haproxy ssl support

Aki Tuomi aki.tuomi at dovecot.fi
Thu Oct 26 14:57:54 EEST 2017


Hi!

There is support for haproxy SSL TLVs in 2.3. See

https://github.com/dovecot/core/compare/f43567aa%5E...b6fbc235.patch

Aki

> On October 26, 2017 at 12:25 PM Rok Potočnik <r at rula.net> wrote:
> 
> 
> Even though it seems dovecot (using 2.2.33.1) supports haproxy's 
> send-proxy-v2, it seems to lack send-proxy-v2-ssl (which also sends 
> client's ssl state). It would be a nice feature for the backend server 
> to identify clients so one wouldn't have to use disable_plaintext_auth 
> on a production environment.
> 
> --- haproxy.cfg
> frontend pop3
>          bind [::]:110 v4v6
>          bind [::]:995 v4v6 ssl crt /etc/pki/tls/private/haproxy.pem
>          mode tcp
>          default_backend pop3
> backend pop3
>      mode tcp
>      balance leastconn
>      stick store-request src
>      stick-table type ip size 200k expire 30m
>      timeout connect 5000
>      timeout server  50000
>      server proxy1 [2001:db8::11]:10110 send-proxy-v2-ssl
>      server proxy2 [2001:db8::22]:10110 send-proxy-v2-ssl
> ---
> 
> --- dovecot.conf
> haproxy_trusted_networks = [2001:db8::]/64
> service pop3-login {
>    inet_listener pop3_haproxy {
>      port = 10110
>      haproxy = yes
>    }
> }
> ---
> 
> It would also be nice if haproxy would support STARTTLS offloading but 
> that's a subject for a different mailing list ;)
> 
> -- 
> BR, Rok
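The SSL TLV that Rok asks about and Aki says 2.3 consumes, as an added example that is not part of this thread or of Dovecot: a small Python parser for the PROXY protocol v2 header that pulls the client's TLS state out of the PP2_TYPE_SSL TLV, so a backend can distinguish a TLS client on 995 from a plaintext one on 110 without resorting to disable_plaintext_auth. The addresses, ports and cipher in the sample header are constructed.

```python
import ipaddress, struct

PP2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_SSL = 0x20             # TLV that carries the client's SSL/TLS state
PP2_CLIENT_SSL = 0x01           # client talked TLS to haproxy
PP2_CLIENT_CERT = 0x02 | 0x04   # client cert on this connection or on the resumed session
SSL_SUBTYPES = {0x21: "version", 0x22: "cn", 0x23: "cipher", 0x24: "sig_alg", 0x25: "key_alg"}

def parse_tlvs(buf):
    """Yield (type, value) pairs from a PROXY v2 TLV area (type:1, length:2, value)."""
    off = 0
    while off + 3 <= len(buf):
        typ, ln = struct.unpack_from("!BH", buf, off)
        yield typ, buf[off + 3:off + 3 + ln]
        off += 3 + ln

def parse_proxy_v2(data):
    """Return (connection info, header length); raises ValueError on a bad header."""
    if data[:12] != PP2_SIG:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam, length = struct.unpack_from("!BBH", data, 12)
    body = data[16:16 + length]
    if ver_cmd >> 4 != 2 or fam >> 4 not in (1, 2) or len(body) < length:
        raise ValueError("bad version, address family or truncated header")
    fmt, addr_len = {1: ("!4s4sHH", 12), 2: ("!16s16sHH", 36)}[fam >> 4]  # AF_INET / AF_INET6
    src, _dst, sp, dp = struct.unpack_from(fmt, body)
    info = {"src": str(ipaddress.ip_address(src)), "src_port": sp, "dst_port": dp,
            "ssl": False, "client_cert": False, "cert_verified": False}
    for typ, val in parse_tlvs(body[addr_len:]):
        if typ == PP2_TYPE_SSL and len(val) >= 5:
            client, verify = struct.unpack_from("!BI", val)   # <client> bitfield, <verify> uint32
            info["ssl"] = bool(client & PP2_CLIENT_SSL)
            info["client_cert"] = bool(client & PP2_CLIENT_CERT)
            info["cert_verified"] = info["client_cert"] and verify == 0   # 0 = verified OK
            for st, sv in parse_tlvs(val[5:]):
                if st in SSL_SUBTYPES:
                    info[SSL_SUBTYPES[st]] = sv.decode("utf-8", "replace")
    return info, 16 + length

def build_sample(tls=True):
    """Constructed header (not a capture) like haproxy's send-proxy-v2-ssl would emit."""
    body = (ipaddress.ip_address("2001:db8::1").packed + ipaddress.ip_address("2001:db8::10").packed
            + struct.pack("!HH", 51000, 995 if tls else 110))
    if tls:  # TLS client that presented no certificate, so <verify> is non-zero
        ssl = struct.pack("!BI", PP2_CLIENT_SSL, 1)
        for st, sv in ((0x21, b"TLSv1.2"), (0x23, b"ECDHE-RSA-AES256-GCM-SHA384")):
            ssl += struct.pack("!BH", st, len(sv)) + sv
        body += struct.pack("!BH", PP2_TYPE_SSL, len(ssl)) + ssl
    return PP2_SIG + struct.pack("!BBH", 0x21, 0x21, len(body)) + body + b"+OK POP3 ready"
```

A backend would then gate plaintext logins on info["ssl"] rather than on which listener the connection arrived at; the TLV is only meaningful on connections from the addresses listed in haproxy_trusted_networks, since anything else could write its own header.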

