On 11/19/2020 1:37 PM, Howard Chu wrote:
This would require that you actually read and process the proxy header
immediately after the accept call. It strikes me that this is the wrong
thing to do, if you also want to support TLS.
Unless I'm misunderstanding the specification, that is the only
Paul B. Henson wrote:
> On 11/19/2020 10:02 AM, Howard Chu wrote:
>
>>> 1. Config directives for specifying IP address(es) and network(s) expected
>>> and trusted to send proxy protocol header.
>>
>> Sounds like unnecessary work. Just use an ACL.
>
> I don't think an ldap level ACL would work fo
On 11/19/20 5:04 PM, Howard Chu wrote:
> Paul B. Henson wrote:
>> In general, I believe applications listening on a specific port are either
>> expecting the proxy protocol header, or not, I do not think it is dynamically
>> determined. As such, from an implementation perspective, my initial thoug
On 11/19/2020 10:02 AM, Howard Chu wrote:
>> 1. Config directives for specifying IP address(es) and network(s)
>> expected and trusted to send proxy protocol header.
>
> Sounds like unnecessary work. Just use an ACL.
I don't think an ldap level ACL would work for what he means? I think he
wants to con
On 11/19/2020 12:55 AM, Michael Ströder wrote:
Aaargh! I've missed the binary header part. So forget my former comments.
Version 1 of the protocol is ASCII, version 2 is binary. However, in
both cases the proxy protocol data is removed and processed before the
connection is handed down to th
On 11/19/2020 8:04 AM, Howard Chu wrote:
Yeah, that agrees with my read of the document. I think "ldapp://" and
"ldapsp://" would be usable.
Cool.
Doesn't seem too problematic. I would only support the version 2 (binary) header,
seems silly to implement the version 1 support for such an old
Michael Ströder wrote:
> On 11/19/20 5:04 PM, Howard Chu wrote:
>> Paul B. Henson wrote:
>>> In general, I believe applications listening on a specific port are either
>>> expecting the proxy protocol header, or not, I do not think it is dynamically
>>> determined. As such, from an implementa
Paul B. Henson wrote:
> We currently run our openLDAP service on our campus behind an F5 load
> balancer which preserves the IP address of the connecting client through to
> the backend servers, which we rely on for a small amount of IP address based
> authorization differentiating between on-
On 11/19/20 9:52 AM, Michael Ströder wrote:
> On 11/19/20 2:49 AM, Paul B. Henson wrote:
>> Amazon's solution for that is to support HAProxy's proxy protocol in
>> their load balancer:
>>
>> https://www.haproxy.com/blog/haproxy/proxy-protocol/
>>
>> Basically, this is an in band signaling mecha
On 11/19/20 2:49 AM, Paul B. Henson wrote:
> Amazon's solution for that is to support HAProxy's proxy protocol in
> their load balancer:
>
> https://www.haproxy.com/blog/haproxy/proxy-protocol/
>
> Basically, this is an in band signaling mechanism that inserts an
> additional header in the in
10 matches