Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
  #1 (permalink)  
Old 07-02-2009, 10:02 AM
Starter Member
 
Posts: 2
logging client IPs when running behind non-Zimbra nginx HTTP proxy

I have a test installation of ZCS running behind a non-Zimbra nginx
HTTP proxy on a separate host:

Internet --> Firewall (w/ public IP) --> nginx (172.x.x.10:443)
--> ZCS (172.x.x.113:443)

Is it possible to configure Zimbra so it trusts the reverse proxy
(172.x.x.10) and uses the X-Forwarded-For values provided by the
proxy server in mailbox.log and audit.log?

Basically what I'm looking for is the mod_rpaf for Apache
equivalent for Zimbra.

Thanks for any help!

--Brad
  #2 (permalink)  
Old 01-06-2010, 05:00 AM
j2b
Special Member
 
Posts: 107

Have you managed to solve this issue? Looking for similar solutions.
  #3 (permalink)  
Old 01-06-2010, 06:48 AM
Starter Member
 
Posts: 2

Quote:
Originally Posted by j2b
Have you managed to solve this issue? Looking for similar solutions.

No, I have not...but I have not spent much time investigating since
I posted either. (My Zimbra install is for evaluation purposes and
my production mail service uses Postfix+Courier+SquirrelMail.)

--Brad
  #4 (permalink)  
Old 01-07-2010, 01:26 AM
j2b
Special Member
 
Posts: 107

Yesterday I found an answer. Tested - and it works as far as I need this implementation. The only thing to remember is to manually make these changes after ZCS updates/upgrades, as all configuration files are overwritten.
Here is the link to the forum article: [SOLVED] Nessus Security Scan Fail - Internal IP in HTTP Header

Read comment #4
  #5 (permalink)  
Old 04-14-2011, 09:57 AM
Member
 
Posts: 14
Question

Quote:
Originally Posted by j2b
and it works as far as I need this implementation. The only thing to remember is to manually make these changes after ZCS updates/upgrades, as all configuration files are overwritten.
Here is the link on forum article: [SOLVED] Nessus Security Scan Fail - Internal IP in HTTP Header
Read comment #4

Sorry to raise an old thread, but I am wondering whether this change will allow the IP address of the client to show in mailbox.log and audit.log of Zimbra behind nginx HTTP proxies?

For example, a failed login from IP address 99.98.97.96 which connects to proxy 111.112.113.114 will show up as a log entry like this:
Code:
2011-04-13 20:37:39,694 INFO  [btpool0-36341] [name=anaccount@mydomain.tld;oip=111.112.113.114;ua=zclient/5.0.11_GA_2695.RHEL5_64;] SoapEngine - handler exception: authentication failed for anaccount, invalid password
The actual address 99.98.97.96 does not show at all. Will the change from that other forum thread allow the log entries to show the actual client IP address in that log entry?

Thanks!
  #6 (permalink)  
Old 11-13-2011, 06:05 AM
j2b
Special Member
 
Posts: 107

Sorry arifsaha for the late answer, but probably you've figured that out by yourself. Yes, changes in the jetty.xml.in file on the mailbox server change the situation in the audit.log and mailbox.log files, showing the original visitor IP address instead of the proxy server address.

To note: without these changes, and if the proxy server is used for IMAP/POP connections too, original user IPs are shown by default, or to be more specific, it shows IP and OIP, where IP is the proxy IP, if you scale the proxy stack.

My wish: I tested this on ZCS OS v7.1.1 and it works, although I wish to get this functionality implemented in the ZCS installation, to be set via the Admin GUI or CLI. Since v5.x I do this manually all the time.

And more to remember:
- you have to make changes to the jetty.xml.in file, not jetty.xml, as the former is the source of jetty.xml on each ZCS restart.
- you have to manually amend the jetty.xml.in file after each ZCS upgrade procedure!

Hope this helps.
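Because the jetty.xml.in change described in the thread is overwritten on every ZCS upgrade, a log check can show when `oip=` has fallen back to the proxy address. The following is an added example, not code from the thread or from Zimbra; the function name, the trusted-proxy set and the second and third sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: the reverse proxy address. This one is the proxy that appears
# in the log entry quoted in the thread.
TRUSTED_PROXIES = {ipaddress.ip_address("111.112.113.114")}

# Pulls name=, ip= and oip= out of the bracketed context block of an entry.
# The lookbehind keeps "ip=" from matching inside "oip=".
FIELD_RE = re.compile(r"(?<=[\[;])(name|ip|oip)=([^;\]]*)")

# Constructed sample input. The first entry is the one quoted in the thread;
# the other two are made up to show entries that carry a real client address.
SAMPLE_LOG = """\
2011-04-13 20:37:39,694 INFO  [btpool0-36341] [name=anaccount@mydomain.tld;oip=111.112.113.114;ua=zclient/5.0.11_GA_2695.RHEL5_64;] SoapEngine - handler exception: authentication failed for anaccount, invalid password
2011-04-13 20:41:02,118 INFO  [btpool0-36350] [name=other@mydomain.tld;oip=203.0.113.7;ua=zclient/5.0.11_GA_2695.RHEL5_64;] SoapEngine - handler exception: authentication failed for other, invalid password
2011-04-13 20:45:10,007 INFO  [btpool0-36361] [name=third@mydomain.tld;ip=111.112.113.114;oip=198.51.100.23;] SoapEngine - handler exception: authentication failed for third, invalid password
"""


def proxy_masked_entries(log_text, proxies=TRUSTED_PROXIES):
    """Return (account, oip) for each entry whose oip is a proxy address."""
    masked = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        oip = fields.get("oip")
        if oip is None:
            continue  # entry carries no originating IP at all
        try:
            addr = ipaddress.ip_address(oip)
        except ValueError:
            continue  # malformed value, nothing to compare
        if addr in proxies:
            masked.append((fields.get("name", "?"), oip))
    return masked


if __name__ == "__main__":
    for account, oip in proxy_masked_entries(SAMPLE_LOG):
        print(f"client IP hidden behind proxy {oip} for {account}")
```

Any hit after an upgrade means login failures are again being attributed to the proxy, so per-client lockout and audit review are working from the wrong address until jetty.xml.in is amended again.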