Access to Administration Console by Zimbra Proxy ?an

[spinnaker]

Hi all.
I have a question about the possibility to get access to admin console via the standard zimbra proxy host.

We have made an installation with the large schema ad we use two ldap, two mta and one mailboxd server.
Our lan, for a better security, is setted up to have two separated vlan, one for the mta servers and one for the ldap servers and the mailboxd server.
I have noted that to get access to Administration Console I have to make a https connection on port 7071 directly to the mailboxd server...so we have to assign a public ip to that host.

If I have choose to setup the Zimbra proxy host for normal http(s) connenction to webmail interface in order to not expose directly the mailboxd server host to the web...in this way - if I have to get access to admin consol - this schema have to be bypassed and the mailboxd server is exposed on the net anyway.

Have you some suggestion?
Is still not possible to get access to admin console via normal zimbra proxy? Maybe we have to setup a different proxy only for admin consol connetion?

[spinnaker]

Anyone have had the same problem?

[spinnaker]

Ok. I have solved this "problem" by using a workaround solutions.
Anyway I renew my question and I would like to have an answer by the Zimbra engineers who read (and I suppose to) this forum because I think that the proxy system implemented in Zimbra is not still functional or not ??

[lmthong]

I think you can not access to admin page throught any proxy, not only zimbra_http_proxy, just because you can not "proxy" any https or any secure port (admin-page always runs with https). If you can do it, the data from end-user to destination server will be un-guaranteed!!!

What you see on zimbra_http_proxy, if https, just encrypt the data from client to proxy-server. Acctually, proxy-server and hidden server communicates with http.

[veronica]

I think your statement "because you can not "proxy" any https or any secure port" is totally wrong. If you couldnot proxy https port it doesnot mean its not possible in zimbra.

[spinnaker]

Quote:

Originally Posted by veronica

I think your statement "because you can not "proxy" any https or any secure port" is totally wrong. If you couldnot proxy https port it doesnot mean its not possible in zimbra.

Yes I agree.

[peter@mxtoolbox.com]

I am also looking for a way to access the Admin Console through a proxy server.

[peter@mxtoolbox.com]

I was told that Zimbra doesn't support modifying nginx to support this and that it would probably be simpler and easier to setup a manual redirect to a mail store. Here is how I quickly achieved this on my Ubuntu proxy node

apt-get install lighttpd
edit your /etc/lighttpd/lighttpd.conf file. Here's a diff between the stock and my modified one. This conf will take ANY request on port 7071 and redirect to https://zimbra.mailstore.com:7071/zimbraAdmin/

Code:

18c18
<            "mod_redirect",
---
> #           "mod_redirect",
65c65
<  server.port               = 7071
---
> # server.port               = 81
111d110
< url.redirect                = ( "^.*$"                    => "https://zimbra.mailstore.com:7071/zimbraAdmin/" )
167,168d165
< ssl.engine = "enable"
< ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem"

Lastly you will want to install your cert. I have a commercial cert on my proxy so I made a copy like this
mkdir /etc/conf/lighttpd/certs
cat /opt/zimbra/ssl/zimbra/commercial/commercial.key >/etc/conf/lighttpd/certs/lighttpd.pem
cat /opt/zimbra/ssl/zimbra/commercial/commercial.crt >>/etc/conf/lighttpd/certs/lighttpd.pem

/etc/init.d/lighttpd restart and you should be in business.