On 8/21/2015 at 1:31 PM, Nikolaos Milas wrote:
> On 20/8/2015 11:09 ??, Nikolaos Milas wrote:
>
>> As soon as I manage to re-build Dovecot with the latest snapshot,
>> I'll test it!
>
> Hello,
>
> I've built dovecot with today's snapshot from hg
> (dovecot-2-2-9f815e781beb) and I am trying to enable haproxy.
>
> I configured as follows (lines added compared to initial config are
> marked with +):
>
> service auth {
> +  inet_listener {
> +    haproxy = yes
> +  }
>    unix_listener /var/spool/postfix/private/auth {
>      group = postfix
>      mode = 0660
>      user = postfix
>    }
>    unix_listener auth-master {
>      group = vmail
>      mode = 0660
>      user = vmail
>    }
>    user = root
> }

Why are you putting this in the auth service? That makes no sense.

This needs to be put in the services that you want to enable the haproxy
protocol for. For pop and imap those are the login services pop3-login
and imap-login. So, something like:

service imap-login {
  service_count = 1
  vsz_limit = 128 M
  inet_listener imap {
    haproxy = yes
    port = 143
    ssl = no
  }
}

Note that this will prevent normal clients from connecting to port 143,
since the server is expecting the PROXY header. It will drop the
connection if it is absent. If you need to retain normal client access,
e.g. for a webmail client, the haproxy listener can be put on a
different port.

Regards,

Stephan.

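What a listener with haproxy = yes waits for before any IMAP or POP3 traffic, as an added example that is not part of the original thread and not Dovecot's code: a minimal parser for the text (version 1) header of the PROXY protocol. The function name, exception name and sample addresses are constructed for illustration.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 header including CRLF, per the PROXY protocol spec

class NoProxyHeader(Exception):
    """Peer did not open with a valid PROXY v1 line; a strict listener drops it."""

def parse_proxy_v1(data: bytes):
    """Return (info, rest). info is None for 'PROXY UNKNOWN'."""
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if not data.startswith(b"PROXY ") or end == -1:
        raise NoProxyHeader("connection does not begin with a PROXY v1 line")
    fields = data[:end].decode("ascii", "replace").split(" ")
    rest = data[end + 2:]  # first bytes of the real IMAP/POP3/TLS stream
    if fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise NoProxyHeader("malformed PROXY v1 line")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise NoProxyHeader("non-numeric port")
    try:
        src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    except ValueError:
        raise NoProxyHeader("bad address") from None
    family = 4 if fields[1] == "TCP4" else 6
    sport, dport = int(fields[4]), int(fields[5])
    if {src.version, dst.version} != {family} or max(sport, dport) > 65535:
        raise NoProxyHeader("address family mismatch or port out of range")
    # "client" is the real peer seen by the proxy, "dest" is where it connected.
    return {"client": (str(src), sport), "dest": (str(dst), dport)}, rest

# Constructed samples: a connection relayed by the proxy, and a normal client
# that connects straight to the haproxy-enabled port.
VIA_PROXY = b"PROXY TCP4 198.51.100.7 192.0.2.10 51234 993\r\na1 CAPABILITY\r\n"
DIRECT_CLIENT = b"a1 CAPABILITY\r\n"

if __name__ == "__main__":
    print(parse_proxy_v1(VIA_PROXY))
    try:
        parse_proxy_v1(DIRECT_CLIENT)
    except NoProxyHeader as exc:
        print("dropped:", exc)
```

The header carries no authentication, so the reported client address is only as trustworthy as the set of hosts that can reach the haproxy-enabled port.
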
On 22/8/2015 10:38 ??, Stephan Bosch wrote:
> Why are you putting this in the auth service? That makes no sense.

Sorry for my ignorance.

> This needs to be put in the services that you want to enable the haproxy
> protocol for. For pop and imap those are the login services pop3-login
> and imap-login.
>
> ...
>
> Note that this will prevent normal clients from connecting to port 143,
> since the server is expecting the PROXY header. It will drop the
> connection if it is absent. If you need to retain normal client access,
> e.g. for a webmail client, the haproxy listener can be put on a
> different port.

Thank you Stephan.

Following your advice, I configured as follows:

service imap-login {
  service_count = 1
  vsz_limit = 128 M
  inet_listener {
    haproxy = yes
    port = 23001
    ssl = no
  }
  inet_listener {
    haproxy = yes
    port = 23003
    ssl = yes
  }
}

service pop3-login {
  service_count = 1
  vsz_limit = 128 M
  inet_listener {
    haproxy = yes
    port = 23002
    ssl = no
  }
  inet_listener {
    haproxy = yes
    port = 23004
    ssl = yes
  }
}

...and everything seems to be working fine. Obviously, the proxy sends
requests to different ports. For example, requests received by the proxy
at port 993 are sent to dovecot's port 23003 etc.

If you think the config could be better/cleaner, I would appreciate your
advice.

One final (I hope) question: I would like to see in dovecot logs which
requests come from the proxy. Can we "stamp" log entries originating
from different listeners with a configurable label?

Many thanks,

Nick

On 22/8/2015 2:56 ??, Nikolaos Milas wrote:
> One final (I hope) question: I would like to see in dovecot logs which
> requests come from the proxy. Can we "stamp" log entries originating
> from different listeners with a configurable label?

I noticed that dovecot log entries retain the proxy ip address as the
"lip", so they are easily distinguishable.

Yet, if it is possible to add a label per listener, it would still be
useful to identify them all at once, because there may be many proxies
and therefore different lip's.

All the best,

Nick

Hey Nikolaos,

---- On Sat, 22 Aug 2015 21:56:17 +1000 Nikolaos Milas<nmilas at noa.gr> wrote ----
> ...and everything seems to be working fine. Obviously, the proxy sends
> requests to different ports. For example, requests received by the proxy
> at port 993 are sent to dovecot's port 23003 etc.

Have you come across any issues after enabling the haproxy on the
inet_listeners? Would love to hear if everything is still going OK. I
would love to throw a similar configuration into production.

Regards,

Tim