 
Maxim Dounin
http://nginx.org/


More information about the nginx-devel mailing list