HAProxy Support
===============
For high availability, client connections can be spread across multiple backend
servers using HAProxy [http://www.haproxy.org/]. This solution is often
employed for large Dovecot installations as a replacement for a hardware load
balancer. A common problem with such a reverse proxy
[http://en.wikipedia.org/wiki/Reverse_proxy] is that Dovecot does not talk to
the client directly. This means that the connection information (IP:port) that
Dovecot uses for logging and authentication purposes points to the proxy,
rather than the real client. To solve this, the proxy needs to convey the
connection information to the backend somehow, so that that information is
available there. The developers of HAProxy defined a custom Proxy Protocol
[http://blog.haproxy.com/haproxy/proxy-protocol/] for this purpose. By this
protocol, the proxy sends the connection information immediately after
connection setup in a special initial header. Note that this isn't normally
needed after the initial Dovecot proxies, because Dovecot internally uses
IMAP/POP3/LMTP extensions to forward the original IP address. Dovecot supports
both versions of the Proxy Protocol since Dovecot version 2.2.19.
Dovecot Configuration
---------------------
The following global settings relate to HAProxy:
haproxy_trusted_networks = :
A space-separated list of trusted network ranges for HAProxy connections.
Connections from networks outside these ranges to ports that are configured
for HAProxy are aborted immediately.
haproxy_timeout = 3 :
The time in seconds after which a HAPRoxy connection is aborted when no
complete header is received.
The HAPRoxy protocol can be enabled for specific <TCP listeners>
[Services.txt]. This way, a service such as IMAP or POP3 can accept both normal
and HAProxy connections. A TCP listener is configured for HAProxy by setting
'haproxy=yes' for that listener. If 'haproxy=yes' is set for a listener, its
use is mandatory on that port; i.e., if the client is not a proper proxy (its
omits the PROXY header), the connection will be aborted.
For example, to enable normal IMAP connections on port 143, SSL connections on
port 993 and HAProxy connections on port 10143, the 'imap-login' service is
configured as follows:
---%<-------------------------------------------------------------------------
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
inet_listener imap_haproxy {
port = 10143
haproxy = yes
}
}
---%<-------------------------------------------------------------------------
HAProxy Configuration
---------------------
The documentation of this feature on the HAProxy side is a bit fragmented
between the HAProxy Configuration Manual
[http://www.haproxy.org/download/1.6/doc/configuration.txt] and the Proxy
Protocol documentation
[http://www.haproxy.org/download/1.6/doc/proxy-protocol.txt]. In summary, it is
enabled by including the 'send-proxy' setting in the 'server' lines. It is
therefore only enabled on a per-server basis.
For example, the 'frontend' and 'backend' configuration of HAProxy could look
as follows:
---%<-------------------------------------------------------------------------
frontend ft_imap
bind :143
mode tcp
default_backend bk_imap
backend bk_imap
mode tcp
balance leastconn
stick store-request src
stick-table type ip size 200k expire 30m
server s1 backend.example.com:10143 send-proxy-v2
---%<-------------------------------------------------------------------------
(This file was created from the wiki on 2019-06-19 12:42)
Copyright 2K16 - 2K18 Indonesian Hacker Rulez