Implement HAProxy protocol support

This patch implements support for incoming connections wrapped in the HAProxy protocol v1. This is useful when running chasquid behind a HAProxy server, as it needs the original source IP to perform SPF checks. This patch is a reimplementation of one originally provided by Denys Vitali in pull request #15, except the logic for the protocol handling is moved to a new package, and the smtpsrv.Conn handling of the source IP is simplified. It is marked as experimental for now, since we want to give it a bit more exposure just in case the option/api needs adjustment. Thanks a lot to Denys Vitali (@denysvitali in github) for sending the original patch for this, and helping test it!
2025-12-16 14:27:01 +00:00 · 2020-11-12 22:00:46 +00:00
parent c9d3ba0ca0
commit e79586a014
22 changed files with 389 additions and 24 deletions
--- a/docs/haproxy.md
+++ b/docs/haproxy.md
@@ -0,0 +1,32 @@
+
+# HAProxy integration
+
+As of version 1.6, [chasquid] supports being deployed behind a [HAProxy]
+instance.
+
+**This is EXPERIMENTAL for now, and can change in backwards-incompatible
+ways.**
+
+
+## Configuring HAProxy
+
+In the backend server line, set the [send-proxy] parameter to turn on the use
+of the PROXY protocol against chasquid.
+
+You need to set this for each of the ports that are forwarded.
+
+
+## Configuring chasquid
+
+Add the following line to `/etc/chasquid/chasquid.conf`:
+
+```
+haproxy_incoming: true
+```
+
+That turns HAProxy support on for all incoming SMTP connections.
+
+
+[chasquid]: https://blitiri.com.ar/p/chasquid
+[HAProxy]: https://www.haproxy.org/
+[send-proxy]: http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#5.2-send-proxy
--- a/docs/man/chasquid.conf.5
+++ b/docs/man/chasquid.conf.5
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "chasquid.conf 5"
-.TH chasquid.conf 5 "2020-05-24" "" ""
+.TH chasquid.conf 5 "2020-11-12" "" ""
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -234,6 +234,14 @@ databases will be authenticated via dovecot.  Default: \f(CW\*(C`false\*(C'\fR.
 The path to dovecot's auth sockets is autodetected, but can be manually
 overridden using the \f(CW\*(C`dovecot_userdb_path\*(C'\fR and \f(CW\*(C`dovecot_client_path\*(C'\fR if
 needed.
+.IP "\fBhaproxy_incoming\fR (bool):" 8
+.IX Item "haproxy_incoming (bool):"
+\&\fB\s-1EXPERIMENTAL\s0\fR, might change in backwards-incompatible ways.
+.Sp
+If true, expect incoming \s-1SMTP\s0 connections to use the HAProxy protocol.
+This allows deploying chasquid behind a HAProxy server, as the address
+information is preserved, and \s-1SPF\s0 checks can be performed properly.
+Default: \f(CW\*(C`false\*(C'\fR.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fBchasquid\fR\|(1)
--- a/docs/man/chasquid.conf.5.pod
+++ b/docs/man/chasquid.conf.5.pod
@@ -113,6 +113,15 @@ The path to dovecot's auth sockets is autodetected, but can be manually
 overridden using the C<dovecot_userdb_path> and C<dovecot_client_path> if
 needed.

+=item B<haproxy_incoming> (bool):
+
+B<EXPERIMENTAL>, might change in backwards-incompatible ways.
+
+If true, expect incoming SMTP connections to use the HAProxy protocol.
+This allows deploying chasquid behind a HAProxy server, as the address
+information is preserved, and SPF checks can be performed properly.
+Default: C<false>.
+
 =back

 =head1 SEE ALSO