[Users] Recompiilng Zimbra's Nginx

Omar Mochtar iomarmochtar at gmail.com
Fri Dec 22 09:53:12 CET 2017 

If i implementing fail2ban or other blocking method in proxy or mailbox
server it will blocking IP of HAproxy.

On Dec 22, 2017 15:47, "Barry de Graaff" <info at barrydegraaff.tk> wrote:

Perhaps use iptables and fail2ban...

Similar to
https://github.com/Zimbra-Community/mailing-lists/wiki/DDOS-protection

Why not use zimbra dosfilter?

Barry

On 22 Dec 2017, at 09:33, Omar Mochtar <iomarmochtar at gmail.com> wrote:



Yes, HAProxy is in front of zimbra MTA & proxy server, since it's a load
balancer.

What i found in HAproxy log file is just information of source & destinated
server and it's very verbose because used in quite high client traffic so i
cannot trace what source IP is (try) using X account just like in normal
nginx.log without haproxy.



On Dec 22, 2017 15:13, "Barry de Graaff" <info at barrydegraaff.tk> wrote:

> Hello Omar,
>
> I dunno, but isn’t easier to just put haproxy in front of zimbra proxy and
> block all from there?
>
> Barry
>
> On 22 Dec 2017, at 08:47, Omar Mochtar <iomarmochtar at gmail.com> wrote:
>
> Hi All,
>
>
>
> Here's the background of the issue: I implemented HAProxy as Load Balancer
> for Zimbra MTA & Proxy (webmail, pop3, imap) services and it's running
> smoothly until we have brute force issue then when i want to block the
> source of brute force IP but it just shown HAProxy server's IP in the log
> files since the traffics are come from it.
>
>
> After searching the solution is using HAProxy's Proxy Protocol that will
> add additional source information in package that will be forwarded to it's
> backend servers. For Postfix there is clear documentation in HaProxy's
> official blog (https://www.haproxy.com/blog/efficient-smtp-relay-infrastru
> cture-with-postfix-and-load-balancers/) and for the rest service
> (webmail, pop3, imap) which handled with Nginx the clue is only this
> documentation http://nginx.org/en/docs/stream/ngx_stream_proxy_module.
> html#proxy_protocol .
>
>
> Unfortunately nginx's proxy_protocol configuration  is available from
> version 1.9.2 and Nginx version in Zimbra 8.7 is 1.7.1 .
>
> The question is how to recompiling new version of Nginx (including it's
> zmlookup modules, etc)  that will be replaced the existing one ?
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zetalliance.org/pipermail/users_lists.zetalliance.org/attachments/20171222/9ffcbaaf/attachment.html>

More information about the Users mailing list