Thanks for the quick response. See my comments below:

On Thu, Nov 3, 2016 at 10:13 AM, Maxim Dounin <mdou...@mdounin.ru> wrote:

> Hello!
>
> On Thu, Nov 03, 2016 at 09:41:03AM -0700, Maxim Vladimirsky wrote:
>
> > Hi Folks,
> >
> > I was not sure if you would be interested in this, but decided to run it by
> > you anyway.
> >
> > We need to run Nginx as an SMTP proxy sitting behind ELB in AWS, but we
> > also want the upstream SMTP server to get the real client ip, so Nginx is
> > configured to provide it via an XCLIENT command. However the stock version
> > of Nginx provides ELB's ip instead, because it does not recognize the Proxy
> > Protocol header
> > (http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html#proxy-protocol)
> > sent to it by ELB.
>
> Seems to be perfectly valid use case.
>
> > The following patch updates the mail module so that it can be configured to
> > expect Proxy Protocol header by setting `proxy_protocol on`. In that case
> > Proxy Protocol header is parsed, a client IP is retrieved and passed to an
> > SMTP upstream in an XCLIENT command.
>
> The "proxy_protocol on" is expected to configure sending PROXY
> protocol to an upstream server, similar to how it already works in
> the stream module:
>
> http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_protocol
>
> Accepting PROXY protocol from clients is expected to be enabled
> using a listening socket option instead, similar to what we have
> in http and stream modules:
>
> http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
> http://nginx.org/en/docs/stream/ngx_stream_core_module.html#listen

I will fix that.

> Open question is how it should work though. I.e., if it should
> just unconditionally set provided address as a client one, similar
> to how
>
>     listen 80 proxy_protocol;
>     real_ip_header proxy_protocol;
>     set_real_ip_from 0.0.0.0/0;
>
> works in stream / http, or there should be some advanced control
> like the realip module in stream / http.

Taking ip from Proxy Protocol header and passing it via XCLIENT is really all we need, and I cannot even think of a scenario where we would need any kind of fine tuning of this logic. So this is probably a question to a broader audience.

> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
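The trust question raised in the thread, as an added example that is not part of the original messages and is not nginx code: a PROXY protocol v1 parser that uses the advertised source address for XCLIENT only when the connecting peer is in a trusted range, the role `set_real_ip_from` plays in http / stream. The function names, the `TRUSTED` range and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

MAX_V1_LEN = 107  # PROXY protocol v1 line limit, CRLF included
# Constructed example: the subnet the load balancer connects from (assumption).
TRUSTED = [ipaddress.ip_network("10.0.0.0/16")]


def parse_proxy_v1(buf: bytes):
    """Return (src_ip, rest) for a v1 header; src_ip is None for UNKNOWN."""
    end = buf.find(b"\r\n", 0, MAX_V1_LEN)
    if end < 0:
        raise ValueError("no CRLF-terminated PROXY line within 107 bytes")
    fields = buf[:end].decode("ascii", "strict").split(" ")
    rest = buf[end + 2:]  # bytes after the header belong to the SMTP session
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("not a PROXY v1 header")
    if fields[1] == "UNKNOWN":
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family mismatch")
    for port in fields[4:6]:
        if not port.isdigit() or int(port) > 65535:
            raise ValueError("bad port")
    return src, rest


def xclient_for(peer_ip: str, first_bytes: bytes, trusted=TRUSTED) -> str:
    """Build the XCLIENT line; honour the header only from trusted peers."""
    peer = ipaddress.ip_address(peer_ip)
    client = peer
    if any(peer in net for net in trusted):
        src, _ = parse_proxy_v1(first_bytes)
        client = src or peer  # UNKNOWN carries no address: keep the peer's
    # XCLIENT ADDR takes a bare IPv4 address or an IPV6:-prefixed IPv6 one.
    addr = f"IPV6:{client}" if client.version == 6 else str(client)
    return f"XCLIENT ADDR={addr}\r\n"
```

With a trust list of `0.0.0.0/0` this behaves like the unconditional variant quoted above: any peer that can reach the listener chooses the address the upstream sees.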