[PATCH] Add proxy_protocol option to mail listener
Maxim Dounin
mdounin at mdounin.ru
Tue Aug 8 19:25:19 UTC 2017
Hello!
On Mon, Aug 07, 2017 at 03:23:12PM +0200, Kees Bos wrote:
> # HG changeset patch
> # User Kees Bos <cornelis.bos at gmail.com>
> # Date 1500565189 0
> # Thu Jul 20 15:39:49 2017 +0000
> # Node ID 327f18e079b175b14277a23e75715f5feee34d69
> # Parent 863b862534d7ac0dbf8babf68b824de6fb0d6ef4
> Add proxy_protocol option to mail listener
Style, should be:
Mail: added proxy_protocol option to mail listener.
>
> Add support for the mail handlers. This enables the use of an upstream
> loadbalancer/proxy that connects with the proxy protocol. Examples of
> this are haproxy or a nginx stream handler that uses then proxy protocol
> in client conections.
>
> The proxy protocol source ip address will we exposed to the auth
> handler as 'Proxy-Protocol-IP'.
Probably this should be a separate patch. That is, one patch for
"listen ... proxy_protocol" and "Proxy-Protocol-IP", and another
one for set_real_ip_from (see below).
>
> If the sender ip address matches one or more "set_real_ip_from" directives,
> the source ip address as specified in the in the proxy protocol will be
> used as 'Client-IP' in the authentication call and as address in the
> XCLIENT call.
>
> Example config:
> mail {
> server_name mail.example.com;
> auth_http localhost:9000/;
>
> server {
> listen 143 proxy_protocol;
> protocol imap;
> }
>
> server {
> listen 25 proxy_protocol;
> protocol smtp;
> set_real_ip_from 127.0.0.0/8;
> set_real_ip_from ::/128;
> }
> }
>
> In the imap config, the source address given in the proxy protocol will
> never be used as Client-IP.
>
> In the smtp config, the source address given in the proxy protocol will
> only be used as XCLIENT address when the sender address matches the
> "set_real_ip_from" settings (in this case only loopback address).
This doesn't seem to match what is expected to happen whan a real
IP is set.
Much like in http and stream modules, if set_real_ip_from includes
the client's address, then the client's address have to be
replaced with one provided via PROXY protocol. And then this
address will be used everywhere where nginx uses client's address.
It looks like the set_real_ip_from part might not be familiar to
you, so please consider preserving only the first patch, with
"listen ... proxy_protocol" and "Proxy-Protocol-IP".
[...]
--
Maxim Dounin
http://nginx.org/
More information about the nginx-devel
mailing list