PMG behind HAPROXY

[BastienH]

Hi,

I have my Proxmox Mail Gateway (version 8.1.0) behind HAProxy (on pfSense) for the web interface only, and I’d like to set up Fail2Ban to protect it.

My problem is that the visible IP is the one from HAProxy, not the actual client, even though I’m using the forwardfor option.
I assume the IP being used is taken directly from the socket.

Is there a way to change this behavior, or is there another approach I could take ?

Thanks for your help.

 

[BastienH]

Hello,
Any ideas?
Anyone?
Thanks

 

[ronanc]

Install CSF in all PMG nodes and on your HA Proxy, then, configure the CSF Clustering, and voila, when you get an IP blocked in one PMG server, this ip will be blocked in all members of your CSF Cluster and on your HA Proxy, this will prevent abusive IPs to connect in your PMG servers, it will blocked in the frontend (HA Proxy).

 

[BastienH]

Hello,

Thanks for the feedback. I was thinking more of a configuration to do on Haproxy so that the IP seen by pmg is the attacker's public ip and not the Haproxy's private ip but I'll have a look at CSF.

If anyone has another idea don't hesitate

Thanks to all