Support for proxy/sec gateway/LBL: X-Forwarded-For and proxy protocol implementation
Idea shared by Mail Server - March 22 at 12:32 PM
Proposed
Suggestion/Feature request:

Please implement X-Forwarded-For and the proxy protocol for web and mail protocols:

For an up-to-date application design that fulfills security requirements, a proxy/security gateway ... is absolutely necessary. Best would be Proxy/Sec Gateway -> Application/web Server -> Backend Data store
There is no way to expose an application/HTTP server directly to the internet. Always use something like F5 LBL, haproxy, nginx, apache, IIS. Not to mention load balancing, HA setups and SSL offloading.

To fulfill these major app design rules, it is absolutely necessary to implement the X-Forwarded-For header (https://tools.ietf.org/html/rfc7239) and the proxy protocol (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). A lot of applications already do so!

Without these features, all IP restrictions and protocol information are worthless when using a security-based application design.

So I would really appreciate it if you would think about these really necessary features for the web and mail services (IMAP, SMTP ...).

Many Thanks and best regards

2 Replies

Matt Petty Replied
Employee Post
So if I'm understanding this correctly.

When SM receives these web requests, they are coming from a load balancer (or web gateway) with the "X-Forwarded-For" header?
I could see this. We could then verify that, if we do see "X-Forwarded-For", we only accept that header when it comes from a known safe IP. Otherwise clients could write this header themselves to bypass IP checks. Thankfully we already have a list for these kinds of checks: bypassed IPs.

What specific purpose does proxy protocol fill that 'X-Forwarded-For' doesn't? Looking at it, it seems like it would be quite a bit of work.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
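The rule Matt describes (honour X-Forwarded-For only when the connection itself comes from a known proxy, otherwise treat the header as attacker-controlled) in code. This is an added example, not code from the thread or from SmarterMail; the function names, the proxy list and the allow-list are assumptions constructed for the demo. It also covers the case the reply does not spell out: a client behind a trusted load balancer can still prepend its own forged entry to the header, so the chain must be read from the right, skipping known proxies, rather than taking the first entry.

```python
"""Added example (not SmarterMail code): pick the client address for IP
restrictions from X-Forwarded-For only when the TCP peer is a known proxy."""
import ipaddress
from typing import List, Optional

# Assumed proxy/load-balancer addresses; in the product this would be the
# configured list referred to above ("bypassed IPs").
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.10/32")]
# Constructed allow-list used by allowed() below.
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]


def is_trusted(addr: str, trusted=TRUSTED_PROXIES) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def parse_xff(value: Optional[str]) -> List[str]:
    """Split a comma-separated X-Forwarded-For value, dropping empty entries."""
    if not value:
        return []
    return [p.strip() for p in value.split(",") if p.strip()]


def client_address(peer_ip: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Address to use for IP checks.

    * Peer is not a trusted proxy: ignore the header; a direct client can
      write anything it likes into it.
    * Peer is trusted: walk the chain from the right, because the rightmost
      entry was appended by the proxy that handed us the connection and the
      entries left of it came from parties we did not verify.  The first
      hop that is not itself a trusted proxy is the client.
    * Chain empty, malformed, or all proxies: fall back to the peer address.
    """
    if not is_trusted(peer_ip, trusted):
        return peer_ip
    for hop in reversed(parse_xff(xff)):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip           # malformed entry: refuse to guess
        if not is_trusted(hop, trusted):
            return hop
    return peer_ip


def allowed(peer_ip: str, xff: Optional[str]) -> bool:
    """Apply an IP restriction to the resolved client address."""
    ip = ipaddress.ip_address(client_address(peer_ip, xff))
    return any(ip in net for net in ALLOWED_CLIENTS)


if __name__ == "__main__":
    # Constructed cases: direct spoof attempt, honest chain, client-prepended
    # forgery behind a trusted LB, and two layers of trusted proxies.
    print(client_address("198.51.100.7", "203.0.113.5"))                # 198.51.100.7
    print(client_address("10.0.0.5", "203.0.113.5"))                    # 203.0.113.5
    print(client_address("10.0.0.5", "203.0.113.5, 198.51.100.7"))      # 198.51.100.7
    print(client_address("10.0.0.5", "198.51.100.7, 10.0.0.9"))         # 198.51.100.7
```

The third case is the one that bites deployments that take the leftmost value: the proxy appended 198.51.100.7 (the real client), while 203.0.113.5 was written by that client to get past the allow-list.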
Hi Matt,

Yes, right, the header is inserted by the proxy/LBL. Typically at this point all client-inserted headers are replaced.

X-Forwarded-For is only usable when speaking about the HTTP protocol, but not for TCP SMTPS, IMAPS, POPS ... for these protocols I only know about the proxy protocol. However, the "best but most complex" solution is a transparent proxy.

...
The protocol is simple enough that it is expected that other implementations will appear, especially in environments such as SMTP, IMAP, FTP, RDP where the client's address is an important piece of information for the server and some intermediaries. In fact, several proprietary deployments have already done so on FTP and SMTP servers.
...
Best regards

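For the TCP side of the request (SMTP, IMAP, POP), here is what a listener has to do with the PROXY protocol header from the haproxy document linked above: parse the v1 text form and the v2 binary form from the first bytes of the connection, and, as that document requires, accept the header only from configured proxies and close the connection when a trusted proxy sends none or sends a broken one. This is an added example, not SmarterMail code; the function names and the trusted-proxy list are assumptions, and build_v2() exists only to construct test input the way a proxy would emit it.

```python
"""Added example (not SmarterMail code): PROXY protocol v1/v2 receiver for a
mail-style TCP listener, following haproxy's proxy-protocol.txt."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte v2 signature from the spec
V1_MAX = 107                          # a v1 line including CRLF never exceeds this


class ProxyProtocolError(ValueError):
    """A trusted proxy sent no header or a malformed one: close the connection."""


@dataclass
class ProxyInfo:
    src_ip: Optional[str]     # None for UNKNOWN / LOCAL (e.g. health checks)
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    header_len: int           # bytes to strip before the real protocol starts


def parse_v1(data: bytes) -> ProxyInfo:
    """'PROXY TCP4 <src> <dst> <sport> <dport>\\r\\n' or 'PROXY UNKNOWN ...\\r\\n'."""
    end = data.find(b"\r\n", 0, V1_MAX)
    if end < 0:
        raise ProxyProtocolError("v1 header not CRLF-terminated within 107 bytes")
    parts = data[:end].decode("ascii").split(" ")
    if parts[0] != "PROXY" or len(parts) < 2:
        raise ProxyProtocolError("bad v1 header")
    if parts[1] == "UNKNOWN":
        return ProxyInfo(None, None, None, None, end + 2)
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        raise ProxyProtocolError("bad v1 header")
    want = 4 if parts[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    sport, dport = int(parts[4]), int(parts[5])
    if src.version != want or dst.version != want:
        raise ProxyProtocolError("address family mismatch")
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyProtocolError("port out of range")
    return ProxyInfo(str(src), sport, str(dst), dport, end + 2)


def parse_v2(data: bytes) -> ProxyInfo:
    """Binary v2: signature, version/command byte, family/proto byte, 16-bit length."""
    if len(data) < 16:
        raise ProxyProtocolError("short v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    total = 16 + length
    if ver_cmd >> 4 != 2 or len(data) < total:
        raise ProxyProtocolError("bad v2 version or truncated header")
    cmd = ver_cmd & 0x0F
    if cmd == 0x0:                      # LOCAL: connection from the proxy itself
        return ProxyInfo(None, None, None, None, total)
    if cmd != 0x1:                      # only PROXY (0x1) is defined
        raise ProxyProtocolError("unknown v2 command")
    if fam_proto == 0x11:               # TCP over IPv4
        fmt, need = "!4s4sHH", 12
    elif fam_proto == 0x21:             # TCP over IPv6
        fmt, need = "!16s16sHH", 36
    else:                               # AF_UNSPEC / UNIX / UDP: no usable address
        return ProxyInfo(None, None, None, None, total)
    if length < need:
        raise ProxyProtocolError("address block too short")
    s, d, sp, dp = struct.unpack(fmt, data[16:16 + need])
    return ProxyInfo(str(ipaddress.ip_address(s)), sp, str(ipaddress.ip_address(d)), dp, total)


def build_v2(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Encoder, used here only to construct test input the way a proxy would."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fmt, fam = ("!4s4sHH", 0x11) if s.version == 4 else ("!16s16sHH", 0x21)
    body = struct.pack(fmt, s.packed, d.packed, sport, dport)
    return V2_SIG + struct.pack("!BBH", 0x21, fam, len(body)) + body


def accept_connection(peer_ip: str, data: bytes,
                      trusted_proxies: Iterable[str]) -> Tuple[str, bytes]:
    """Return (client_ip, remaining_payload) for a freshly accepted connection.

    The header is honoured only from configured proxies.  A trusted peer that
    sends none (or a broken one) is an error; the caller must close rather
    than guess.  Bytes from an untrusted peer pass through untouched, so a
    client writing 'PROXY ...' itself just gets an SMTP/IMAP syntax error.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_proxies):
        return peer_ip, data
    try:
        if data.startswith(V2_SIG):
            info = parse_v2(data)
        elif data.startswith(b"PROXY "):
            info = parse_v1(data)
        else:
            raise ProxyProtocolError("trusted proxy sent no PROXY header")
    except ValueError as exc:           # also covers int()/ip_address() failures
        raise ProxyProtocolError(str(exc)) from exc
    client = info.src_ip if info.src_ip is not None else peer_ip
    return client, data[info.header_len:]


if __name__ == "__main__":
    TRUSTED = ["10.0.0.0/8"]            # constructed: the haproxy/LB in front of SMTP
    v1 = b"PROXY TCP4 203.0.113.5 10.0.0.5 56324 25\r\nEHLO mail.example\r\n"
    print(accept_connection("10.0.0.5", v1, TRUSTED))        # ('203.0.113.5', b'EHLO ...')
    v2 = build_v2("2001:db8::1", "2001:db8::25", 40000, 993) + b"a1 CAPABILITY\r\n"
    print(accept_connection("10.0.0.5", v2, TRUSTED))        # ('2001:db8::1', b'a1 ...')
    print(accept_connection("198.51.100.7", v1, TRUSTED))    # header ignored, data untouched
```

The trust decision is made on the TCP peer, exactly as for X-Forwarded-For: the header itself carries no authentication, so a listener that parses it from arbitrary peers lets any client pick its own source address for the IP restrictions.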