On 3/1/23 11:31 AM, Doug McIntyre wrote:
The problem that I assumed was the issue (but apparently not), is that when Courier IMAP is set up behind a load balancer/proxy such as HAProxy without using the proxy protocol extension, the IP address that Courier IMAP sees is the IP address of the HAProxy, and not the client IP because it is the proxy that connected to the service and that is what gets logged.

It's been a long time since I've done anything with HAProxy, but I really thought that it had a configuration mode where it didn't change the source IP of the connection.

Maybe I'm conflating HAProxy with Linux Virtual Server (LVS).

Looking at the HAProxy documentation seems to indicate that HAProxy operates on the TCP layer.

It does look like HAProxy supports transparent connections:

§ 3.3.1 -- Basic features : Proxying -- Transparent connect : spoof the client's (or any) IP address if needed when connecting to the server;

Link - HAProxy version 2.7.3-6 - Starter Guide
 - http://docs.haproxy.org/2.7/intro.html#3.1

When you use the HAProxy Proxy Protocol, it sends additional information inline with the protocol detailing the true client IP address, protocol, source ports, etc. etc. etc. ... This protocol is documented here https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt

I read (most of) that document last night. HAProxy's protocol seems like an interesting solution. Though I'm not sure I've run into a problem where I needed that specific solution.

I wonder if anyone has created -- what I assume would be -- a TUN (as opposed to TAP) device that receives HAProxy protocol and converts it into a traditional interface for daemons to listen to, much like a GRE tunnel interface. This seems like a logical option to enable more things to support HAProxy Protocol without needing to modify the daemons themselves. This also seems like it might enable doing other interesting things with the traffic. }:-)

Otherwise, without this sort of extension, all you get in Courier IMAP's logs is the IP address of the HAProxy box as one would expect.

I suspect that you would get the real client IP if you use the "transparent" mode.

While HAProxy supports some form of cut-through proxy, it doesn't work well nor in my environment. I'd rather that my backend service supported the HAProxy Proxy Protocol which has worked very well with other setups I've done.

That sounds like additional desires ~> requirements.  ;-)



--
Grant. . . .
unix || die
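
Added example, not part of the original message and not code from Courier or HAProxy: a sketch of how a backend could read the PROXY protocol v1 line discussed above and choose the address to log, honouring the header only when the TCP peer is a known proxy. The function names, the trusted-proxy set and the sample header are assumptions constructed for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest v1 line per proxy-protocol.txt, CRLF included
# Constructed sample values (documentation/private address ranges).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
SAMPLE_HEADER = b"PROXY TCP4 203.0.113.7 192.0.2.10 56324 143\r\n"

def parse_proxy_v1(header: bytes):
    """Return (src_ip, src_port, dst_ip, dst_port), or None for
    'PROXY UNKNOWN'. Raise ValueError on a malformed line."""
    if len(header) > MAX_V1_HEADER or not header.endswith(b"\r\n"):
        raise ValueError("header too long or not CRLF-terminated")
    try:
        fields = header[:-2].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in header") from None
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None  # the proxy could not describe the connection
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("bad protocol or field count")
    family = 4 if fields[1] == "TCP4" else 6
    # ip_address() itself raises ValueError for an invalid address.
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != family or dst.version != family:
        raise ValueError("address family mismatch")
    ports = []
    for p in fields[4:6]:
        if not p.isdigit() or int(p) > 65535:
            raise ValueError("bad port")
        ports.append(int(p))
    return str(src), ports[0], str(dst), ports[1]

def address_to_log(peer_ip: str, header: bytes, trusted_proxies) -> str:
    """Pick the address a backend should record for this connection."""
    if ipaddress.ip_address(peer_ip) not in trusted_proxies:
        # Any client can type a PROXY line, so a header from an
        # untrusted peer is ignored and the TCP peer is logged.
        return peer_ip
    parsed = parse_proxy_v1(header)
    return parsed[0] if parsed else peer_ip

if __name__ == "__main__":
    print(address_to_log("10.0.0.5", SAMPLE_HEADER, TRUSTED_PROXIES))
    print(address_to_log("198.51.100.9", SAMPLE_HEADER, TRUSTED_PROXIES))
```

Without the peer check, the logged client address would be whatever the connecting host chose to send.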

