Proxy Protocol support #264

Open
ArnCo opened this issue Jun 7, 2023 · 7 comments
Labels
enhancement New feature or request pending answer

Comments

@ArnCo

ArnCo commented Jun 7, 2023

Is your feature request related to a problem? Please describe.
I would like to expose my mail services through traefik. I currently run them as hostPorts.

Describe the solution you'd like
Support proxy protocol, as described here: https://mailu.io/2.0/releases.html#proxy-protocol-support

Additional context
Mailu 2 now supports proxy protocol.

Let me know how I can help :-)

@ArnCo ArnCo added the enhancement New feature or request label Jun 7, 2023
@ArnCo
Author

ArnCo commented Jun 9, 2023

So I have started investigating how it could work. Proxy protocol is supposed to be activated through the PROXY_PROTOCOL env variable, which I have set in the extraEnvVars of the front container:

  extraEnvVars:
    - name: PROXY_PROTOCOL
      value: "mail"

In order to route the TCP traffic from my traefik load balancer, I have created the following CRDs:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mailu-smtp
  namespace: mailu
spec:
  entryPoints:
    - smtp
  routes:
  - match: HostSNI(`*`)
    services:
    - name: mailu-front
      port: 25
      proxyProtocol:
        version: 2
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mailu-imaps
  namespace: mailu
spec:
  entryPoints:
    - imaps
  routes:
  - match: HostSNI(`*`)
    services:
    - name: mailu-front
      port: 993
      proxyProtocol:
        version: 2
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mailu-smtps
  namespace: mailu
spec:
  entryPoints:
    - smtps
  routes:
    - match: HostSNI(`*`)
      services:
      - name: mailu-front
        port: 465
        proxyProtocol:
          version: 2
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mailu-starttls
  namespace: mailu
spec:
  entryPoints:
    - starttls
  routes:
  - match: HostSNI(`*`)
    services:
      - name: mailu-front
        port: 587
        proxyProtocol:
          version: 2

This configuration is functional, BUT results in an open relay (the front container sees the reverse-proxy IP, and does not seem to use Proxy Protocol in order to resolve the real source IP).
Any ideas?

@ArnCo
Author

ArnCo commented Jun 9, 2023

Well, I got it working with the following extraEnvVars:

  extraEnvVars:
    - name: PROXY_PROTOCOL
      value: "mail"
    - name: REAL_IP_FROM
      value: "10.42.0.0/16,fd23:23:42:0::/56"

The service now listens both on IPV4 and IPV6 and successfully resolves origin IPs, so no more open relay! I am not sure what would be the best to integrate it in the Chart, however as realIpFrom can already be set under the ingress, maybe proxy_protocol should be added there as well.

@ArnCo
Author

ArnCo commented Jun 14, 2023

Hi again :-) I came across an issue on my dual stack (IPv4 + IPv6) deployment.
It looks like Dovecot is not happy when Proxy Protocol specifies an IPv6 address while the real IP (of the traefik load balancer) is IPv4, which is the default behavior of traefik, and cannot be changed. For the record, I get this error only for IPv6-originated connections on Dovecot; Postfix handles them without any problem:

imap-login: Error: haproxy(v1): Client disconnected: Proxied local address is invalid (address=`10.42.4.15', rip=10.42.4.15)

Anybody thinking about a solution here? At the moment I just rolled back my imap DNS record to IPv4 only, and everything works like a charm, while Postfix is running fully dual stack.
Cheers,
ArnC
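The two comments above touch the two things a mail front end has to check before it trusts a PROXY protocol header: the header must come from a proxy network listed in REAL_IP_FROM (otherwise anyone who can reach the port could hand the service a forged "internal" source address, which is the open-relay situation from the earlier comment), and the address family announced in the header must match the real connection, which is what Dovecot rejects in the dual-stack case with the `Proxied local address is invalid` error. The following is an added example, not code from the issue or from the Mailu/helm-chart project: a stand-alone Python parser for PROXY protocol v1 (text) and v2 (binary) headers that applies both checks. The trusted CIDRs are the REAL_IP_FROM value from the thread; the peer, local and client addresses are constructed sample values, and `resolve_client` is a hypothetical name, not an API of Dovecot, Postfix or Traefik.

```python
"""PROXY protocol (v1 text / v2 binary) header parsing for a mail front end.

Two checks are made before the carried client address is trusted:
  1. the header must arrive from a trusted proxy network (REAL_IP_FROM-style
     allow list); honouring one from anywhere lets a client claim a source
     address that relay rules treat as internal,
  2. the announced address family must match the real TCP connection, which
     is the dual-stack mismatch hit in the thread (IPv6 header, IPv4 hop).
"""
import ipaddress
import struct
from dataclasses import dataclass

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
V1_MAX_LEN = 107  # spec maximum for a v1 line, CRLF included


class ProxyHeaderError(ValueError):
    """Raised when a header is malformed or must not be trusted."""


@dataclass
class ProxyInfo:
    version: int   # 1 or 2
    family: int    # 4 or 6, as announced by the proxy
    src: str       # original client address
    dst: str       # address the client connected to on the proxy
    src_port: int
    dst_port: int
    consumed: int  # header bytes to strip before the SMTP/IMAP stream starts


def _port(value: int) -> int:
    if not 0 <= value <= 65535:
        raise ProxyHeaderError(f"port out of range: {value}")
    return value


def parse_v1(data: bytes) -> ProxyInfo:
    """Parse 'PROXY TCP4|TCP6 src dst sport dport\\r\\n'."""
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > V1_MAX_LEN:
        raise ProxyHeaderError("v1 header not terminated within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    if fields[:2] == ["PROXY", "UNKNOWN"]:
        raise ProxyHeaderError("PROXY UNKNOWN carries no client address")
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("malformed v1 header")
    family = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != family or dst.version != family:
        raise ProxyHeaderError("v1 address literal does not match announced family")
    return ProxyInfo(1, family, str(src), str(dst),
                     _port(int(fields[4])), _port(int(fields[5])), end + 2)


def parse_v2(data: bytes) -> ProxyInfo:
    """Parse the 16-byte v2 fixed header plus its INET/INET6 address block."""
    if len(data) < 16:
        raise ProxyHeaderError("v2 header truncated")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ProxyHeaderError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ProxyHeaderError("v2 header truncated")
    if ver_cmd & 0x0F != 0x1:
        # LOCAL command (e.g. health checks): the connection is the proxy's own.
        raise ProxyHeaderError("v2 LOCAL command carries no client address")
    if fam_proto & 0x0F != 0x1:
        raise ProxyHeaderError("only STREAM (TCP) transport is meaningful for mail")
    body, family = data[16:16 + length], fam_proto >> 4
    if family == 0x1 and length >= 12:   # AF_INET: 4+4 address bytes, 2+2 port bytes
        s, d, sp, dp = struct.unpack("!4s4sHH", body[:12])
        return ProxyInfo(2, 4, str(ipaddress.IPv4Address(s)),
                         str(ipaddress.IPv4Address(d)), sp, dp, 16 + length)
    if family == 0x2 and length >= 36:   # AF_INET6: 16+16 address bytes, 2+2 port bytes
        s, d, sp, dp = struct.unpack("!16s16sHH", body[:36])
        return ProxyInfo(2, 6, str(ipaddress.IPv6Address(s)),
                         str(ipaddress.IPv6Address(d)), sp, dp, 16 + length)
    raise ProxyHeaderError("unsupported address family or short address block")


def resolve_client(data: bytes, peer_ip: str, local_ip: str, trusted_cidrs) -> ProxyInfo:
    """Return the client the service should act on, or refuse the header.

    peer_ip / local_ip describe the real TCP connection that delivered `data`.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(c) for c in trusted_cidrs):
        raise ProxyHeaderError(f"PROXY header from untrusted peer {peer}; not honoured")
    if data.startswith(V2_SIGNATURE):
        info = parse_v2(data)
    elif data.startswith(b"PROXY "):
        info = parse_v1(data)
    else:
        raise ProxyHeaderError("trusted proxy sent no PROXY header")
    real_family = ipaddress.ip_address(local_ip).version
    if info.family != real_family:
        raise ProxyHeaderError(
            f"proxied address family IPv{info.family} does not match the "
            f"IPv{real_family} connection (address={info.dst!r}, rip={peer})")
    return info


def build_v2_ipv4(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample: encode a v2 PROXY/INET/STREAM header for testing."""
    body = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HH", sport, dport))
    return V2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


TRUSTED = ["10.42.0.0/16", "fd23:23:42:0::/56"]  # REAL_IP_FROM value from the thread

if __name__ == "__main__":
    # Constructed addresses: Traefik pod 10.42.0.5, front pod 10.42.4.15, client 203.0.113.7.
    hdr = build_v2_ipv4("203.0.113.7", "10.42.4.15", 51234, 993)
    print(resolve_client(hdr + b"a001 CAPABILITY\r\n", "10.42.0.5", "10.42.4.15", TRUSTED))
    try:  # IPv6 client announced over an IPv4 hop: the dual-stack case from the thread
        resolve_client(b"PROXY TCP6 2001:db8::1 fd23:23:42::10 40000 993\r\n",
                       "10.42.0.5", "10.42.4.15", TRUSTED)
    except ProxyHeaderError as exc:
        print("rejected:", exc)
```

The family check is deliberately strict: a header that says TCP6 arriving over an IPv4 connection is refused rather than mapped, which is the same outcome the Dovecot log line above shows. The fix applied later in the thread (a separate IPv6 Service and an IngressRouteTCP matching `ClientIP(`::/0`)`) keeps each family on its own hop so this check passes.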

@m5ingh

m5ingh commented Aug 23, 2023

I am trying to recreate this on my k3s cluster, but am getting the error: entryPoint "imaps/smtp/smtps/starttls" doesn't exist.
I would be really thankful if you could share the broad steps to recreate this setup and the relevant parts of the associated YAMLs.

@jjangga0214

jjangga0214 commented Nov 24, 2023

@m5ingh

getting error entryPoint "imaps/smtp/smtps/starttls" doesn't exist.

You should first create the entrypoints from traefik's side.
And then refer to the entrypoints from IngressRoute.

For example, traefik's helm chart has a ports value.
web, websecure, and traefik are defined by default, but you can customize them or add more entrypoints.

    ports:
        web:
          expose: true
          port: 8080
          exposedPort: 80
          protocol: TCP
        websecure:
          expose: true
          port: 8443
          exposedPort: 443
          protocol: TCP
        traefik:
          expose: true
          port: 39000
          exposedPort: 9000
          protocol: TCP
        smtp:
          expose: true
          port: 30025
          exposedPort: 25
          protocol: TCP
        pop3:
          expose: true
          port: 30110
          exposedPort: 110
          protocol: TCP
        imap:
          expose: true
          port: 30143
          exposedPort: 143
          protocol: TCP
        smtps:
          expose: true
          port: 30465
          exposedPort: 465
          protocol: TCP
        starttls:
          expose: true
          port: 30587
          exposedPort: 587
          protocol: TCP
        imaps:
          expose: true
          port: 30993
          exposedPort: 993
          protocol: TCP
        pop3s:
          expose: true
          port: 30995
          exposedPort: 995
          protocol: TCP

@ArnCo
Author

ArnCo commented Oct 29, 2024

Hello there, I see that a proxyProtocol section has been added to the helm file, which is nice. With more fiddling, I have been able to make everything work, both over IPv4 and IPv6, by adding the following service and ingressroute in traefik:

apiVersion: v1
kind: Service
metadata:
  annotations:
    meta.helm.sh/release-name: mailu
    meta.helm.sh/release-namespace: mailu
  labels:
    app.kubernetes.io/component: front
    app.kubernetes.io/instance: mailu
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: mailu
  name: mailu-front-6
  namespace: mailu
spec:
  internalTrafficPolicy: Cluster
  ipFamilies:
    - IPv6
  ipFamilyPolicy: SingleStack
  ports:
    - name: pop3
      port: 110
      protocol: TCP
      targetPort: 110
    - name: pop3s
      port: 995
      protocol: TCP
      targetPort: 995
    - name: imap
      port: 143
      protocol: TCP
      targetPort: 143
    - name: imaps
      port: 993
      protocol: TCP
      targetPort: 993
    - name: smtp
      port: 25
      protocol: TCP
      targetPort: 25
    - name: lmtp
      port: 2525
      protocol: TCP
      targetPort: 2525
    - name: smtps
      port: 465
      protocol: TCP
      targetPort: 465
    - name: smtpd
      port: 587
      protocol: TCP
      targetPort: 587
    - name: smtp-auth
      port: 10025
      protocol: TCP
      targetPort: 10025
    - name: imap-auth
      port: 10143
      protocol: TCP
      targetPort: 10143
    - name: http
      port: 80
      protocol: TCP
      targetPort: 80
    - name: sieve
      port: 14190
      protocol: TCP
      targetPort: 14190
  selector:
    app.kubernetes.io/component: front
    app.kubernetes.io/instance: mailu
    app.kubernetes.io/name: mailu
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mailu-smtp
  namespace: mailu
spec:
  entryPoints:
    - smtp
  routes:
  - match: HostSNI(`*`)
    services:
    - name: mailu-front
      port: 25
      proxyProtocol:
        version: 2
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mailu-imaps-6
  namespace: mailu
spec:
  entryPoints:
    - imaps
  routes:
  - match: HostSNI(`*`) && ClientIP(`::/0`)
    services:
      - name: mailu-front-6
        port: 993
        proxyProtocol:
          version: 2
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mailu-imaps
  namespace: mailu
spec:
  entryPoints:
    - imaps
  routes:
  - match: HostSNI(`*`) && ClientIP(`0.0.0.0/0`)
    services:
      - name: mailu-front
        port: 993
        proxyProtocol:
          version: 2
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mailu-smtps
  namespace: mailu
spec:
  entryPoints:
    - smtps
  routes:
    - match: HostSNI(`*`)
      services:
      - name: mailu-front
        port: 465
        proxyProtocol:
          version: 2
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mailu-starttls
  namespace: mailu
spec:
  entryPoints:
    - starttls
  routes:
  - match: HostSNI(`*`)
    services:
      - name: mailu-front
        port: 587
        proxyProtocol:
          version: 2

@fastlorenzo
Collaborator

Awesome @ArnCo, does it mean we can close this issue?
