Merge pull request #212 from mkuron/reverseproxy

Fix CalDAV/CardDAV URLs displayed in SOGo web interface when used behind reverse proxy
2017-04-24 10:09:32 +02:00 · 2017-04-24 10:09:32 +02:00 · 0f3202109d
parent 166c710ff3 55ad1a3d5c
commit 0f3202109d
2 changed files with 62 additions and 12 deletions
--- a/data/conf/nginx/site.conf
+++ b/data/conf/nginx/site.conf
@ -1,4 +1,31 @@
 proxy_cache_path /tmp levels=1:2 keys_zone=sogo:10m inactive=24h  max_size=1g;
 # use the non-standard X-Forwarded-* headers for WebObjects
 map $http_x_forwarded_proto $maybe_real_scheme {
  default $http_x_forwarded_proto;
  ''      $scheme;
 }
 map $http_x_forwarded_port $maybe_real_port {
  default $http_x_forwarded_port;
  ''      $server_port;
 }
 map $http_x_forwarded_host $maybe_real_host {
  default $http_x_forwarded_host;
  ''      $host:$real_port;
 }
 map $realip_remote_addr $real_scheme {
  default $scheme;
  172.22.1.1 $maybe_real_scheme;
 }
 map $realip_remote_addr $real_port {
  default $server_port;
  172.22.1.1 $maybe_real_port;
 }
 map $realip_remote_addr $real_host {
  default $scheme;
  172.22.1.1 $maybe_real_host;
 }
 server {
  include /etc/nginx/conf.d/listen_ssl.active;
  include /etc/nginx/mime.types;
@ -34,7 +61,7 @@ server {
  real_ip_recursive on;
  location = /principals/ {
-    rewrite ^ $scheme://$host:$server_port/SOGo/dav;
+    rewrite ^ $real_scheme://$real_host/SOGo/dav;
    allow all;
  }
@ -100,8 +127,8 @@ server {
    proxy_set_header x-webobjects-server-protocol HTTP/1.0;
    proxy_set_header x-webobjects-remote-host $remote_addr;
    proxy_set_header x-webobjects-server-name $server_name;
-    proxy_set_header x-webobjects-server-url $scheme://$host:$server_port;
+    proxy_set_header x-webobjects-server-url $real_scheme://$real_host;
-    proxy_set_header x-webobjects-server-port $server_port;
+    proxy_set_header x-webobjects-server-port $real_port;
    client_body_buffer_size 128k;
    client_max_body_size 100m;
  }
@ -114,8 +141,8 @@ server {
    proxy_set_header x-webobjects-server-protocol HTTP/1.0;
    proxy_set_header x-webobjects-remote-host $remote_addr;
    proxy_set_header x-webobjects-server-name $server_name;
-    proxy_set_header x-webobjects-server-url $scheme://$host:$server_port;
+    proxy_set_header x-webobjects-server-url $real_scheme://$real_host;
-    proxy_set_header x-webobjects-server-port $server_port;
+    proxy_set_header x-webobjects-server-port $real_port;
    client_body_buffer_size 128k;
    client_max_body_size 100m;
    break;
@ -187,7 +214,7 @@ server {
  real_ip_recursive on;
  location = /principals/ {
-    rewrite ^ $scheme://$host:$server_port/SOGo/dav;
+    rewrite ^ $real_scheme://$real_host/SOGo/dav;
    allow all;
  }
@ -253,8 +280,8 @@ server {
    proxy_set_header x-webobjects-server-protocol HTTP/1.0;
    proxy_set_header x-webobjects-remote-host $remote_addr;
    proxy_set_header x-webobjects-server-name $server_name;
-    proxy_set_header x-webobjects-server-url $scheme://$host:$server_port;
+    proxy_set_header x-webobjects-server-url $real_scheme://$real_host;
-    proxy_set_header x-webobjects-server-port $server_port;
+    proxy_set_header x-webobjects-server-port $real_port;
    client_body_buffer_size 128k;
    client_max_body_size 100m;
  }
@ -267,8 +294,8 @@ server {
    proxy_set_header x-webobjects-server-protocol HTTP/1.0;
    proxy_set_header x-webobjects-remote-host $remote_addr;
    proxy_set_header x-webobjects-server-name $server_name;
-    proxy_set_header x-webobjects-server-url $scheme://$host:$server_port;
+    proxy_set_header x-webobjects-server-url $real_scheme://$real_host;
-    proxy_set_header x-webobjects-server-port $server_port;
+    proxy_set_header x-webobjects-server-port $real_port;
    client_body_buffer_size 128k;
    client_max_body_size 100m;
    break;
--- a/docs/first_steps.md
+++ b/docs/first_steps.md
@ -103,8 +103,15 @@ Recreate affected containers by running `docker-compose up -d`.
    [...]
    # You should proxy to a plain HTTP session to offload SSL processing
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    ProxyPreserveHost Off
    ProxyAddHeaders Off
    RewriteEngine on
    RewriteRule ^(.*) - [E=HOST_HEADER:%{HTTP_HOST},E=CLIENT_IP:%{REMOTE_ADDR},E=PORT_NUMBER:%{SERVER_PORT},L]
    RequestHeader append X-Forwarded-For "%{CLIENT_IP}e"
    RequestHeader set X-Forwarded-Host "%{HOST_HEADER}e"
    RequestHeader set X-Forwarded-Proto "https" env=HTTPS
    RequestHeader set X-Forwarded-Proto "http" env=!HTTPS
    RequestHeader set X-Forwarded-Port "%{PORT_NUMBER}e"
    your-ssl-configuration-here
    [...]
@ -129,15 +136,31 @@ server {
    your-ssl-configuration-here
    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_redirect http://127.0.0.1:8080/ $scheme://$host:$server_port/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }
    [...]
 }
 ```
 ### HAProxy
 ```
 frontend https-in
  bind :::443 v4v6 ssl crt mailcow.pem
  default_backend mailcow
 backend mailcow
  option forwardfor
  http-request set-header X-Forwarded-Host %[req.hdr(Host)]
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  http-request set-header X-Forwarded-Port %[dst_port]
  server mailcow 127.0.0.1:8080 check
 ```
 ## Optional: Setup a relayhost
 Insert these lines to `data/conf/postfix/main.cf`. "relayhost" does already exist (empty), just change its value.