Using PROXY protocol for tcp-services in Kubernetes
I have a Kubernetes cluster that uses nginx for handling inbound requests behind a DigitalOcean load balancer. Here’s what an inbound SMTP request (port 25) goes through to get to my Postfix server:
- DO Load Balancer
- Nginx k8s service/loadbalancer
- Nginx server
- Postfix k8s service
- Postfix pod
It works fine, but for one problem: the originating IP of the client is lost along the way, and gets replaced with the IP address of the nginx server (10.x.y.z). This means that things like SPF policy checks don’t work, because Postfix cannot determine the IP of the sender.
There’s a way to fix it though, and that’s to have nginx use the PROXY protocol when communicating with Postfix. To do that, one should configure Postfix to expect the PROXY protocol for inbound requests (easy), and tell nginx to use the PROXY protocol when communicating with Postfix. That hasn’t been easy.
Per the documentation, I should configure nginx’s `tcp-services` ConfigMap with a line like this (I think): `30025: mail/postfix:25`, where `30025` is the NodePort that was assigned to the nginx load balancer, and `25` is the port that the Postfix k8s service is listening on.
When I configure it this way it correctly routes mail, but I’m still getting 10.x.y.z IP addresses in Postfix. Is this because the DigitalOcean load balancer isn’t using the PROXY protocol when communicating with nginx, and Postfix is seeing the internal IP address of the DO load balancer? Is there any way to configure the DO load balancer to use the PROXY protocol for non-HTTP services?
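The three pieces of configuration the question is circling (the DigitalOcean load balancer, the ingress-nginx controller, and the `tcp-services` entry) as one added example. This is not configuration from the post or from the ingress-nginx project; it assumes ingress-nginx runs in namespace `ingress-nginx` with a controller Service and ConfigMap both named `ingress-nginx-controller`, that the controller was started with `--tcp-services-configmap=ingress-nginx/tcp-services`, and that Postfix is the Service `postfix` in namespace `mail` on port 25. The pod selector label and the choice of port 25 as the LB listener are assumptions too. The annotation and the `use-proxy-protocol` / `tcp-services` keys are real, documented settings of the DigitalOcean cloud controller manager and ingress-nginx.

```yaml
# Added example, not from the original post. Names, namespaces, labels and
# port numbers are assumptions; adjust to your install.
---
# 1. Ask the DigitalOcean load balancer to speak PROXY protocol to nginx.
#    The annotation is per Service, so it applies to EVERY port on this LB,
#    HTTP and HTTPS included, not just the SMTP listener.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx          # assumed controller label
    app.kubernetes.io/component: controller
  ports:
    - name: http
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 443
    - name: smtp            # the TCP service defined in tcp-services below
      port: 25
      targetPort: 25
---
# 2. Because the LB now prefixes every connection with a PROXY header,
#    nginx must decode it on the HTTP/HTTPS listeners as well, otherwise
#    web traffic breaks with garbled requests.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  use-proxy-protocol: "true"
---
# 3. TCP passthrough for SMTP. Value format:
#      <namespace/service>:<port>[:PROXY][:PROXY]
#    third field  = decode PROXY protocol on the listen side (from the DO LB)
#    fourth field = encode PROXY protocol toward the upstream (Postfix)
#    The key is the port nginx listens on inside the pod; it must match the
#    targetPort of the "smtp" entry in the Service above.
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  "25": "mail/postfix:25:PROXY:PROXY"
```

On the Postfix side the matching setting in `main.cf` is `smtpd_upstream_proxy_protocol = haproxy` (or `postscreen_upstream_proxy_protocol = haproxy` when postscreen sits in front of smtpd); Postfix then reads the real client address from the PROXY header and uses it for SPF and access checks. Once Postfix trusts that header, anything that can open a TCP connection to the Postfix pod on port 25 can claim an arbitrary client address, so the pod should accept port 25 only from the ingress-nginx pods (a NetworkPolicy restricting ingress to the `ingress-nginx` namespace is the usual way). A quick check that the chain works end to end is to send a test message from outside the cluster and confirm the `connect from` line in the Postfix log shows the public client IP rather than a 10.x.y.z address.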