proxy/haproxy: Update haproxy documentation #1499
> This section describes how TLS can be handled when using HAProxy in front of Dovecot, and the implications of different configurations.
> ### HAProxy TLS forwarding directives

I was thinking of just squashing this whole section into the same one as HAProxy PROXY protocol. The only TLS-specific thing here is the `send-proxy-v2-ssl` and it's not too bad to be outside the TLS sections.
> - Set `haproxy = yes` on the listener
> - Set `haproxy_trusted_networks` to the IP address(es) of HAProxy — Dovecot rejects PROXY headers from any unlisted address
> ## Recommended Deployment

`###` since this is under TLS
> **Disadvantages:**
> * Dovecot does not advertise STARTTLS on this listener, so clients cannot use it.
> #### Mutual TLS (mTLS) Between HAProxy and Dovecot

I think `#####` since this is in addition to `#### HAProxy → Dovecot with TLS (Recommended)`, not an alternative to it.
> HAProxy presents a client certificate to Dovecot; Dovecot verifies it before accepting the connection.
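Review bot: "Dovecot verifies it before accepting the connection" is the whole security property of this mTLS subsection, but the sentence does not say what the verification is anchored to or what happens when it fails; spell out which CA (or which certificate) Dovecot is configured to trust for the check and state explicitly that a connection whose client certificate does not verify is refused, so a reader does not end up with a listener that merely requests a certificate without enforcing it.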
> ### HAProxy → Dovecot Without TLS (Not Recommended)

I think `####` since this is an alternative to `#### HAProxy → Dovecot with TLS (Recommended)`
> ::: code-group
> ```haproxy[haproxy_plain_backend]
> backend dovecot_imap

This example is missing `frontend imap_tls`. (Can't assume it will be copy-pasted from the HAProxy → Dovecot with TLS example, since it's an alternative to this one.)
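A complete frontend/backend pairing of the kind the comment above asks for, written here as an added example rather than text from the PR or the Dovecot documentation. It shows the recommended variant (TLS re-encrypted between HAProxy and Dovecot, with HAProxy presenting a client certificate, as the mTLS subsection describes) so that a reader has the full picture next to the plaintext alternative. The names `imap_tls`, `dovecot_imap` and the `send-proxy-v2-ssl` option come from the PR; the ports, the backend address `10.0.0.10`, the certificate paths and the `ssl verify required` / `ca-file` / `crt` server options are assumptions chosen for illustration.

```haproxy
# Added example, not from the PR or the Dovecot docs. Section names follow the
# PR; addresses, ports and file paths are placeholders for illustration.
global
    # Refuse anything older than TLS 1.2 on all bind lines (assumed policy).
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode    tcp
    timeout connect 5s
    timeout client  10m
    timeout server  10m

# Clients terminate TLS here (implicit-TLS IMAP on port 993).
frontend imap_tls
    bind :993 ssl crt /etc/haproxy/certs/imap.pem
    default_backend dovecot_imap

# HAProxy re-encrypts to Dovecot, verifies Dovecot's server certificate
# against a private CA, presents its own client certificate (the mTLS case),
# and sends a PROXY v2 header carrying the client's real address plus the
# TLS details of the client-side connection (send-proxy-v2-ssl).
backend dovecot_imap
    server dovecot1 10.0.0.10:993 ssl verify required ca-file /etc/haproxy/certs/dovecot-ca.pem crt /etc/haproxy/certs/haproxy-client.pem send-proxy-v2-ssl
```

On the Dovecot side this pairs with the two settings the PR already names: `haproxy = yes` on the TLS listener that HAProxy connects to, and `haproxy_trusted_networks` containing the HAProxy address (here `10.0.0.0/24` or the single host), since Dovecot rejects PROXY headers from any address not listed there. The plaintext alternative from the PR differs only in the `server` line (no `ssl`, `verify`, `ca-file` or `crt` options) and in pointing at a non-TLS Dovecot listener; the `frontend imap_tls` part is the same in both variants, which is why the comment asks for it to be shown.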
> ### Plaintext Client Connections (Port 143)
> If a client connects on a plaintext port, HAProxy passes the connection through without TLS termination.
My complaints about these sections go away if you add something like: When doing TLS termination on HAProxy, the recommendation is to disable plaintext client connections entirely.
> See [HAProxy → Dovecot with TLS](#haproxy-dovecot-with-tls-recommended) for the full example.
> ### TLS Termination at HAProxy

Now at the very end of my review, I realize you have:

- `## HAProxy TLS Termination`
- `### TLS Termination at HAProxy`

How do these differ? Can we get rid of one of them or rename one of them?
JIRA: DOV-6879