haproxy ssl support
Aki Tuomi
aki.tuomi at dovecot.fi
Thu Oct 26 15:17:19 EEST 2017
We are planning to release it later this year.
Aki
> On October 26, 2017 at 3:13 PM KT Walrus <kevin at my.walr.us> wrote:
>
>
> When is 2.3 scheduled to be released?
>
> Kevin
>
> > On Oct 26, 2017, at 7:57 AM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> >
> > Hi!
> >
> > There is support for haproxy SSL TLVs in 2.3. See
> >
> > https://github.com/dovecot/core/compare/f43567aa%5E...b6fbc235.patch
> >
> > Aki
> >
> >> On October 26, 2017 at 12:25 PM Rok Potočnik <r at rula.net> wrote:
> >>
> >>
> >> Even though it seems dovecot (using 2.2.33.1) supports haproxy's
> >> send-proxy-v2, it seems to lack send-proxy-v2-ssl (which also sends
> >> the client's ssl state). It would be a nice feature for the backend server
> >> to identify clients so one wouldn't have to use disable_plaintext_auth
> >> in a production environment.
> >>
> >> --- haproxy.cfg
> >> frontend pop3
> >>     bind [::]:110 v4v6
> >>     bind [::]:995 v4v6 ssl crt /etc/pki/tls/private/haproxy.pem
> >>     mode tcp
> >>     default_backend pop3
> >> backend pop3
> >>     mode tcp
> >>     balance leastconn
> >>     stick store-request src
> >>     stick-table type ip size 200k expire 30m
> >>     timeout connect 5000
> >>     timeout server 50000
> >>     server proxy1 [2001:db8::11]:10110 send-proxy-v2-ssl
> >>     server proxy2 [2001:db8::22]:10110 send-proxy-v2-ssl
> >> ---
> >>
> >> --- dovecot.conf
> >> haproxy_trusted_networks = [2001:db8::]/64
> >> service pop3-login {
> >>   inet_listener pop3_haproxy {
> >>     port = 10110
> >>     haproxy = yes
> >>   }
> >> }
> >> ---
> >>
> >> It would also be nice if haproxy would support STARTTLS offloading but
> >> that's a subject for a different mailing list ;)
> >>
> >> --
> >> BR, Rok
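As an added illustration of what send-proxy-v2-ssl actually puts on the wire and what a backend like Dovecot's haproxy listener has to do with it, here is a small builder and parser for the PROXY protocol v2 header with the SSL TLV (type 0x20, client flag PP2_CLIENT_SSL, sub-TLV 0x21 for the TLS version). This is example code written for this thread, not code from Dovecot or haproxy; the addresses are constructed, and accept_from() stands in for the haproxy_trusted_networks gate, which is what stops an untrusted peer from simply claiming "client used TLS" and bypassing disable_plaintext_auth.

```python
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_SSL = 0x20             # TLV carrying the client's TLS state
PP2_CLIENT_SSL = 0x01           # bit in the SSL TLV's "client" byte
PP2_SUBTYPE_SSL_VERSION = 0x21  # sub-TLV with the negotiated TLS version


def build_header_v6(src, sport, dst, dport, ssl_version=None):
    """Construct a PROXY v2 header (TCP over IPv6) as send-proxy-v2-ssl would emit it."""
    addrs = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    body = addrs + struct.pack("!HH", sport, dport)
    if ssl_version is not None:
        sub = struct.pack("!BH", PP2_SUBTYPE_SSL_VERSION, len(ssl_version)) + ssl_version.encode()
        ssl_val = struct.pack("!BI", PP2_CLIENT_SSL, 0) + sub  # client=SSL, verify=0 (ok)
        body += struct.pack("!BH", PP2_TYPE_SSL, len(ssl_val)) + ssl_val
    # 0x21 = version 2 / PROXY command; 0x21 = AF_INET6 / STREAM
    return PP2_SIGNATURE + bytes([0x21, 0x21]) + struct.pack("!H", len(body)) + body


def parse_header(data):
    """Return (src, sport, dst, dport, client_ssl, ssl_version); raise ValueError on bad input."""
    if data[:12] != PP2_SIGNATURE or data[12] != 0x21:
        raise ValueError("not a PROXY v2 header")
    fam, length = data[13], struct.unpack("!H", data[14:16])[0]
    body = data[16:16 + length]
    if fam != 0x21 or len(body) < 36:
        raise ValueError("unsupported address family or truncated header")
    src, dst = ipaddress.IPv6Address(body[:16]), ipaddress.IPv6Address(body[16:32])
    sport, dport = struct.unpack("!HH", body[32:36])
    client_ssl, ssl_version, pos = False, None, 36
    while pos + 3 <= len(body):                      # walk the TLVs after the addresses
        ttype, tlen = struct.unpack("!BH", body[pos:pos + 3])
        value, pos = body[pos + 3:pos + 3 + tlen], pos + 3 + tlen
        if ttype == PP2_TYPE_SSL and len(value) >= 5:
            client_ssl = bool(value[0] & PP2_CLIENT_SSL)
            sub = value[5:]                          # sub-TLVs follow client byte + verify word
            while len(sub) >= 3:
                stype, slen = struct.unpack("!BH", sub[:3])
                if stype == PP2_SUBTYPE_SSL_VERSION:
                    ssl_version = sub[3:3 + slen].decode()
                sub = sub[3 + slen:]
    return str(src), sport, str(dst), dport, client_ssl, ssl_version


def accept_from(peer, trusted=("2001:db8::/64",)):
    """Only honour a PROXY header from haproxy_trusted_networks (constructed prefix here)."""
    return any(ipaddress.ip_address(peer) in ipaddress.ip_network(n) for n in trusted)
```

A listener that trusts the SSL TLV without the accept_from() check would let any host that can reach port 10110 assert a TLS session it never had.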