
No real ip behind haproxy 0.0.15

Open vooon opened this issue 6 months ago • 4 comments

Hello,

I'm trying to set up Mox behind HAProxy. UI/MTA-STS/... works, but it seems Mox is not processing X-Forwarded-For / X-Real-IP, because in the logs and account the client IP is 127.0.0.1.

mox.conf looks like this:

Listeners:
	internal:
		AccountHTTP:
			Enabled: true
			Port: 1080
			Forwarded: true
		AdminHTTP:
			Enabled: true
			Port: 1080
			Forwarded: true
		WebmailHTTP:
			Enabled: true
			Port: 1080
			Forwarded: true
		WebAPIHTTP:
			Enabled: true
			Port: 1080
			Forwarded: true

haproxy.cfg:

frontend https
  mode http
  bind :443 ssl alpn h2,http/1.1 crt /etc/acme/haproxy/
  # bind quic4@:443 ssl alpn h3 crt /etc/acme/haproxy/
  # http-after-response add-header alt-svc 'h3=":443"; ma=60'
  option forwardfor
  http-request set-header X-Real-IP %[src]
  http-request set-header X-Forwarded-Proto https
  http-response set-header Strict-Transport-Security "max-age=2592000"

  use_backend mox-ui          if { hdr(host) -i mx.foo } OR { hdr(host) -i mail.foo }
  use_backend mox-autoconf    if { hdr(host) -i mta-sts.foo } OR { hdr(host) -i autoconfig.foo }
  default_backend barbrady

backend mox-ui
  mode http
  server localhost 127.0.0.1:1080 check

backend mox-autoconf
  mode http
  server localhost 127.0.0.1:1081 check

I've tried to sniff HTTP, and can confirm that the headers are present. The only noticeable thing: they are in lower case, as in HTTP/2, i.e. x-forwarded-for: <ip>.

vooon avatar Jul 02 '25 15:07 vooon

Same here with a k3s deployment with ingress nginx. I got X-Forwarded-For, X-RealIp and other headers set (over proxy protocol, and I can see the real IPs in another k3s service), yet nothing here in Mox.

luckyycode avatar Jul 06 '25 14:07 luckyycode

Can confirm, same with regular nginx and the following config:

    location /webmail/ {
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_buffering off;
      proxy_request_buffering off;
      proxy_read_timeout 3600;
      proxy_pass http://127.0.0.1:2080/webmail/;
    }

sigio avatar Jul 07 '25 15:07 sigio

I've hit this too. Poking the code, it looks like X-Forwarded-For is taken into account only for the rate-limiting, and not for the logging or other uses that may come up.

There's also no way to specify Forwarded: true for mta-sts or autoconfig listeners at the moment.

lupine avatar Aug 29 '25 23:08 lupine
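For readers following the thread, an added example (not mox's code and not taken from the linked pull request) of how a Go backend behind a loopback proxy can derive one client address from X-Forwarded-For and use it for logging as well as rate limiting. The helpers `trusted` and `clientIP` are hypothetical, the loopback-only trust rule is an assumption matching the configs above, and the addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"strings"
)

// Assumption for this example: the only trusted proxy is on loopback, as in the
// HAProxy and nginx configs in this thread.
func trusted(a netip.Addr) bool { return a.Unmap().IsLoopback() }

// clientIP (hypothetical helper) returns the address to log and rate-limit on.
// X-Forwarded-For is honoured only when the TCP peer is a trusted proxy, and is
// walked right to left so entries a client prepended itself are never used.
func clientIP(remoteAddr string, h http.Header) netip.Addr {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	peer, _ := netip.ParseAddr(host)
	if !peer.IsValid() || !trusted(peer) {
		return peer
	}
	// net/http canonicalises names on parse and lookup, so a lower-case
	// "x-forwarded-for" on the wire is found here; repeated lines are joined.
	hops := strings.Split(strings.Join(h.Values("X-Forwarded-For"), ","), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		a, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed hop: fall back to the peer address
		}
		if !trusted(a) {
			return a.Unmap()
		}
	}
	return peer
}

func main() {
	h := http.Header{}
	h.Set("x-forwarded-for", "203.0.113.9") // constructed sample value
	fmt.Println(clientIP("127.0.0.1:51234", h))
}
```

A request that reaches the port directly, without passing through the proxy, keeps its own peer address no matter what forwarding headers it sends.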

https://github.com/mjl-/mox/pull/381

lupine avatar Aug 30 '25 18:08 lupine