[PATCH] Add support for Proxy Protocol to mail SMTP

Maxim Dounin mdounin at mdounin.ru
Thu Nov 3 17:13:03 UTC 2016


Hello!

On Thu, Nov 03, 2016 at 09:41:03AM -0700, Maxim Vladimirsky wrote:

> Hi Folks,
> 
> I was not sure if you would be interested in this, but decided to run it by
> you anyway.
> 
> We need to run Nginx as an SMTP proxy sitting behind ELB in AWS, but we
> also want the upstream SMTP server to get the real client IP, so Nginx is
> configured to provide it via an XCLIENT command. However the stock version
> of Nginx provides ELB's IP instead, because it does not recognize the Proxy
> Protocol header
> (http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html#proxy-protocol)
> sent to it by ELB.

Seems to be a perfectly valid use case.

> The following patch updates the mail module so that it can be configured to
> expect Proxy Protocol header by setting `proxy_protocol on`. In that case
> Proxy Protocol header is parsed, a client IP is retrieved and passed to an
> SMTP upstream in an XCLIENT command.

The "proxy_protocol on" is expected to configure sending PROXY 
protocol to an upstream server, similar to how it already works in 
the stream module:

http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_protocol

Accepting PROXY protocol from clients is expected to be enabled 
using a listening socket option instead, similar to what we have 
in http and stream modules:

http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
http://nginx.org/en/docs/stream/ngx_stream_core_module.html#listen

The open question is how it should work, though.  I.e., if it should 
just unconditionally set provided address as a client one, similar 
to how

    listen 80 proxy_protocol;
    real_ip_header proxy_protocol;
    set_real_ip_from 0.0.0.0/0;

works in stream / http, or there should be some advanced control 
like the realip module in stream / http.

-- 
Maxim Dounin
http://nginx.org/
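
The trade-off raised in the message above (adopting the PROXY protocol address unconditionally versus only from trusted senders), shown as an added example that is not part of the original message and is not nginx code. It is a simplified IPv4-only model of a PROXY protocol v1 check; the names `in_cidr` and `effective_client` are hypothetical and all addresses are constructed.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1 if IPv4 address `peer` lies inside `cidr` ("a.b.c.d/n"), else 0. */
static int in_cidr(const char *peer, const char *cidr)
{
    char net[16];
    unsigned bits;
    struct in_addr p, n;
    if (sscanf(cidr, "%15[0-9.]/%u", net, &bits) != 2 || bits > 32) return 0;
    if (inet_pton(AF_INET, peer, &p) != 1 || inet_pton(AF_INET, net, &n) != 1) return 0;
    uint32_t mask = bits ? htonl(0xFFFFFFFFu << (32 - bits)) : 0;
    return (p.s_addr & mask) == (n.s_addr & mask);
}

/* Hypothetical helper. `line` is the first line read from the socket,
 * NUL-terminated, CRLF included. Returns -1 for a malformed header (close the
 * connection), 1 if the header's source address was adopted, 0 if the socket
 * peer address was kept because the peer is not a trusted proxy. */
int effective_client(const char *peer, const char *line,
                     const char *trusted_cidr, char out[INET_ADDRSTRLEN])
{
    char src[16], dst[16], canon[64];
    unsigned sport, dport;
    struct in_addr a;
    if (sscanf(line, "PROXY TCP4 %15[0-9.] %15[0-9.] %5u %5u",
               src, dst, &sport, &dport) != 4) return -1;
    if (sport > 65535 || dport > 65535) return -1;
    if (inet_pton(AF_INET, src, &a) != 1 || inet_pton(AF_INET, dst, &a) != 1) return -1;
    /* Re-serialize and compare: rejects extra whitespace, trailing bytes, a missing CRLF. */
    snprintf(canon, sizeof canon, "PROXY TCP4 %s %s %u %u\r\n", src, dst, sport, dport);
    if (strcmp(canon, line) != 0) return -1;

    /* Only a trusted proxy may override the address seen on the socket. */
    int trusted = in_cidr(peer, trusted_cidr);
    snprintf(out, INET_ADDRSTRLEN, "%s", trusted ? src : peer);
    return trusted;
}

int main(void)
{
    char out[INET_ADDRSTRLEN];
    const char *hdr = "PROXY TCP4 203.0.113.7 10.0.0.9 51234 25\r\n"; /* constructed */
    int r = effective_client("198.51.100.20", hdr, "10.0.0.0/8", out);
    printf("%d %s\n", r, out);
    return 0;
}
```

Passing `0.0.0.0/0` as the trusted range reproduces the unconditional behaviour: any peer that can reach the listener chooses the address that is later forwarded upstream.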


