Zimbra https proxy with apache

[haensse]

Dear forum,

I'm running zimbra over https. For the access from the internet, the zimbra server is running behind an apache ssl proxy. I get errors like this in the zimbra ui when the webclient is idle for a couple of minutes. When accessing zimbra directly, there is no such error.

msg - Invalid SOAP PDU
code - INVALID_PDU
method - AjxSoapDoc.createFromXml:2
detail - undefined

Somewhere must be a connection timeout that causes zimbra to show errors like this?!

What is the meaning of this error on the zimbra side? Is this really a timeout?

This is my apache proxy setting. Is this correct?
Is there a better way to support zimbra behind a ssl proxy? As I would like to use virtual host also for https, I can't see a better way. I only have one ip for different urls!!

regards

Dani


NameVirtualHost *:443
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
#SSLCertificateKeyFile /etc/apache2/ssl/apache.key
#SSLCACertificatePath /etc/apache2/ssl/ssl.crt
#SSLCACertificateFile /etc/apache2/ssl/ssl.crt/ca-bundle.crt
SSLProxyEngine On
ProxyPreserveHost On
ProxyPass / https://internal.foobar.com/
ProxyPassReverse / https://internal.foobar.com/
ProxyRequests Off
ProxyTimeout 3600
# Forward rules
SetOutputFilter proxy-html
ProxyHTMLURLMap https://internal.foobar.com/ https://external.foobar.com/
ProxyHTMLExtended On
# Compression off
RequestHeader unset Accept-Encoding
ServerName external.foobar.com
ServerAlias external.foobar.ch
ServerAdmin webmaster@foobar.com
ErrorLog /var/log/apache2/external.foobar.com-error_log
CustomLog /var/log/apache2/external.foobar.com-access_log common

[ronald_johnson]

I am also running zimbra behind a firewall and allowing remote access through an apache proxy, but I get the following error right after login:

msg - Invalid SOAP PDU
code - INVALID_PDU
method - AjxSoapDoc.createFromXml:2
detail - undefined

Dani, did you find an apache proxy setting that allowed you to get rid of the error?

Regards,
Ron

[haensse]

no, we just moved to scalix

sorry

best regards

Dani

[Klug]

These settings below should work.
The reverse proxy access the https part of Zimbra (if you're using a self-signed certificate you'll have to download and save as /etc/apache2/ssl/zimbra.crt).

Code:

<VirtualHost *:443> 
	
ServerName reverse.domain.tld

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/reverse.domain.tld.crt
SSLCertificateKeyFile /etc/apache2/ssl/reverse.domain.tld.key 
	
SSLProxyEngine on
SSLProxyCACertificateFile /etc/apache2/ssl/zimbra.crt 

RequestHeader set Front-End-Https On
ProxyRequests On
ProxyPreserveHost On
ProxyVia full 
	
<Proxy *>
  Order deny,allow 
  Allow from all
</Proxy>

ProxyPass        / https://internal-zimbra-server.domain/ 
ProxyPassReverse / https://internal-zimbra-server.domain/ 
	
</VirtualHost>

[randall]

Quote:

Originally Posted by haensse

no, we just moved to scalix

sorry

best regards

Dani

LOL , what's the point?

let's just try to be more helpful next time we post.

[ronald_johnson]

Thanks for the pointers Klug. I've tried the settings, but I still get the "Invalid SOAP PDU" error after authenticating. I know the SSL config is working as I have other services running through proxy already. This appears to be an issue with Tomcat and the apache proxy settings. I will keep working on it.

[Jinx]

Thanks Klug! That got HTTPS Proxying working on my Ubuntu Feisty mail server. It is proxying via a Ubuntu Feisty Apache2 server.

I copied the Zimbra server.key and server.crt from the mailserver's /opt/zimbra/ssl/ssl/server/ directory over to the Apache server's /etc/apache2/ssl dir.

Had to modify your config slightly, as "Proxy Via full" brought up an error. Used "ProxyVia full" and it seemed to be happy with that.

Made sure I had the proxy module enabled as well via "a2enmod proxy".

Thanks again, this has been a long standing issue for me, and one that isn't well documented on the Net (from what I can find anyways).

Cya round
Jinx

[Klug]

Quote:

Originally Posted by Jinx

Had to modify your config slightly, as "Proxy Via full" brought up an error. Used "ProxyVia full" and it seemed to be happy with that.

It's a cut/paste error in my post, I'm correcting it right now.

[m.a.g.]

Hello,

I have the very same error. I use Zimbra Opensource Edition 5.0.1. Both, Zimbra and Apache run on Debian Etch.

I did all the steps provided above. But I still get the very same error as in post #1 when logging on to Zimbra through Apache.

I guess, so far this thread was about Zimbra 4.5.x.
Are there any changes about that in 5.0.1?

Thanks for some hints!

[m.a.g.]

With 5.0.2 I still get the very same error...

What else can I try?

Thanks!