ZCS Administrator's Guide 7.2.3
Open Source Edition



Configuring ZCS HTTP Proxy
In addition to IMAP/POP3 proxying, the Zimbra proxy package based on nginx is also able to reverse proxy HTTP requests to the right backend server.
Using an nginx-based reverse proxy for HTTP helps to hide names of backend mailbox servers from end users.
For example, users can always use their web browser to visit the proxy server at http://mail.example.com. The connection from users whose mailboxes live on mbs1.example.com is proxied to mbs1.example.com by the proxy running on the mail.example.com server. In addition to the ZCS web interface, clients such as REST and CalDAV clients, Zimbra Connector for Outlook, Zimbra Connector for BES, and Zimbra Mobile Sync devices are also supported by the proxy.
Note:
HTTP reverse proxy routes requests as follows:
* If the request has an auth token cookie (ZM_AUTH_TOKEN), the request is routed to the backend mailbox server of the authenticated user.
*
*
Setting up HTTP Proxy after IMAP/POP Proxy is set up
Zimbra Proxy is installed with ZCS and is set up during installation from the ZCS configuration menus. Zimbra Proxy must be installed on the identified proxy nodes in order to set up HTTP proxy. No other configuration is usually required.
To set up HTTP(s) proxy after you have already installed Zimbra Proxy for IMAP/POP, set up the Zimbra mailbox server and the proxy node as described in the following two sections.
Note:
To run the command against a remote host, use zmproxyconfig -r. Note that this requires the server to be properly configured in the LDAP master.
Setting Up HTTP Proxy With Separate Proxy Node
When your configuration includes a separate proxy server, follow these steps.
Set Up Zimbra Mailbox Servers
1. /opt/zimbra/libexec/zmproxyconfig -e -w -H mailbox.node.service.hostname
This configures the following:
* zimbraMailReferMode to reverse-proxied. See Note below.
* zimbraMailPort to 8080, to avoid port conflicts.
* zimbraMailSSLPort to 8443, to avoid port conflicts.
* zimbraMailMode to http. This is the only supported mode.
2. zmcontrol restart
3. zmprov modifyDomain <domain.com> zimbraPublicServiceHostname <hostname.domain.com>
Set Up Proxy Node
1. /opt/zimbra/libexec/zmproxyconfig -e -w -H proxy.node.service.hostname
This configures the following:
* zimbraMailReferMode to reverse-proxied. See Note below.
* zimbraMailProxyPort to 80, to avoid port conflicts.
* zimbraMailSSLProxyPort to 443, to avoid port conflicts.
* zimbraReverseProxyHttpEnabled to TRUE to indicate that Web proxy is enabled.
* zimbraReverseProxyMailMode defaults to HTTP.
If you want to set the proxy server mail mode, add the -x option to the command with the mode you want: http, https, both, redirect, mixed.
Setting Up a Single Node for HTTP Proxy
When Zimbra proxy is installed along with ZCS on the same server, follow these steps.
1. /opt/zimbra/libexec/zmproxyconfig -e -w -H mailbox.node.service.hostname
This configures the following:
* zimbraMailReferMode to reverse-proxied. See Note below.
* zimbraMailPort to 8080, to avoid port conflicts.
* zimbraMailSSLPort to 8443, to avoid port conflicts.
* zimbraMailMode to http. This is the only supported mode.
* zimbraMailProxyPort to 80, to avoid port conflicts.
* zimbraMailSSLProxyPort to 443, to avoid port conflicts.
* zimbraReverseProxyHttpEnabled to TRUE to indicate that Web proxy is enabled.
* zimbraReverseProxyMailMode defaults to HTTP.
If you want to set the proxy server mail mode, add the -x option to the command with the mode you want: http, https, both, redirect, mixed.
2. zmcontrol restart
Configure each domain with the public service host name to be used for REST URLs, email and Briefcase folders. Type
zmprov modifyDomain <domain.com> zimbraPublicServiceHostname <hostname.domain.com>
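A check to run after the restart, added here as an example and not part of the Zimbra guide or tooling: it compares an attribute dump against the single-node values listed above. It assumes input in the "attr: value" form that zmprov gs prints; the function name and the sample dump are constructed for illustration, and zimbraReverseProxyMailMode is left out because it depends on the -x option.

```shell
#!/bin/sh
# Added example: verify the attributes this page lists for a single-node setup.
# Input is "attr: value" text as printed by `zmprov gs <server-hostname>`.

# Expected values, taken from the single-node list on this page.
EXPECTED='zimbraMailReferMode reverse-proxied
zimbraMailPort 8080
zimbraMailSSLPort 8443
zimbraMailMode http
zimbraMailProxyPort 80
zimbraMailSSLProxyPort 443
zimbraReverseProxyHttpEnabled TRUE'

# Constructed sample dump (not real server output): one wrong port and
# zimbraReverseProxyHttpEnabled absent.
SAMPLE_DUMP='# name mailbox.node.service.hostname
zimbraMailReferMode: reverse-proxied
zimbraMailPort: 80
zimbraMailSSLPort: 8443
zimbraMailMode: http
zimbraMailProxyPort: 80
zimbraMailSSLProxyPort: 443'

# check_proxy_attrs: read a dump on stdin, print one line per problem,
# and return the number of problems as the exit status (0 = all match).
check_proxy_attrs() {
    dump=$(cat)
    problems=0
    while read -r attr want; do
        got=$(printf '%s\n' "$dump" |
              awk -F': ' -v a="$attr" '$1 == a { v = $2 } END { print v }')
        if [ -z "$got" ]; then
            echo "MISSING  $attr (expected $want)"
            problems=$((problems + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $attr: got $got, expected $want"
            problems=$((problems + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$problems"
}

# Demo on the constructed sample; on a server, pipe zmprov gs output instead.
printf '%s\n' "$SAMPLE_DUMP" | check_proxy_attrs || echo "problems found: $?"
```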
REST URL Generation
When HTTP proxy is enabled, the following attributes can be set globally or by domain for REST URL:
When generating REST URLs:
If domain.zimbraPublicServiceHostname is set, use zimbraPublicServiceProtocol + zimbraPublicServiceHostname + zimbraPublicServicePort
Note:
Why use zimbraMailReferMode - In earlier versions of Zimbra, a local config variable called zimbra_auth_always_send_refer was used to determine what the backend server did when a user whose mailbox did not reside on that server logged in on that server. The default value of FALSE meant that the backend server would only redirect the user if the user was logging in on the wrong backend host.
On a multi-server ZCS, however, if a load balanced name was needed to create a friendly landing page, a user would always have to be redirected. In that case, zimbra_auth_always_send_refer was set to TRUE.
Now with a full-fledged reverse proxy, users do not need to be redirected. The localconfig variable zimbraMailReferMode is used with nginx reverse proxy.
Setting Proxy Trusted IP Addresses
When a proxy is configured with ZCS, each proxy server’s IP address must be configured in the LDAP attribute zimbraMailTrustedIP to identify the proxy addresses as trusted when users log in through the proxy. The proxy IP address is added to the X-Forwarded-For header information. The X-Forwarded-For header is automatically added to the localconfig zimbra_http_originating_ip_header attribute. When a user logs in, this IP address and the user’s address are verified in the Zimbra mailbox log.
You set each proxy IP address in the attribute. For example, if you have two proxy servers, you would run the command as follows:
 
Note:
To verify that X-Forwarded-For was correctly added to the localconfig, type zmlocalconfig | grep -i http. You should see zimbra_http_originating_ip_header = X-Forwarded-For.
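Why only proxy addresses belong in zimbraMailTrustedIP, shown as an added example (a generic trusted-proxy rule written for this page, not Zimbra's own code): the forwarded header is honoured only when the connecting peer is a listed proxy, so a header sent by any other host cannot change the address that gets logged. The function name and all addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: resolve the address to log for a request.
# usage: originating_ip PEER_IP X_FORWARDED_FOR TRUSTED_PROXY_IP...

originating_ip() {
    peer=$1
    xff=$2
    shift 2
    trusted=" $* "              # space-delimited list for whole-word matching

    # Peer is not a listed proxy: the header is client-controlled, ignore it.
    case "$trusted" in
        *" $peer "*) ;;
        *) echo "$peer"; return ;;
    esac

    # Peer is a listed proxy: walk the header right to left and stop at the
    # first hop that is not itself a listed proxy. Entries further left were
    # supplied by that hop and are not relied on.
    candidate=$peer
    rest=$(printf '%s' "$xff" | tr -d ' ')
    while [ -n "$rest" ]; do
        hop=${rest##*,}
        case "$rest" in
            *,*) rest=${rest%,*} ;;
            *)   rest= ;;
        esac
        candidate=$hop
        case "$trusted" in
            *" $hop "*) ;;      # another listed proxy, keep walking
            *) break ;;
        esac
    done
    echo "$candidate"
}

# Constructed demo: two listed proxies, 10.0.0.5 and 10.0.0.6.
originating_ip 10.0.0.5 '203.0.113.9' 10.0.0.5 10.0.0.6      # via a listed proxy
originating_ip 198.51.100.7 '10.1.1.1' 10.0.0.5 10.0.0.6     # direct, header ignored
```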
Copyright © 2013 VMware Inc.