PROXY protocol
Nikolaos Milas
nmilas at noa.gr
Sat Aug 22 11:56:17 UTC 2015
On 22/8/2015 10:38 AM, Stephan Bosch wrote:
> Why are you putting this in the auth service? That makes no sense.
Sorry for my ignorance.
> This needs to be put in the services that you want to enable the haproxy
> protocol for. For pop and imap those are the login services pop3-login
> and imap-login.
>
> ...
>
> Note that this will prevent normal clients from connecting to port 143,
> since the server is expecting the PROXY header. It will drop the
> connection if it is absent. If you need to retain normal client access,
> e.g. for a webmail client, the haproxy listener can be put on a
> different port.
Thank you Stephan. Following your advice, I configured as follows:
service imap-login {
  service_count = 1
  vsz_limit = 128 M
  inet_listener {
    haproxy = yes
    port = 23001
    ssl = no
  }
  inet_listener {
    haproxy = yes
    port = 23003
    ssl = yes
  }
}

service pop3-login {
  service_count = 1
  vsz_limit = 128 M
  inet_listener {
    haproxy = yes
    port = 23002
    ssl = no
  }
  inet_listener {
    haproxy = yes
    port = 23004
    ssl = yes
  }
}
...and everything seems to be working fine. Obviously, the proxy sends
requests to different ports. For example, requests received by the proxy
at port 993 are sent to dovecot's port 23003 etc.
If you think the config could be better/cleaner, I would appreciate your
advice.
One final (I hope) question: I would like to see in dovecot logs which
requests come from the proxy. Can we "stamp" log entries originating
from different listeners with a configurable label?
Many thanks,
Nick
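
The quoted reply notes that a listener with haproxy = yes expects the PROXY header and drops the connection when it is absent. As an added example (not part of the original message and not Dovecot's code), this Python function parses the text form (version 1) of that header and rejects a stream that does not start with it; the addresses and sample bytes are constructed.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 header line the spec allows, CRLF included


class ProxyHeaderError(ValueError):
    """The connection did not start with a valid PROXY v1 line."""


def parse_proxy_v1(data: bytes):
    """Return (src, dst, rest); src/dst are (ip, port) or None for UNKNOWN."""
    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("missing PROXY header")
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ProxyHeaderError("header not terminated within 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII bytes in header") from None
    rest = data[end + 2:]  # first bytes of the real IMAP/POP3 (or TLS) stream
    if fields[1] == "UNKNOWN":  # proxy could not describe the client
        return None, None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("malformed PROXY line")
    version = 4 if fields[1] == "TCP4" else 6
    try:
        src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    except ValueError:
        raise ProxyHeaderError("bad address") from None
    if src.version != version or dst.version != version:
        raise ProxyHeaderError("address family does not match protocol field")
    if not all(f.isdigit() and int(f) <= 65535 for f in fields[4:6]):
        raise ProxyHeaderError("bad port")
    return (str(src), int(fields[4])), (str(dst), int(fields[5])), rest


# Constructed sample: what the proxy would send ahead of the client's data.
VIA_PROXY = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 993\r\na1 CAPABILITY\r\n"
# Constructed sample: a client that connected to the listener directly.
DIRECT = b"a1 CAPABILITY\r\n"

if __name__ == "__main__":
    print(parse_proxy_v1(VIA_PROXY))
    try:
        parse_proxy_v1(DIRECT)
    except ProxyHeaderError as exc:
        print("connection dropped:", exc)
```

The client address in the header is whatever the sender writes, so ports 23001-23004 from the configuration above should accept connections only from the proxy host.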