haproxy ssl support

Rok Potočnik
Even though it seems dovecot (using 2.2.33.1) supports haproxy's
send-proxy-v2, it seems to lack send-proxy-v2-ssl (which also sends
client's ssl state). It would be a nice feature for the backend server
to identify clients so one wouldn't have to use disable_plaintext_auth
in a production environment.

--- haproxy.cfg
frontend pop3
         bind [::]:110 v4v6
         bind [::]:995 v4v6 ssl crt /etc/pki/tls/private/haproxy.pem
         mode tcp
         default_backend pop3
backend pop3
     mode tcp
     balance leastconn
     stick store-request src
     stick-table type ip size 200k expire 30m
     timeout connect 5000
     timeout server  50000
     server proxy1 [2001:db8::11]:10110 send-proxy-v2-ssl
     server proxy2 [2001:db8::22]:10110 send-proxy-v2-ssl
---

--- dovecot.conf
haproxy_trusted_networks = [2001:db8::]/64
service pop3-login {
   inet_listener pop3_haproxy {
     port = 10110
     haproxy = yes
   }
}
---

It would also be nice if haproxy would support STARTTLS offloading but
that's a subject for a different mailing list ;)

--
BR, Rok
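What send-proxy-v2-ssl actually puts on the wire in front of the POP3 stream, as an added example that is not part of this thread or of Dovecot's or HAProxy's code: a parser for the PROXY protocol v2 header with its PP2_TYPE_SSL TLV (constants from the PROXY protocol spec), which is how the backend can tell that a client came in over the :995 TLS frontend rather than plain :110. Addresses, ports and the "USER alice" payload in the sample are constructed; a listener should only honour such a header from haproxy_trusted_networks, as the dovecot.conf above does.

```python
import ipaddress
import struct

# Constants from the PROXY protocol v2 spec (the header HAProxy's send-proxy-v2-ssl emits).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_SSL, PP2_SUBTYPE_SSL_VERSION, PP2_SUBTYPE_SSL_CN = 0x20, 0x21, 0x22
PP2_CLIENT_SSL, PP2_CLIENT_CERT_CONN = 0x01, 0x02
def tlv(t, value):
    return struct.pack("!BH", t, len(value)) + value
def parse_tlvs(buf):
    """Yield (type, value) pairs; reject a buffer that ends mid-TLV."""
    pos = 0
    while pos < len(buf):
        t, ln = struct.unpack("!BH", buf[pos:pos + 3]) if pos + 3 <= len(buf) else (0, len(buf))
        if pos + 3 + ln > len(buf):
            raise ValueError("truncated TLV")
        yield t, buf[pos + 3:pos + 3 + ln]
        pos += 3 + ln
def parse_proxy_v2(data):
    """Parse a PROXY v2 TCP-over-IPv6 header; return (info, bytes after the header)."""
    if data[:12] != PP2_SIGNATURE or data[12] != 0x21 or data[13] != 0x21:
        raise ValueError("not a PROXY v2 header with PROXY command and TCP6 family")
    length = struct.unpack("!H", data[14:16])[0]
    body, rest = data[16:16 + length], data[16 + length:]
    if len(body) != length or length < 36:
        raise ValueError("truncated header")
    src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
    info = {"src": (str(ipaddress.IPv6Address(src)), sport), "dst_port": dport,
            "tls": False, "client_cert": False, "cert_verified": False}
    for t, v in parse_tlvs(body[36:]):
        if t != PP2_TYPE_SSL or len(v) < 5:
            continue  # other TLV types (ALPN, authority, ...) are not needed here
        client, verify = v[0], struct.unpack("!I", v[1:5])[0]
        info["tls"] = bool(client & PP2_CLIENT_SSL)
        info["client_cert"] = bool(client & PP2_CLIENT_CERT_CONN)
        info["cert_verified"] = info["client_cert"] and verify == 0  # 0 == X509_V_OK
        for st, sv in parse_tlvs(v[5:]):  # sub-TLVs: TLS version, client cert CN, ...
            if st == PP2_SUBTYPE_SSL_VERSION:
                info["tls_version"] = sv.decode()
            elif st == PP2_SUBTYPE_SSL_CN:
                info["client_cn"] = sv.decode()
    return info, rest
def build_v2_header(src, dst, sport, dport, tlvs=b""):
    # Builds the header HAProxy would prepend to the backend stream (used for the sample only).
    body = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    body += struct.pack("!HH", sport, dport) + tlvs
    return PP2_SIGNATURE + b"\x21\x21" + struct.pack("!H", len(body)) + body

# Constructed sample: a client that reached the :995 frontend over TLS 1.2, no client cert.
SSL_TLV = tlv(PP2_TYPE_SSL, bytes([PP2_CLIENT_SSL]) + struct.pack("!I", 0) + tlv(PP2_SUBTYPE_SSL_VERSION, b"TLSv1.2"))
TLS_SAMPLE = build_v2_header("2001:db8:1::10", "2001:db8::1", 51234, 995, SSL_TLV) + b"USER alice\r\n"
```

A header without the SSL TLV (the plain :110 path) parses with tls=False, and a header that is cut off inside a TLV is rejected rather than silently trusted.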
Re: haproxy ssl support

Aki Tuomi-2
Hi!

There is support for haproxy SSL TLVs in 2.3. See

https://github.com/dovecot/core/compare/f43567aa%5E...b6fbc235.patch

Aki

> On October 26, 2017 at 12:25 PM Rok Potočnik <[hidden email]> wrote:
Re: haproxy ssl support

KT Walrus
When is 2.3 scheduled to be released?

Kevin

> On Oct 26, 2017, at 7:57 AM, Aki Tuomi <[hidden email]> wrote:
Re: haproxy ssl support

Aki Tuomi-2
We are planning to release it later this year.

Aki

> On October 26, 2017 at 3:13 PM KT Walrus <[hidden email]> wrote: