Re: [PATCH] Add proxy_protocol option to mail listener

August 07, 2017 07:52AM
On 08/07/2017 03:44 AM, Kees Bos wrote:
>> [...], and when I do set proxy_protocol
>> on the listen directive I see the correct ip and port picked up and
>> logged in the error.log, however, then nginx stops sending the smtp
>> greeting... My mail client connects to my loadbalancer, the lb connects
>> to nginx:587 sending the PROXY line, nginx parses and logs the PROXY
>> fields, then the client times out waiting for any return traffic from
>> nginx... I know it's something I'm doing :-)
>>
>> I'm happy to keep poking away at it, but curious mostly, if you think
>> the approach is sound? (ie. use $proxy_protocol_addr, set by
>> proxy_protocol directive and pass in to auth_http script in auth url as
>> a get param?) and if an initial patch that starts by just setting
>> $proxy_protocol_* variables would be a useful first step in this type of
>> functionality?
>>> Just to get the picture right (it looks to me that your downstream smtp
>>> server expects the proxy protocol), what's the exact flow you're trying
>>> to accomplish?

Hi Kees,

Thanks for looking!

In my use case I have an external hardware loadbalancer that is
receiving end user connections on a VIP, pre-pending proxy_protocol
header and loadbalancing them to a small pool of nginx servers running as
the mail proxies. Nginx is parsing the proxy_protocol header and (I
hope) proxying to my upstream smtp server without passing the
proxy_protocol header, which my upstream smtp server doesn't support (as
currently implemented).

Flow like:

1) Client makes connection to [external-LB-VIP:587] for email submission
2) [external-LB-VIP:587] --> injects proxy_protocol header --> load
balances to set of nginx services via TCP service pool (ie: lb
straight tcp, no application level inspection by loadbalancer, other
than prepending proxy_protocol header)
3) Nginx parses proxy_protocol header, logs client ip and passes
client IP into auth_http script, along with username and password
for authn/authz
4) on successful return response from auth_http; nginx proxies mail
submission to upstream smtp server without proxy_protocol header.


So, if possible, I'd like nginx to get the client ip passed to it from
the external hardware load balancer, log it and then use it in the
auth_http script, but otherwise not pass it on to the upstream smtp
server...

Is this doable?

Thanks,
Wayde.
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel