[PATCH] Add proxy_protocol option to mail listener

Maxim Dounin mdounin at mdounin.ru
Thu Jul 20 13:22:15 UTC 2017


Hello!

On Thu, Jul 20, 2017 at 09:52:08AM +0200, Kees Bos wrote:

> On di, 2017-07-18 at 18:02 +0300, Maxim Dounin wrote:
> > Hello!
> > 
> > On Tue, Jul 18, 2017 at 03:13:21PM +0200, Kees Bos wrote:
> > 
> > > 
> > > Some inline stuff just to be sure I do understand what you mean.
> > > 
> > > On di, 2017-07-18 at 15:56 +0300, Maxim Dounin wrote:
> > > > 
> > > > Hello!
> > > > 
> > > > On Tue, Jul 18, 2017 at 12:06:09PM +0200, Kees Bos wrote:
> > > > 
> > > > > 
> > > > > 
> > > > > # HG changeset patch
> > > > > # User Kees Bos <cornelis.bos at gmail.com>
> > > > > # Date 1500371531 0
> > > > > #      Tue Jul 18 09:52:11 2017 +0000
> > > > > # Node ID 8dd6050ca6858d9bea139067611ca5c69cfe8f18
> > > > > # Parent  e3723f2a11b7ec1c196d59c331739bc21d9d9afd
> > > > > Add proxy_protocol option to mail listener
> > > > > 
> > > > > Add support for the mail handlers. This enables the use of an
> > > > > upstream
> > > > > loadbalancer/proxy (like haproxy) that connects with the proxy
> > > > > protocol.
> > > > > 
> > > > > The original ip (as exposed with the proxy protocol) will be
> > > > > used
> > > > > as
> > > > > parameter for the 'Client-IP' in the authentication call and as
> > > > > address
> > > > > in the XCLIENT call.
> > > > > 
> > > > > Optionally (if set), the real ips from the client that are
> > > > > using
> > > > > the
> > > > > proxy protocol can be restricted with "set_real_ip_from".
> > > > This approach looks unsafe and counter-intuitive.
> > > > 
> > > > Instead, address should be changed if and only if there is 
> > > > set_real_ip_from and it lists a particular client address, much 
> > > > like it is done in http and stream modules.
> > > So, "set_real_ip_from" is required as soon as "proxy_protocol" is
> > > used
> > > in the listen directive.
> > > 
> > > Correct?
> > > 
> > > 
> > > > 
> > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > Example config:
> > > > > mail {
> > > > >     server_name mail.example.com;
> > > > >     auth_http   localhost:9000/;
> > > > > 
> > > > >     server {
> > > > >         listen 143 proxy_protocol;
> > > > >         protocol imap;
> > > > >     }
> > > > That is, only parsing of PROXY protocol header should happen
> > > > here.
> > > And the connection will be closed since "set_real_ip_from" is
> > > missing.
> > > 
> > > Correct?
> > > 
> > No.
> > 
> > Try looking at http and/or stream modules: "listen ...  
> > proxy_protocol" means that nginx will accept PROXY protocol 
> > header, and will make its contents available via the 
> > $proxy_protocol_addr and $proxy_protocol_port variables.
> > 
> > When "set_real_ip_from ...; real_ip_header proxy_protocol;" is 
> > additionally used, the address obtained from the PROXY protocol 
> > header will be used as a client address.
> > 
> > > 
> > > > 
> > > > > 
> > > > >     server {
> > > > >         listen 25 proxy_protocol;
> > > > >         protocol smtp;
> > > > >         set_real_ip_from 127.0.0.0/8;
> > > > >         set_real_ip_from ::/128;
> > > > And here we can change client's address if a connection was from 
> > > > listed addresses.
> > > > 
> > > > We may also consider sending the information from the header in 
> > > > separate auth_http headers (something like Proxy-Protocol-IP, 
> > > > Proxy-Protocol-Port?) regardless of set_real_ip_from.  But
> > > > clearly 
> > > > this should be a separate header from Client-IP to make it 
> > > > possible for auth_http script to decide if this information
> > > > should 
> > > > be trusted or not.
> > > Would an additional Client-Real-IP and Client-Real-Port be better?
> > I don't think so.
> > 
> > The word "Real" is misleading.  We don't know if it's real or not, 
> > it is up to the script to decide if the address should be trusted 
> > to use PROXY protocol.
> > 
> > Additionally, it doesn't describe the source of the information, 
> > so it is a) not clear how Client-IP is different from 
> > Client-Real-IP, and b) if a different source will be introduced 
> > (for example, XCLIENT), we will have to invent another way to name 
> > things.
> > 
> > The Proxy-Protocol-IP as proposed above is an attempt to provide 
> > something similar to $proxy_protocol_addr and Client-IP at the 
> > same time.
> > 
> > (Given that we currently don't provide Client-Port in auth_http, 
> > Proxy-Protocol-Port probably is a bad idea.)
> 
> 
> Maybe it would be a bit future proof (in case some other mangling
> protocols will be invented) to use (iff proxy-protocol ip address is
> set) something like:
> 
> Proxy-IP: <connection ip address>
> Original-IP: <proxy-protocol ip address>

I don't see how it resolves the same disadvanteges as outline for 
the Client-Real-IP header.  Much like in the Client-Real-IP case,

- "Original" is misleading, and 

- it will conflict if we'll have an IP address from a different 
  source (for example, the XCLIENT SMTP command).

Additionally, I don't see reasons to introduce Proxy-IP instead of 
currently used Client-IP.  It looks unneeded (we already have 
Client-IP for the very same data, no?) and also confusing (it can 
be easily interpreted as $proxy_protocol_addr instead, at least 
this is what I initially tought when reading your messages).

-- 
Maxim Dounin
http://nginx.org/


More information about the nginx-devel mailing list