
Thread: DMZ reverse proxy to LAN zimbra

  1. #1
    jimmyk (Active Member)

    DMZ reverse proxy to LAN zimbra

    Hello Zimbra community,

    I have installed zcs-6.0.10_GA_2692.RHEL5_64.20101215170845.tgz on Centos 5.5 64-bit and everything works well. However, the zimbra test machine is in an internal LAN and I would like to use a reverse proxy in a DMZ to enable remote web access.

    I have used Debian Lenny with Nginx in the DMZ to do the reverse proxying and it works as it should for http web access; however, when I move the Zimbra web client to a non-standard port (:8180) the login and logout fail and I have to manually reinsert the port info into the URL to get the web client to log in (which it then does). I have spent hours adjusting the DMZ Nginx and trying different ports, but I cannot seem to solve this problem.

    At first I thought that the problem was nothing to do with Zimbra, as I can log into Zimbra fine on any port that I set the Zimbra server on when I point my web browser straight at the Zimbra server. The login problems exist only when I point my browser at the reverse proxy. After searching Google I have seen comments relating to the zimbraPublicServiceHostname setting and now I'm not sure if the problem is with Zimbra or Nginx.

    Could anyone offer any assistance on how to get a DMZ reverse proxy to connect remote web users on a non-standard port to a LAN Zimbra also on the same non-standard port (8180), or whether it is actually possible?

    If any of my configs are required I will be happy to post more info.

    Jimmyk

  2. #2
    plamenflo (Banned)

    port ?

    Hi,

    Do you really need to use this non-standard port (8180) for lan?
    If no - just use DNAT - external port will be 8180 and internal (lan) 80.

    Am I missing something?

  3. #3
    jimmyk (Active Member)

    I have only one static IP, which is running a website on ports 80 and 443, which is why I changed Zimbra to 8180http and 8181https (I have not even tried the https set-up yet!).

    When I encountered this login problem I thought the same as you have. I then set everything back to port 80http and used my outer firewall to NAT my external WAN port:8180http to the DMZ Nginx server's IP at port:80http. Unfortunately, this had no effect and the login problem was just the same.

    Jimmyk

  4. #4
    jimmyk (Active Member)

    The problem turned out to be the Nginx DMZ server in the end.

    I added the $proxy_port string to the end of these settings on the Nginx DMZ reverse proxy, and http on port 8180 started to log in and log out of the Zimbra server correctly:

    proxy_set_header Host $host:$proxy_port;
    proxy_set_header X-Real-IP $remote_addr:$proxy_port;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for:$proxy_port;

    Please mark as solved.

    JimmyK
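
As an added illustration (not part of the original post and not jimmyk's configuration), a minimal nginx server block for the port-8180 case described above, showing which header carries the port. The name mail.example.com and the address 192.0.2.10 are placeholders.

```nginx
# Added example: DMZ nginx forwarding HTTP on 8180 to a LAN Zimbra on 8180.
# mail.example.com and 192.0.2.10 are placeholders, not values from the thread.
server {
    listen      8180;
    server_name mail.example.com;

    location / {
        proxy_pass http://192.0.2.10:8180;

        # A backend normally builds login/logout redirects from the Host
        # header. $host carries no port, so the port has to be appended.
        # $server_port is the port nginx accepted the connection on;
        # $proxy_port (used in the post) is the backend port taken from
        # proxy_pass, which is the same value only because both sides
        # use 8180 here.
        proxy_set_header Host $host:$server_port;

        # If a firewall NATs a different external port to this listener,
        # $server_port is the internal port. In that case the client's own
        # Host header ($http_host) is what still carries the external port:
        # proxy_set_header Host $http_host;

        # These two headers carry client addresses only. Anything on the
        # backend that parses them as an IP (logging, rate limits, ACLs)
        # expects no ":port" suffix.
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Rewrite a Location header that still names the backend, so the
        # LAN address is never handed to an external client.
        proxy_redirect http://192.0.2.10:8180/ http://$host:$server_port/;
    }
}
```

After a reload, the check is the `Location` header on the login and logout responses seen through the proxy: it should name the public host and port, never the LAN address.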

  5. #5
    jimmyk (Active Member)

    Hello again Zimbra forum users,

    Having solved my problem getting Nginx in a DMZ to do reverse proxying to a Zimbra LAN server via http, I am now struggling to do the same with the https protocol on port 8181.

    Is it possible to use Nginx to reverse proxy an external https connection through to a Zimbra LAN machine as follows?

    WAN---------->https---------->[Lenny/Nginx0.6.32]---------->https---------->[Centos5.5/Zimbra6.0.10]

    or would I need to use the following setup (which I think I have managed to get working)?

    WAN---------->https---------->[Lenny/Nginx0.6.32]---------->http---------->[Centos5.5/Zimbra6.0.10]

    Any advice would be appreciated.

    JimmyK
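
The two layouts drawn in the post above, written out as nginx configuration. This is an added example, not jimmyk's configuration; the hostnames, the address 192.0.2.10 and the certificate paths are placeholders.

```nginx
# Added example: TLS from the WAN ends at the DMZ proxy; the inner leg to
# the LAN is either re-encrypted (layout 1) or plain HTTP (layout 2).
# All names, addresses and file paths below are placeholders.
server {
    listen      8181 ssl;
    server_name mail.example.com;

    # Certificate presented to external clients.
    ssl_certificate     /etc/nginx/tls/mail.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/mail.example.com.key;

    location / {
        # Layout 1: https on the DMZ -> LAN leg.
        proxy_pass https://192.0.2.10:8181;

        # proxy_ssl_verify is off by default, so without the next three
        # lines the inner leg is encrypted but nginx accepts any
        # certificate the backend presents. These directives need
        # nginx 1.7.0 or later.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/zimbra-ca.pem;
        proxy_ssl_name                zimbra.lan.example;  # name in the backend cert

        # Layout 2: plain http on the inner leg. Replace the proxy_pass
        # and proxy_ssl_* lines above with:
        #   proxy_pass http://192.0.2.10:8180;
        # Mail and credentials then cross the DMZ/LAN boundary
        # unencrypted, and the backend must accept plain HTTP.

        # Keep the external port in the Host header in both layouts.
        proxy_set_header Host            $host:$server_port;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```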

  6. #6
    mhaertjens (Starter Member)

    Were you ever able to resolve the https use case(s)

    If so, I'd be interested in hearing more about it.

  7. #7
    jimmyk (Active Member)

    Hello Mike,

    I did manage to get my nginx reverse proxy sorted. Unfortunately, I got zero assistance from any of the forums I posted on - which was a bit of a surprise, as you would have thought that this setup would interest anyone looking to enable web access to remote mail users!

    Debian was a non-starter in the end for me. I just could not get it to work. My guess is that the version of nginx available via the Lenny repo (which was the current Debian stable at the time) was a little old.

    My DMZ now uses a Centos xen dom0 with three Centos domU's on a mini-itx machine (it is only a small network, so I was looking for the lowest power setup I could construct). Switching to this setup meant that I ended up trying Nginx from the EPEL repo.

    This repo installed (I think) version 0.8.??ish of nginx, and after a very long weekend of trial and error type testing of different config settings I got the reverse rproxy working sweet.

    My external web access connections are done on the standard https port now, as I got additional public routable IPs from my ISP. However, the connection from the DMZ rproxy server to the Zimbra server in my lan/Semi-DMZ had to be done on a non-standard port due to a few issues with monowall, which is being used to separate the DMZ and the LAN/Semi-DMZ on my network.

    I have your e-mail so I will forward my config settings to you via e-mail.

    regards

    jk

  8. #8
    Matti (Starter Member)

    Jimmy any chance you could post / pm me the nginx config? I'm looking to do the same as you and running into problems.

    Cheers

  9. #9
    jimmyk (Active Member)

    Hi Matti,

    If you or anyone else would like to get a rough idea of my configs please view the following link:

    Index of /centos5-5

    These configs actually work with centos 5.6, but were initially tested with centos 5.5

    The link shows my config notes for a store and forward mail (spam filtering) gateway that passes e-mails to my Zimbra server, as well as a very rough setup for the nginx rproxy that enables the external web access to the Zimbra server that is located on my LAN/semi-DMZ.

    Please note that the mail gateway is based on the work of Gary V / mr88talent (Debian Anti-Spam Anti-Virus Gateway Email Server using Postfix, Amavisd-new, SpamAssassin, Razor, DCC, Pyzor, and ClamAV HOWTO). All I have done is convert the setup from Debian to Centos (Nothing against Debian - I have used Debian since etch, but Xen virtualization is easier with Centos).

    An nginx reverse proxy howto is something that I personally feel should be detailed on the Zimbra wiki. It was a surprise to me that there wasn't something on the wiki about setting up a reverse proxy. I don't think that putting a Zimbra server in a DMZ zone would be a shining example of best practice, so a reverse proxy would probably be a necessity for most people looking to use a Zimbra server on their local network.

    I hope this setup gives you some assistance, and if you or anyone else has any feedback please let me know.

    Kind regards

    James
