Make nginx use the haproxy protocol for mail
Mail listens for haproxy proxy messages, which have extra information about
where the query came from (similar to X-Forwarded-For headers in HTTP).
Unfortunately, nginx was forwarding it raw TCP data instead.
This commit uses ProxyStream (introduced in helpers commit
Ia15a18380624375ec4eb5d87d802df1e31f3c82d) to add haproxy proxying.
Finally, this commit removes an extraneous email vhost (ignored since helpers
commit I1e3dc3db735c0ccea5a6b7407cda8338ff7cf1e8)
Change-Id: Ia6142f249b911e11fef1a6476fcef4002d88b86d
diff --git a/flake.lock b/flake.lock
index 6dd1f0b..fd8bd0d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -59,11 +59,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
- "lastModified": 1697846472,
- "narHash": "sha256-OWxoAM79X6fssw6CnlhPvxfmuoC4Aq4PX+0aYv/ONBQ=",
+ "lastModified": 1698014047,
+ "narHash": "sha256-UkFM0AMx5876howd1rTBxJKt/J9TioxkRBRaE/3VXMg=",
"ref": "refs/heads/main",
- "rev": "5c7ee827fd35a9b2e489e919796f73536788c483",
- "revCount": 11,
+ "rev": "06e9c2b007673ff27fa3620c17644e8ba8f33ced",
+ "revCount": 15,
"type": "git",
"url": "https://git.clicks.codes/Clicks/NixHelpers"
},
diff --git a/helpers b/helpers
index 5c7ee82..06e9c2b 160000
--- a/helpers
+++ b/helpers
@@ -1 +1 @@
-Subproject commit 5c7ee827fd35a9b2e489e919796f73536788c483
+Subproject commit 06e9c2b007673ff27fa3620c17644e8ba8f33ced
diff --git a/modules/nginx-routes.nix b/modules/nginx-routes.nix
index 889a17c..a5ff7a5 100644
--- a/modules/nginx-routes.nix
+++ b/modules/nginx-routes.nix
@@ -37,9 +37,7 @@
"smtp.coded.codes"
"smtp.clicks.codes"
"smtp.hopescaramels.com"
- ] (ReverseProxy "localhost:1080"))
- (Hosts [ "mail.clicks.codes" "mail.coded.codes" "mail.hopescaramels.com" ]
- (ReverseProxy "localhost:1080"))
+ ] (ReverseProxy "127.0.0.1:1080"))
(Host "matrix.coded.codes" (Directory "${builtins.toString
(pkgs.schildichat-web.override {
conf = {
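Review bot: The upstream address changes from `localhost:1080` to `127.0.0.1:1080` on the ReverseProxy line here, and from `localhost` to `127.0.0.1` for every stream in the second hunk of this file, but the commit message explains only the ProxyStream switch and the vhost removal. If the intent is to pin the upstream to IPv4 so nginx never resolves `localhost` to `::1` where the backend listens on v4 only, a short comment on the ReverseProxy line such as `# 127.0.0.1 rather than localhost: pin IPv4 so the upstream never resolves to ::1` would record it for the next reader. The enclosing Hosts expression begins before the hunk.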
@@ -91,12 +89,12 @@
])
];
clicks.nginx.streams = with helpers.nginx; [
- (Stream 143 "localhost:1143" "tcp") # imap
- (Stream 993 "localhost:1993" "tcp") # imap
- (Stream 110 "localhost:1110" "tcp") # pop3
- (Stream 995 "localhost:1995" "tcp") # pop3
- (Stream 25 "localhost:1025" "tcp") # smtp
- (Stream 465 "localhost:1465" "tcp") # smtp
- (Stream 587 "localhost:1587" "tcp") # smtp
+ (ProxyStream 143 "127.0.0.1:1143" "tcp") # imap
+ (ProxyStream 993 "127.0.0.1:1993" "tcp") # imap
+ (ProxyStream 110 "127.0.0.1:1110" "tcp") # pop3
+ (ProxyStream 995 "127.0.0.1:1995" "tcp") # pop3
+ (ProxyStream 25 "127.0.0.1:1025" "tcp") # smtp
+ (ProxyStream 465 "127.0.0.1:1465" "tcp") # smtp
+ (ProxyStream 587 "127.0.0.1:1587" "tcp") # smtp
];
}
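Review bot: Enabling PROXY protocol toward the mail backends on 127.0.0.1:1143–1587 means the client address the backend sees now comes from a header nginx writes, so the backend must accept that header only from nginx and must not be reachable by other peers; nothing in this diff shows the backend side, and a backend that honours PROXY headers from any connection would let a direct connector choose the client address recorded in logs and used for rate-limit or authentication decisions. Confirm that the 1xxx listeners are bound to loopback only and that the mail server's PROXY trust is limited to 127.0.0.1 (for Dovecot this is `haproxy_trusted_networks`; for Postfix the `smtpd_upstream_proxy_protocol` family). A comment on the first ProxyStream line, e.g. `# PROXY protocol: backends must trust PROXY headers from 127.0.0.1 only`, would tie the two halves of the configuration together.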
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 08ae0cf..7515dcb 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -124,6 +124,7 @@
internal = lib.mkOption { type = str; };
external = lib.mkOption { type = port; };
protocol = lib.mkOption { type = strMatching "^(tcp|udp)$"; };
+ haproxy = lib.mkOption { type = bool; };
};
});
example = lib.literalExpression ''
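Review bot: `haproxy` is declared as a bare `bool` with no `default` and no `description`, so every entry in `clicks.nginx.streams` must now set it explicitly or evaluation fails with a missing-attribute error at the `stream.haproxy` read in the next hunk; the updated `Stream` helper presumably sets it, but any hand-written stream entry would break. Declaring it as `haproxy = lib.mkOption { type = bool; default = false; description = "Send the PROXY protocol header to the upstream (proxy_protocol on)."; };` keeps PROXY off unless requested, which is the safe direction because an upstream not expecting the header will refuse the connection. The `example` literal that follows starts after the hunk; if it lists stream fields it should mention `haproxy` as well.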
@@ -157,7 +158,8 @@
listen ${builtins.toString stream.external}${
lib.optionalString (stream.protocol == "udp") " udp"
};
- proxy_pass ${builtins.toString stream.internal};
+ proxy_pass ${stream.internal};
+ ${if stream.haproxy then "proxy_protocol on;" else ""}
}
'') config.clicks.nginx.streams);
};
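Review bot: The new `proxy_protocol` line uses an inline `if … then … else ""` while the `udp` suffix two lines above uses `lib.optionalString`; writing it as `${lib.optionalString stream.haproxy "proxy_protocol on;"}` matches the existing style and avoids the bare `else ""` branch. Dropping `builtins.toString` on `proxy_pass` is fine since `internal` is typed `str` in the option declaration. The generated `server` block starts before the hunk.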