From 06e64c585ccc03cd26b23d4625230b2f3565d727 Mon Sep 17 00:00:00 2001
From: Michael Kuron
Date: Tue, 18 Apr 2017 20:24:43 +0200
Subject: [PATCH 1/3] Fix CalDAV/CardDAV URLs displayed in SOGo web interface when used behind a reverse proxy
---
 data/conf/nginx/site.conf | 39 +++++++++++++++++++++++++++++----------
 docs/first_steps.md | 17 ++++++++++++++++-
 2 files changed, 45 insertions(+), 11 deletions(-)
diff --git a/data/conf/nginx/site.conf b/data/conf/nginx/site.conf
index a78c483f..debc9c5e 100644
--- a/data/conf/nginx/site.conf
+++ b/data/conf/nginx/site.conf
@@ -1,4 +1,23 @@
 proxy_cache_path /tmp levels=1:2 keys_zone=sogo:10m inactive=24h max_size=1g;
+
+# use the non-standard X-Forwarded-* headers for WebObjects
+map $http_x_forwarded_proto $maybe_real_scheme {
+ default $http_x_forwarded_proto;
+ '' $scheme;
+}
+map $http_x_forwarded_port $maybe_real_port {
+ default $http_x_forwarded_port;
+ '' $server_port;
+}
+map $realip_remote_addr $real_scheme {
+ default $scheme;
+ 172.22.1.1 $maybe_real_scheme;
+}
+map $realip_remote_addr $real_port {
+ default $server_port;
+ 172.22.1.1 $maybe_real_port;
+}
+
 server {
 include /etc/nginx/conf.d/listen_ssl.active;
 include /etc/nginx/mime.types;
@@ -34,7 +53,7 @@ server {
 real_ip_recursive on;
 location = /principals/ {
- rewrite ^ $scheme://$host:$server_port/SOGo/dav;
+ rewrite ^ $real_scheme://$host:$real_port/SOGo/dav;
 allow all;
 }
@@ -100,8 +119,8 @@ server {
 proxy_set_header x-webobjects-server-protocol HTTP/1.0;
 proxy_set_header x-webobjects-remote-host $remote_addr;
 proxy_set_header x-webobjects-server-name $server_name;
- proxy_set_header x-webobjects-server-url $scheme://$host:$server_port;
- proxy_set_header x-webobjects-server-port $server_port;
+ proxy_set_header x-webobjects-server-url $real_scheme://$host:$real_port;
+ proxy_set_header x-webobjects-server-port $real_port;
 client_body_buffer_size 128k;
 client_max_body_size 100m;
 }
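Review bot: In the `@@ -1,4 +1,23 @@` hunk the `$maybe_real_scheme` and `$maybe_real_port` maps copy the raw `X-Forwarded-Proto`/`X-Forwarded-Port` values straight into the `/principals/` rewrite target and the `x-webobjects-server-url` header (the `@@ -34` and `@@ -100` hunks here, and the same substitutions in the remaining hunks of this commit) without any check on their shape. Gating on `$realip_remote_addr` being `172.22.1.1` is the right trust anchor, but if that proxy passes client-supplied headers through instead of overwriting them, an arbitrary string lands in a redirect URL; a regex key that falls back to the local value otherwise avoids this, e.g. `map $http_x_forwarded_proto $maybe_real_scheme { default $scheme; ~^https?$ $http_x_forwarded_proto; }` and likewise `default $server_port;` with `~^[0-9]{1,5}$ $http_x_forwarded_port;`. The `172.22.1.1` literal is repeated in both trust maps and nothing in the file says what it is; a comment such as `# only the proxy at this address may set X-Forwarded-* (presumably the docker network gateway - confirm)` would help the next maintainer.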
@@ -114,8 +133,8 @@ server {
 proxy_set_header x-webobjects-server-protocol HTTP/1.0;
 proxy_set_header x-webobjects-remote-host $remote_addr;
 proxy_set_header x-webobjects-server-name $server_name;
- proxy_set_header x-webobjects-server-url $scheme://$host:$server_port;
- proxy_set_header x-webobjects-server-port $server_port;
+ proxy_set_header x-webobjects-server-url $real_scheme://$host:$real_port;
+ proxy_set_header x-webobjects-server-port $real_port;
 client_body_buffer_size 128k;
 client_max_body_size 100m;
 break;
@@ -187,7 +206,7 @@ server {
 real_ip_recursive on;
 location = /principals/ {
- rewrite ^ $scheme://$host:$server_port/SOGo/dav;
+ rewrite ^ $real_scheme://$host:$real_port/SOGo/dav;
 allow all;
 }
@@ -253,8 +272,8 @@ server {
 proxy_set_header x-webobjects-server-protocol HTTP/1.0;
 proxy_set_header x-webobjects-remote-host $remote_addr;
 proxy_set_header x-webobjects-server-name $server_name;
- proxy_set_header x-webobjects-server-url $scheme://$host:$server_port;
- proxy_set_header x-webobjects-server-port $server_port;
+ proxy_set_header x-webobjects-server-url $real_scheme://$host:$real_port;
+ proxy_set_header x-webobjects-server-port $real_port;
 client_body_buffer_size 128k;
 client_max_body_size 100m;
 }
@@ -267,8 +286,8 @@ server {
 proxy_set_header x-webobjects-server-protocol HTTP/1.0;
 proxy_set_header x-webobjects-remote-host $remote_addr;
 proxy_set_header x-webobjects-server-name $server_name;
- proxy_set_header x-webobjects-server-url $scheme://$host:$server_port;
- proxy_set_header x-webobjects-server-port $server_port;
+ proxy_set_header x-webobjects-server-url $real_scheme://$host:$real_port;
+ proxy_set_header x-webobjects-server-port $real_port;
 client_body_buffer_size 128k;
 client_max_body_size 100m;
 break;
diff --git a/docs/first_steps.md b/docs/first_steps.md
index ab7876dc..62773938 100644
--- a/docs/first_steps.md
+++ b/docs/first_steps.md
@@ -103,6 +103,8 @@ Recreate affected containers by running `docker-compose up -d`.
 ProxyPass / http://127.0.0.1:8080/
 ProxyPassReverse / http://127.0.0.1:8080/
 ProxyPreserveHost Off
+ RequestHeader set X-Forwarded-Proto "https"
+ RequestHeader set X-Forwarded-Port "443"
 your-ssl-configuration-here
 [...]
@@ -127,15 +129,28 @@ server {
 your-ssl-configuration-here
 location / {
 proxy_pass http://127.0.0.1:8080/;
- proxy_redirect http://127.0.0.1:8080/ $scheme://$host:$server_port/;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Port $server_port;
 }
 [...]
 }
 ```
+### HAProxy
+```
+frontend https-in
+ bind :::443 v4v6 ssl crt mailcow.pem
+ default_backend mailcow
+
+backend mailcow
+ option forwardfor
+ http-request set-header X-Forwarded-Proto https
+ http-request set-header X-Forwarded-Port %[dst_port]
+ server mailcow 127.0.0.1:8080 check
+```
+
 ## Optional: Setup a relayhost
 Insert these lines to `data/conf/postfix/main.cf`. "relayhost" does already exist (empty), just change its value.
From d350c009b9d120f5c764e872f8f5cd6756526b49 Mon Sep 17 00:00:00 2001
From: Michael Kuron
Date: Thu, 20 Apr 2017 19:53:56 +0200
Subject: [PATCH 2/3] Fix login redirect behind reverse proxy
---
 data/conf/nginx/site.conf | 20 ++++++++++++++------
 docs/first_steps.md | 4 +++-
 2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/data/conf/nginx/site.conf b/data/conf/nginx/site.conf
index debc9c5e..145bef73 100644
--- a/data/conf/nginx/site.conf
+++ b/data/conf/nginx/site.conf
@@ -9,6 +13,10 @@ map $http_x_forwarded_port $maybe_real_port {
 default $http_x_forwarded_port;
 '' $server_port;
 }
+map $http_x_forwarded_host $maybe_real_host {
+ default $http_x_forwarded_host;
+ '' $host:$real_port;
+}
 map $realip_remote_addr $real_scheme {
 default $scheme;
 172.22.1.1 $maybe_real_scheme;
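Review bot: In the `@@ -9,6 +13,10 @@` hunk `$maybe_real_host` returns the raw `X-Forwarded-Host` value whenever the header is non-empty, while its fallback `$host:$real_port` always carries a port, so the host[:port] that reaches the `/principals/` rewrite and `x-webobjects-server-url` in the later hunks depends on whether the upstream proxy chose to include a port (the nginx example in this series sends `$host:$server_port`, the Apache and HAProxy examples forward the bare Host header) and can disagree with the separately sent `x-webobjects-server-port $real_port`. Because the value is also emitted verbatim into a redirect target, it should be shape-restricted in the map rather than taken as-is: `default $host:$real_port;` plus `~^[A-Za-z0-9.\-]+(:[0-9]{1,5})?$ $http_x_forwarded_host;` (widen the class if bracketed IPv6 literals must be accepted). The trust gate on `$realip_remote_addr` in the next hunk still applies, so this is defence in depth against a proxy that passes client headers through.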
@@ -17,6 +21,10 @@ map $realip_remote_addr $real_port {
 default $server_port;
 172.22.1.1 $maybe_real_port;
 }
+map $realip_remote_addr $real_host {
+ default $scheme;
+ 172.22.1.1 $maybe_real_host;
+}
 server {
 include /etc/nginx/conf.d/listen_ssl.active;
@@ -53,7 +61,7 @@ server {
 real_ip_recursive on;
 location = /principals/ {
- rewrite ^ $real_scheme://$host:$real_port/SOGo/dav;
+ rewrite ^ $real_scheme://$real_host/SOGo/dav;
 allow all;
 }
@@ -119,7 +127,7 @@ server {
 proxy_set_header x-webobjects-server-protocol HTTP/1.0;
 proxy_set_header x-webobjects-remote-host $remote_addr;
 proxy_set_header x-webobjects-server-name $server_name;
- proxy_set_header x-webobjects-server-url $real_scheme://$host:$real_port;
+ proxy_set_header x-webobjects-server-url $real_scheme://$real_host;
 proxy_set_header x-webobjects-server-port $real_port;
 client_body_buffer_size 128k;
 client_max_body_size 100m;
@@ -133,7 +141,7 @@ server {
 proxy_set_header x-webobjects-server-protocol HTTP/1.0;
 proxy_set_header x-webobjects-remote-host $remote_addr;
 proxy_set_header x-webobjects-server-name $server_name;
- proxy_set_header x-webobjects-server-url $real_scheme://$host:$real_port;
+ proxy_set_header x-webobjects-server-url $real_scheme://$real_host;
 proxy_set_header x-webobjects-server-port $real_port;
 client_body_buffer_size 128k;
 client_max_body_size 100m;
@@ -206,7 +214,7 @@ server {
 real_ip_recursive on;
 location = /principals/ {
- rewrite ^ $real_scheme://$host:$real_port/SOGo/dav;
+ rewrite ^ $real_scheme://$real_host/SOGo/dav;
 allow all;
 }
@@ -272,7 +280,7 @@ server {
 proxy_set_header x-webobjects-server-protocol HTTP/1.0;
 proxy_set_header x-webobjects-remote-host $remote_addr;
 proxy_set_header x-webobjects-server-name $server_name;
- proxy_set_header x-webobjects-server-url $real_scheme://$host:$real_port;
+ proxy_set_header x-webobjects-server-url $real_scheme://$real_host;
 proxy_set_header x-webobjects-server-port $real_port;
 client_body_buffer_size 128k;
 client_max_body_size 100m;
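Review bot: The new `$real_host` map in the `@@ -17,6 +21,10 @@` hunk uses `default $scheme;` for every connection that does not come from `172.22.1.1`, so a direct (non-proxied) request gets `http` or `https` as its "host" and the `/principals/` rewrite and `x-webobjects-server-url` in the `@@ -53`, `@@ -119`, `@@ -133`, `@@ -206` and `@@ -272` hunks of this commit turn into `https://https/SOGo/dav` and `https://https`. The default should be the same fallback the `$maybe_real_host` map uses and that the pre-commit lines produced, `default $host:$real_port;`. This reads like a copy of the `$real_scheme` map directly above it, so a one-line comment on each trust map naming the variable it selects would make such slips easier to spot.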
@@ -286,7 +294,7 @@ server {
 proxy_set_header x-webobjects-server-protocol HTTP/1.0;
 proxy_set_header x-webobjects-remote-host $remote_addr;
 proxy_set_header x-webobjects-server-name $server_name;
- proxy_set_header x-webobjects-server-url $real_scheme://$host:$real_port;
+ proxy_set_header x-webobjects-server-url $real_scheme://$real_host;
 proxy_set_header x-webobjects-server-port $real_port;
 client_body_buffer_size 128k;
 client_max_body_size 100m;
diff --git a/docs/first_steps.md b/docs/first_steps.md
index 62773938..b64e5618 100644
--- a/docs/first_steps.md
+++ b/docs/first_steps.md
@@ -101,8 +101,8 @@ Recreate affected containers by running `docker-compose up -d`.
 [...]
 # You should proxy to a plain HTTP session to offload SSL processing
 ProxyPass / http://127.0.0.1:8080/
- ProxyPassReverse / http://127.0.0.1:8080/
 ProxyPreserveHost Off
+ RequestHeader set X-Forwarded-Host "mail.example.org"
 RequestHeader set X-Forwarded-Proto "https"
 RequestHeader set X-Forwarded-Port "443"
 your-ssl-configuration-here
@@ -131,6 +131,7 @@ server {
 proxy_pass http://127.0.0.1:8080/;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host:$server_port;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Port $server_port;
 }
@@ -146,6 +147,7 @@ frontend https-in
 backend mailcow
 option forwardfor
+ http-request set-header X-Forwarded-Host %[req.hdr(Host)]
 http-request set-header X-Forwarded-Proto https
 http-request set-header X-Forwarded-Port %[dst_port]
 server mailcow 127.0.0.1:8080 check
From 55ad1a3d5c35603d89cb0b13b2bad3e51b8998bc Mon Sep 17 00:00:00 2001
From: Michael Kuron
Date: Fri, 21 Apr 2017 18:15:28 +0200
Subject: [PATCH 3/3] Fix X-Forwarded-Host behind Apache reverse proxy
---
 docs/first_steps.md | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/docs/first_steps.md b/docs/first_steps.md
index b64e5618..509e0e78 100644
--- a/docs/first_steps.md
+++ b/docs/first_steps.md
@@ -102,9 +102,14 @@ Recreate affected containers by running `docker-compose up -d`.
 # You should proxy to a plain HTTP session to offload SSL processing
 ProxyPass / http://127.0.0.1:8080/
 ProxyPreserveHost Off
- RequestHeader set X-Forwarded-Host "mail.example.org"
- RequestHeader set X-Forwarded-Proto "https"
- RequestHeader set X-Forwarded-Port "443"
+ ProxyAddHeaders Off
+ RewriteEngine on
+ RewriteRule ^(.*) - [E=HOST_HEADER:%{HTTP_HOST},E=CLIENT_IP:%{REMOTE_ADDR},E=PORT_NUMBER:%{SERVER_PORT},L]
+ RequestHeader append X-Forwarded-For "%{CLIENT_IP}e"
+ RequestHeader set X-Forwarded-Host "%{HOST_HEADER}e"
+ RequestHeader set X-Forwarded-Proto "https" env=HTTPS
+ RequestHeader set X-Forwarded-Proto "http" env=!HTTPS
+ RequestHeader set X-Forwarded-Port "%{PORT_NUMBER}e"
 your-ssl-configuration-here
 [...]
@@ -148,7 +153,8 @@ frontend https-in
 backend mailcow
 option forwardfor
 http-request set-header X-Forwarded-Host %[req.hdr(Host)]
- http-request set-header X-Forwarded-Proto https
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
+ http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
 http-request set-header X-Forwarded-Port %[dst_port]
 server mailcow 127.0.0.1:8080 check
 ```