zdesktop and reverse proxy

[pbruna]

I have installed zdesktop and it works ok when im in my office.
We have a Apache-Reverse-Proxy to the Zimbra Server, so when i access from the Internet, Apache responses to me.

Are any constrains about this setup, because zdesktop do not work when im outside.

[jjzhuang]

If you have a reverse proxy then it should work. Have you tried it? Are you having problems?

[SpEnTBoY]

Quote:

Originally Posted by pbruna

I have installed zdesktop and it works ok when im in my office.
We have a Apache-Reverse-Proxy to the Zimbra Server, so when i access from the Internet, Apache responses to me.

Are any constrains about this setup, because zdesktop do not work when im outside.

Are you proxying http or https? I've noticed some incidents with https that make life a little more complicated but it still should be possible. Can you give any more details as to what and how you are proxing but not use real IP's?

Here's a couple of example parameters I've needed to proxy for standard 80 and 443:

For 80 (in apache) I'll use Vhosts as an example:

Code:

<VirtualHost external.ip.address>
ServerName external.resolved.hostname
ServerAdmin someone@domain.com
NoCache *
ProxyVia on
ProxyPass         / http://<internal IP address being proxied to>/
ProxyPassReverse  / http://<internal IP address being proxied to>/
</VirtualHost>

HTTPS is a bit different:

Code:

<VirtualHost external.resolvable.ip:443>
ServerName external.resolvable.address
ProxyPreserveHost      On
ProxyTimeout    100
RedirectMatch ^/$ https://<proxied.to.resolvable.name>/
ProxyPass              /    https://<proxied.to.resolvable.name>/
ProxyPassReverse       /    https://<proxied.to.resolvable.name>/
SSLProxyEngine  On
SSLCertificateFile /path/to/certificate.crt
SSLCertificateKeyFile /path/to/key.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>

Ok I know this doesn't solve a problem but I can confirm that both of these configurations work for reverse proxy using apache externally proxying in to another machine/service using both SSL and standard HTTP. If you can confirm a similar setup it should be safe to assume the proxying is working and there might be another issue.

Can you access your webclient outside of work through the reverse proxy? (not using the Zimbra Desktop application)

Regards,
Lonny

[ekaftan]

Quote:

Originally Posted by jjzhuang

If you have a reverse proxy then it should work. Have you tried it? Are you having problems?

I am having the exact same problem. I have the real zimbra http on the same IP as apache but on port 7070. Web client access works perfectly, activesync also works ok, but zdesktop spits out java exceptions on mailbox.log.

Here is one:

2007-09-05 00:34:22,097 ERROR [Timer-Offline-Main] [] offline - failed to sync account eduardo@<mydomain>
com.zimbra.common.service.ServiceException: resource unreachable: Internal Server Error
at com.zimbra.common.service.ServiceException.RESOURC E_UNREACHABLE(ServiceException.java:197)
at com.zimbra.cs.service.UserServlet.getRemoteResourc eInternal(UserServlet.java:1076)
at com.zimbra.cs.service.UserServlet.getRemoteResourc e(UserServlet.java:1052)
at com.zimbra.cs.mailbox.InitialSync.syncMessage(Init ialSync.java:817)
at com.zimbra.cs.mailbox.InitialSync.syncMessagelikeI tems(InitialSync.java:317)
at com.zimbra.cs.mailbox.InitialSync.initialFolderSyn c(InitialSync.java:233)
at com.zimbra.cs.mailbox.InitialSync.prioritySync(Ini tialSync.java:283)
at com.zimbra.cs.mailbox.InitialSync.initialFolderSyn c(InitialSync.java:261)
at com.zimbra.cs.mailbox.InitialSync.initialFolderSyn c(InitialSync.java:272)
at com.zimbra.cs.mailbox.InitialSync.resume(InitialSy nc.java:175)
at com.zimbra.cs.mailbox.InitialSync.resume(InitialSy nc.java:163)
at com.zimbra.cs.mailbox.OfflineMailboxManager$SyncTa sk.sync(OfflineMailboxManager.java:128)
at com.zimbra.cs.mailbox.OfflineMailboxManager$SyncTa sk.run(OfflineMailboxManager.java:98)
at java.util.TimerThread.mainLoop(Unknown Source)
at java.util.TimerThread.run(Unknown Source)

Apache logs at the same time shows this request:

24.232.34.202 - - [05/Sep/2007:00:39:28 -0400] "GET /home/~/?fmt=sync&nohdr=1&id=47903 HTTP/1.1" 500 1682


Thanks.

[jjzhuang]

If it gets that far in the zdesktop log, that means your reverse proxy already works for some URLs but not all. It's choking on the URL /home*. This is not that uncommon because apache mod_proxy config can be very URL specific.

You can try this. After using webclient to login, in the browser window try this URL:

http://<proxy-host-port>/home/~/?fmt=sync&nohdr=1&id=47903

It will probably choke the same way.

[ekaftan]

Quote:

Originally Posted by jjzhuang

If it gets that far in the zdesktop log, that means your reverse proxy already works for some URLs but not all. It's choking on the URL /home*. This is not that uncommon because apache mod_proxy config can be very URL specific.

You can try this. After using webclient to login, in the browser window try this URL:

http://<proxy-host-port>/home/~/?fmt=sync&nohdr=1&id=47903

It will probably choke the same way.

you were right... zimbra chokes and an error 500 appears on the browser window:

java.lang.StringIndexOutOfBoundsException: String index out of range: 4
java.lang.String.substring(String.java:1765)
com.zimbra.cs.service.UserServlet$Context.<init>(U serServlet.java:616)
com.zimbra.cs.service.UserServlet.doGet(UserServle t.java:255)
javax.servlet.http.HttpServlet.service(HttpServlet .java:689)
com.zimbra.cs.servlet.ZimbraServlet.service(Zimbra Servlet.java:162)
javax.servlet.http.HttpServlet.service(HttpServlet .java:802)
com.zimbra.webClient.filters.SetHeaderFilter.doFil ter(SetHeaderFilter.java:286)

But apache is correctly proxying the request, zimbra gets it, but something gets changed by apache. The same request, with ':7070' added works fine.

Somehow it does not look like an apache misconfiguration...

[ekaftan]

Quote:

Originally Posted by ekaftan

you were right... zimbra chokes and an error 500 appears on the browser window:

java.lang.StringIndexOutOfBoundsException: String index out of range: 4
java.lang.String.substring(String.java:1765)
com.zimbra.cs.service.UserServlet$Context.<init>(U serServlet.java:616)
com.zimbra.cs.service.UserServlet.doGet(UserServle t.java:255)
javax.servlet.http.HttpServlet.service(HttpServlet .java:689)
com.zimbra.cs.servlet.ZimbraServlet.service(Zimbra Servlet.java:162)
javax.servlet.http.HttpServlet.service(HttpServlet .java:802)
com.zimbra.webClient.filters.SetHeaderFilter.doFil ter(SetHeaderFilter.java:286)

But apache is correctly proxying the request, zimbra gets it, but something gets changed by apache. The same request, with ':7070' added works fine.

Somehow it does not look like an apache misconfiguration...

ah... when that error 500 appears, this gets logged in /opt/zimbra/log/mailbox.log:

2007-09-05 01:03:39,433 ERROR [http-7070-Processor99] [name=ekaftan@<mydomain>;mid=2;ip=24.232.34.202;] [UserServlet] - Servlet.service() for servlet UserServlet threw exception
java.lang.StringIndexOutOfBoundsException: String index out of range: 4
at java.lang.String.substring(String.java:1765)
at com.zimbra.cs.service.UserServlet$Context.<init>(U serServlet.java:616)
at com.zimbra.cs.service.UserServlet.doGet(UserServle t.java:255)
at javax.servlet.http.HttpServlet.service(HttpServlet .java:689)
at com.zimbra.cs.servlet.ZimbraServlet.service(Zimbra Servlet.java:162)
at javax.servlet.http.HttpServlet.service(HttpServlet .java:802)
at org.apache.catalina.core.ApplicationFilterChain.in ternalDoFilter(ApplicationFilterChain.java:252)

[jjzhuang]

Most likely this is caused by mod_proxy rewriting the URL then. It's common for proxy code to rewrite URL for various purposes. There is usually a way to turn off URL rewriting in proxy, but I'm not familiar with apache enough to tell you exactly what to do. Hope you can find the document on that and turn that off.

There's probably something wrong with UserServlet (part of zimbra code) as well where the code was not written defensively. That's why it doesn't like the rewritten URL. If you figure out what the rewritten URL is, let us know and that will help us see what's wrong with UserServlet. Thanks!

[Roddles]

Has there been any updates on this problem?

I have the exact same scenario - zimbra mail server (which works brilliantly) running on Ubuntu LTS 6.06.

The web mail client works well through the apache reverse proxy, but the zimbra desktop client has trouble synchronizing with the above mentioned java error messages.

Has there been any updates to the UserServlet?

I dont have the mod_proxy rewrites turned on as far as i can see, just the proxypass and proxyreversepass in apache.