[PATCH] Add proxy_protocol option to mail listener

Maxim Dounin mdounin at mdounin.ru
Tue Aug 8 19:25:19 UTC 2017 

Hello!

On Mon, Aug 07, 2017 at 03:23:12PM +0200, Kees Bos wrote:

> # HG changeset patch
> # User Kees Bos <cornelis.bos at gmail.com>
> # Date 1500565189 0
> #      Thu Jul 20 15:39:49 2017 +0000
> # Node ID 327f18e079b175b14277a23e75715f5feee34d69
> # Parent  863b862534d7ac0dbf8babf68b824de6fb0d6ef4
> Add proxy_protocol option to mail listener

Style, should be:

Mail: added proxy_protocol option to mail listener.

> 
> Add support for the mail handlers. This enables the use of an upstream
> loadbalancer/proxy that connects with the proxy protocol. Examples of
> this are haproxy or a nginx stream handler that uses then proxy protocol
> in client conections.
> 
> The proxy protocol source ip address will we exposed to the auth
> handler as 'Proxy-Protocol-IP'.

Probably this should be a separate patch.  That is, one patch for 
"listen ... proxy_protocol" and "Proxy-Protocol-IP", and another 
one for set_real_ip_from (see below).

> 
> If the sender ip address matches one or more "set_real_ip_from" directives,
> the source ip address as specified in the in the proxy protocol will be
> used as 'Client-IP' in the authentication call and as address in the
> XCLIENT call.
> 
> Example config:
> mail {
>     server_name mail.example.com;
>     auth_http   localhost:9000/;
> 
>     server {
>         listen 143 proxy_protocol;
>         protocol imap;
>     }
> 
>     server {
>         listen 25 proxy_protocol;
>         protocol smtp;
>         set_real_ip_from 127.0.0.0/8;
>         set_real_ip_from ::/128;
>     }
> }
> 
> In the imap config, the source address given in the proxy protocol will
> never be used as Client-IP.
> 
> In the smtp config, the source address given in the proxy protocol will
> only be used as XCLIENT address when the sender address matches the
> "set_real_ip_from" settings (in this case only loopback address).

This doesn't seem to match what is expected to happen whan a real 
IP is set.

Much like in http and stream modules, if set_real_ip_from includes 
the client's address, then the client's address have to be 
replaced with one provided via PROXY protocol.  And then this 
address will be used everywhere where nginx uses client's address.

It looks like the set_real_ip_from part might not be familiar to 
you, so please consider preserving only the first patch, with 
"listen ... proxy_protocol" and "Proxy-Protocol-IP".

[...]

-- 
Maxim Dounin
http://nginx.org/

More information about the nginx-devel mailing list