Proxy Protocol support #264
Comments
So I have started investigating how it could work. Proxy protocol is supposed to be activated through the
In order to route the TCP traffic from my traefik load balancer, I have created the following CRDs:
This configuration is functional, BUT results in an open relay (the front container sees the reverse-proxy IP and does not seem to use Proxy Protocol in order to resolve the real source IP).
Well, I got it working with the following extraEnvVars:
The service now listens both on IPv4 and IPv6 and successfully resolves origin IPs, so no more open relay! I am not sure what would be the best way to integrate it in the Chart; however, as realIpFrom can already be set under the ingress, maybe proxy_protocol should be added there as well.
Hi again :-) I came across an issue on my dual stack (IPv4 + IPv6) deployment.
Anybody thinking about a solution here? At the moment I just rolled back my imap DNS record to IPv4 only, and everything works like a charm, while postfix is running fully dual stack.
I am trying to recreate this on my k3s cluster, but am getting the error: entryPoint "imaps/smtp/smtps/starttls" doesn't exist.
You should first create the entrypoints from traefik's side. For example, traefik's helm chart has:

```yaml
ports:
  web:
    expose: true
    port: 8080
    exposedPort: 80
    protocol: TCP
  websecure:
    expose: true
    port: 8443
    exposedPort: 443
    protocol: TCP
  traefik:
    expose: true
    port: 39000
    exposedPort: 9000
    protocol: TCP
  smtp:
    expose: true
    port: 30025
    exposedPort: 25
    protocol: TCP
  pop3:
    expose: true
    port: 30110
    exposedPort: 110
    protocol: TCP
  imap:
    expose: true
    port: 30143
    exposedPort: 143
    protocol: TCP
  smtps:
    expose: true
    port: 30465
    exposedPort: 465
    protocol: TCP
  starttls:
    expose: true
    port: 30587
    exposedPort: 587
    protocol: TCP
  imaps:
    expose: true
    port: 30993
    exposedPort: 993
    protocol: TCP
  pop3s:
    expose: true
    port: 30995
    exposedPort: 995
    protocol: TCP
```
Hello there, I see that a proxyProtocol section has been added to the helm file, which is nice. With more fiddling, I have been able to make everything work, both over ipv4 and ipv6, adding the following service and ingressroute in traefik:

```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    meta.helm.sh/release-name: mailu
    meta.helm.sh/release-namespace: mailu
  labels:
    app.kubernetes.io/component: front
    app.kubernetes.io/instance: mailu
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: mailu
  name: mailu-front-6
  namespace: mailu
spec:
  internalTrafficPolicy: Cluster
  ipFamilies:
    - IPv6
  ipFamilyPolicy: SingleStack
  ports:
    - name: pop3
      port: 110
      protocol: TCP
      targetPort: 110
    - name: pop3s
      port: 995
      protocol: TCP
      targetPort: 995
    - name: imap
      port: 143
      protocol: TCP
      targetPort: 143
    - name: imaps
      port: 993
      protocol: TCP
      targetPort: 993
    - name: smtp
      port: 25
      protocol: TCP
      targetPort: 25
    - name: lmtp
      port: 2525
      protocol: TCP
      targetPort: 2525
    - name: smtps
      port: 465
      protocol: TCP
      targetPort: 465
    - name: smtpd
      port: 587
      protocol: TCP
      targetPort: 587
    - name: smtp-auth
      port: 10025
      protocol: TCP
      targetPort: 10025
    - name: imap-auth
      port: 10143
      protocol: TCP
      targetPort: 10143
    - name: http
      port: 80
      protocol: TCP
      targetPort: 80
    - name: sieve
      port: 14190
      protocol: TCP
      targetPort: 14190
  selector:
    app.kubernetes.io/component: front
    app.kubernetes.io/instance: mailu
    app.kubernetes.io/name: mailu
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mailu-smtp
  namespace: mailu
spec:
  entryPoints:
    - smtp
  routes:
    - match: HostSNI(`*`)
      services:
        - name: mailu-front
          port: 25
          proxyProtocol:
            version: 2
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mailu-imaps-6
  namespace: mailu
spec:
  entryPoints:
    - imaps
  routes:
    - match: HostSNI(`*`) && ClientIP(`::/0`)
      services:
        - name: mailu-front-6
          port: 993
          proxyProtocol:
            version: 2
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mailu-imaps
  namespace: mailu
spec:
  entryPoints:
    - imaps
  routes:
    - match: HostSNI(`*`) && ClientIP(`0.0.0.0/0`)
      services:
        - name: mailu-front
          port: 993
          proxyProtocol:
            version: 2
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mailu-smtps
  namespace: mailu
spec:
  entryPoints:
    - smtps
  routes:
    - match: HostSNI(`*`)
      services:
        - name: mailu-front
          port: 465
          proxyProtocol:
            version: 2
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mailu-starttls
  namespace: mailu
spec:
  entryPoints:
    - starttls
  routes:
    - match: HostSNI(`*`)
      services:
        - name: mailu-front
          port: 587
          proxyProtocol:
            version: 2
```
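The "open relay" observation earlier in the thread and the `proxyProtocol: version: 2` setting above both hinge on the same mechanism: the backend only learns the real client address if it parses the PROXY v2 header Traefik prepends to each TCP stream, otherwise it sees the proxy's own (trusted) IP. The following is an added illustration, not code from Mailu or Traefik: a minimal PROXY v2 encoder and decoder following the HAProxy spec framing, run over a constructed IPv6 and IPv4 sample to show the address a backend should derive for access decisions.

```python
import socket
import struct

# PROXY protocol v2 framing (HAProxy proxy-protocol spec): 12-byte signature,
# version/command byte, family/protocol byte, 16-bit address-block length.
V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"
FAM_INET, FAM_INET6 = 0x1, 0x2

def build_v2_header(src, dst, src_port, dst_port):
    """Build the header a proxy such as Traefik (proxyProtocol.version: 2)
    prepends to the stream. Used here only to construct sample input."""
    v6 = ":" in src
    af = socket.AF_INET6 if v6 else socket.AF_INET
    addrs = socket.inet_pton(af, src) + socket.inet_pton(af, dst)
    body = addrs + struct.pack("!HH", src_port, dst_port)
    fam_proto = ((FAM_INET6 if v6 else FAM_INET) << 4) | 0x1  # 0x1 = STREAM
    return V2_SIG + bytes([0x21, fam_proto]) + struct.pack("!H", len(body)) + body

def parse_v2_header(data):
    """Return (src_ip, src_port, dst_ip, dst_port, payload), or None when the
    stream carries no PROXY v2 header. A LOCAL command (proxy health check)
    yields None addresses. Raises ValueError on malformed input."""
    if not data.startswith(V2_SIG):
        return None
    if len(data) < 16:
        raise ValueError("truncated PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("not PROXY protocol v2")
    body, payload = data[16:16 + length], data[16 + length:]
    if len(body) < length:
        raise ValueError("truncated PROXY v2 address block")
    if ver_cmd & 0xF == 0:  # LOCAL: no client address carried
        return None, None, None, None, payload
    fam = fam_proto >> 4
    if fam == FAM_INET and length >= 12:
        s, d, sp, dp = struct.unpack("!4s4sHH", body[:12]); af = socket.AF_INET
    elif fam == FAM_INET6 and length >= 36:
        s, d, sp, dp = struct.unpack("!16s16sHH", body[:36]); af = socket.AF_INET6
    else:
        raise ValueError("unsupported family or short address block")
    return socket.inet_ntop(af, s), sp, socket.inet_ntop(af, d), dp, payload

def effective_client_ip(peer_ip, data):
    """Address a backend should use for relay/auth decisions: the PROXY source
    when a header is present, else the raw TCP peer (i.e. the proxy itself)."""
    parsed = parse_v2_header(data)
    return parsed[0] if parsed and parsed[0] else peer_ip

# Constructed sample: an IPv6 client reaching port 25 through the proxy.
SAMPLE = build_v2_header("2001:db8::10", "2001:db8::1", 51234, 25) + b"EHLO mail.example\r\n"
```

`effective_client_ip("10.42.0.3", b"EHLO ...")` returns the proxy address, which is exactly the situation that looked like an open relay in the thread; the same call with `SAMPLE` returns the client's IPv6 address.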
Awesome @ArnCo, does it mean we can close this issue?
Is your feature request related to a problem? Please describe.
I would like to expose my mail services through traefik. I currently run them as hostPorts.
Describe the solution you'd like
Support proxy protocol, as described here: https://mailu.io/2.0/releases.html#proxy-protocol-support
Additional context
Mailu 2 now supports proxy protocol.
Let me know how I can help :-)