[PATCH] Add proxy_protocol option to mail listener
cornelis.bos at gmail.com
Wed Jul 12 13:01:11 UTC 2017
On Wed, 2017-07-12 at 15:56 +0300, Maxim Dounin wrote:
> On Wed, Jul 12, 2017 at 02:08:31PM +0200, Kees Bos wrote:
> > On Tue, 2017-07-11 at 18:12 +0300, Maxim Dounin wrote:
> > > On Fri, Jul 07, 2017 at 03:38:02PM +0200, Kees Bos wrote:
> > > 2. It unconditionally trusts all clients who can connect to the
> > > port in question. This doesn't look wise.
> > I'm not sure what you mean here.
> > There's no way to verify the correctness of the proxy protocol
> > (that's also true for the http/stream implementation). If a proxy
> > protocol claims to originate from 220.127.116.11:1 and that the
> > connection was originally to 18.104.22.168:2 the listener has no way
> > to know whether that's correct (or not).
> Obviously enough, you can't verify the information provided. But
> you can trust or do not trust to the particular client. For
> example, in the ngx_http_realip_module this is done using the
> set_real_ip_from directive (http://nginx.org/r/set_real_ip_from) -
> you can explicitly configure address blocks you want to allow to
> set client's address based on the provided header or PROXY
Yes. That's clear. Now (I think) I understand what you mean.
> The link I've provided in the previous message contains an example
> with set_real_ip_from as part of the review.
More information about the nginx-devel