haproxy ssl support
KT Walrus
kevin at my.walr.us
Thu Oct 26 15:13:57 EEST 2017
When is 2.3 scheduled to be released?
Kevin
> On Oct 26, 2017, at 7:57 AM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>
> Hi!
>
> There is support for haproxy SSL TLVs in 2.3. See
>
> https://github.com/dovecot/core/compare/f43567aa%5E...b6fbc235.patch
>
> Aki
>
>> On October 26, 2017 at 12:25 PM Rok Potočnik <r at rula.net> wrote:
>>
>>
>> Even though it seems dovecot (using 2.2.33.1) supports haproxy's
>> send-proxy-v2, it seems to lack send-proxy-v2-ssl (which also sends
>> client's ssl state). It would be a nice feature for the backend server
>> to identify clients so one wouldn't have to use disable_plaintext_auth
>> on a production environment.
>>
>> --- haproxy.cfg
>> frontend pop3
>>     bind [::]:110 v4v6
>>     bind [::]:995 v4v6 ssl crt /etc/pki/tls/private/haproxy.pem
>>     mode tcp
>>     default_backend pop3
>> backend pop3
>>     mode tcp
>>     balance leastconn
>>     stick store-request src
>>     stick-table type ip size 200k expire 30m
>>     timeout connect 5000
>>     timeout server 50000
>>     server proxy1 [2001:db8::11]:10110 send-proxy-v2-ssl
>>     server proxy2 [2001:db8::22]:10110 send-proxy-v2-ssl
>> ---
>>
>> --- dovecot.conf
>> haproxy_trusted_networks = [2001:db8::]/64
>> service pop3-login {
>>   inet_listener pop3_haproxy {
>>     port = 10110
>>     haproxy = yes
>>   }
>> }
>> ---
>>
>> It would also be nice if haproxy would support STARTTLS offloading but
>> that's a subject for a different mailing list ;)
>>
>> --
>> BR, Rok
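
For reference, an added example (not part of this thread and not Dovecot's code): a minimal Python parser for the PROXY protocol v2 header, showing where the client TLS state that send-proxy-v2-ssl adds is carried, namely the SSL TLV (type 0x20). The function names and the sample header are constructed for illustration; only the PROXY command over IPv4/IPv6 is handled.

```python
import ipaddress
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte PROXY v2 magic
ADDR_LEN = {0x1: 12, 0x2: 36}            # AF_INET / AF_INET6 address block sizes
PP2_TYPE_SSL, PP2_CLIENT_SSL = 0x20, 0x01
SSL_SUBTYPES = {0x21: "version", 0x22: "cn", 0x23: "cipher"}

def iter_tlvs(buf):
    """Yield (type, value); reject TLVs that overrun the buffer."""
    pos = 0
    while pos < len(buf):
        if pos + 3 > len(buf):
            raise ValueError("truncated TLV header")
        kind, length = struct.unpack_from("!BH", buf, pos)
        pos += 3
        if pos + length > len(buf):
            raise ValueError("TLV length exceeds header")
        yield kind, buf[pos:pos + length]
        pos += length

def parse_proxy_v2(data):
    """Return the client address and TLS state carried in a PROXY v2 header."""
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack_from("!BBH", data, 12)
    body = data[16:16 + length]
    alen = ADDR_LEN.get(fam_proto >> 4)
    if ver_cmd != 0x21 or alen is None or len(body) != length or alen > length:
        raise ValueError("unsupported or truncated header")
    info = {"src": str(ipaddress.ip_address(body[:(alen - 4) // 2])), "ssl": False}
    for kind, value in iter_tlvs(body[alen:]):
        if kind != PP2_TYPE_SSL:
            continue
        if len(value) < 5:
            raise ValueError("short SSL TLV")
        client, verify = struct.unpack_from("!BI", value)
        info.update(ssl=bool(client & PP2_CLIENT_SSL), verify=verify)
        for sub, sval in iter_tlvs(value[5:]):
            if sub in SSL_SUBTYPES:
                info[SSL_SUBTYPES[sub]] = sval.decode("ascii", "replace")
    return info

# Constructed sample: what a send-proxy-v2-ssl header could look like for a TLSv1.2 client.
_ssl = struct.pack("!BI", PP2_CLIENT_SSL, 0) + struct.pack("!BH", 0x21, 7) + b"TLSv1.2"
_addr = (ipaddress.ip_address("2001:db8::1").packed
         + ipaddress.ip_address("2001:db8::11").packed + struct.pack("!HH", 50000, 10110))
_body = _addr + struct.pack("!BH", PP2_TYPE_SSL, len(_ssl)) + _ssl
SAMPLE = SIGNATURE + struct.pack("!BBH", 0x21, 0x21, len(_body)) + _body
```

A backend should accept this header only from proxy addresses it trusts (the role of haproxy_trusted_networks in the configuration above), since any peer able to reach the listener could otherwise claim a TLS-protected client.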