sozu-proxy / sozu

Sōzu HTTP reverse proxy, configurable at runtime, fast and safe, built in Rust. It is awesome!
https://www.sozu.io/
GNU Affero General Public License v3.0

Incoming network traffic to Proxy Protocol #1086

Closed shoutmarble closed 8 months ago

shoutmarble commented 9 months ago

I use HAProxy to take incoming network traffic and turn it into Proxy Protocol traffic to be consumed by my Stalwart Email server that consumes the Proxy Protocol.

Right now there are only two solutions to do this, and that is with HAProxy and Varnish.

This is so that the Client IP and the Email Server are working with each other's actual IP values for TLS termination.

I have figured a way without converting the incoming network first to proxy protocol with Traefik to my Proxy Protocol supporting Stalwart Email Server.

But, it looks to be a solution that someone who is good at Traefik would make. A simpler solution like HAProxy is a better solution. Although HAProxy itself is quite a juggernaut to configure.

But, having a feature in SOZU to ingest incoming network traffic to backend Proxy Protocol network traffic, as does HAProxy or Varnish, that would be over the top.

I looked at Caddy + L4 network plugin, but that breaks the consistent Caddy configuration into L4 declarations inside JSON files that are just going to break as the project matures and are incorporated into the baseline of Caddy.

There is docker-easy-haproxy, which by ease of use and features is the best reverse-proxy, although it works from many iterations behind the current HAProxy release version.

But, if SOZU could ingest network traffic and produce backend proxy protocol network traffic as easily as docker-easy-haproxy with just using docker compose labels or JSON, etc, that would be amazing!

Wonshtrum commented 9 months ago

Hi, Sozu can already send the proxy protocol header. It is not a feature I personally use and I don't think it is well tested. You can search the config.toml for these lines:

# activates the proxy protocol to send IP information to the backend
# send_proxy = false

To be clear:

Example config.toml:

activate_listeners = true

[[listeners]]
protocol = "tcp"
address = "..." # Address Sozu is listening on

[clusters.StalwartEmailCluster]
protocol = "tcp"
send_proxy = true # Send Proxy Protocol header to backend
frontends = [
  { address = "..." } # Address Sozu is listening on (same as the listener above)
]
backends = [
  { address = "..." } # Address of your Stalwart Email server
]

Is it what you were looking for?

shoutmarble commented 9 months ago

Yes

Stalwart Server.toml

#############################################
# Server configuration
#############################################

[server]
hostname = "%{HOST}%"
max-connections = 8192

#[server.proxy]  <-- I uncommented 
#trusted-networks = {"127.0.0.0/8", "::1", "10.0.0.0/8"}  <-- and I will put SOZU here

Haproxy.cfg for Proxy-Protocol

frontend FRONT_STALWART
    mode tcp
    bind 0.0.0.0:443                           # JMAP
    bind 0.0.0.0:4190                          # SIEVE
    bind 0.0.0.0:25                            # SMTP
    bind 0.0.0.0:465                           # SMTP
    bind 0.0.0.0:587                           # SMTP
    bind 0.0.0.0:143                           # IMAP
    bind 0.0.0.0:993                           # IMAP

    log stdout format raw local0 debug

    default_backend BACK_STALWART

backend BACK_STALWART
    mode tcp
    log stdout format raw local0 debug

    server STALWART stalwart send-proxy-v2 check port 443
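
An added example, not code from Sozu, HAProxy or Stalwart: what a receiver of the `send-proxy-v2` header has to do for a `trusted-networks` style setting to mean anything, namely take the client address from the header only when the TCP peer is the proxy. The function names, the sample addresses and the IPv4-only scope are assumptions made for illustration; the header layout follows the PROXY protocol v2 specification.

```rust
use std::net::{Ipv4Addr, SocketAddrV4};
// 12-byte signature that opens every PROXY protocol v2 header.
const SIG: [u8; 12] = *b"\r\n\r\n\0\r\nQUIT\n";

// True when `ip` is inside the IPv4 network `net`/`prefix`.
fn in_net(ip: Ipv4Addr, net: Ipv4Addr, prefix: u8) -> bool {
    let shift = 32u32.saturating_sub(prefix as u32);
    let mask = u32::MAX.checked_shl(shift).unwrap_or(0);
    (u32::from(ip) & mask) == (u32::from(net) & mask)
}

// Hypothetical helper: client address from a v2 header, trusted peers only.
fn client_from_header(
    peer: Ipv4Addr,
    trusted: &[(Ipv4Addr, u8)],
    buf: &[u8],
) -> Result<SocketAddrV4, &'static str> {
    if !trusted.iter().any(|&(net, p)| in_net(peer, net, p)) {
        return Err("peer is not a trusted proxy");
    }
    if buf.len() < 16 || !buf.starts_with(&SIG) {
        return Err("missing v2 signature");
    }
    if buf[12] != 0x21 || buf[13] != 0x11 {
        return Err("not a v2 PROXY command for TCP over IPv4");
    }
    let len = u16::from_be_bytes([buf[14], buf[15]]) as usize;
    if len < 12 || buf.len() < 16 + len {
        return Err("truncated address block");
    }
    let src = Ipv4Addr::new(buf[16], buf[17], buf[18], buf[19]);
    Ok(SocketAddrV4::new(src, u16::from_be_bytes([buf[24], buf[25]])))
}

// Constructed sample: client 203.0.113.7:51000 -> 10.0.0.5:25.
fn sample_header() -> Vec<u8> {
    let mut h = SIG.to_vec();
    h.extend_from_slice(&[0x21, 0x11, 0x00, 0x0C, 203, 0, 113, 7, 10, 0, 0, 5]);
    h.extend_from_slice(&51000u16.to_be_bytes());
    h.extend_from_slice(&25u16.to_be_bytes());
    h
}

fn main() {
    let trusted = [(Ipv4Addr::new(10, 0, 0, 0), 8)];
    let hdr = sample_header();
    println!("{:?}", client_from_header(Ipv4Addr::new(10, 0, 0, 2), &trusted, &hdr));
    println!("{:?}", client_from_header(Ipv4Addr::new(198, 51, 100, 9), &trusted, &hdr));
}
```

The same header bytes yield the client address when they arrive from 10.0.0.2 and are refused when they arrive from 198.51.100.9, which is why the trusted list should contain only the proxy's own address range.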