[Solved, RFC needed?] NGINX as IMAP reverse proxy

Started by ruggerio, October 25, 2020, 01:21:34 PM

October 25, 2020, 01:21:34 PM Last Edit: October 26, 2020, 01:12:02 PM by ruggerio
I got nginx running at 80% as a reverse proxy for Dovecot. 80% because I don't get the external IP of the client transferred to the mail server.

If I enable the PROXY protocol, the connection is not accepted. Does anybody have an idea? Maybe I was searching wrong, but Google did not return much on IMAP behind a reverse proxy.

All I would need is having the external IP in the logs of Dovecot.

Thx,
Ruggerio

Can't see how this could be solved.

If you, for example, proxy HTTP requests, the client IP will be the proxy (nginx), but with HTTP there is the chance to set a Forwarded-For header. For IMAP I don't see that chance. It has to do with networking principles: the proxy is not only sending the requests to the IMAP server, it also needs to take care of the answers. It couldn't do this if the source IP were the real client.

Maybe you can explain why you want to reverse proxy IMAP with nginx? Would a simple port forward be too easy? In that case you would see the real IP instantly.
„The S in IoT stands for Security!" :)

I have this already running on HAProxy without any problem. In Dovecot, you have to enter 2 special lines for HAProxy. Of course, this is primarily meant for load-balancing reasons.

haproxy_trusted_networks = 192.168.0.0/24,192.168.1.0/24
haproxy_timeout = 10s



The main goal was having HTTP/S on nginx, as there is a free-of-charge WAF included.

To avoid running both HAProxy and nginx for the same thing, I am trying to switch to nginx.

Ruggerio

As far as I can see, there is only a solution for HAProxy available.
The client IP needs to be sent as additional info.

Saw someone creating an extra log file just for this information.
https://serverfault.com/questions/869863/nginx-mail-proxy-hides-clients-ip

nginx is an IMAP proxy (not available in the UI), but if you want to handle it via TCP, there is a proxy you can install on the IMAP server to handle the PROXY protocol as well:

https://github.com/cloudflare/mmproxy

@fabian
Dovecot is proxy-aware, so I think it makes sense to try to configure it without mmproxy.

October 26, 2020, 07:19:14 AM #6 Last Edit: October 26, 2020, 07:32:39 AM by Fright
@ruggerio
What is your current OPNsense/nginx conf for IMAP? Stream?
For now, when you turn "PROXY protocol" on in the GUI for a stream server, it enables the PROXY protocol both towards the upstream and from the client. So nginx waits for a PROXY protocol header in the IMAP request.
Try to edit nginx.conf and delete the "proxy_protocol" parameter after the port number in the "listen" directive. Then restart nginx and check the result.
For the Dovecot conf I think the "haproxy = yes" directive is needed.

Hi,

I tried with and without the PROXY protocol. In the conf files it's not inserted if you don't click it in the GUI. Without the PROXY protocol it works; I have the HAProxy config listening on 10143, to which Dovecot then returns:

Okt 26 10:28:08 stlucia dovecot[51]: imap-login: Error: haproxy: Client timed out (rip=192.168.3.1)
Okt 26 10:28:08 stlucia dovecot[51]: imap-login: Error: haproxy: Client timed out (rip=192.168.3.1)
Okt 26 10:28:08 stlucia dovecot[51]: imap-login: Error: haproxy: Client timed out (rip=192.168.3.1)
Okt 26 10:28:06 stlucia dovecot[51]: imap-login: Error: haproxy: Client timed out (rip=192.168.3.1)
Okt 26 10:28:06 stlucia dovecot[51]: imap-login: Error: haproxy: Client timed out (rip=192.168.3.1)

...still with the IP of the sense...

Thx,
Ruggerio

October 26, 2020, 10:43:07 AM #8 Last Edit: October 26, 2020, 10:50:32 AM by Fright
No, I suggest enabling PROXY in the GUI but deleting some of the config after that.
I.e. when you enable PROXY in the GUI, the stream server part will look like:
    server {
        listen  143 proxy_protocol;
        listen  [::]:143 proxy_protocol;
       
       blah-blah-blah

        proxy_protocol on;
    }

You can try to make it like:
    server {
        listen  143;
        listen  [::]:143;
       
       blah-blah-blah

        proxy_protocol on;
    }


    # servers
    server {
        listen  143 proxy_protocol;
        listen  [::]:143 proxy_protocol;

        access_log  /var/log/nginx/stream_d3e1b124-88e2-4744-9538-cceaf6f84ff1.access.log main;
        error_log  /var/log/nginx/stream_d3e1b124-88e2-4744-9538-cceaf6f84ff1.error.log info;


        proxy_ssl off;
        proxy_pass upstream3605708c54c0460ca656e8fbaeadabb9;
        proxy_protocol on;

    }


So, this should be correct?

The proxy_protocol parameter in the "listen" directive makes nginx expect the PROXY protocol when a client connects to port 143, so try deleting this parameter.
Only the "proxy_protocol on;" directive is needed to enable the PROXY protocol when talking to the upstream.
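The two directions Fright distinguishes above (a `proxy_protocol` parameter on `listen` makes nginx *expect* a header from the client; `proxy_protocol on;` makes nginx *send* one to the upstream) can be modelled in a few lines. The following is an added example, not code from nginx, Dovecot or OPNsense; the addresses (proxy 192.168.3.1, Dovecot 192.168.3.10:10143), the trusted-network list and the error wording for the untrusted and invalid cases are assumptions chosen to match the thread, while the "Client timed out (rip=...)" message mirrors the Dovecot log lines posted above.

```python
# Added example (not code from nginx, Dovecot or OPNsense): a small model of the
# PROXY protocol v1 hand-off controlled by the two nginx directives discussed.
import ipaddress

# Assumed Dovecot haproxy_trusted_networks; the proxy's address must be in it.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.3.0/24")]
V1_MAX_LEN = 107  # the PROXY protocol spec caps a v1 header line at 107 bytes


def build_v1_header(client_ip, client_port, upstream_ip, upstream_port):
    """The line nginx prepends to the upstream connection when the stream
    server block contains `proxy_protocol on;`."""
    family = "TCP4" if ipaddress.ip_address(client_ip).version == 4 else "TCP6"
    line = f"PROXY {family} {client_ip} {upstream_ip} {client_port} {upstream_port}\r\n"
    return line.encode("ascii")


def accept_with_proxy_protocol(peer_ip, data, trusted=TRUSTED_NETWORKS):
    """Model of a listener that requires a PROXY v1 line before anything else:
    Dovecot's 10143 listener with `haproxy = yes`, or nginx itself when the
    listen directive carries `proxy_protocol`.

    `data` is everything the listener receives before its header timeout
    (haproxy_timeout on the Dovecot side).  Returns ok=True with the address
    the listener will log as rip and the remaining bytes, or ok=False with the
    reason (error wording for the untrusted/invalid cases is this model's own).
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return {"ok": False, "error": f"haproxy: peer {peer_ip} not in trusted networks"}
    end = data.find(b"\r\n", 0, V1_MAX_LEN)
    if end < 0:
        # IMAP clients wait for the server greeting, so when the proxy sends no
        # header nothing arrives at all and the listener gives up at the
        # timeout: the "Client timed out (rip=<proxy>)" error from the thread.
        return {"ok": False, "error": f"haproxy: Client timed out (rip={peer_ip})"}
    fields = data[:end].decode("ascii", "replace").split(" ")
    rest = data[end + 2:]
    if fields[0] != "PROXY" or len(fields) < 2:
        return {"ok": False, "error": f"haproxy: invalid header from rip={peer_ip}"}
    if fields[1] == "UNKNOWN":
        # Spec: the sender cannot tell the origin; fall back to the real peer.
        return {"ok": True, "rip": peer_ip, "rest": rest}
    try:
        if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
            raise ValueError("wrong shape")
        src = ipaddress.ip_address(fields[2])
        ipaddress.ip_address(fields[3])  # destination must parse as well
        if src.version != (4 if fields[1] == "TCP4" else 6):
            raise ValueError("address family mismatch")
        if not all(0 <= int(p) <= 65535 for p in fields[4:6]):
            raise ValueError("bad port")
    except ValueError:
        return {"ok": False, "error": f"haproxy: invalid header from rip={peer_ip}"}
    return {"ok": True, "rip": str(src), "rest": rest}


def relay_via_nginx(client_ip, client_port, client_bytes, proxy_protocol_on):
    """What Dovecot's 10143 listener sees behind the nginx stream proxy.
    proxy_protocol_on mirrors the `proxy_protocol on;` directive; client bytes
    are appended to the same buffer only to keep the model single-shot."""
    nginx_ip, dovecot_ip, dovecot_port = "192.168.3.1", "192.168.3.10", 10143  # assumed
    upstream = b""
    if proxy_protocol_on:
        upstream += build_v1_header(client_ip, client_port, dovecot_ip, dovecot_port)
    return accept_with_proxy_protocol(nginx_ip, upstream + client_bytes)


if __name__ == "__main__":
    # Working setup: `listen 143;` plus `proxy_protocol on;` -> Dovecot logs the real client.
    print(relay_via_nginx("203.0.113.7", 51234, b"a1 CAPABILITY\r\n", True))
    # The "80%" setup: plain stream proxy, Dovecot waits for a header that never comes.
    print(relay_via_nginx("203.0.113.7", 51234, b"", False))
    # A header from a host outside haproxy_trusted_networks is refused.
    print(accept_with_proxy_protocol("10.0.0.9", build_v1_header("203.0.113.7", 51234, "192.168.3.10", 10143)))
```

The trusted-network check is the part worth keeping in mind when reproducing the setup: a PROXY header is just a line of text, so Dovecot only believes it from addresses in haproxy_trusted_networks, and the 10143 listener should never be reachable from anything but the proxy.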

Thx, Fright, I changed it to this:

    server {
        listen  143;
        listen  [::]:143;

        proxy_ssl off;
        proxy_pass upstream3605708c54c0460ca656e8fbaeadabb9;
        proxy_protocol on;

    }


Now, at least it has the same behaviour as sending directly to port 143 with data streaming, meaning that there is not yet a transformation of the external IP. X-Forwarded-For cannot be used in that use case, right? I read that IMAP usually needs ID, which needs a manual implementation for a mail section. But in fact, the connection is now also accepted on port 10143 for the upstream server, which was not the case before.

Not correct, what I wrote. I had an old server inside nginx, which did it wrong. Changed it to the right one, and now it works.

It would be a cool change to have a checkbox in OPNsense or a selection under PROXY protocol:

1) checkbox: use HAProxy protocol
2) selection: instead of clicking the PROXY protocol, have the choice between standard or HAProxy

In case of selecting HAProxy, the entries in the services list (listen part) shouldn't be placed, but still this one here: proxy_protocol on;

This would perhaps make it much easier for mail servers. Shall I file a CR on GitHub? BTW, this is tested with Dovecot only. In my logs I now see the external IPs.

Thx!
Ruggerio

Quote: would be a cool change, having a checkbox in opnense or a selection under proxy protocol:
IMHO it can be two PROXY-enable checkboxes: "accept proxy protocol" and "enable proxy protocol to upstream".
You can file an FR for this, but I got the impression that this is unlikely to work.
So that the changes do not disappear when you apply the nginx config via the GUI, you can insert a stream server config hook in the streams.conf template, stop using the PROXY checkbox in the GUI, and add "proxy_protocol on;" via that hook.

Does there exist some kind of RTFM for this?

Thx,
Ruggerio