Hello folks,
Any plans on implementing the PROXY protocol to allow Dovecot to be behind a TCP proxy and still log the real IP address of the users? See: http://blog.haproxy.com/haproxy/proxy-protocol/
Thanks!
+1
On Fri, Jan 9, 2015 at 3:49 PM, Hoggins! fuckspam@wheres5.com wrote:
> Hello folks,
> Any plans on implementing the PROXY protocol to allow Dovecot to be behind a TCP proxy and still log the real IP address of the users? See: http://blog.haproxy.com/haproxy/proxy-protocol/
> Thanks!
On 12/1/2015 10:29 PM, Francisco Wagner C. Freire wrote:
> +1
> On Fri, Jan 9, 2015 at 3:49 PM, Hoggins! fuckspam@wheres5.com wrote:
> > Hello folks,
> > Any plans on implementing the PROXY protocol to allow Dovecot to be behind a TCP proxy and still log the real IP address of the users? See: http://blog.haproxy.com/haproxy/proxy-protocol/
> > Thanks!
Any news on that?
In a lot of scenarios the haproxy PROXY protocol will be important.
Please let us know if it is in the roadmap.
Can you please let us know of any alternative solution(s) to pass real client info to dovecot through a haproxy server (services imap, imaps, pop3, pop3s)?
Thanks in advance, Nick
On 19-8-2015 at 16:36, Nikolaos Milas wrote:
> On 12/1/2015 10:29 PM, Francisco Wagner C. Freire wrote:
> > +1
> > On Fri, Jan 9, 2015 at 3:49 PM, Hoggins! fuckspam@wheres5.com wrote:
> > > Hello folks,
> > > Any plans on implementing the PROXY protocol to allow Dovecot to be behind a TCP proxy and still log the real IP address of the users? See: http://blog.haproxy.com/haproxy/proxy-protocol/
> > > Thanks!
> Any news on that?
> In a lot of scenarios the haproxy PROXY protocol will be important.
> Please let us know if it is in the roadmap.
> Can you please let us know of any alternative solution(s) to pass real client info to dovecot through a haproxy server (services imap, imaps, pop3, pop3s)?
Well...
http://hg.dovecot.org/dovecot-2.2/rev/4d7a83ddb644
Regards,
Stephan.
On 19/8/2015 5:43 PM, Stephan Bosch wrote:
> Well...
> http://hg.dovecot.org/dovecot-2.2/rev/4d7a83ddb644
> Regards,
> Stephan.
That was impressive!
Thank you Timo and Stephan. You are superb!
I hope you will be able to provide some basic guidelines on how to enable/use the new functionality. (I am not very code-literate.)
Looking forward to it!
Thanks again!
All the best, Nick
Hey Niko,
---- On Thu, 20 Aug 2015 16:55:42 +1000 Nikolaos Milas nmilas@noa.gr wrote ----
> I hope you will be able to provide some basic guidelines on how to
> enable/use the new functionality. (I am not very code-literate.)
Looking through the code, the functionality should not be too hard to enable using the configuration:
# This is a list of trusted networks... IPs are separated by ", "
# default: empty
haproxy_trusted_networks = 10.1.2.0/24, 10.2.1.0/24

# This is the timeout... in seconds.
# default: 3
# haproxy_timeout = 3

# modify your inet listeners to include haproxy=yes
inet_listener {
  haproxy = yes
}
As for HAProxy, the configuration would look something like this:
listen smtp :25
    mode tcp
    option tcplog
    option smtpchk
    balance roundrobin
    server smtp1 ip.of.server1:25 check-send-proxy check inter 10s send-proxy
    server smtp2 ip.of.server2:25 check-send-proxy check inter 10s send-proxy
Regards, Tim
On 20/8/2015 10:35 AM, Tim Groeneveld wrote:
> # This is a list of trusted networks... IPs are separated by ", "
> # default: empty
> haproxy_trusted_networks = 10.1.2.0/24, 10.2.1.0/24
>
> # This is the timeout... in seconds.
> # default: 3
> # haproxy_timeout = 3
>
> # modify your inet listeners to include haproxy=yes
> inet_listener {
>   haproxy = yes
> }
Thank you Tim,
As soon as I manage to re-build Dovecot with the latest snapshot, I'll test it!
All the best, Nick
On 20/8/2015 11:09 PM, Nikolaos Milas wrote:
> As soon as I manage to re-build Dovecot with the latest snapshot, I'll test it!
Hello,
I've built dovecot with today's snapshot from hg (dovecot-2-2-9f815e781beb) and I am trying to enable haproxy.
I configured as follows (lines added compared to initial config are marked with +):
+ haproxy_trusted_networks = 62.217.xxx.xxx/29, 2001:648:xxx:xxx::/64
service auth {
+ inet_listener {
+ haproxy = yes
+ }
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-master {
group = vmail
mode = 0660
user = vmail
}
user = root
}
service imap-login {
service_count = 1
vsz_limit = 128 M
}
service pop3-login {
service_count = 1
vsz_limit = 128 M
}
Dovecot starts OK and accepts connections successfully as usual, but when I add the 'send-proxy' directive on haproxy server nodes (in haproxy.cfg), clients cannot login.
With pop3s, imaps, I get errors of the form:
Aug 21 13:30:04 vdev dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip={haproxy-server-ip-address}, lip={local-dovecot-server-ip-address}, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=
With pop3, imap, I get failed auth messages:
Aug 21 14:18:12 vdev dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 14 secs): user=<tester>, method=PLAIN, rip=62.217.124.4, lip=195.251.204.232, session=
Aug 21 14:20:33 vdev dovecot: auth: plain(?,{haproxy-server-ip-address},
Note: I have replaced real IP addresses with {haproxy-server-ip-address} and {local-dovecot-server-ip-address}.
Should I configure things differently?
Please advise.
Thanks, Nick
On 8/21/2015 at 1:31 PM, Nikolaos Milas wrote:
> On 20/8/2015 11:09 PM, Nikolaos Milas wrote:
> > As soon as I manage to re-build Dovecot with the latest snapshot, I'll test it!
> Hello,
> I've built dovecot with today's snapshot from hg (dovecot-2-2-9f815e781beb) and I am trying to enable haproxy.
> I configured as follows (lines added compared to initial config are marked with +):
> service auth {
> - inet_listener {
> - haproxy = yes
> - }
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
>   unix_listener auth-master {
>     group = vmail
>     mode = 0660
>     user = vmail
>   }
>   user = root
> }
Why are you putting this in the auth service? That makes no sense. This needs to be put in the services that you want to enable the haproxy protocol for. For pop and imap those are the login services pop3-login and imap-login.
So, something like:
service imap-login {
  service_count = 1
  vsz_limit = 128 M
  inet_listener imap {
    haproxy = yes
    port = 143
    ssl = no
  }
}
Note that this will prevent normal clients from connecting to port 143, since the server is expecting the PROXY header. It will drop the connection if it is absent. If you need to retain normal client access, e.g. for a webmail client, the haproxy listener can be put on a different port.
Regards,
Stephan.
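As an added illustration (not Dovecot's own code), here is a small parser for the PROXY protocol v1 line that applies the two checks this thread relies on: the sending peer must be inside haproxy_trusted_networks (Tim's setting above), or any client could forge its "real" IP, and a connection on a haproxy=yes listener that carries no header is dropped, as Stephan notes. The sample bytes, the 10.1.2.0/24 network and the peer addresses are constructed.

```python
import ipaddress

# Constructed sample inputs (not captured from the thread): the first bytes a
# Dovecot login listener with haproxy=yes would read from a new connection.
TRUSTED = ["10.1.2.0/24"]   # plays the role of haproxy_trusted_networks
FROM_PROXY = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 993\r\n\x16\x03\x01\x00\xf1"
FROM_CLIENT = b"\x16\x03\x01\x00\xf1\x01\x00\x00\xed\x03\x03"  # bare TLS ClientHello, no header

class ProxyHeaderError(ValueError):
    """Raised when the connection must be dropped instead of served."""

def parse_proxy_v1(data, peer_ip, trusted):
    """Return (client_ip, client_port, remaining_bytes) from a PROXY v1 header.

    The header is only believed when the peer that sent it is a trusted proxy;
    without a header the connection is rejected, which is what a plain client
    hitting a haproxy=yes port runs into.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted):
        raise ProxyHeaderError("peer %s is not a trusted proxy" % peer_ip)
    end = data.find(b"\r\n")
    # A v1 header is ASCII, starts with "PROXY " and is at most 107 bytes incl. CRLF.
    if not data.startswith(b"PROXY ") or end < 0 or end > 105:
        raise ProxyHeaderError("no PROXY header (e.g. a bare TLS ClientHello)")
    fields = data[:end].decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":          # proxy knows nothing about the client
        return None, None, data[end + 2:]
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("malformed PROXY header: %r" % data[:end])
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ProxyHeaderError("address family does not match %s" % fields[1])
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return str(src), sport, data[end + 2:]

def rejection_reason(data, peer_ip, trusted):
    """Helper: the error text if the connection would be dropped, else None."""
    try:
        parse_proxy_v1(data, peer_ip, trusted)
    except ProxyHeaderError as err:
        return str(err)
    return None

if __name__ == "__main__":
    print(parse_proxy_v1(FROM_PROXY, "10.1.2.5", TRUSTED)[:2])    # real client ip/port
    print(rejection_reason(FROM_CLIENT, "10.1.2.5", TRUSTED))    # dropped: no header
    print(rejection_reason(FROM_PROXY, "198.51.100.9", TRUSTED)) # dropped: untrusted peer
```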
On 22/8/2015 10:38 AM, Stephan Bosch wrote:
> Why are you putting this in the auth service? That makes no sense.
Sorry for my ignorance.
> This needs to be put in the services that you want to enable the haproxy protocol for. For pop and imap those are the login services pop3-login and imap-login.
> ...
> Note that this will prevent normal clients from connecting to port 143, since the server is expecting the PROXY header. It will drop the connection if it is absent. If you need to retain normal client access, e.g. for a webmail client, the haproxy listener can be put on a different port.
Thank you Stephan. Following your advice, I configured as follows:
service imap-login {
service_count = 1
vsz_limit = 128 M
inet_listener {
haproxy = yes
port = 23001
ssl = no
}
inet_listener {
haproxy = yes
port = 23003
ssl = yes
}
}
service pop3-login {
service_count = 1
vsz_limit = 128 M
inet_listener {
haproxy = yes
port = 23002
ssl = no
}
inet_listener {
haproxy = yes
port = 23004
ssl = yes
}
}
...and everything seems to be working fine. Obviously, the proxy sends requests to different ports. For example, requests received by the proxy at port 993 are sent to dovecot's port 23003 etc.
If you think the config could be better/cleaner, I would appreciate your advice.
One final (I hope) question: I would like to see in dovecot logs which requests come from the proxy. Can we "stamp" log entries originating from different listeners with a configurable label?
Many thanks, Nick
On 22/8/2015 2:56 PM, Nikolaos Milas wrote:
> One final (I hope) question: I would like to see in dovecot logs which requests come from the proxy. Can we "stamp" log entries originating from different listeners with a configurable label?
I noticed that dovecot log entries retain the proxy ip address as the "lip", so they are easily distinguishable. Yet, if it is possible to add a label per listener, it would still be useful to identify them all at once, because there may be many proxies and therefore different lip's.
All the best, Nick
Hey Nikolaos,
---- On Sat, 22 Aug 2015 21:56:17 +1000 Nikolaos Milas nmilas@noa.gr wrote ----
> ...and everything seems to be working fine. Obviously, the proxy sends
> requests to different ports. For example, requests received by the proxy
> at port 993 are sent to dovecot's port 23003 etc.
Have you come across any issues after enabling the haproxy on the inet_listeners?
Would love to hear if everything is still going OK. I would love to throw a similar configuration into production.
Regards, Tim
On 24/8/2015 3:29 AM, Tim Groeneveld wrote:
> Have you come across any issues after enabling the haproxy on the inet_listeners?
> Would love to hear if everything is still going OK. I would love to throw a similar configuration into production.
Hi Tim,
The configuration I described works fine in our test environment: behavior and logging is as expected.
However, I have not put it into production yet, so I haven't tested under normal load. We are still building our new production environment using haproxy servers, so we are not ready to go live.
Experience from tests does not indicate anticipated performance or other issues in production.
If you try it, please provide info about your experience.
Best regards, Nick
On 25 Aug 2015, at 20:31, Nikolaos Milas nmilas@noa.gr wrote:
> On 22/8/2015 2:56 PM, Nikolaos Milas wrote:
> > Can we "stamp" log entries originating from different listeners with a configurable label?
> Hello,
> I haven't received any reply on it. Is it possible or not?
On 25/8/2015 11:13 PM, Timo Sirainen wrote:
> > Can we "stamp" log entries originating from different listeners with a configurable label?
Thank you Timo!
I am sure this feature will be helpful to all us poor sysadmins.... :-)
Cheers, Nick
participants (6): Francisco Wagner C. Freire, Hoggins!, Nikolaos Milas, Stephan Bosch, Tim Groeneveld, Timo Sirainen