self-hosted/Mailu
1
0
Fork 0
mirror of https://github.com/Mailu/Mailu.git synced 2025-07-17 01:32:29 +02:00
Code Issues Releases Activity

nginx with proxy protocol: clarify documentation

Browse Source
This commit is contained in:
Didier Raboud
2023-03-28 17:38:20 +02:00
committed by GitHub
parent cd7dc7baea
commit dcd3a45dba
1 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/configuration.rst
View File

@ -256,6 +256,7 @@ The ``TZ`` sets the timezone Mailu will use. The timezone naming convention usua
The ``PROXY_PROTOCOL`` (default: unset) allows the the front container to receive TCP and HTTP connections with The ``PROXY_PROTOCOL`` (default: unset) allows the the front container to receive TCP and HTTP connections with
the `PROXY protocol`_ (originally introduced in HAProxy, now also configurable in other proxy servers). the `PROXY protocol`_ (originally introduced in HAProxy, now also configurable in other proxy servers).
It can be set to: It can be set to:
* ``http`` to accept the ``PROXY`` protocol on nginx's HTTP proxy ports * ``http`` to accept the ``PROXY`` protocol on nginx's HTTP proxy ports
* ``mail`` to accept the ``PROXY`` protocol on nginx's mail proxy ports * ``mail`` to accept the ``PROXY`` protocol on nginx's mail proxy ports
* ``all`` to accept the ``PROXY`` protocol on all nginx's HTTP and mail proxy ports * ``all`` to accept the ``PROXY`` protocol on all nginx's HTTP and mail proxy ports
@ -263,7 +264,10 @@ It can be set to:
.. _`PROXY protocol`: https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt .. _`PROXY protocol`: https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt
This requires to have a valid ``REAL_IP_FROM`` (default: unset). Setting ``PROXY_PROTOCOL`` without setting This requires to have a valid ``REAL_IP_FROM`` (default: unset). Setting ``PROXY_PROTOCOL`` without setting
``REAL_IP_FROM`` *will not work*. Make sure to set a ``REAL_IP_FROM`` only pointing to IP addresses or networks ``REAL_IP_FROM`` *will not work*. The ``REAL_IP_HEADER`` **must be unset**. Otherwise Mailu will not accept
the IP address from the remote client specified by the proxy. This results in the proxy being rate limited
or even banned (when fail2ban is used).
Make sure to set a ``REAL_IP_FROM`` only pointing to IP addresses or networks
that you trust; accepting the ``PROXY`` protocol from untrusted sources is a serious security vulnerability, that you trust; accepting the ``PROXY`` protocol from untrusted sources is a serious security vulnerability,
allowing a potential attacker to spoof their source address. allowing a potential attacker to spoof their source address.