author Todd Lyons <tlyons@exim.org> 2014-04-17 11:58:09 -0700
committer Todd Lyons <tlyons@exim.org> 2014-04-19 08:32:09 -0700
commit eb57651e8badf0b65af0371732e42f2ee5c7772c
tree 0bc0f5ddf2deb86cf11e1063e5b28942009e36b8 /doc/doc-txt
parent 887291d23b561d0bb8cf43db80c191810e2d8ce3
Fix Proxy Protocol v2 handling
Change recv() to not use MSG_PEEK and eliminated flush_input().
Add proxy_target_address/port expansions.
Convert ipv6 decoding to memmove().
Use sizeof() for variable sizing.
Correct struct member access.
Enhance debug output when passed invalid command/family.
Add to and enhance documentation.
Client script to test Proxy Protocol, interactive on STDIN/STDOUT, so can be chained (i.e. a swaks pipe), useful for any service, not just Exim and/or smtp.
Diffstat (limited to 'doc/doc-txt')
-rw-r--r-- doc/doc-txt/experimental-spec.txt 21
1 files changed, 17 insertions, 4 deletions
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 265e1211b..f21609662 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -1087,10 +1087,16 @@ Proxy Protocol server at 192.168.1.2 will look like this:
3. In the ACL's the following expansion variables are available.
-proxy_host_address The src IP of the proxy server making the connection
-proxy_host_port The src port the proxy server is using
-proxy_session Boolean, yes/no, the connected host is required to use
- Proxy Protocol.
+proxy_host_address The (internal) src IP of the proxy server
+ making the connection to the Exim server.
+proxy_host_port The (internal) src port the proxy server is
+ using to connect to the Exim server.
+proxy_target_address The dest (public) IP of the remote host to
+ the proxy server.
+proxy_target_port The dest port the remote host is using to
+ connect to the proxy server.
+proxy_session Boolean, yes/no, the connected host is required
+ to use Proxy Protocol.
There is no expansion for a failed proxy session, however you can detect
it by checking if $proxy_session is true but $proxy_host is empty. As
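Review bot: In the new variable list, the proxy_target_address entry ("The dest (public) IP of the remote host to the proxy server") can be read as the remote host's own IP, which the logging example in the next hunk takes from $sender_host_address. Wording such as "the (public) IP on the proxy server that the remote host connected to" would remove the ambiguity, and the same applies to proxy_target_port. The unchanged sentence below the list still tells readers to test $proxy_host, which is not one of the listed variables; it should name $proxy_host_address, and it should say whether the two new target variables are also empty after a failed proxy session, since ACLs that act on these values depend on that.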
@@ -1110,6 +1116,13 @@ an example, in my connect ACL, I have:
[$sender_host_address] through proxy protocol \
host $proxy_host_address
+ # Possibly more clear
+ warn logwrite = Remote Source Address: $sender_host_address:$sender_host_port
+ logwrite = Proxy Target Address: $proxy_target_address:$proxy_target_port
+ logwrite = Proxy Internal Address: $proxy_host_address:$proxy_host_port
+ logwrite = Internal Server Address: $received_ip_address:$received_port
+
+
4. Runtime issues to be aware of:
- Since the real connections are all coming from your proxy, and the
per host connection tracking is done before Proxy Protocol is
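Review bot: The added warn statement carries no condition, so its four logwrite lines run for every connection that reaches this ACL, including connections with no proxy session, where the proxy_* values would presumably be empty. Gating the statement on $proxy_session would keep these log lines to proxied connections and make an empty $proxy_host_address stand out as the failed-session case the text describes. The "# Possibly more clear" comment would be more useful if it said what the block logs, and the two trailing blank "+" lines leave a double blank line before item 4.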