haproxy ssl support
Even though it seems dovecot (using 2.2.33.1) supports haproxy's send-proxy-v2, it seems to lack send-proxy-v2-ssl (which also sends client's ssl state). It would be a nice feature for the backend server to identify clients so one wouldn't have to use disable_plaintext_auth on a production environment.
--- haproxy.cfg
frontend pop3
    bind [::]:110 v4v6
    bind [::]:995 v4v6 ssl crt /etc/pki/tls/private/haproxy.pem
    mode tcp
    default_backend pop3

backend pop3
    mode tcp
    balance leastconn
    stick store-request src
    stick-table type ip size 200k expire 30m
    timeout connect 5000
    timeout server 50000
    server proxy1 [2001:db8::11]:10110 send-proxy-v2-ssl
    server proxy2 [2001:db8::22]:10110 send-proxy-v2-ssl
--- dovecot.conf
haproxy_trusted_networks = [2001:db8::]/64
service pop3-login {
  inet_listener pop3_haproxy {
    port = 10110
    haproxy = yes
  }
}
It would also be nice if haproxy would support STARTTLS offloading but that's a subject for a different mailing list ;)
-- BR, Rok
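Added example, not part of the thread or of Dovecot's code: a small decoder for the PROXY protocol v2 header that HAProxy's send-proxy-v2-ssl emits, showing what the backend gains from the SSL TLV (type 0x20) and why the header must only be honoured from a trusted proxy address, the role haproxy_trusted_networks plays in the config above. The header bytes are constructed inline for the demo; the function and variable names (parse_proxy_v2, build_sample, plaintext_auth_allowed, is_trusted_peer) are assumptions of this example, not Dovecot or HAProxy identifiers.

```python
"""Decode a PROXY protocol v2 header, including the SSL TLV that HAProxy's
send-proxy-v2-ssl adds, so a backend can tell whether the client-facing hop
was TLS-protected before it accepts a cleartext auth mechanism.
All sample bytes are constructed here; nothing is read from a real socket."""
import ipaddress
import socket
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte PROXY v2 signature
PP2_TYPE_SSL = 0x20                    # TLV carrying client TLS state
PP2_SUBTYPE_SSL_VERSION = 0x21         # sub-TLV: negotiated TLS version string
PP2_CLIENT_SSL = 0x01                  # client flag: the client hop used TLS


def is_trusted_peer(peer_ip, trusted_networks):
    """True when the address the header arrived from is a known proxy
    (the equivalent of Dovecot's haproxy_trusted_networks check)."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(n) for n in trusted_networks)


def parse_tlvs(buf):
    """Walk type(1) / length(2, big-endian) / value records; strict on length."""
    tlvs = []
    while buf:
        if len(buf) < 3:
            raise ValueError("truncated TLV header")
        t, ln = buf[0], struct.unpack("!H", buf[1:3])[0]
        if len(buf) < 3 + ln:
            raise ValueError("truncated TLV value")
        tlvs.append((t, buf[3:3 + ln]))
        buf = buf[3 + ln:]
    return tlvs


def parse_proxy_v2(data, peer_ip, trusted_networks):
    """Return a dict describing the proxied connection or raise ValueError.
    A header from an untrusted peer is rejected outright: anyone who can
    reach the listener could otherwise claim an arbitrary source and TLS state."""
    if not is_trusted_peer(peer_ip, trusted_networks):
        raise ValueError("PROXY header from untrusted peer %s" % peer_ip)
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version")
    body = data[16:16 + length]
    if len(body) < length:
        raise ValueError("truncated PROXY header")
    info = {"command": "LOCAL" if ver_cmd & 0x0F == 0 else "PROXY",
            "client_tls": False, "tls_version": None}
    if info["command"] == "LOCAL":
        return info  # proxy's own health check; no addresses carried
    family = fam_proto >> 4
    if family == 0x1 and len(body) >= 12:      # AF_INET: 4+4+2+2
        src, _dst, sport, _dport = struct.unpack("!4s4sHH", body[:12])
        info["src"], rest = socket.inet_ntop(socket.AF_INET, src), body[12:]
    elif family == 0x2 and len(body) >= 36:    # AF_INET6: 16+16+2+2
        src, _dst, sport, _dport = struct.unpack("!16s16sHH", body[:36])
        info["src"], rest = socket.inet_ntop(socket.AF_INET6, src), body[36:]
    else:
        raise ValueError("unsupported or truncated address block")
    info["src_port"] = sport
    for t, v in parse_tlvs(rest):
        # SSL TLV value: client flags (1 byte), verify result (4 bytes), sub-TLVs
        if t == PP2_TYPE_SSL and len(v) >= 5:
            info["client_tls"] = bool(v[0] & PP2_CLIENT_SSL)
            for st, sv in parse_tlvs(v[5:]):
                if st == PP2_SUBTYPE_SSL_VERSION:
                    info["tls_version"] = sv.decode("ascii", "replace")
    return info


def plaintext_auth_allowed(info):
    """Policy equivalent of disable_plaintext_auth = yes: permit a cleartext
    mechanism only when the proxy reports the client hop was TLS."""
    return info["client_tls"]


def build_sample(with_tls):
    """Construct a TCP-over-IPv6 PROXY v2 header for the demo (not real traffic)."""
    addrs = (socket.inet_pton(socket.AF_INET6, "2001:db8::1")
             + socket.inet_pton(socket.AF_INET6, "2001:db8::11")
             + struct.pack("!HH", 51000, 995 if with_tls else 110))
    tlvs = b""
    if with_tls:
        sub = struct.pack("!BH", PP2_SUBTYPE_SSL_VERSION, 7) + b"TLSv1.2"
        ssl_val = struct.pack("!BI", PP2_CLIENT_SSL, 1) + sub  # verify=1: no client cert
        tlvs = struct.pack("!BH", PP2_TYPE_SSL, len(ssl_val)) + ssl_val
    body = addrs + tlvs
    return SIGNATURE + struct.pack("!BBH", 0x21, 0x21, len(body)) + body


if __name__ == "__main__":
    trusted = ["2001:db8::/64"]
    for tls in (True, False):
        info = parse_proxy_v2(build_sample(tls), "2001:db8::11", trusted)
        print(info, "plaintext auth allowed:", plaintext_auth_allowed(info))
```

The decision to keep disable_plaintext_auth effective behind a TLS-terminating proxy rests entirely on the PP2_CLIENT_SSL flag, so the trusted-network check is not optional: a backend that parsed the header from any peer would let a direct connection assert "client_tls" for itself.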
Hi!
There is support for haproxy SSL TLVs in 2.3. See
https://github.com/dovecot/core/compare/f43567aa%5E...b6fbc235.patch
Aki
On October 26, 2017 at 12:25 PM Rok Potočnik <r@rula.net> wrote:
When is 2.3 scheduled to be released?
Kevin
On Oct 26, 2017, at 7:57 AM, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
We are planning to release it later this year.
Aki
On October 26, 2017 at 3:13 PM KT Walrus <kevin@my.walr.us> wrote:
participants (3)
- Aki Tuomi
- KT Walrus
- Rok Potočnik