05-28-2008, 02:06 AM
[SOLVED] Zimbra redirects https to http when proxying
Hi guys!
I'm having problems proxying Zimbra. I have tried both with Apache and with nginx and with both I get the same problem. I want Zimbra to run only over SSL and I've set up a special domain z.domain.tld. When I go to https://z.domain.tld I want to get Zimbra and when going to http://z.domain.tld, https://*.domain.tld, http://*.domain.tld I want something else (i.e. Apache). It works as far as Zimbra login. After I have logged in Zimbra redirects me to http://z.domain.tld! If I again enter https://z.domain.tld I get logged in and can continue over SSL until I log out, which again redirects me to http.
I have tried this with both apache and nginx, different zmtlsctl settings, making Zimbra listen on https (9443) internally and http (9080), reconfiguring and reinstalling, but still the same problem. I can't really understand it and why Zimbra has to care about the domain-part after login and logout...
Anyone have any ideas on the reason for my problems? Or, if you would try to configure Zimbra to get the setup I outlined how would you do it, starting from scratch? I have reinstalled Zimbra so many times now, it's no problem to do it again!
Thanks!
/K
07-13-2009, 05:48 PM
Quote:
Originally Posted by Kallisti
Hi guys!
I'm having problems proxying Zimbra. I have tried both with Apache and with nginx and with both I get the same problem. I want Zimbra to run only over SSL and I've set up a special domain z.domain.tld. When I go to https://z.domain.tld I want to get Zimbra and when going to http://z.domain.tld, https://*.domain.tld, http://*.domain.tld I want something else (i.e. Apache). It works as far as Zimbra login. After I have logged in Zimbra redirects me to http://z.domain.tld! If I again enter https://z.domain.tld I get logged in and can continue over SSL until I log out, which again redirects me to http.
I have tried this with both apache and nginx, different zmtlsctl settings, making Zimbra listen on https (9443) internally and http (9080), reconfiguring and reinstalling, but still the same problem. I can't really understand it and why Zimbra has to care about the domain-part after login and logout...
Anyone have any ideas on the reason for my problems? Or, if you would try to configure Zimbra to get the setup I outlined how would you do it, starting from scratch? I have reinstalled Zimbra so many times now, it's no problem to do it again!
Thanks!
/K

Hi, I ran exactly into the same problem that you mentioned. I wanted my reverse web proxy (pound) in my DMZ to take care of all the HTTPS SSL stuff and to communicate via simple HTTP to the actual Zimbra server in my LAN.
However, as you say this completely breaks down after logins and logouts as Zimbra hardcodes the url to http://...
I did not attempt to solve the problem but to eliminate it: I installed nginx side-by-side with pound on the reverse web proxy.
nginx listens on port 80 and just does a basic rewrite http:// -> https://
pound listens on port 443 and does its normal stuff (SSL negotiation and then forwards the request to port 80 of the internal zimbra server)
This works like a charm! Even when the internal zimbra server sends back an http:// url, nginx picks it up and rewrites it, and hands it over to pound as https:// as if it was originally sent like this from the browser.
I hope I have helped...
Tasis
07-14-2009, 02:33 AM
Hi Tasis!
Thank you for your reply! I have actually solved this with a nginx-proxy in front, by updating some zimbra settings preventing it from redirecting me to http. I think the solution can be found in some other thread. I should have marked this as solved together with the solution so I'll do that as soon as possible.
Cheers,
/K
07-14-2009, 03:11 AM
What is the value of:
zmprov gs `zmhostname` | grep zimbraMailMode
07-14-2009, 06:45 AM
FYI, you can also just set the zimbraPublicServiceProtocol to make the backend server return https as the protocol through the proxy as well. Near as I can tell, this is done on a per-domain basis.
07-15-2009, 02:17 AM
Exactly as y@w writes. Set up zimbra using http and then make sure that the public variables, per domain, are correct:
[zimbra@domain] zmprov gd domain.tld | grep Public
zimbraPublicServiceHostname: z.domain.tld
zimbraPublicServicePort: 443
zimbraPublicServiceProtocol: https
/K
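An added example, not part of the thread: a shell check that reads the `zmprov gd` output shown in the post above and reports the public URL it implies, plus a scan of saved response headers for a redirect that drops back to plain http on the public host. The function names, the sample redirect path and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample inputs are constructed.

# Read `zmprov gd <domain>` output on stdin and print the public URL it implies.
# Exit status is non-zero unless the protocol is https and a hostname is set.
public_url() {
    awk -F': ' '
        $1 == "zimbraPublicServiceHostname" { host = $2 }
        $1 == "zimbraPublicServicePort"     { port = $2 }
        $1 == "zimbraPublicServiceProtocol" { proto = $2 }
        END {
            if (proto == "") proto = "unset"
            url = proto "://" host
            is_default = (proto == "https" && port == "443") || (proto == "http" && port == "80")
            if (port != "" && !is_default) url = url ":" port
            print url
            exit !(proto == "https" && host != "")
        }'
}

# Read HTTP response headers on stdin and print every Location value that
# points at plain http on host $1. Exit status 1 if any such redirect is found.
find_downgrades() {
    tr -d '\r' | awk -v host="$1" '
        tolower($1) == "location:" && index($2, "http://" host) == 1 { print $2; bad = 1 }
        END { exit bad + 0 }'
}

# Constructed sample: the settings from the post above.
SAMPLE_GD='zimbraPublicServiceHostname: z.domain.tld
zimbraPublicServicePort: 443
zimbraPublicServiceProtocol: https'
# Constructed sample: a post-login redirect of the kind the thread describes.
SAMPLE_REDIRECT='HTTP/1.1 302 Found
Location: http://z.domain.tld/zimbra/mail'

printf '%s\n' "$SAMPLE_GD" | public_url
if printf '%s\n' "$SAMPLE_REDIRECT" | find_downgrades z.domain.tld; then
    echo "no downgrade"
else
    echo "redirect leaves https"
fi
```

On a live server the first check would be fed with `zmprov gd domain.tld | public_url`, run as the zimbra user.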
07-15-2009, 03:18 PM
Quote:
Originally Posted by Kallisti
Exactly as y@w writes. Set up zimbra using http and then make sure that the public variables, per domain, are correct:
[zimbra@domain] zmprov gd domain.tld | grep Public
zimbraPublicServiceHostname: z.domain.tld
zimbraPublicServicePort: 443
zimbraPublicServiceProtocol: https
/K

Many thanks for all your help, can I please ask you for one clarification (just to make sure)?
By setting the "PublicService..." parameters as you specify, does Zimbra still communicate with the proxy using plain http?
I am asking because my aim is to always have this mode of operation:
Internet web client --https--> dmz proxy --http--> lan zimbra server
The reason behind this is to put as much as possible of the SSL effort on the reverse web proxy server. We are not so much concerned with the internal communication and we would leave it to plain http.
Thanks again,
Tasis
07-15-2009, 03:55 PM
We set the mail mode of the backend mailbox servers to http which made sure that they weren't adding that extra SSL overhead between the proxy and the mail store host. I would imagine you could just set the zimbraReverseProxyMailMode as well, but I haven't tried it that way.
07-16-2009, 01:50 AM
Quote:
Originally Posted by tasis
I am asking because my aim is to always have this mode of operation:
Internet web client --https--> dmz proxy --http--> lan zimbra server

Yes, this is exactly how I'm running my installation. Just set it up as you would a non-SSL server, add the Public stuff and put the proxy in front.
For zimbraadmin I have not been able to turn off SSL, so there I run https inside the server as well.
/K