Even though it seems dovecot (using 2.2.33.1) supports haproxy's
send-proxy-v2, it seems to lack send-proxy-v2-ssl (which also sends
client's ssl state). It would be a nice feature for the backend server
to identify clients so one wouldn't have to use disable_plaintext_auth
in a production environment.
--- haproxy.cfg
frontend pop3
bind [::]:110 v4v6
bind [::]:995 v4v6 ssl crt /etc/pki/tls/private/haproxy.pem
mode tcp
default_backend pop3
backend pop3
mode tcp
balance leastconn
stick store-request src
stick-table type ip size 200k expire 30m
timeout connect 5000
timeout server 50000
server proxy1 [2001:db8::11]:10110 send-proxy-v2-ssl
server proxy2 [2001:db8::22]:10110 send-proxy-v2-ssl
---
--- dovecot.conf
haproxy_trusted_networks = [2001:db8::]/64
service pop3-login {
inet_listener pop3_haproxy {
port = 10110
haproxy = yes
}
}
---
It would also be nice if haproxy would support STARTTLS offloading but
that's a subject for a different mailing list ;)
--
BR, Rok
Hi!

There is support for haproxy SSL TLVs in 2.3. See

https://github.com/dovecot/core/compare/f43567aa%5E...b6fbc235.patch

Aki

> On October 26, 2017 at 12:25 PM Rok Potočnik <r at rula.net> wrote:
> [...]
When is 2.3 scheduled to be released?

Kevin

> On Oct 26, 2017, at 7:57 AM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> [...]
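The header Rok and Aki are discussing, as an added example that is not from this thread nor from dovecot or haproxy code: it builds a PROXY protocol v2 header carrying the SSL TLV (type 0x20, the part that send-proxy-v2-ssl adds) and parses it the way a backend such as the pop3-login listener would, including the trusted-peer check that haproxy_trusted_networks performs. Field layouts follow the PROXY protocol v2 specification; the addresses, ports and TLS version are constructed sample values, and Python's ipaddress takes the network without the brackets dovecot's config uses.

```python
import ipaddress
import struct

PP2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte PROXY v2 signature
PP2_TYPE_SSL = 0x20                    # TLV that send-proxy-v2-ssl adds
PP2_SUBTYPE_SSL_VERSION = 0x21         # sub-TLV carrying the TLS version
PP2_CLIENT_SSL = 0x01                  # client flag: connection used TLS

def build_v2_header(src, dst, sport, dport, tls_version=None):
    """Build a v2 PROXY header for one IPv6/TCP client (constructed sample)."""
    body = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    body += struct.pack("!HH", sport, dport)
    if tls_version is not None:
        ver = tls_version.encode()
        sub = struct.pack("!BH", PP2_SUBTYPE_SSL_VERSION, len(ver)) + ver
        # SSL TLV value: client flags (1 byte), verify result (4 bytes), sub-TLVs
        ssl = struct.pack("!BI", PP2_CLIENT_SSL, 0) + sub
        body += struct.pack("!BH", PP2_TYPE_SSL, len(ssl)) + ssl
    # 0x21 = version 2 + PROXY command; 0x21 = AF_INET6 + SOCK_STREAM
    return PP2_SIG + bytes([0x21, 0x21]) + struct.pack("!H", len(body)) + body

def parse_v2_header(data, peer, trusted_net):
    """Parse as a backend would; accept only from a peer inside trusted_net
    (the role of haproxy_trusted_networks), else the header is spoofable."""
    if ipaddress.ip_address(peer) not in ipaddress.ip_network(trusted_net):
        raise PermissionError("PROXY header from untrusted peer %s" % peer)
    if not data.startswith(PP2_SIG):
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd != 0x21 or fam != 0x21 or len(data) < 16 + length:
        raise ValueError("unsupported or truncated v2 header")
    body = data[16:16 + length]
    info = {"src": str(ipaddress.IPv6Address(body[0:16])),
            "dst": str(ipaddress.IPv6Address(body[16:32])),
            "client_ssl": False, "tls_version": None}
    info["sport"], info["dport"] = struct.unpack("!HH", body[32:36])
    pos = 36                               # TLVs follow the address block
    while pos + 3 <= len(body):
        ttype, tlen = struct.unpack("!BH", body[pos:pos + 3])
        val = body[pos + 3:pos + 3 + tlen]
        pos += 3 + tlen
        if ttype != PP2_TYPE_SSL or len(val) < 5:
            continue
        info["client_ssl"] = bool(val[0] & PP2_CLIENT_SSL)
        sub = val[5:]                      # skip client flags + verify result
        while len(sub) >= 3:
            stype, slen = struct.unpack("!BH", sub[:3])
            if stype == PP2_SUBTYPE_SSL_VERSION:
                info["tls_version"] = sub[3:3 + slen].decode()
            sub = sub[3 + slen:]
    return info
```

A plaintext connection on port 110 produces a header without the SSL TLV, so client_ssl stays False and the backend can keep disable_plaintext_auth on while still distinguishing TLS clients.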