[Users] Recompiling Zimbra's Nginx

Omar Mochtar iomarmochtar at gmail.com
Fri Dec 22 10:13:43 CET 2017


I have tried it already before,

that's why, to make Zimbra's Nginx understand the proxy protocol which
comes from HAProxy, it must be recompiled with a new version (>= 1.9), as the mailbox
reads the X-Forwarded-For header from nginx

Here's an illustration of the traffic flow:

CLIENT ==> HAPROXY ==|proxy protocol|==> NGINX ==|X-Forwarded-For|==> MAILBOX


For Zimbra's Postfix it's already done with a similar flow, as I documented in
https://iomarmochtar.wordpress.com/2017/11/21/using-haproxy-against-zimbra-mta-services-reveal-origin-ip/


On Fri, Dec 22, 2017 at 4:00 PM, Barry de Graaff <info at barrydegraaff.tk>
wrote:

> No, it will not, but you need to pass on the external ip in oip
>
> https://github.com/Zimbra-Community/account-history#log-external-ip
>
> You may also need to do this in haproxy,
>
> Barry
>
> On 22 Dec 2017, at 09:53, Omar Mochtar <iomarmochtar at gmail.com> wrote:
>
> If I implement fail2ban or another blocking method on the proxy or mailbox
> server, it will block the IP of HAProxy.
>
> On Dec 22, 2017 15:47, "Barry de Graaff" <info at barrydegraaff.tk> wrote:
>
> Perhaps use iptables and fail2ban...
>
> Similar to
> https://github.com/Zimbra-Community/mailing-lists/wiki/DDOS-protection
>
> Why not use zimbra dosfilter?
>
> Barry
>
> On 22 Dec 2017, at 09:33, Omar Mochtar <iomarmochtar at gmail.com> wrote:
>
>
>
> Yes, HAProxy is in front of the Zimbra MTA & proxy server, since it's a load
> balancer.
>
> What I found in the HAProxy log file is just information about the source &
> destination server, and it's very verbose because it's used with quite high client
> traffic, so I cannot trace what source IP is (trying) to use account X, just like
> in a normal nginx.log without HAProxy.
>
>
>
> On Dec 22, 2017 15:13, "Barry de Graaff" <info at barrydegraaff.tk> wrote:
>
>> Hello Omar,
>>
>> I dunno, but isn't it easier to just put haproxy in front of zimbra proxy
>> and block all from there?
>>
>> Barry
>>
>> On 22 Dec 2017, at 08:47, Omar Mochtar <iomarmochtar at gmail.com> wrote:
>>
>> Hi All,
>>
>>
>>
>> Here's the background of the issue: I implemented HAProxy as a load
>> balancer for Zimbra MTA & Proxy (webmail, pop3, imap) services, and it was
>> running smoothly until we had a brute force issue. When I wanted to block
>> the source IP of the brute force, the log files just showed the HAProxy server's IP,
>> since the traffic comes from it.
>>
>>
>> After searching, the solution is to use HAProxy's Proxy Protocol, which
>> adds additional source information to the packets that are forwarded to its
>> backend servers. For Postfix there is clear documentation on HAProxy's
>> official blog
>> (https://www.haproxy.com/blog/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/),
>> and for the rest of the services (webmail, pop3, imap), which are handled by Nginx,
>> the only clue is this documentation:
>> http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_protocol .
>>
>>
>> Unfortunately nginx's proxy_protocol configuration is only available from
>> version 1.9.2, and the Nginx version in Zimbra 8.7 is 1.7.1.
>>
>> The question is: how do I recompile a new version of Nginx (including its
>> zmlookup modules, etc.) that will replace the existing one?
>>
>>
>
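The nginx side of the CLIENT ==> HAPROXY ==|proxy protocol|==> NGINX ==|X-Forwarded-For|==> MAILBOX flow discussed above, written out as an added example (not configuration from the thread or from Zimbra's own templates). It covers only the HTTPS/webmail path with the stock ngx_http_realip_module; IMAP/POP3 through the nginx mail module is not shown. The HAProxy `send-proxy` line, the `mailbox_upstream` name, the certificate paths and all IP addresses are assumptions.

```nginx
# Added example, not part of the original thread.
# HAProxy side (assumed backend line): server zproxy1 10.0.0.11:443 send-proxy
# All addresses and paths below are constructed placeholders.

# Log the origin address carried in the PROXY header instead of HAProxy's own IP,
# so the same line fail2ban would match shows the real client.
log_format proxied '$proxy_protocol_addr "$request" $status';

upstream mailbox_upstream {
    server 10.0.0.30:8443;   # assumed Zimbra mailbox HTTPS port
}

server {
    # Accept the PROXY protocol header on this listener; the header arrives
    # before the TLS handshake, so ssl and proxy_protocol can be combined.
    listen 443 ssl proxy_protocol;
    server_name mail.example.com;
    ssl_certificate     /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;

    # Only trust the PROXY header when it comes from the load balancers.
    # Without this list, anyone who reaches nginx directly could send a
    # forged PROXY header and pick whatever source IP they like.
    set_real_ip_from 10.0.0.10/32;
    set_real_ip_from 10.0.0.20/32;
    real_ip_header proxy_protocol;   # rewrites $remote_addr to the origin IP

    access_log /path/to/nginx.access.log proxied;

    location / {
        proxy_pass https://mailbox_upstream;
        # Hand the origin address to the mailbox in X-Forwarded-For, which is
        # the header the mailbox reads for its own logging.
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        proxy_set_header Host $host;
    }
}
```

The mailbox must apply the same trust rule on its side and accept X-Forwarded-For only from the nginx proxy addresses (on Zimbra that list is the zimbraMailTrustedIP setting), otherwise a client connecting straight to the mailbox could spoof the logged IP.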