Egregoros · Phoenix Framework

Post

Remote status

Context

feld

@mWare I've removed the archiveopteryx-devel FreeBSD port and moved the regular one to track the latest git commit. It has the TLS fixes.

From what I can tell, the TLS fixes worked. I haven't seen any hung connections etc everything seems to be working great

Next: make it possible to configure the protocols and ciphers as we have no control over that right now. I have a patch to do it, but haven't fully tested it yet.

Mikey!

@mWare@ottawa.place remote

@feld I'm not recalling the TLS fixes, but it's rather moot since I'm running haproxy for IMAPS/Submission

feld

@feld@friedcheese.us remote

@mWare they were committed back to October without any announcements.

https://github.com/aox/aox/commit/39f246eab831c54e28c6be0fd5958d0f58b321c5

https://github.com/aox/aox/commit/f8559477dc462559b58bce6642b7ef983d13d8b3

Replying to @feld@friedcheese.us

feld

@feld@friedcheese.us remote

@mWare I've also submitted a patch that exposes configuration of the TLS ciphers and protocols. We'll see if they merge it. That removes one of the last reasons to use something like haproxy

one of the things that kinda sucks about using haproxy here is that you lose the client IP address. The connections table logs all of the sessions to the server and you'll just have the haproxy IP in there for everyone instead of the real IP address of the user. I doubt many people look at this, but it is a nice audit trail...

Replies

Replying to @feld@friedcheese.us

Mikey!

@mWare@ottawa.place remote

@feld https://www.haproxy.com/blog/use-the-proxy-protocol-to-preserve-a-clients-ip-address

I’d love support this anyway

Replying to @mWare@ottawa.place

feld

@feld@friedcheese.us remote

@mWare that's an interesting idea and i think it wouldn't be too hard