On Tue, Feb 28, 2023 at 08:05:02PM -0500, Sam Varshavchik wrote:
> Doug McIntyre writes:
> 
> > On Tue, Feb 28, 2023 at 06:22:12PM -0500, Sam Varshavchik wrote:
> >
> > > That's because there is nothing that the server can do to determine the
> > > client's real IP address. When NAT is used, as is apparently the case is
> > > here, as far as the server knows that's the IP address where the 
> > > connection
> > > is coming from, and that's the only IP address that's involved. The real
> > > client IP address is only known to the network proxy.
> >
> >
> > What would it take to have Courier-IMAP support HAProxy Proxy Protocol?
> > https://www.haproxy.com/de/blog/haproxy/proxy-protocol/
> 
> I'm not familiar with haproxy, so I can't say; but Courier takes the  
> incoming connection, sets environment variables to the socket peer's IP  
> address, and forks off the child daemon. Whatever's happening with haproxy,  
> mimicking this should result in logging reflecting the real client IP address.


The problem that I assumed was the issue (but apparently not) is that
when Courier IMAP is set up behind a load balancer/proxy such as HAProxy
without using the proxy protocol extension, the IP address that
Courier IMAP sees is the IP address of the HAProxy, and not the client IP,
because it is the proxy that connected to the service and that is what gets
logged.

In web servers, they developed the X-Forwarded-For: header to handle
working around this, but there are other protocols than just web servers
for which proxy/load balancers are useful, and those don't have this
(i.e. databases, SMTP, DNS, other email services).

When you use the HAProxy Proxy Protocol, it sends additional
information inline with the protocol detailing the true client IP address,
protocol, source ports, etc. etc. etc. Such that when load balanced
through haproxy, the backend client can still log information such as
the client IP address instead of the IP address that connected to it,
(ie. the haproxy machine in front of it). This protocol is documented
here
https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt
As I mentioned, other load balancer devices do support the HAProxy
proxy protocol as a de facto standard.

Otherwise, without this sort of extension, all you get in Courier
IMAP's logs is the IP address of the HAProxy box as one would expect. 

In my case, I have an F5 load balancer in front doing the cut-through
proxy, such that Courier IMAP still sees the client IP, but I
want to change out my EOL'd F5s for HAProxy instead, and I'm going to
lose access to client IP address information unless Courier IMAP
supports the proxy protocol extension.

While HAProxy supports some form of cut-through proxy, it doesn't work
well, nor does it work in my environment. I'd rather that my backend service
supported the HAProxy Proxy Protocol, which has worked very well with other
setups I've done.

_______________________________________________
Courier-imap mailing list
Courier-imap@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
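For readers following the thread, here is what the backend side of the PROXY protocol amounts to. This is an added example, not code from Courier or HAProxy: a Python parser for the v1 (text) and v2 (binary) headers described in proxy-protocol.txt, which recovers the real client address and the remaining payload (the first IMAP command). The sample headers, the trusted-proxy list and the peer addresses are constructed for the example. The one check a practitioner should not skip is the trust check: the header is only honoured when the TCP peer is a known load balancer, otherwise any client on the network could send its own "PROXY ..." line and spoof the address that ends up in the logs.

```python
"""Parse the HAProxy PROXY protocol header (v1 text / v2 binary) that a load
balancer prepends to a forwarded TCP connection and recover the real client.
Sample inputs below are constructed for this example, not captured traffic."""
import ipaddress
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"      # fixed 12-byte v2 signature


@dataclass
class ClientInfo:
    family: str                        # "TCP4", "TCP6" or "UNKNOWN"
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]


UNKNOWN = ClientInfo("UNKNOWN", None, None, None, None)


class ProxyHeaderError(ValueError):
    pass


def _parse_v1(data: bytes) -> Tuple[ClientInfo, bytes]:
    # v1 is one CRLF-terminated ASCII line, at most 107 bytes including CRLF.
    end = data.find(b"\r\n", 0, 107)
    if end < 0:
        raise ProxyHeaderError("v1 header missing CRLF within 107 bytes")
    fields = data[:end].decode("ascii", "strict").split(" ")
    if fields[0] != "PROXY":
        raise ProxyHeaderError("not a PROXY v1 line")
    if fields[1] == "UNKNOWN":        # proxy could not determine the client
        return UNKNOWN, data[end + 2:]
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("malformed v1 header")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ProxyHeaderError("address family does not match protocol field")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return ClientInfo(fields[1], str(src), sport, str(dst), dport), data[end + 2:]


def _parse_v2(data: bytes) -> Tuple[ClientInfo, bytes]:
    # Bytes 12-15: version/command, family/transport, big-endian body length.
    if len(data) < 16:
        raise ProxyHeaderError("short v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ProxyHeaderError("unsupported PROXY version")
    body, rest = data[16:16 + length], data[16 + length:]
    if len(body) != length:
        raise ProxyHeaderError("truncated v2 header")
    if ver_cmd & 0x0F == 0:            # LOCAL: the proxy's own connection (health check)
        return UNKNOWN, rest
    if ver_cmd & 0x0F != 1:
        raise ProxyHeaderError("unknown v2 command")
    family = fam_proto >> 4
    if family == 0x1 and length >= 12:        # AF_INET, STREAM
        s, d, sp, dp = struct.unpack("!4s4sHH", body[:12])
        return ClientInfo("TCP4", socket.inet_ntop(socket.AF_INET, s), sp,
                          socket.inet_ntop(socket.AF_INET, d), dp), rest
    if family == 0x2 and length >= 36:        # AF_INET6, STREAM
        s, d, sp, dp = struct.unpack("!16s16sHH", body[:36])
        return ClientInfo("TCP6", socket.inet_ntop(socket.AF_INET6, s), sp,
                          socket.inet_ntop(socket.AF_INET6, d), dp), rest
    if family == 0x0:                          # AF_UNSPEC
        return UNKNOWN, rest
    raise ProxyHeaderError("unsupported address family or short body")


def parse_proxy_header(data: bytes, peer_ip: str, trusted_proxies) -> Tuple[ClientInfo, bytes]:
    """Return (client, remaining payload).  The header is honoured only when the
    TCP peer is a trusted load balancer; otherwise any client could spoof it."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n, strict=False) for n in trusted_proxies):
        raise ProxyHeaderError(f"PROXY header from untrusted peer {peer_ip}")
    if data.startswith(V2_SIG):
        return _parse_v2(data)
    if data.startswith(b"PROXY "):
        return _parse_v1(data)
    raise ProxyHeaderError("no PROXY header")


def build_v2_ipv4(src: str, sport: int, dst: str, dport: int) -> bytes:
    """Construct a v2 PROXY/AF_INET/STREAM header (helper for the sample below)."""
    body = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HH", sport, dport)
    return V2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", len(body)) + body


# Constructed samples: a client at 203.0.113.7 reaching IMAPS via the balancer.
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 993\r\na1 CAPABILITY\r\n"
SAMPLE_V2 = build_v2_ipv4("203.0.113.7", 51234, "10.0.0.5", 993) + b"a1 CAPABILITY\r\n"
TRUSTED = ["10.0.0.0/24"]             # assumed address range of the HAProxy boxes

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        client, payload = parse_proxy_header(sample, "10.0.0.2", TRUSTED)
        print(client, payload)
```

On the HAProxy side the matching setting is `send-proxy` (v1) or `send-proxy-v2` on the `server` line of the backend; the backend then reads the header before the first protocol byte and logs `client.src_ip` in place of the socket peer. Note that a trusted peer that sends no header is treated as an error rather than falling back to the peer address, so a misconfigured balancer is noticed rather than silently logged as the client.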