Am setat nginx ca proxy de e-mail, dar am probleme la detectarea realului Client-Ip în scriptul de autentificare php numit de nginx prin auth_http.
Nu sunt interesat să obțin IP real pe serverul de e-mail din amonte.
Acesta este stack-ul meu:
- Cloudflare gestionează dns
- Restul se ocupă cu Docker
docker-compose.yml:
versiunea: „3.9”
Servicii:
traefik:
container_name: traefik
imagine: traefik:v2.6.0
porturi:
- „80:80”
- „443:443”
- „465:465”
- „993:993”
- „995:995”
...
etichete:
- traefik.enable=true
- traefik.http.routers.traefik-public-https.tls=true
...
volume:
- /var/run/docker.sock:/var/run/docker.sock:ro
...
comanda:
- --providers.docker
- --providers.docker.exposedbydefault=fals
- --entrypoints.http.address=:80
- --entrypoints.https.address=:443
- --entrypoints.entrypoint-nginx-mail-465.address=:465
- --entrypoints.entrypoint-nginx-mail-993.address=:993
- --entrypoints.entrypoint-nginx-mail-995.address=:995
- --entrypoints.entrypoint-forwardedHeaders-trustedIPs.forwardedHeaders.trustedIPs=${TRAEFIK_TRUSTED_IPS}
...
nginx:
container_name: nginx
imagine: nginx:1.21
volume:
- ${PWD}/sys/nginx/vhosts:/etc/nginx/conf.d
- ${PWD}/sys/nginx/custom.d:/etc/nginx/custom.d
...
etichete:
- traefik.enable=true
- traefik.tcp.routers.router-nginx-mail-465.entrypoints=entrypoint-nginx-mail-465
- traefik.tcp.routers.router-nginx-mail-465.rule=HostSNI(`*`)
- traefik.tcp.routers.router-nginx-mail-465.tls=true
- traefik.tcp.routers.router-nginx-mail-465.tls.certresolver=le
- traefik.tcp.routers.router-nginx-mail-465.service=service-nginx-mail-465
- traefik.tcp.services.service-nginx-mail-465.loadbalancer.server.port=587
- traefik.tcp.routers.router-nginx-mail-993.entrypoints=entrypoint-nginx-mail-993
- traefik.tcp.routers.router-nginx-mail-993.rule=HostSNI(`*`)
- traefik.tcp.routers.router-nginx-mail-993.tls=true
- traefik.tcp.routers.router-nginx-mail-993.tls.certresolver=le
- traefik.tcp.routers.router-nginx-mail-993.service=service-nginx-mail-993
- traefik.tcp.services.service-nginx-mail-993.loadbalancer.server.port=143
- traefik.tcp.routers.router-nginx-mail-995.entrypoints=entrypoint-nginx-mail-995
- traefik.tcp.routers.router-nginx-mail-995.rule=HostSNI(`*`)
- traefik.tcp.routers.router-nginx-mail-995.tls=true
- traefik.tcp.routers.router-nginx-mail-995.tls.certresolver=le
- traefik.tcp.routers.router-nginx-mail-995.service=service-nginx-mail-995
- traefik.tcp.services.service-nginx-mail-995.loadbalancer.server.port=110
...
php-fpm:
nume_container: php-fpm
imagine: bitnami/php-fpm:7.4
userns_mode: „gazdă”
etichete:
- traefik.enable=false
...
.env:
#https://www.cloudflare.com/ips
# Ultima actualizare: 8 aprilie 2021
TRAEFIK_TRUSTED_IPS=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/ 13.104.24.0.0/14.172.64.0.0/13.131.0.72.0/22.2400:cb00::/32.2606:4700::/32.2803:f800::/32.2405:05:05:05:05:05:05 :/32,2a06:98c0::/29,2c0f:f248::/32
...
sys/nginx/vhosts/00-main.conf:
Server {
asculta [::]:80;
asculta 80;
nume_server gazdă locală;
root /app/public;
index index.php;
locație ~ /\. {
nega totul;
}
locație ~ \.php$ {
fastcgi_pass php-fpm:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
sys/nginx/custom.d/mail.conf:
Poștă {
numele serverului _;
auth_http localhost:80/proxy.php;
proxy_pass_error_message activat;
imap_capabilities IMAP4 IMAP4rev1 LOGIN-REFERRALS SASL-IR ENABLE IDLE ID LITERAL+;
pop3_capabilities CAPA RESP-CODES UTILIZATOR TOP AUTH-RESP-CODE PIPELINING UIDL;
smtp_capabilities PIPELINING „SIZE ***” ETRN ENHANCEDSTATUSCODES 8BITMIME DSN CHUNKING;
...
Server {
asculta 110;
protocol pop3;
starttls on;
auth_http_header X-Auth-Port 110;
auth_http_header User-Agent „Proxy POP3”;
}
Server {
asculta 143;
protocol imap;
starttls on;
auth_http_header X-Auth-Port 143;
auth_http_header User-Agent „IMAP proxy”;
}
Server {
asculta 587;
protocol smtp;
starttls on;
auth_http_header X-Auth-Port 587;
auth_http_header User-Agent „SMTP proxy”;
}
}
getallheaders() în interiorul proxy.php:
matrice (
„User-Agent” => „Proxy IMAP”,
'X-Auth-Port' => '143',
'Client-Ip' => '172.27.0.2',
„Auth-Login-Tempt” => „1”,
„Auth-Protocol” => „imap”,
„Auth-Pass” => „***”,
'Auth-User' => '***',
'Auth-Method' => 'plată',
'Host' => 'localhost',
'Content-Length' => '',
„Content-Type” => „”,
)
$_SERVER în interiorul proxy.php:
matrice (
„HTTP_USER_AGENT” => „Proxy IMAP”,
'HTTP_X_AUTH_PORT' => '143',
'HTTP_CLIENT_IP' => '172.27.0.2',
'HTTP_AUTH_LOGIN_ATTEMPT' => '1',
„HTTP_AUTH_PROTOCOL” => „imap”,
'HTTP_AUTH_PASS' => '***',
'HTTP_AUTH_USER' => '***',
'HTTP_AUTH_METHOD' => 'simplu',
'HTTP_HOST' => 'localhost',
'REDIRECT_STATUS' => '200',
'SERVER_NAME' => 'localhost',
'SERVER_PORT' => '80',
'SERVER_ADDR' => '127.0.0.1',
'REMOTE_PORT' => '49360',
'REMOTE_ADDR' => '127.0.0.1',
'SERVER_SOFTWARE' => 'nginx/1.21.3',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'REQUEST_SCHEME' => 'http',
'SERVER_PROTOCOL' => 'HTTP/1.0',
'DOCUMENT_URI' => '/proxy.php',
'REQUEST_URI' => '/',
„SCRIPT_NAME” => „/proxy.php”,
'CONTENT_LENGTH' => '',
„CONTENT_TYPE” => „”,
„REQUEST_METHOD” => „OBȚINE”,
„QUERY_STRING” => „”,
'FCGI_ROLE' => 'RESPONDER',
'PHP_SELF' => '/proxy.php',
...
)
