[PATCH] Add proxy_protocol option to mail listener

Kees Bos cornelis.bos at gmail.com
Wed Jul 12 13:01:11 UTC 2017


On wo, 2017-07-12 at 15:56 +0300, Maxim Dounin wrote:
> On Wed, Jul 12, 2017 at 02:08:31PM +0200, Kees Bos wrote:
> On di, 2017-07-11 at 18:12 +0300, Maxim Dounin wrote:
> > > On Fri, Jul 07, 2017 at 03:38:02PM +0200, Kees Bos wrote:
> > > 2. It unconditionally trusts all clients who can connect to the 
> > > port in question.  This doesn't look wise.
> > I'm not sure what you mean here.
> > 
> > There's no way to verify the correctness of the proxy protocol
> > (that's
> > also true so for the http/stream implementation). If a proxy
> > protocol
> > claims to originate from 1.1.1.1:1 and that the connection was
> > originally to 2.2.2.2:2 the listener has no way to know that that's
> > correct (or not).
> Obviously enough, you can't verify the information provided.  But 
> you can trust or do not trust to the particular client.  For 
> example, in the ngx_http_realip_module this is done using the 
> set_real_ip_from directive (http://nginx.org/r/set_real_ip_from) - 
> you can explicitly configure address blocks you want to allow to 
> set client's address based on the provided header or PROXY 
> protocol.

Yes. That's clear. Now (I think) I understand what you mean.


> 
> The link I've provided in the previous message contains an example 
> with set_real_ip_from as part of the review.
> 


More information about the nginx-devel mailing list