
Thread: [SOLVED] zimbra-proxy limitations

  1. #1
    Klug (Moderator)
    Join Date: Mar 2006
    Location: Beaucaire, France
    Posts: 2,316

    I've just tried to set up a zimbra-proxy (single mailbox server).

    The idea is to get zimbra-proxy in a DMZ for external access and the mailbox server on the LAN for internal access.

    LAN internal access is currently done through https and I don't want to change this (https and port 443).

    zimbra-proxy seems to be coded to talk to port 8080 by default (hope it's not hardcoded), how can we change this?
    The config file is /opt/zimbra/conf/nginx/includes/nginx.conf.web.https but gets rewritten on zimbra-proxy start 8)
    What is the zmprov attribute for it?

    In this config file, it's also stated zimbra-proxy only speaks http to the upstream mailbox servers... Why?!
    Last edited by Klug; 08-08-2008 at 05:33 AM.

  2. #2
    Klug (Moderator)

    Answering myself 8)

    It seems all this is related to zmproxyinit and the way it's launched.

    The doc says:
    Code:
    On each proxy node that has the proxy service installed, enable the proxy for the web. Type

    /opt/zimbra/libexec/zmproxyinit -e -w proxy.node.service.hostname

    I don't understand if "proxy.node.service.hostname" is the mailbox server you want to proxify or the proxy server you want to enable.

    It populates the LDAP in such a way that when you launch zimbra-proxy, /opt/zimbra/conf/nginx/includes/nginx.conf.web gets itself populated with the list of the back-end mailbox servers...

    Additional info here: Bug 28083 – Improvements to zmproxyinit

    Next step is to find a way to remove the proxy server from the upstream servers ("zmproxyinit -d -w proxy.domain.tld" does not work) and populate this list with the ports I want (and not 8080).
    Last edited by Klug; 08-08-2008 at 05:37 AM.

  3. #3
    Klug (Moderator)

    Got worse.

    proxy.domain.tld:80 is now in "upstream zimbra"...
    No clue where the ":80" comes from, it changed from ":8080" to ":80" after I tried "/opt/zimbra/libexec/zmproxyinit -d -w proxy.domain.tld"...

    And trying to force the ports with "/opt/zimbra/libexec/zmproxyinit -e -w mailbox.domain.tld -a 80:80:443:443" does not work.
    I still have "mailbox.domain.tld:8080" in "upstream zimbra".

  4. #4
    Klug (Moderator)

    That's it, I'm mad.

    I ran "/opt/zimbra/libexec/zmproxyinit -e -w mailbox.domain.tld" (from the proxy server) because I want mailbox.domain.tld to be in the "zimbra upstream" list. But, as I did this, zimbra-proxy now tries to run on mailbox.domain.tld while I don't want it to run here!

    If I run "/opt/zimbra/libexec/zmproxyinit -d -w proxy.domain.tld", the web proxy is no longer running on the proxy server and the proxy appears in the "upstream zimbra" (on port 80).

    If I run "/opt/zimbra/libexec/zmproxyinit -e -w proxy.domain.tld", web proxy runs on the proxy server but the proxy appears in the "upstream zimbra" (on port 8080) and it gives me a "502 Bad Gateway" (because nginx tries to connect to proxy.domain.tld:8080 while there's nothing on this).

    Is there any _correct_ documentation about setting up zimbra-proxy (and the _correct_ zmprov and zmproxyinit commands to run)?
    Last edited by Klug; 08-08-2008 at 05:39 AM.
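
An added example, not part of the thread and not Zimbra's own tooling: a Python check for the symptom described in the posts above, where the proxy host itself ends up in the generated "upstream zimbra" list and nginx answers 502 Bad Gateway. The sample include is constructed with standard nginx `upstream` syntax (the file Zimbra writes may carry extra directives), and `upstream_servers` / `audit_upstream` are hypothetical names.

```python
import re

# Constructed sample of a generated include such as
# /opt/zimbra/conf/nginx/includes/nginx.conf.web (assumed layout).
SAMPLE_CONF = """
upstream zimbra
{
    # back-end list written at proxy start
    server proxy.domain.tld:8080;
    server mailbox.domain.tld:8080 fail_timeout=60s;
}
"""

UPSTREAM_RE = re.compile(r"upstream\s+([^\s{]+)\s*\{(.*?)\}", re.S)
# host[:port] followed by optional parameters; IPv6 and unix: sockets not handled
SERVER_RE = re.compile(r"^\s*server\s+([^\s;:]+)(?::(\d+))?[^;]*;", re.M)


def upstream_servers(conf_text, name="zimbra"):
    """Return [(host, port)] for the named upstream; nginx uses port 80 if omitted."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # drop comments before matching
    for block in UPSTREAM_RE.finditer(text):
        if block.group(1) == name:
            return [(host, int(port) if port else 80)
                    for host, port in SERVER_RE.findall(block.group(2))]
    return []


def audit_upstream(conf_text, proxy_host, expected_ports, name="zimbra"):
    """List problems: proxy listed as its own back end, or an unexpected port."""
    findings = []
    servers = upstream_servers(conf_text, name)
    if not servers:
        findings.append(f"no servers found in upstream {name}")
    for host, port in servers:
        if host.lower() == proxy_host.lower():
            findings.append(f"{host}:{port} is the proxy itself (expect 502 Bad Gateway)")
        elif port not in expected_ports:
            findings.append(f"{host}:{port} uses an unexpected port")
    return findings


if __name__ == "__main__":
    for line in audit_upstream(SAMPLE_CONF, "proxy.domain.tld", {8080}):
        print(line)
```

Run it against the regenerated include after each zmproxyinit change and proxy restart to confirm the list holds only the mailbox server on the port you intended.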

  5. #5
    quanah (Zimbra Employee)
    Join Date: May 2007
    Location: Zimbra
    Posts: 1,271

    zmproxyinit needs to be run on each server you want to do the changes for; it queries the package DB to determine which operations to perform.

    i.e., if your proxy instance and your store instance are on separate servers, you'll need to run it on each of them.

    The requirement to run it on each of them separately will be resolved in 5.0.9, but you'll have to use an override flag to do it, and will still need to run it once for each host.

    This is because different things get set depending on which service is being dealt with (store or proxy).

    --Quanah
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  6. #6
    Klug (Moderator)

    Thanks Quanah.

    So I'm supposed to run "/opt/zimbra/libexec/zmproxyinit -e -w mailbox.domain.tld" on the mailbox server then run "/opt/zimbra/libexec/zmproxyinit -e -w proxy.domain.tld" on the proxy server (we just want to proxify https)?

    Will this correct the fact I ran it on the proxy server at first (because the documentation is wrong)?

    If not, how can I fix it?

    (We're trying to validate an infrastructure upgrade and I'd rather not wait for 5.0.9)

  7. #7
    quanah (Zimbra Employee)

    Originally posted by Klug:
        Thanks Quanah.

        So I'm supposed to run "/opt/zimbra/libexec/zmproxyinit -e -w mailbox.domain.tld" on the mailbox server then run "/opt/zimbra/libexec/zmproxyinit -e -w proxy.domain.tld" on the proxy server (we just want to proxify https)?

        Will this correct the fact I ran it on the proxy server at first (because the documentation is wrong)?

    It's not order dependent, but you do need to run the exact same command on each. I.e., if you changed the default port settings (which you did in an invalid way in one of your posts, where you set 80:80...) they need to be set similarly on each system. Generally, unless you want to use very unusual ports, you don't specify those at all so you can just use the defaults.

    Generally, I'd advise setting up the http proxy via the installation menu rather than running zmproxyinit by hand. If you check zmsetup.pl, you'll see that it too runs zmproxyinit to configure the mail & web proxies. You only need to be touching zmproxyinit if you're enabling proxy after the fact.

    --Quanah
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc

  8. #8
    Klug (Moderator)

    Hmmm, it seemed to work, half of it 8)

    I can now connect to https://proxy.domain.tld and log in to the infrastructure.
    After logon I'm getting the skin layout but it's empty (no text at all, no emails list, no folders, no minical, etc)...

    Edit a bit later:
    Connecting to http://mailbox.domain.tld:8080 (or using its IP address as nginx does) gives the same result.

    Additionally, /opt/zimbra/conf/nginx/includes/nginx.conf.web still contains proxy.domain.tld:8080 in the "upstream zimbra".
    Last edited by Klug; 08-08-2008 at 11:02 AM.

  9. #9
    quanah (Zimbra Employee)

    Originally posted by Klug:
        Hmmm, it seemed to work, half of it 8)

        I can now connect to https://proxy.domain.tld and log in to the infrastructure.
        After logon I'm getting the skin layout but it's empty (no text at all, no emails list, no folders, no minical, etc)...

        Additionally, /opt/zimbra/conf/nginx/includes/nginx.conf.web still contains proxy.domain.tld:8080 in the "upstream zimbra".

    Did you restart both proxy and store after running? Restarting nginx should make it regenerate its config files.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc

  10. #10
    Klug (Moderator)

    Originally posted by quanah:
        It's not order dependent, but you do need to run the exact same command on each. I.e., if you changed the default port settings (which you did in an invalid way in one of your posts, where you set 80:80...) they need to be set similarly on each system. Generally, unless you want to use very unusual ports, you don't specify those at all so you can just use the defaults.

    I'd like to use very usual ports 8)
    I'd like to keep http on port 80 and https on port 443 on the mailbox server and use the same ports on the proxy one...

    Originally posted by quanah:
        Generally, I'd advise setting up the http proxy via the installation menu rather than running zmproxyinit by hand. If you check zmsetup.pl, you'll see that it too runs zmproxyinit to configure the mail & web proxies. You only need to be touching zmproxyinit if you're enabling proxy after the fact.

    I missed that.
    Do you think I should "destroy" my current proxy server and re-set it up from scratch?
