haproxy ssl support

26 Oct 2017


      Even though it seems dovecot (using 2.2.33.1) supports haproxy's
send-proxy-v2, it seems to lack send-proxy-v2-ssl (which also sends
client's ssl state). It would be a nice feature for the backend server
to identify clients so one wouldn't have to use disable_plaintext_auth
on a production environment.
--- haproxy.cfg
frontend pop3
bind [::]:110 v4v6
bind [::]:995 v4v6 ssl crt /etc/pki/tls/private/haproxy.pem
mode tcp
default_backend pop3
backend pop3
mode tcp
balance leastconn
stick store-request src
stick-table type ip size 200k expire 30m
timeout connect 5000
timeout server  50000
server proxy1 [2001:db8::11]:10110 send-proxy-v2-ssl
server proxy2 [2001:db8::22]:10110 send-proxy-v2-ssl
--- dovecot.conf
haproxy_trusted_networks = [2001:db8::]/64
service pop3-login {
inet_listener pop3_haproxy {
port = 10110
haproxy = yes
}
}
It would also be nice if haproxy would support STARTTLS offloading but
that's a subject for a different mailing list ;)
--
BR, Rok

haproxy ssl support

Rok Potočnik

--- dovecot.conf haproxy_trusted_networks = [2001:db8::]/64 service pop3-login { inet_listener pop3_haproxy { port = 10110 haproxy = yes } }