01-02-2008, 09:16 PM
greenrenault
[SOLVED] Zimbra 5 Mobile, sync using SSL and Apache Proxy does not work

G'day All

Just thought I'd post this solution to help anyone unable to sync Zimbra 5 using SSL when Zimbra is behind an Apache Proxy server.

We use Apache 2 to proxy requests to Zimbra and some other web servers in our network. After upgrading to Zimbra 5 we noticed that email was no longer syncing using SSL on our Nokia E61s using Mail for Exchange 2.02 (i.e. it just failed with the error: 'Connection error'). It is important to note that webmail was working fine on both HTTP and HTTPS, and that syncing using a non-SSL connection was also working. Only sync using SSL was failing with this setup.

The following entries appear in the Apache Proxy server access log.
Code:
69.200.121.1 - - [03/Jan/2008:14:25:02 +1100] "OPTIONS /Microsoft-Server-ActiveSync?User=somedood%40something.net&DeviceId=IMEI356213000206945&DeviceType=IMEI356213000206945 HTTP/1.1" 200 - "-" "NokiaE61/1.0"
69.200.121.1 - - [03/Jan/2008:14:25:02 +1100] "POST /Microsoft-Server-ActiveSync?User=somedood%40something.net&DeviceId=IMEI356213000206945&DeviceType=IMEI356213000206945&Cmd=FolderSync HTTP/1.1" 502 - "-" "NokiaE61/1.0"
The following entries appear in the Apache Proxy server error log.
Code:
[Thu Jan 03 14:25:03 2008] [error] [client 69.200.121.1] proxy: error reading status line from remote server webmail.something.net
[Thu Jan 03 14:25:03 2008] [error] [client 69.200.121.1] proxy: Error reading from remote server returned by /Microsoft-Server-ActiveSync
[Thu Jan 03 14:25:03 2008] [error] [client 69.200.121.1] proxy: error reading status line from remote server webmail.something.net
[Thu Jan 03 14:25:03 2008] [error] [client 69.200.121.1] proxy: Error reading from remote server returned by /error/HTTP_BAD_GATEWAY.html.var
After a fair amount of investigation I tracked the problem down to the way that requests were being proxied to the Zimbra server using SSL. Something has changed in Zimbra 5 which breaks the comms between the proxy server and Zimbra. There was nothing wrong with the Nokia, Mail for Exchange or anything in between. Googling found this post with a similar problem for another system: Using Apache with mod_proxy - Confluence 2.7 - Confluence

The solution is to use the following in the Apache proxy server.
Code:
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
From mod_proxy - Apache HTTP Server
Quote:
For circumstances where mod_proxy is sending requests to an origin server that doesn't properly implement keepalives or HTTP/1.1, there are two environment variables that can force the request to use HTTP/1.0 with no keepalive. These are set via the SetEnv directive.
Code:
<Location /buggyappserver/>
ProxyPass http://buggyappserver:7001/foo/
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
</Location>
Our original Apache proxy virtual host configuration (which did work with Zimbra 4.5 Mobile on SSL but does NOT work with Zimbra 5 Mobile SSL).

Code:
<VirtualHost *:443>
 ServerAdmin support@something.net
 DocumentRoot /srv/www/htdocs/gonzo
 ServerName webmail.something.net
 ErrorLog /var/log/apache2/webmail.something.net_ssl-error_log
 CustomLog /var/log/apache2/webmail.something.net_ssl-access_log combined
 SSLEngine On
 SSLCertificateFile /etc/apache2/ssl.crt/something.net.crt
 SSLCertificateKeyFile /etc/apache2/ssl.key/something.net.key
 SSLProxyEngine On
 SSLProxyVerify none
 ProxyPass / https://webmail.something.net/
 ProxyPassReverse /  https://webmail.something.net/
 ProxyRequests Off
 ProxyPreserveHost On
</VirtualHost>
And below is the updated Apache proxy virtual host configuration which now works with Zimbra 5 Mobile and SSL.
Code:
<VirtualHost *:443>
 ServerAdmin support@something.net
 DocumentRoot /srv/www/htdocs/gonzo
 ServerName webmail.something.net
 ErrorLog /var/log/apache2/webmail.something.net_ssl-error_log
 CustomLog /var/log/apache2/webmail.something.net_ssl-access_log combined
 SSLEngine On
 SSLCertificateFile /etc/apache2/ssl.crt/something.net.crt
 SSLCertificateKeyFile /etc/apache2/ssl.key/something.net.key
 SSLProxyEngine On
 SSLProxyVerify none
 ProxyPass / https://webmail.something.net/
 ProxyPassReverse /  https://webmail.something.net/
 ProxyRequests Off
 ProxyPreserveHost On
 <Proxy *>
  Order deny,allow
  Allow from all
 </Proxy>
 <Location />
  ProxyPass https://webmail.something.net
  SetEnv force-proxy-request-1.0 1
  SetEnv proxy-nokeepalive 1
 </Location>
</VirtualHost>
Hope this helps someone else (this took about 8 hours to solve).

Last edited by greenrenault : 01-03-2008 at 01:21 PM. Reason: Forgot to mention that proxying for webmail on http/https and non-ssl sync was still working
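A narrower variant of the working configuration above, as an added example that is not part of the original post and was not tested by its author. It assumes the HTTP/1.0 and no-keepalive workaround is only needed on the `/Microsoft-Server-ActiveSync` path (the post reports that webmail itself kept working), and it replaces `SSLProxyVerify none` with verification of the Zimbra server's certificate; the CA bundle path is a placeholder.

```apache
<VirtualHost *:443>
 ServerAdmin support@something.net
 ServerName webmail.something.net
 ErrorLog /var/log/apache2/webmail.something.net_ssl-error_log
 CustomLog /var/log/apache2/webmail.something.net_ssl-access_log combined

 SSLEngine On
 SSLCertificateFile /etc/apache2/ssl.crt/something.net.crt
 SSLCertificateKeyFile /etc/apache2/ssl.key/something.net.key

 # Proxy-to-backend TLS. With "SSLProxyVerify none" the proxy accepts any
 # certificate the backend presents, so the proxy-to-Zimbra hop is encrypted
 # but not authenticated. Requiring verification against a known CA closes that gap.
 SSLProxyEngine On
 SSLProxyVerify require
 # Placeholder path (assumption): the CA that signed the Zimbra server's certificate.
 SSLProxyCACertificateFile /etc/apache2/ssl.crt/PLACEHOLDER-zimbra-ca.crt

 # Reverse proxy only; ProxyRequests Off keeps forward proxying disabled.
 ProxyRequests Off
 ProxyPreserveHost On
 ProxyPass / https://webmail.something.net/
 ProxyPassReverse / https://webmail.something.net/

 # Apply the workaround only to the sync endpoint that returned 502 in the
 # access log, so other traffic keeps HTTP/1.1 and keepalive to the backend.
 <Location /Microsoft-Server-ActiveSync>
  SetEnv force-proxy-request-1.0 1
  SetEnv proxy-nokeepalive 1
 </Location>
</VirtualHost>
```

If sync starts failing again after enabling verification, check the proxy error log for certificate verification errors before falling back to `SSLProxyVerify none`.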