haproxy ssl support

KT Walrus kevin at my.walr.us
Thu Oct 26 15:13:57 EEST 2017


When is 2.3 scheduled to be released?

Kevin

> On Oct 26, 2017, at 7:57 AM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> 
> Hi!
> 
> There is support for haproxy SSL TLVs in 2.3. See
> 
> https://github.com/dovecot/core/compare/f43567aa%5E...b6fbc235.patch
> 
> Aki
> 
>> On October 26, 2017 at 12:25 PM Rok Potočnik <r at rula.net> wrote:
>> 
>> 
>> Even though it seems dovecot (using 2.2.33.1) supports haproxy's 
>> send-proxy-v2, it seems to lack send-proxy-v2-ssl (which also sends 
>> client's ssl state). It would be a nice feature for the backend server 
>> to identify clients so one wouldn't have to use disable_plaintext_auth 
>> in a production environment.
>> 
>> --- haproxy.cfg
>> frontend pop3
>>         bind [::]:110 v4v6
>>         bind [::]:995 v4v6 ssl crt /etc/pki/tls/private/haproxy.pem
>>         mode tcp
>>         default_backend pop3
>> backend pop3
>>     mode tcp
>>     balance leastconn
>>     stick store-request src
>>     stick-table type ip size 200k expire 30m
>>     timeout connect 5000
>>     timeout server  50000
>>     server proxy1 [2001:db8::11]:10110 send-proxy-v2-ssl
>>     server proxy2 [2001:db8::22]:10110 send-proxy-v2-ssl
>> ---
>> 
>> --- dovecot.conf
>> haproxy_trusted_networks = [2001:db8::]/64
>> service pop3-login {
>>   inet_listener pop3_haproxy {
>>     port = 10110
>>     haproxy = yes
>>   }
>> }
>> ---
>> 
>> It would also be nice if haproxy would support STARTTLS offloading but 
>> that's a subject for a different mailing list ;)
>> 
>> -- 
>> BR, Rok
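
What `send-proxy-v2-ssl` adds on the wire, shown as an added example that is not part of the original thread or of Dovecot's or HAProxy's code: a minimal Python parser for a PROXY protocol v2 header that reads the client's TLS state from the PP2_TYPE_SSL TLV. The sample header (addresses, ports, TLS version string) is constructed, and `tlvs`, `parse_proxy_v2` and `build_sample` are names chosen for this example.

```python
import ipaddress
import struct
SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"       # 12-byte PROXY v2 signature
PP2_TYPE_SSL = 0x20                          # TLV carrying the client's TLS state
PP2_CLIENT_SSL = 0x01                        # flag: client connected over SSL/TLS
PP2_SUBTYPE_SSL_VERSION = 0x21               # sub-TLV: TLS version string
ADDR_LEN = {0x11: (4, 12), 0x21: (16, 36)}   # TCP4 / TCP6: (IP size, address block size)

def tlvs(buf):
    """Yield (type, value) pairs, rejecting TLVs that overrun the buffer."""
    pos = 0
    while pos < len(buf):
        if pos + 3 > len(buf):
            raise ValueError("truncated TLV header")
        typ, length = struct.unpack_from("!BH", buf, pos)
        if pos + 3 + length > len(buf):
            raise ValueError("TLV length overruns header")
        yield typ, buf[pos + 3:pos + 3 + length]
        pos += 3 + length

def parse_proxy_v2(data):
    """Return source address and TLS state announced in a PROXY v2 header."""
    if len(data) < 16 or data[:12] != SIGNATURE or data[12] != 0x21 or data[13] not in ADDR_LEN:
        raise ValueError("not a supported PROXY v2 header")
    ip_len, block_len = ADDR_LEN[data[13]]
    (total,) = struct.unpack_from("!H", data, 14)
    body = data[16:16 + total]
    if len(body) != total or total < block_len:
        raise ValueError("truncated header")
    info = {"src": str(ipaddress.ip_address(body[:ip_len])), "ssl": False, "tls_version": None}
    for typ, value in tlvs(body[block_len:]):
        if typ == PP2_TYPE_SSL:
            if len(value) < 5:                # 1-byte client flags + 4-byte verify field
                raise ValueError("short SSL TLV")
            info["ssl"] = bool(value[0] & PP2_CLIENT_SSL)
            for sub, sval in tlvs(value[5:]):
                if sub == PP2_SUBTYPE_SSL_VERSION:
                    info["tls_version"] = sval.decode("ascii")
    return info

def build_sample(with_ssl_tlv):
    """Constructed header: 2001:db8::1 port 50000 -> 2001:db8::11 port 10110."""
    addr = ipaddress.ip_address("2001:db8::1").packed + ipaddress.ip_address("2001:db8::11").packed
    addr += struct.pack("!HH", 50000, 10110)
    tlv = b""
    if with_ssl_tlv:
        val = struct.pack("!BIBH", PP2_CLIENT_SSL, 0, PP2_SUBTYPE_SSL_VERSION, 7) + b"TLSv1.2"
        tlv = struct.pack("!BH", PP2_TYPE_SSL, len(val)) + val
    return SIGNATURE + b"\x21\x21" + struct.pack("!H", len(addr) + len(tlv)) + addr + tlv
```

The backend takes these fields on the proxy's word, which is why `haproxy_trusted_networks` should list only the load balancers.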


