ZCS Administrator's Guide 8.0.3
Open Source Edition



Configure ZCS HTTP Proxy
Zimbra Proxy can reverse proxy HTTP requests to the right back-end server.
For example, users can use a web browser to connect to the proxy server at http://mail.example.com. The connection from users whose mailboxes live on mbs1.example.com is proxied to mbs1.example.com by the proxy running on the mail.example.com server. REST and CalDAV clients, Zimbra Connector for Outlook, Zimbra Connector for BES, and Zimbra Mobile Sync devices are also supported by the proxy.
Note:
HTTP reverse proxy routes requests as follows:
*
*
If the request has an auth token cookie (ZM_AUTH_TOKEN), the request is routed to the backend mailbox server of the authenticated user.
*
Setting Up HTTP Proxy
To set up HTTP proxy, Zimbra Proxy must be installed on the identified nodes.
Note:
You can run the command as zmproxyconfig -r to run it against a remote host. This requires the server to be properly configured in the LDAP master.
Set Up HTTP Proxy as a Separate Proxy Node
When your configuration includes a separate proxy server, follow these steps.
1.
/opt/zimbra/libexec/zmproxyconfig -e -w -H mailbox.node.service.hostname
This configures the following:
zimbraMailReferMode to reverse-proxied. See Note below.
zimbraMailPort to 8080, to avoid port conflicts.
zimbraMailSSLPort to 8443, to avoid port conflicts.
zimbraMailMode to http. This is the only supported mode.
2.
zmcontrol restart
3.
zmprov modifyDomain <domain.com> zimbraPublicServiceHostname <hostname.domain.com>
Set Up Proxy Node
 
1.
/opt/zimbra/libexec/zmproxyconfig -e -w -H proxy.node.service.hostname
This configures the following:
zimbraMailReferMode to reverse-proxied. See Note below.
zimbraMailProxyPort to 80, to avoid port conflicts.
zimbraMailSSLProxyPort to 443, to avoid port conflicts.
zimbraReverseProxyHttpEnabled to TRUE to indicate that Web proxy is enabled.
zimbraReverseProxyMailMode defaults to HTTP.
To set the proxy server mail mode, add the -x option to the command with the specific mode: http, https, both, redirect, mixed.
Set Up a Single Node for HTTP Proxy
If Zimbra proxy is installed along with ZCS on the same server, follow this step.
1.
/opt/zimbra/libexec/zmproxyconfig -e -w -H mailbox.node.service.hostname
This configures the following:
zimbraMailReferMode to reverse-proxied. See Note below.
zimbraMailPort to 8080, to avoid port conflicts.
zimbraMailSSLPort to 8443, to avoid port conflicts.
zimbraMailMode to http. This is the only supported mode.
zimbraMailProxyPort to 80, to avoid port conflicts.
zimbraMailSSLProxyPort to 443, to avoid port conflicts.
zimbraReverseProxyHttpEnabled to TRUE to indicate that Web proxy is enabled.
zimbraReverseProxyMailMode defaults to HTTP.
To set the proxy server mail mode, add the -x option to the command with the specific mode: http, https, both, redirect, mixed.
2.
zmcontrol restart
Configure each domain with the public service host name to be used for REST URLs, email and Briefcase folders.
zmprov modifyDomain <domain.com> zimbraPublicServiceHostname <hostname.domain.com>
REST URL Generation
For REST URLs, you set the host name, service protocol, and service port globally or for a specific domain from the following attributes.
When generating REST URLs:
If domain.zimbraPublicServiceHostname is set, use zimbraPublicServiceProtocol + zimbraPublicServiceHostname + zimbraPublicServicePort
Note:
Why use zimbraMailReferMode - In earlier versions, a local config variable called zimbra_auth_always_send_refer determined which action the back-end server took when a user’s mailbox did not reside on the server that the user logged in to. The default value of FALSE redirected the user if the user was logging in on the wrong backend host.
On a multiserver ZCS, if a load balanced name was needed to create a friendly landing page, a user would always have to be redirected. In that case, zimbra_auth_always_send_refer was set to TRUE.
Now with a full-fledged reverse proxy, users do not need to be redirected. The localconfig variable zimbraMailReferMode is used with nginx reverse proxy.
Set Proxy Trusted IP Addresses
When a proxy is configured with ZCS, each proxy server’s IP address must be configured in LDAP attribute zimbraMailTrustedIP to identify the proxy addresses as trusted when users log in through the proxy. The proxy IP address is added to the X-Forwarded-For header information. The X-Forwarded-For header is automatically added to the localconfig zimbra_http_originating_ip_header attribute. When a user logs in, this IP address and the user’s address are verified in the Zimbra mailbox log.
Set each proxy IP address in the attribute. For example, if you have two proxy servers:
zmprov mcf +zimbraMailTrustedIP {IP of nginx-1} +zimbraMailTrustedIP {IP of nginx-2}
Note:
To verify that X-Forwarded-For was correctly added to the localconfig, type zmlocalconfig | grep -i http. You should see zimbra_http_originating_ip_header = X-Forwarded-For.
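The following check is an added example, not part of the original guide. It parses saved output of zmprov gcf zimbraMailTrustedIP and zmlocalconfig zimbra_http_originating_ip_header and reports proxy IPs missing from the trusted list, trusted entries that are not one of your proxies, and whether the originating-IP header is set. The sample text, the 192.0.2.x addresses, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the trusted-proxy settings described above.
# Inputs are saved command output; the samples below are constructed.

# Constructed sample of: zmprov gcf zimbraMailTrustedIP
SAMPLE_GCF='zimbraMailTrustedIP: 192.0.2.10
zimbraMailTrustedIP: 192.0.2.99'
# Constructed sample of: zmlocalconfig zimbra_http_originating_ip_header
SAMPLE_LC='zimbra_http_originating_ip_header = X-Forwarded-For'
# Hypothetical proxy node addresses (nginx-1, nginx-2)
PROXIES='192.0.2.10 192.0.2.11'

# Print the configured zimbraMailTrustedIP values, one per line.
trusted_ips() {
    printf '%s\n' "$1" | awk '$1 == "zimbraMailTrustedIP:" { print $2 }'
}

# Print each proxy IP ($2...) that is absent from the trusted list ($1).
missing_trusted_ips() {
    config=$1; shift
    for ip in "$@"; do
        trusted_ips "$config" | grep -Fxq -- "$ip" || printf '%s\n' "$ip"
    done
}

# Print each trusted entry ($1) that is not one of the proxy IPs ($2...).
unexpected_trusted_ips() {
    config=$1; shift
    expected=" $* "
    trusted_ips "$config" | while read -r ip; do
        case "$expected" in
            *" $ip "*) ;;
            *) printf '%s\n' "$ip" ;;
        esac
    done
}

# Succeed only if localconfig names X-Forwarded-For as the originating-IP header.
xff_header_configured() {
    printf '%s\n' "$1" | grep -Eq \
        '^zimbra_http_originating_ip_header[[:space:]]*=[[:space:]]*X-Forwarded-For[[:space:]]*$'
}

# Run the three checks against the constructed samples.
echo "missing: $(missing_trusted_ips "$SAMPLE_GCF" $PROXIES)"
echo "review:  $(unexpected_trusted_ips "$SAMPLE_GCF" $PROXIES)"
xff_header_configured "$SAMPLE_LC" && echo "header: ok" || echo "header: NOT set"
```

A proxy reported as missing will not be treated as trusted when users log in through it. An entry reported for review is trusted but is not one of the listed proxies, so confirm it is intentional.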
Copyright © 2013 VMware Inc.