On Wed, Mar 01, 2023 at 03:31:55PM -0700, Grant Taylor via Courier-imap wrote:
> On 3/1/23 11:31 AM, Doug McIntyre wrote:
> > The problem that I assumed was the issue (but apparently not), is 
> > that when Courier IMAP is set up behind a load balancer/proxy such as 
> > HAProxy without using the proxy protocol extension, the IP address 
> > that Courier IMAP sees is the IP address of the HAProxy, and not the 
> > client IP because it is the proxy that connected to the service and 
> > that is what gets logged.
> 
> It's been a long time since I've done anything with HAProxy, but I 
> really thought that it had a configuration mode where it didn't change 
> the source IP of the connection.

There is a transparent mode for certain OS versions, set up a certain
way with iptables and special routing. If your network doesn't match
on everything, it does not work at all. And even then, it only works
partially on other environments. My OS choice does not support it. 

> > When you use the HAProxy Proxy Protocol, it sends 
> > additional information inline with the protocol detailing 
> > the true client IP address, protocol, source ports, 
> > etc. etc. etc. ... This protocol is documented here 
> > https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt
> 
> I read (most of) that document last night.  HAProxy's protocol seems 
> like an interesting solution.  Though I'm not sure I've run into a 
> problem where I needed that specific solution.

Databases, web apps that don't support X-Forwarded-For. Things that
support only L4 load balancing (there are *many* out there). DNS,
mail server applications, etc.
I've set up all of these for my work & client requests.

> I suspect that you would get the real client IP if you use the 
> "transparent" mode.

If it worked in my environment. It does not. 

> > While HAProxy supports some form of cut-through proxy, it doesn't 
> > work well nor in my environment. I'd rather that my backend service 
> > supported the HAProxy Proxy Protocol which has worked very well with 
> > other setups I've done.
> 
> That sounds like additional desires ~> requirements.  ;-)

OTOH, Dovecot and Postfix have supported it for years.  My future
needs will probably push me to Dovecot rather than switching out my base OS.

_______________________________________________
Courier-imap mailing list
Courier-imap@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
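
The PROXY protocol header discussed in this thread, as an added example that is not part of the original message and is not code from Courier, HAProxy, Dovecot or Postfix: a backend-side parser for the human-readable version 1 header that only honours it when the TCP peer is a configured proxy, so a direct client cannot forge the logged address. The function names, the trusted proxy address and the sample bytes are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the only host allowed to send a PROXY header (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]
MAX_V1_LINE = 107  # longest possible v1 header, CRLF included (proxy-protocol.txt)

def parse_proxy_v1(data: bytes):
    """Return ((src_ip, src_port, dst_ip, dst_port) or None, remaining bytes)."""
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":  # proxy could not determine the addresses
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match header")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ValueError("non-numeric port")
    sport, dport = int(fields[4]), int(fields[5])
    if sport > 65535 or dport > 65535:
        raise ValueError("port out of range")
    return (str(src), sport, str(dst), dport), rest

def client_for_log(peer_ip: str, first_bytes: bytes):
    """Choose the address to log and return it with the unconsumed bytes."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Untrusted peer: never interpret a PROXY line, log the socket address.
        return peer_ip, first_bytes
    info, rest = parse_proxy_v1(first_bytes)
    # UNKNOWN carries no client address, so fall back to the proxy's own.
    return (info[0] if info else peer_ip), rest

# Constructed sample: header sent by the proxy, followed by client data.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.20 51234 143\r\na1 CAPABILITY\r\n"

if __name__ == "__main__":
    print(client_for_log("192.0.2.10", SAMPLE))    # via the trusted proxy
    print(client_for_log("198.51.100.5", SAMPLE))  # direct, header not honoured
```
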