Nginx proxy protocol to Haraka on port 465 w/ proxy protocol enabled = SSL handshake fail #3105
Comments
I just noticed some strangeness around the proxy protocol too. Using swaks on port 25 with the
I mean...it shows the server sending I'm assuming you're using Kubernetes. If you set: If you set:
Thanks for the input @darkpixel. We haven't used Kubernetes in our attempt, we simply ran both Nginx and Haraka on the same machine. The simplified Nginx stream config we used looks like this (assuming we set Haraka smtps to run on port 466):
A similar config works for Dovecot with proxy protocol enabled. But it fails with Haraka, though connecting via Possibly Nginx is sending proxy protocol commands before Haraka is ready to accept them? Just a guess.
Could be. I've been doing a bunch of crazy/stupid stuff in my test environment today, and for the life of me, I can't bring up 465. 25 and 587 work just fine. I'll do some testing tomorrow after I handle an unrelated issue with external-dns and multiple load balancers.
Just wondering if anybody else has encountered this and found a solution?
I can't find the root cause, but here is the difference near the end of the connection when testing with proxy_protocol on vs proxy_protocol off, in case someone can figure it out. With proxy_protocol on:
With proxy_protocol off:
The latter is what happens if the proxy IP is not in the haproxy_hosts file. If it is, the log waits after But with proxy_protocol on, the log is always the same and the connection is always closed right away with Nginx error As mentioned in the first message, this happens only on the smtps port (e.g. 465). On non-SSL ports (e.g. 587 and 25), Haraka's haproxy support works fine with Nginx's proxy_protocol on.
I think I can confirm that it breaks because the PROXY header is sent first (before the SSL handshake), as per the proxy protocol specs. Adding this log after creating the smtps TLS server:
We get:
Suggesting that Haraka is attempting to read a malformed SSL version header, which in reality is the PROXY header. I then tried fiddling with Haraka's code, to create a TCP server instead of a TLS one, that reads the PROXY command and then upgrades to a TLS server. I could have the server read the PROXY command successfully, but after that so far I can't make it work.
Is proxy protocol supposed to work also on port 465 (implicit SSL/TLS)?
I've set up an Nginx stream proxy in front of Haraka, which works fine. But when I enable the proxy protocol (proxy_protocol directive on Nginx and haproxy_hosts config file on Haraka), the connection breaks before Haraka logs even a single thing, with the following error from Nginx: peer closed connection in SSL handshake while SSL handshaking to upstream
I tried the same thing without SSL (targeting port 587 STARTTLS instead), and it worked fine. Hence I'm wondering if there could be some issue when using proxy protocol with SSL/TLS?
Interestingly Dovecot works fine with the same setup (proxy protocol to implicit SSL/TLS IMAP and POP ports).