Handle the case where PROXY_PROTOCOL_25 is set

2025-03-03 14:52:36 +02:00 · 2024-06-24 09:46:06 +02:00 · 2024-06-24 09:46:06 +02:00 · 0ff18c6079
commit 0ff18c6079
parent 3e8e8cef8e
4 changed files with 34 additions and 35 deletions
--- a/core/base/libs/socrate/socrate/system.py
+++ b/core/base/libs/socrate/socrate/system.py
@ -108,8 +108,39 @@ def set_env(required_secrets=[], log_filters=[]):
           }

 def clean_env():
-    """ remove all secret keys """
+    """ remove all secret keys, normalize PROXY_PROTOCOL """
    [os.environ.pop(key, None) for key in os.environ.keys() if key.endswith("_KEY")]
+    # Configure PROXY_PROTOCOL
+    PROTO_MAIL=['25', '110', '995', '143', '993', '587', '465', '4190']
+    PROTO_ALL_BUT_HTTP=PROTO_MAIL.copy()
+    PROTO_ALL_BUT_HTTP.extend(['443'])
+    PROTO_ALL=PROTO_ALL_BUT_HTTP.copy()
+    PROTO_ALL.extend(['80'])
+    for item in os.environ.get('PROXY_PROTOCOL', '').split(','):
+        if item.isdigit():
+            os.environ[f'PROXY_PROTOCOL_{item}']=True
+        elif item == 'mail':
+            for p in PROTO_MAIL: os.environ[f'PROXY_PROTOCOL_{p}']=True
+        elif item == 'all-but-http':
+            for p in PROTO_ALL_BUT_HTTP: os.environ[f'PROXY_PROTOCOL_{p}']=True
+        elif item == 'all':
+            for p in PROTO_ALL: os.environ[f'PROXY_PROTOCOL_{p}']=True
+        elif item == '':
+            pass
+        else:
+            log.error(f'Not sure what to do with {item} in PROXY_PROTOCOL ({args.get("PROXY_PROTOCOL")})')
+
+    PORTS_REQUIRING_TLS=['443', '465', '993', '995']
+    ALL_PORTS='25,80,443,465,993,995,4190'
+    for item in os.environ.get('PORTS', ALL_PORTS).split(','):
+        if item in PORTS_REQUIRING_TLS and os.environ['TLS_FLAVOR'] == 'notls':
+            continue
+        os.environ[f'PORT_{item}']=True
+
+    if os.environ['TLS_FLAVOR'] != 'notls':
+        for item in os.environ.get('TLS', ALL_PORTS).split(','):
+            if item in PORTS_REQUIRING_TLS:
+                os.environ[f'TLS_{item}']=True

 def drop_privs_to(username='mailu'):
    pwnam = getpwnam(username)
--- a/core/nginx/config.py
+++ b/core/nginx/config.py
@ -70,38 +70,6 @@ with open("/etc/resolv.conf") as handle:
    resolver = content[content.index("nameserver") + 1]
    args["RESOLVER"] = f"[{resolver}]" if ":" in resolver else resolver

-# Configure PROXY_PROTOCOL
-PROTO_MAIL=['25', '110', '995', '143', '993', '587', '465', '4190']
-PROTO_ALL_BUT_HTTP=PROTO_MAIL.copy()
-PROTO_ALL_BUT_HTTP.extend(['443'])
-PROTO_ALL=PROTO_ALL_BUT_HTTP.copy()
-PROTO_ALL.extend(['80'])
-for item in args.get('PROXY_PROTOCOL', '').split(','):
-    if item.isdigit():
-        args[f'PROXY_PROTOCOL_{item}']=True
-    elif item == 'mail':
-        for p in PROTO_MAIL: args[f'PROXY_PROTOCOL_{p}']=True
-    elif item == 'all-but-http':
-        for p in PROTO_ALL_BUT_HTTP: args[f'PROXY_PROTOCOL_{p}']=True
-    elif item == 'all':
-        for p in PROTO_ALL: args[f'PROXY_PROTOCOL_{p}']=True
-    elif item == '':
-        pass
-    else:
-        log.error(f'Not sure what to do with {item} in PROXY_PROTOCOL ({args.get("PROXY_PROTOCOL")})')
-
-PORTS_REQUIRING_TLS=['443', '465', '993', '995']
-ALL_PORTS='25,80,443,465,993,995,4190'
-for item in args.get('PORTS', ALL_PORTS).split(','):
-    if item in PORTS_REQUIRING_TLS and args['TLS_FLAVOR'] == 'notls':
-        continue
-    args[f'PORT_{item}']=True
-
-if args['TLS_FLAVOR'] != 'notls':
-    for item in args.get('TLS', ALL_PORTS).split(','):
-        if item in PORTS_REQUIRING_TLS:
-            args[f'TLS_{item}']=True
-
 # TLS configuration
 cert_name = args.get("TLS_CERT_FILENAME", "cert.pem")
 keypair_name = args.get("TLS_KEYPAIR_FILENAME", "key.pem")
--- a/docs/mailu-network-diagram.ipynb
+++ b/docs/mailu-network-diagram.ipynb
@ -561,7 +561,7 @@
    "    antispam -> antivirus [label = \"3310/tcp\";];\n",
    "    \n",
    "    fetchmail -> admin [label = \"8080/tcp\"]\n",
-    "    fetchmail -> front [label = \"25/tcp\"]\n",
+    "    fetchmail -> proxy [label = \"25/tcp\"]\n",
    "    fetchmail -> front [label = \"2525/tcp\"]\n",
    "    #\n",
    "    # those don't need internet:\n",
--- a/optional/fetchmail/fetchmail.py
+++ b/optional/fetchmail/fetchmail.py
@ -60,7 +60,7 @@ def run(debug):
                protocol=fetch["protocol"],
                host=escape_rc_string(fetch["host"]),
                port=fetch["port"],
-                smtphost=f'{os.environ["FRONT_ADDRESS"]}' if fetch['scan'] else f'{os.environ["FRONT_ADDRESS"]}/2525',
+                smtphost=f'{os.environ["HOSTNAMES"].split(",")[0]}' if fetch['scan'] and os.environ.get('PROXY_PROTOCOL_25', False) else f'{os.environ["FRONT_ADDRESS"]}' if fetch['scan'] else f'{os.environ["FRONT_ADDRESS"]}/2525',
                username=escape_rc_string(fetch["username"]),
                password=escape_rc_string(fetch["password"]),
                options=options,