[Dovecot] proxy_maybe & director incompatibility
Hi Folks,
I spent quite some time yesterday understanding how proxy works along with the director. I came to the conclusion that proxy_maybe and director cannot be used together, but this isn’t a true incompatibility so much as caused by the way things are handled and the order they are processed in.
The way proxy_maybe works is that it is processed by the auth provider once it gets the response from the passdb: it checks for proxy_maybe, then checks for the ‘host’ parameter and compares it to the local IP (this is always null at that stage, because director won’t add host until later). proxy_maybe is deleted and then, if the IPs do not match (i.e. the connection should be proxied), it sets proxy.
This result is returned from the auth provider and then piped into director, which adds the relevant ‘host’ parameter if ‘proxy’ is set. The problem here is that because proxy_maybe is processed before director, it is not possible to conditionally proxy when using director — only if host is also returned from passdb. The secondary problem is that director only adds host= if proxy is set (and the auth code generally assumes proxy/proxy_maybe/proxy_always are exclusive settings) — this logic would also need to change. You would also need some logic to add host only if host doesn’t already exist, to handle situations where proxies might come from both passdb and/or director.
I am seeking to understand if there is any significant reason proxy_maybe is handled during the auth section. It would seem better to simply always set ‘proxy=yes’, and then optionally have proxy_maybe passed all the way through to the connection stage and then do the local host check there.
This would solve my use case, and I cannot imagine what else it would break — but I am no expert on Dovecot or other people’s use cases, so I am hoping for feedback from others on this and what else would need to be considered or why this would not work before I spend time trying to implement the change.
Thanks, Trent Lloyd
w: www.webinabox.net.au
On Wed, 2013-11-27 at 14:43 +0800, Trent Lloyd wrote:
> I am seeking to understand if there is any significant reason proxy_maybe is handled during the auth section. It would seem better to simply always set ‘proxy=yes’, and then optionally have proxy_maybe passed all the way through to the connection stage and then do the local host check there.
Set proxy_always=y and it'll work the way you want.
I considered doing the proxy_maybe check in login processes, but there were some reasons why it wouldn't have worked well. I can't remember why exactly now, although one issue at least was that then the same check would have needed to be done also by LMTP proxy and doveadm proxy.
participants (2): Timo Sirainen, Trent Lloyd