Thread: [SOLVED] Zimbra redirects https to http when proxying

  1. #1
    Kallisti is offline Loyal Member
    Join Date
    Jan 2008
    Posts
    79
    Rep Power
    7

    [SOLVED] Zimbra redirects https to http when proxying

    Hi guys!

    I'm having problems proxying Zimbra. I have tried both with Apache and with nginx and with both I get the same problem. I want Zimbra to run only over SSL and I've set up a special domain z.domain.tld. When I go to https://z.domain.tld I want to get Zimbra and when going to http://z.domain.tld, https://*.domain.tld, http://*.domain.tld I want something else (i.e. Apache). It works as far as Zimbra login. After I have logged in Zimbra redirects me to http://z.domain.tld! If I again enter https://z.domain.tld I get logged in and can continue over SSL until I log out, which again redirects me to http.

    I have tried this with both apache and nginx, different zmtlsctl settings, making Zimbra listen on https (9443) internally and http (9080), reconfiguring and reinstalling, but still the same problem. I can't really understand it and why Zimbra has to care about the domain-part after login and logout...

    Anyone have any ideas on the reason for my problems? Or, if you would try to configure Zimbra to get the setup I outlined how would you do it, starting from scratch? I have reinstalled Zimbra so many times now, it's no problem to do it again!

    Thanks!
    /K

  2. #2
    tasis is offline Junior Member
    Join Date
    Jul 2009
    Location
    Athens Greece
    Posts
    7
    Rep Power
    6


    Quote: Originally posted by Kallisti
    Hi guys!

    I'm having problems proxying Zimbra. I have tried both with Apache and with nginx and with both I get the same problem. I want Zimbra to run only over SSL and I've set up a special domain z.domain.tld. When I go to https://z.domain.tld I want to get Zimbra and when going to http://z.domain.tld, https://*.domain.tld, http://*.domain.tld I want something else (i.e. Apache). It works as far as Zimbra login. After I have logged in Zimbra redirects me to http://z.domain.tld! If I again enter https://z.domain.tld I get logged in and can continue over SSL until I log out, which again redirects me to http.

    I have tried this with both apache and nginx, different zmtlsctl settings, making Zimbra listen on https (9443) internally and http (9080), reconfiguring and reinstalling, but still the same problem. I can't really understand it and why Zimbra has to care about the domain-part after login and logout...

    Anyone have any ideas on the reason for my problems? Or, if you would try to configure Zimbra to get the setup I outlined how would you do it, starting from scratch? I have reinstalled Zimbra so many times now, it's no problem to do it again!

    Thanks!
    /K

    Hi, I ran exactly into the same problem that you mentioned. I wanted my reverse web proxy (pound) in my DMZ to take care of all the HTTPS SSL stuff and to communicate via simple HTTP to the actual Zimbra server in my LAN.

    However, as you say this completely breaks down after logins and logouts as Zimbra hardcodes the url to http://...

    I did not attempt to solve the problem but to eliminate it: I installed nginx side-by-side with pound on the reverse web proxy.

    nginx listens on port 80 and just does a basic rewrite http:// -> https://
    pound listens on port 443 and does its normal stuff (SSL negotiation and then forwards the request to port 80 of the internal zimbra server)

    This works like a charm! Even when the internal zimbra server sends back an http:// url, nginx picks it up and rewrites it, and hands it over to pound as https:// as if it was originally sent like this from the browser.

    I hope I have helped...

    Tasis

  3. #3
    Kallisti is offline Loyal Member
    Join Date
    Jan 2008
    Posts
    79
    Rep Power
    7


    Hi Tasis!

    Thank you for your reply! I have actually solved this with a nginx-proxy in front, by updating some zimbra settings preventing it from redirecting me to http. I think the solution can be found in some other thread. I should have marked this as solved together with the solution so I'll do that as soon as possible.

    Cheers,
    /K

  4. #4
    veronica is offline Outstanding Member
    Join Date
    Jun 2008
    Posts
    594
    Rep Power
    8


    What is the value of:
    zmprov gs `zmhostname` | grep zimbraMailMode

  5. #5
    y@w is offline Moderator
    Join Date
    Jan 2008
    Posts
    658
    Rep Power
    8


    FYI, you can also just set the zimbraPublicServiceProtocol to make the backend server return https as the protocol through the proxy as well. Near as I can tell, this is done on a per-domain basis.

  6. #6
    Kallisti is offline Loyal Member
    Join Date
    Jan 2008
    Posts
    79
    Rep Power
    7


    Exactly as y@w writes. Set up Zimbra using http and then make sure that the public variables, per domain, are correct:

    [zimbra@domain] zmprov gd domain.tld | grep Public
    zimbraPublicServiceHostname: z.domain.tld
    zimbraPublicServicePort: 443
    zimbraPublicServiceProtocol: https

    /K

  7. #7
    tasis is offline Junior Member
    Join Date
    Jul 2009
    Location
    Athens Greece
    Posts
    7
    Rep Power
    6


    Quote: Originally posted by Kallisti
    Exactly as y@w writes. Set up Zimbra using http and then make sure that the public variables, per domain, are correct:

    [zimbra@domain] zmprov gd domain.tld | grep Public
    zimbraPublicServiceHostname: z.domain.tld
    zimbraPublicServicePort: 443
    zimbraPublicServiceProtocol: https
    /K

    Many thanks for all your help, can I please ask you for one clarification (just to make sure)?

    By setting the "PublicService..." parameters as you specify, does Zimbra still communicate with the proxy using plain http?

    I am asking because my aim is to always have this mode of operation:

    Internet web client --https--> dmz proxy --http--> lan zimbra server

    The reason behind this is to put as much as possible of the SSL effort on the reverse web proxy server. We are not so much concerned with the internal communication and we would leave it to plain http.

    Thanks again,

    Tasis

  8. #8
    y@w is offline Moderator
    Join Date
    Jan 2008
    Posts
    658
    Rep Power
    8


    We set the mail mode of the backend mailbox servers to http which made sure that they weren't adding that extra SSL overhead between the proxy and the mail store host. I would imagine you could just set the zimbraReverseProxyMailMode as well, but I haven't tried it that way.

  9. #9
    Kallisti is offline Loyal Member
    Join Date
    Jan 2008
    Posts
    79
    Rep Power
    7


    Quote: Originally posted by tasis
    I am asking because my aim is to always have this mode of operation:

    Internet web client --https--> dmz proxy --http--> lan zimbra server

    Yes, this is exactly how I'm running my installation. Just set it up as you would a non-SSL server, add the Public stuff and put the proxy in front.

    For zimbraadmin I have not been able to turn off SSL, so there I run https inside the server as well.
    /K
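
Added example, not part of any post in this thread: a shell check for the per-domain Public attributes posted in #6 and for the https-to-http redirect symptom described in #1. The function names and sample inputs are constructed; the functions read `zmprov gd` output or response headers on stdin.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and samples are constructed.
# Real use:  zmprov gd domain.tld | audit_public_service z.domain.tld
#            curl -sI <url> | redirect_downgrades && echo "redirects to http"
# Fix, if the audit fails (zmprov md = modify domain):
#   zmprov md domain.tld zimbraPublicServiceHostname z.domain.tld \
#       zimbraPublicServicePort 443 zimbraPublicServiceProtocol https

# Print the value of one "name: value" attribute from zmprov output on stdin.
attr_value() {
    awk -v key="$1" -F': ' '$1 == key { print $2; exit }'
}

# Reads `zmprov gd` output on stdin; $1 is the expected public hostname.
# Prints one line per wrong attribute; returns 0 only if all three match.
audit_public_service() {
    dump=$(cat)
    rc=0
    for pair in "zimbraPublicServiceProtocol=https" \
                "zimbraPublicServicePort=443" \
                "zimbraPublicServiceHostname=$1"; do
        name=${pair%%=*}
        want=${pair#*=}
        have=$(printf '%s\n' "$dump" | attr_value "$name")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $name: have '${have:-unset}', want '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Reads response headers on stdin; returns 0 if a Location header is plain http.
redirect_downgrades() {
    tr -d '\r' | grep -qi '^location:[[:space:]]*http://'
}

# Constructed sample: public attributes still describing plain http.
SAMPLE_BEFORE='zimbraPublicServiceHostname: z.domain.tld
zimbraPublicServicePort: 80
zimbraPublicServiceProtocol: http'
# Constructed sample: the values posted in #6.
SAMPLE_AFTER='zimbraPublicServiceHostname: z.domain.tld
zimbraPublicServicePort: 443
zimbraPublicServiceProtocol: https'

printf '%s\n' "$SAMPLE_BEFORE" | audit_public_service z.domain.tld || true
printf '%s\n' "$SAMPLE_AFTER" | audit_public_service z.domain.tld && echo "OK"
```

Run the redirect check against the login and logout responses as seen through the proxy, since those are the two points where the thread reports the downgrade.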
