Re: PROXY protocol

2015-08-26 Thread Nikolaos Milas

On 25/8/2015 11:13 μμ, Timo Sirainen wrote:



Can we stamp log entries originating from different listeners with a 
configurable label?

Added: http://hg.dovecot.org/dovecot-2.2/rev/a919414e68d2



Thank you Timo!

I am sure this feature will be helpful to all us poor sysadmins :-)

Cheers,
Nick


Re: PROXY protocol

2015-08-25 Thread Nikolaos Milas

On 22/8/2015 2:56 μμ, Nikolaos Milas wrote:

Can we stamp log entries originating from different listeners with a 
configurable label?


Hello,

I haven't received any reply on it. Is it possible or not?

Thanks,
Nick


Re: PROXY protocol

2015-08-25 Thread Timo Sirainen
On 25 Aug 2015, at 20:31, Nikolaos Milas nmi...@noa.gr wrote:
 
 On 22/8/2015 2:56 μμ, Nikolaos Milas wrote:
 
 Can we stamp log entries originating from different listeners with a 
 configurable label?
 
 Hello,
 
 I haven't received any reply on it. Is it possible or not?

Added: http://hg.dovecot.org/dovecot-2.2/rev/a919414e68d2


Re: PROXY protocol

2015-08-24 Thread Nikolaos Milas

On 24/8/2015 3:29 πμ, Tim Groeneveld wrote:


Have you come across any issues after enabling the haproxy on the 
inet_listeners?

Would love to hear if everything is still going OK. I would love to throw
a similar configuration into production.


Hi Tim,

The configuration I described works fine in our test environment: 
behavior and logging is as expected.


However, I have not put it into production yet, so I haven't tested 
under normal load. We are still building our new production environment 
using haproxy servers, so we are not ready to go live.


Experience from tests does not indicate anticipated performance or other 
issues in production.


If you try it, please provide info about your experience.

Best regards,
Nick


Re: PROXY protocol

2015-08-23 Thread Tim Groeneveld

Hey Nikolaos,

 On Sat, 22 Aug 2015 21:56:17 +1000, Nikolaos Milas nmi...@noa.gr wrote:
 
  ...and everything seems to be working fine. Obviously, the proxy sends  
  requests to different ports. For example, requests received by the proxy  
  at port 993 are sent to dovecot's port 23003 etc. 

Have you come across any issues after enabling the haproxy on the 
inet_listeners?

Would love to hear if everything is still going OK. I would love to throw
a similar configuration into production.

Regards,
Tim


Re: PROXY protocol

2015-08-22 Thread Stephan Bosch
On 8/21/2015 at 1:31 PM, Nikolaos Milas wrote:
 On 20/8/2015 11:09 μμ, Nikolaos Milas wrote:

 As soon as I manage to re-build Dovecot with the latest snapshot,
 I'll test it! 

 Hello,

 I've built dovecot with a today snapshot from hg
 (dovecot-2-2-9f815e781beb) and I am trying to enable haproxy.

 I configured as follows (lines added compared to initial config are
 marked with +):

service auth {
+  inet_listener {
+    haproxy = yes
+  }
   unix_listener /var/spool/postfix/private/auth {
     group = postfix
     mode = 0660
     user = postfix
   }
   unix_listener auth-master {
     group = vmail
     mode = 0660
     user = vmail
   }
   user = root
}

Why are you putting this in the auth service? That makes no sense. This
needs to be put in the services that you want to enable the haproxy
protocol for. For pop and imap those are the login services pop3-login
and imap-login.

So, something like:

service imap-login {
  service_count = 1
  vsz_limit = 128 M
  inet_listener imap {
haproxy = yes
port = 143
ssl = no
  }
}

Note that this will prevent normal clients from connecting to port 143,
since the server is expecting the PROXY header. It will drop the
connection if it is absent. If you need to retain normal client access,
e.g. for a webmail client, the haproxy listener can be put on a
different port.

Regards,

Stephan.


Re: PROXY protocol

2015-08-22 Thread Nikolaos Milas

On 22/8/2015 10:38 πμ, Stephan Bosch wrote:


Why are you putting this in the auth service? That makes no sense.


Sorry for my ignorance.


This needs to be put in the services that you want to enable the haproxy
protocol for. For pop and imap those are the login services pop3-login
and imap-login.

...

Note that this will prevent normal clients from connecting to port 143,
since the server is expecting the PROXY header. It will drop the
connection if it is absent. If you need to retain normal client access,
e.g. for a webmail client, the haproxy listener can be put on a
different port.


Thank you Stephan. Following your advice, I configured as follows:

   service imap-login {
     service_count = 1
     vsz_limit = 128 M

     inet_listener {
       haproxy = yes
       port = 23001
       ssl = no
     }

     inet_listener {
       haproxy = yes
       port = 23003
       ssl = yes
     }
   }

   service pop3-login {
     service_count = 1
     vsz_limit = 128 M

     inet_listener {
       haproxy = yes
       port = 23002
       ssl = no
     }

     inet_listener {
       haproxy = yes
       port = 23004
       ssl = yes
     }
   }

...and everything seems to be working fine. Obviously, the proxy sends 
requests to different ports. For example, requests received by the proxy 
at port 993 are sent to dovecot's port 23003 etc.


If you think the config could be better/cleaner, I would appreciate your 
advice.


One final (I hope) question: I would like to see in dovecot logs which 
requests come from the proxy. Can we stamp log entries originating 
from different listeners with a configurable label?


Many thanks,
Nick


Re: PROXY protocol

2015-08-22 Thread Nikolaos Milas

On 22/8/2015 2:56 μμ, Nikolaos Milas wrote:

One final (I hope) question: I would like to see in dovecot logs which 
requests come from the proxy. Can we stamp log entries originating 
from different listeners with a configurable label?


I noticed that dovecot log entries retain the proxy ip address as the 
lip, so they are easily distinguishable. Yet, if it is possible to add 
a label per listener, it would still be useful to identify them all at 
once, because there may be many proxies and therefore different lip's.


All the best,
Nick
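
Nick's observation above, that entries which came through the proxy carry the proxy's address as lip=, is enough to tag them after the fact even without a per-listener label. The Python below is an added example, not Dovecot code, that does exactly that over a few constructed login lines written in the format quoted in this thread: it parses rip=/lip= out of imap-login/pop3-login lines, splits entries by whether lip= belongs to a proxy, prefixes the proxied lines with a label, and lists the real client addresses seen behind each proxy address (which is what the PROXY header buys you in the first place). The sample lines, the documentation-range addresses and the list of proxy addresses are assumptions of the example.

```python
"""Added example: tag Dovecot login log lines by the listener they came in on.

Constructed illustration, not Dovecot code. The sample lines imitate the
imap-login/pop3-login lines quoted in this thread, using documentation-range
addresses; which lip= values belong to the proxy is an assumption passed in.
"""
import ipaddress
import re
from collections import defaultdict

# Common prefix of imap-login / pop3-login lines in 2.2: service, message,
# user=<...>, optional method=, then rip= and lip=.
_LOGIN_LINE = re.compile(
    r"dovecot: (?P<service>(?:imap|pop3)-login): (?P<msg>.+?): "
    r"user=<?(?P<user>[^>,]*)>?, (?:method=(?P<method>\w+), )?"
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)"
)

# Constructed sample: two proxy-facing listeners (lip 203.0.113.10/.11)
# and one listener reached directly (lip 192.0.2.1). The auth: line is
# there to show non-login lines are passed through untouched.
SAMPLE_LOG = """\
Aug 22 10:01:02 vdev dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.10, TLS, session=<a1>
Aug 22 10:01:05 vdev dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 14 secs): user=<tester>, method=PLAIN, rip=198.51.100.9, lip=203.0.113.11, session=<a2>
Aug 22 10:02:11 vdev dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.1, TLS, session=<a3>
Aug 22 10:02:30 vdev dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=203.0.113.10, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<a4>
Aug 22 10:03:00 vdev dovecot: auth: plain(?,198.51.100.9,<a5>): Invalid base64 data in continued response
"""


def parse_login_line(line):
    """Return the login-line fields as a dict, or None for other log lines."""
    m = _LOGIN_LINE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["user"] = fields["user"] or None     # user=<> -> no user yet
    fields["raw"] = line
    return fields


def split_by_listener(log_text, proxy_lips):
    """Sort login lines into those that arrived via the proxy and the rest.

    A line counts as proxied when its lip= is one of the proxy's addresses:
    with the PROXY header honoured, rip= is the real client and lip= is the
    address the client connected to on the proxy.
    """
    proxy_set = {ipaddress.ip_address(a) for a in proxy_lips}
    out = {"proxy": [], "direct": []}
    for line in log_text.splitlines():
        entry = parse_login_line(line)
        if entry is None:
            continue
        via = "proxy" if ipaddress.ip_address(entry["lip"]) in proxy_set else "direct"
        entry["via"] = via
        out[via].append(entry)
    return out


def label_lines(log_text, proxy_lips, label="[via-proxy]"):
    """Re-emit the log with a label in front of the proxied login lines."""
    proxy_set = {ipaddress.ip_address(a) for a in proxy_lips}
    labelled = []
    for line in log_text.splitlines():
        entry = parse_login_line(line)
        if entry and ipaddress.ip_address(entry["lip"]) in proxy_set:
            labelled.append(f"{label} {line}")
        else:
            labelled.append(line)
    return labelled


def clients_per_lip(entries):
    """lip -> sorted list of distinct client addresses (rip=) seen behind it."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["lip"]].add(e["rip"])
    return {lip: sorted(rips) for lip, rips in seen.items()}


if __name__ == "__main__":
    PROXY_LIPS = ["203.0.113.10", "203.0.113.11"]   # assumed proxy addresses
    split = split_by_listener(SAMPLE_LOG, PROXY_LIPS)
    for via, entries in split.items():
        print(via, clients_per_lip(entries))
    print("\n".join(label_lines(SAMPLE_LOG, PROXY_LIPS)))
```

The lip= rule only works because the proxied listeners sit on their own addresses; if a proxy-facing listener and a direct one ever share a lip=, the per-listener label Nick asked for is the only thing that tells them apart.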


Re: PROXY protocol

2015-08-21 Thread Nikolaos Milas

On 20/8/2015 11:09 μμ, Nikolaos Milas wrote:

As soon as I manage to re-build Dovecot with the latest snapshot, I'll 
test it! 


Hello,

I've built dovecot with a today snapshot from hg 
(dovecot-2-2-9f815e781beb) and I am trying to enable haproxy.


I configured as follows (lines added compared to initial config are 
marked with +):


   + haproxy_trusted_networks = 62.217.xxx.xxx/29, 2001:648:xxx:xxx::/64

   service auth {
   +  inet_listener {
   +    haproxy = yes
   +  }
     unix_listener /var/spool/postfix/private/auth {
       group = postfix
       mode = 0660
       user = postfix
     }
     unix_listener auth-master {
       group = vmail
       mode = 0660
       user = vmail
     }
     user = root
   }

   service imap-login {
     service_count = 1
     vsz_limit = 128 M
   }

   service pop3-login {
     service_count = 1
     vsz_limit = 128 M
   }

Dovecot starts OK and accepts connections successfully as usual, but 
when I add the 'send-proxy' directive on haproxy server nodes (in 
haproxy.cfg), clients cannot login.


With pop3s, imaps, I get errors of the form:

Aug 21 13:30:04 vdev dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip={haproxy-server-ip-address}, lip={local-dovecot-server-ip-address}, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<m1tAwM8dDQA+2XwE>
Aug 21 13:30:14 vdev dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip={haproxy-server-ip-address}, lip={local-dovecot-server-ip-address}, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<PCjXwM8degA+2XwE>
Aug 21 13:30:15 vdev dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip={haproxy-server-ip-address}, lip={local-dovecot-server-ip-address}, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<MeTtwM8dfAA+2XwE>


With pop3, imap, I get failed auth messages:

Aug 21 14:18:12 vdev dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 14 secs): user=<tester>, method=PLAIN, rip=62.217.124.4, lip=195.251.204.232, session=<h2yOa9AdKQA+2XwE>


Aug 21 14:20:33 vdev dovecot: auth: plain(?,{haproxy-server-ip-address},<r2/KdNAdYQA+2XwE>): Invalid base64 data in continued response
Aug 21 14:20:38 vdev dovecot: auth: plain(?,{haproxy-server-ip-address},<f8AZddAdZwA+2XwE>): Invalid base64 data in continued response
Aug 21 14:20:38 vdev dovecot: imap-login: Disconnected (auth failed, 1 attempts in 0 secs): user=<>, method=PLAIN, rip={haproxy-server-ip-address}, lip={local-dovecot-server-ip-address}, session=<f8AZddAdZwA+2XwE>


Note: I have replaced real IP addresses with {haproxy-server-ip-address} 
and {local-dovecot-server-ip-address}.


Should I configure things differently?

Please advise.

Thanks,
Nick


Re: PROXY protocol

2015-08-20 Thread Nikolaos Milas

On 19/8/2015 5:43 μμ, Stephan Bosch wrote:


Well...

http://hg.dovecot.org/dovecot-2.2/rev/4d7a83ddb644

Regards,

Stephan. 


That was impressive!

Thank you Timo and Stephan. You are superb!

I hope you will be able to provide some basic guidelines on how to 
enable/use the new functionality. (I am not very code-literate.)


Looking forward to it!

Thanks again!

All the best,
Nick


Re: PROXY protocol

2015-08-20 Thread Tim Groeneveld

Hey Niko,

 On Thu, 20 Aug 2015 16:55:42 +1000, Nikolaos Milas nmi...@noa.gr wrote:
 
  I hope you will be able to provide some basic guidelines on how to  
  enable/use the new functionality. (I am not very code-literate.) 

Looking through the code, the functionality should not be too hard to
enable using the configuration:

# This is a list of trusted networks... ips are separated by , 
# default, empty
haproxy_trusted_networks = 10.1.2.0/24, 10.2.1.0/24

# This is the timeout... in seconds.
# default, 3
# haproxy_timeout = 3

# modify your inet listeners to include haproxy=yes
inet_listener {
haproxy = yes
}


As for HAProxy, the configuration would look something like this:


listen smtp :25
    mode tcp
    option tcplog
    option smtpchk
    balance roundrobin
    server smtp1 ip.of.server1:25 check-send-proxy check inter 10s send-proxy
    server smtp2 ip.of.server2:25 check-send-proxy check inter 10s send-proxy

Regards,
Tim
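
Two messages in this thread describe, between them, what a listener with `haproxy = yes` has to do with the first bytes of every connection: Stephan's note (in his 22 Aug reply above) that the listener expects the PROXY header first and drops the connection if it is absent, and the `haproxy_trusted_networks`, `haproxy_timeout` and `inet_listener { haproxy = yes }` settings Tim lists here. The Python below is an added illustration of that logic, not Dovecot's code: it parses a PROXY protocol v1 line, applies a trusted-peer check modelled on `haproxy_trusted_networks`, and classifies the opening bytes of a connection so that the two mismatches seen in this thread are visible (a normal TLS client reaching a haproxy listener, and a PROXY line reaching a TLS listener that was not told to expect one, which is what OpenSSL reports as "unknown protocol"). The sample bytes, the documentation-range addresses and the policy of dropping untrusted peers are assumptions of the example.

```python
"""Added example: PROXY protocol v1 handling on a haproxy-enabled listener.

Constructed illustration, not Dovecot source. Addresses are taken from the
documentation ranges (RFC 5737 / RFC 3849).
"""
import ipaddress
import re
from dataclasses import dataclass

# PROXY v1 (text) line: "PROXY TCP4|TCP6 src dst sport dport\r\n", at most
# 107 bytes including CRLF. "PROXY UNKNOWN ..." is also legal and means the
# proxy has no client information to pass on.
_V1_LINE = re.compile(rb"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n$")
_MAX_V1 = 107


@dataclass(frozen=True)
class ProxyInfo:
    rip: str    # real client address, what login logs show as rip=
    lip: str    # address the client actually connected to, shown as lip=
    rport: int
    lport: int


class ProxyError(Exception):
    """Raised when the connection should be dropped."""


def parse_trusted(setting: str) -> list:
    """Parse a haproxy_trusted_networks value such as '10.1.2.0/24, 10.2.1.0/24'."""
    return [ipaddress.ip_network(n, strict=False)
            for n in setting.replace(",", " ").split()]


def peer_is_trusted(peer_ip: str, trusted: list) -> bool:
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in trusted)


def parse_proxy_v1(peer_ip: str, first_bytes: bytes, trusted: list) -> ProxyInfo:
    """Return the client info from the PROXY line that must open the connection.

    peer_ip is the TCP peer (the proxy box itself); first_bytes is what was
    read from the socket before any IMAP/POP3/TLS traffic.
    """
    if not peer_is_trusted(peer_ip, trusted):
        # Assumed policy for this example: headers are only believed from the
        # configured networks and anything else is dropped outright; without
        # this, any host could forge rip= by sending its own PROXY line.
        raise ProxyError(f"peer {peer_ip} is not in haproxy_trusted_networks")
    if not first_bytes.startswith(b"PROXY "):
        # A normal client on a haproxy listener lands here: its first bytes
        # are a TLS ClientHello or an IMAP/POP3 command, never "PROXY ...".
        raise ProxyError("connection did not start with a PROXY line")
    end = first_bytes.find(b"\r\n", 0, _MAX_V1)
    if end < 0:
        raise ProxyError("PROXY line not terminated within 107 bytes")
    line = first_bytes[:end + 2]
    if line.startswith(b"PROXY UNKNOWN"):
        # Proxy could not determine the client; fall back to the TCP peer.
        return ProxyInfo(rip=peer_ip, lip="", rport=0, lport=0)
    m = _V1_LINE.match(line)
    if not m:
        raise ProxyError(f"malformed PROXY line: {line!r}")
    fam, src, dst, sport, dport = m.groups()
    try:
        src_ip = ipaddress.ip_address(src.decode("ascii"))
        dst_ip = ipaddress.ip_address(dst.decode("ascii"))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ProxyError(f"bad address in PROXY line: {exc}") from exc
    want = 4 if fam == b"TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ProxyError("address family does not match the TCP4/TCP6 tag")
    rport, lport = int(sport), int(dport)
    if not (0 < rport <= 65535 and 0 < lport <= 65535):
        raise ProxyError("port out of range")
    return ProxyInfo(rip=str(src_ip), lip=str(dst_ip), rport=rport, lport=lport)


def connection_accepted(peer_ip: str, first_bytes: bytes, trusted: list) -> bool:
    """True if the listener would keep the connection, False if it drops it."""
    try:
        parse_proxy_v1(peer_ip, first_bytes, trusted)
        return True
    except ProxyError:
        return False


def describe_first_bytes(first_bytes: bytes) -> str:
    """Say what the opening bytes of a connection look like.

    A TLS listener without haproxy=yes that receives "PROXY ..." hands text
    to OpenSSL, which reports "unknown protocol"; a haproxy listener that
    receives a TLS ClientHello (record type 0x16, version 0x03 0x0X) has no
    PROXY line and drops the client.
    """
    if first_bytes.startswith(b"PROXY "):
        return "proxy-header"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls-client-hello"
    return "plaintext-protocol"


if __name__ == "__main__":
    trusted = parse_trusted("10.1.2.0/24, 10.2.1.0/24")
    hello = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"   # constructed, truncated ClientHello
    via_proxy = b"PROXY TCP4 198.51.100.7 203.0.113.10 51234 993\r\n" + hello
    print(parse_proxy_v1("10.1.2.5", via_proxy, trusted))
    for peer, data in (("10.1.2.5", hello), ("192.0.2.99", via_proxy)):
        try:
            parse_proxy_v1(peer, data, trusted)
        except ProxyError as e:
            print("dropped:", e)
    print(describe_first_bytes(via_proxy), describe_first_bytes(hello))
```

Running it prints the accepted proxied connection, the two drops (a plain client on a haproxy listener, and a PROXY line from a peer outside the trusted networks) and the classification of each byte string. Tim's `haproxy_timeout` bounds how long the listener waits for that first line; reading from a socket under a deadline is left out here.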


Re: PROXY protocol

2015-08-20 Thread Nikolaos Milas

On 20/8/2015 10:35 πμ, Tim Groeneveld wrote:


# This is a list of trusted networks... ips are separated by , 
# default, empty
haproxy_trusted_networks = 10.1.2.0/24, 10.2.1.0/24

# This is the timeout... in seconds.
# default, 3
# haproxy_timeout = 3

# modify your inet listeners to include haproxy=yes
inet_listener {
 haproxy = yes
}


Thank you Tim,

As soon as I manage to re-build Dovecot with the latest snapshot, I'll 
test it!


All the best,
Nick


Re: PROXY protocol

2015-08-19 Thread Stephan Bosch



On 19-8-2015 at 16:36, Nikolaos Milas wrote:

On 12/1/2015 10:29 μμ, Francisco Wagner C. Freire wrote:


+1

On Fri, Jan 9, 2015 at 3:49 PM, Hoggins! fucks...@wheres5.com wrote:


Hello folks,

Any plans on implementing the PROXY protocol to allow Dovecot being
behind a TCP proxy, and still logging the real IP address of the 
users ?

See : http://blog.haproxy.com/haproxy/proxy-protocol/

Thanks !




Any news on that?

In a lot of scenarios the haproxy PROXY protocol will be important.

Please let us know if it is in the roadmap.

Can you please let us know of any alternative solution(s) to pass to 
dovecot real client info through a haproxy server (services imap, 
imaps, pop3, pop3s)?


Well...

http://hg.dovecot.org/dovecot-2.2/rev/4d7a83ddb644

Regards,

Stephan.


Re: PROXY protocol

2015-08-19 Thread Nikolaos Milas

On 12/1/2015 10:29 μμ, Francisco Wagner C. Freire wrote:


+1

On Fri, Jan 9, 2015 at 3:49 PM, Hoggins! fucks...@wheres5.com wrote:


Hello folks,

Any plans on implementing the PROXY protocol to allow Dovecot being
behind a TCP proxy, and still logging the real IP address of the users ?
See : http://blog.haproxy.com/haproxy/proxy-protocol/

Thanks !




Any news on that?

In a lot of scenarios the haproxy PROXY protocol will be important.

Please let us know if it is in the roadmap.

Can you please let us know of any alternative solution(s) to pass to 
dovecot real client info through a haproxy server (services imap, imaps, 
pop3, pop3s)?


Thanks in advance,
Nick


Re: PROXY protocol

2015-01-12 Thread Francisco Wagner C. Freire
+1

On Fri, Jan 9, 2015 at 3:49 PM, Hoggins! fucks...@wheres5.com wrote:

 Hello folks,

 Any plans on implementing the PROXY protocol to allow Dovecot being
 behind a TCP proxy, and still logging the real IP address of the users ?
 See : http://blog.haproxy.com/haproxy/proxy-protocol/

 Thanks !