Opened 5 years ago
Closed 3 years ago
#1899 closed enhancement (wontfix)
Enhance mail module with access control like ngx_http_access_module module
Reported by: | | Owned by: |
---|---|---|---
Priority: | major | Milestone: |
Component: | nginx-module | Version: | 1.16.x
Keywords: | | Cc: |
uname -a: | | |

nginx -V:

nginx version: nginx/1.16.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
built with OpenSSL 1.0.1e 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/opt/apps_install/nginx-1.16.1 --with-stream --with-stream_realip_module --with-mail --with-mail_ssl_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-pcre --with-ld-opt=-Wl,-rpath,/opt/nginx-1.16.1/lua/lib --add-module=../nginx-upload-progress-module --add-module=../ngx_cache_purge-2.3 --add-module=../headers-more-nginx-module --add-module=../nginx_upstream_check_module --with-openssl=../openssl-1.0.1e --with-zlib=../zlib-1.2.3 --add-module=../lua-nginx-module
Description
We are running nginx as the mail proxy, but there are lots of invalid authentications every day. We have got some IPs to block, but found that the mail module lacks deny/allow directives like ngx_http_access_module, so please add the feature.
By the way, we have tried the stream module as a proxy in front of the mail block:
    worker_processes 8;
    user root;
    events {
        use epoll;
        worker_connections 10240;
    }
    pid /opt/work/log/nginx_pop.pid;
    error_log /opt/work/log/error_pop.log error;

    mail {
        auth_http 127.0.0.1:8080/auth;
        timeout 5000;
        proxy on;
        xclient on;

        server {
            listen 127.0.0.1:1100;
            protocol pop3;
        }
    }

    stream {
        # deny IP
        include includes/deny_ip.conf;

        upstream @pop_up {
            server 127.0.0.1:1100;
        }

        # POP
        # =============================
        server {
            listen 110;
            proxy_pass @pop_up;
            #proxy_pass 127.0.0.1:1100;
        }
    }
With this method the Client-IP header passed to auth_http is not correct (it is always 127.0.0.1), which impacts our analysis of the malicious traffic.
By design of the mail module, access checks as well as various rate limits are expected to be done by the auth_http script along with authentication. As such, usefulness of access checks in the mail module itself is quite limited.
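As an added illustration of the design described in the reply above (not code from the ticket or from nginx), here is a minimal auth_http script that applies a deny list to the Client-IP header nginx sends with each authentication request, in front of the credential check; the deny list, the user store and the backend address are constructed placeholders.

```python
import hmac
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed deny list (documentation ranges); a real script would load the
# same addresses the stream block tried to include from includes/deny_ip.conf.
DENY = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7")]
# Constructed user store and backend; replace with a real lookup.
USERS = {"alice": "s3cret"}
BACKEND = ("127.0.0.1", 1100)
# nginx waits Auth-Wait seconds before reporting the failure to the client,
# which throttles password guessing without touching the mail module config.
REJECT = {"Auth-Status": "Invalid login", "Auth-Wait": "3"}


def decide(headers):
    """Map the headers nginx sends to auth_http onto the headers it expects back."""
    try:
        addr = ipaddress.ip_address(headers.get("Client-IP", ""))
    except ValueError:
        return dict(REJECT)          # no usable client address: refuse
    if any(addr in net for net in DENY):
        return dict(REJECT)          # blocked address: same answer as a bad password
    if headers.get("Auth-Method") != "plain":
        return dict(REJECT)          # only the plain method is handled here
    user = headers.get("Auth-User", "")
    given = headers.get("Auth-Pass", "").encode()
    expected = USERS.get(user, "").encode()
    if user not in USERS or not hmac.compare_digest(given, expected):
        return dict(REJECT)
    host, port = BACKEND
    return {"Auth-Status": "OK", "Auth-Server": host, "Auth-Port": str(port)}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # self.headers is case-insensitive, so "Client-IP" matches however nginx cases it
        self.send_response(200)
        for name, value in decide(self.headers).items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    # Matches the auth_http 127.0.0.1:8080/auth line in the ticket's config.
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

Because the decision is keyed on Client-IP, the script only sees the real address when the mail module terminates the connection itself, which is why the stream-proxy workaround in the ticket defeats it.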