Proxy Servers

• Table of Contents
• Is delivering through reverse-proxy servers supported?
• Is putting GreenArrow behind a reverse-proxy or load-balancer supported?

Is delivering through reverse-proxy servers supported?

We support both HAProxy and our own reverse-proxy server, GreenArrow Proxy.

Our cluster documentation describes both:

• Cluster architecture using HAProxy
• Cluster architecture using GreenArrow Proxy

GreenArrow Proxy provides additional functionality not available through HAProxy:

• Connection reuse is performed on the proxy, so a connection opened to perform a delivery needed by one MTA may be reused by another MTA to deliver to the same destination.

  • This is an advantage when delivering to destinations with very low concurrent connection limits and for clusters with large numbers of smaller MTAs. Without this behavior, a connection might not be able to deliver the maximum number of messages that are allowed by the connection reuse parameters, even if there are messages waiting on other MTAs in the cluster. When using STARTTLS there is an overhead for opening a new connection, so opening fewer new connections is better.

• Collaborative throttling decisions for IPs hosted on that reverse proxy are performed on that reverse proxy. This has advantages to other MTA’s collaborative throttling implementations:

  • There is no external service (such as Redis) that can act as a single-point-of-failure for the MTA cluster. The reverse proxy is already a single-point of failure for deliveries done from the IP addresses hosted on that reverse proxy, so making the throttle decisions on the same host does not add any new dependencies.

  • The full capacity of each throttling limit is fully available to every MTA in the cluster. Some implementations, for example, if there are five MTAs in a cluster, each MTA is configured to allow 1/5th of the overall throttling limit to each MTA. In this case, some MTAs can be saturated at their limits, and other MTAs could not have saturated their limit.

Is putting GreenArrow behind a reverse-proxy or load-balancer supported?

For SMTP, the PROXY protocol is supported, so that a load balancer can communicate the original source and destination IP address to GreenArrow. Please contact technical support for instructions on how to enable this.

For HTTP and HTTPS, both standard HTTP/HTTPS reverse proxies and Cloudflare are supported. This is documented on under Processing Clicks and Opens Behind a Proxy Server, although this information applies to all HTTP/HTTPS access to GreenArrow, including API access. Reverse proxies can be trusted by source IP using the http_trusted_proxy_ips directive or by a header using the http_trusted_proxy_auth_header directive.

For SMTP and HTTP/HTTPS, a Network Load Balancer that preserves the original source IP address of the TCP connection is, of course, supported.