Webapp behind NGINX-Proxy
Hi all,
I’m quite close to finishing my first serious Kopano setup.
The last issue - for now - is Kopano WebApp behind an NGINX proxy. Direct access at the Kopano host works perfectly. Access via the proxy shows the login screen.
The password validation works (a wrong user/password reports an error), but after entering a valid username/password combination nothing happens anymore.
The error message at the proxy server is:

```
2019/04/06 10:11:52 [error] 1901#1901: *14014 access forbidden by rule, client: client_IP, server: external_FQDN, request: "GET /webapp/index.php?version=3.5.5.2236+1248.1&load=translations.js&lang=de_DE.UTF-8 HTTP/1.1", host: "external_FQDN", referrer: "https://external_FQDN/webapp/"
2019/04/06 10:11:53 [error] 1901#1901: *14016 access forbidden by rule, client: client_IP, server: external_FQDN, request: "POST /webapp/kopano.php?service=fingerprint HTTP/1.1", host: "external_FQDN", referrer: "https://external_FQDN/webapp/"
2019/04/06 10:11:53 [error] 1901#1901: *14015 access forbidden by rule, client: client_IP, server: external_FQDN, request: "POST /webapp/kopano.php?service=fingerprint&type=keepalive HTTP/1.1", host: "external_FQDN", referrer: "https://external_FQDN/webapp/"
```

The nginx configuration at the NGINX proxy is:
(everything on top location /webapp is auto generated by the ispconfig hosting panel)

```
server {
    listen *:80;
    listen *:443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /path_to_letsencrypt.crt;
    ssl_certificate_key /path_to_letsencrypt.key;

    server_name external_FQDN ;

    root /var/www/external_FQDN/HOSTNAME;

    if ($scheme != "https") {
        rewrite ^ https://$http_host$request_uri? permanent;
    }

    index index.html index.htm index.php index.cgi index.pl index.xhtml;

    error_log /var/log/ispconfig/httpd/external_FQDN/error.log;
    access_log /var/log/ispconfig/httpd/external_FQDN/access.log combined;

    location ~ /\. {
        deny all;
    }

    location ^~ /.well-known/acme-challenge/ {
        access_log off;
        log_not_found off;
        root /usr/local/ispconfig/interface/acme/;
        autoindex off;
        index index.html;
        try_files $uri $uri/ =404;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
        expires max;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location /stats/ {
        index index.html index.php;
        auth_basic "Members Only";
        auth_basic_user_file /var/www/clients/client1/web10/web/stats/.htpasswd_stats;
    }

    location ^~ /awstats-icon {
        alias /usr/share/awstats/icon;
    }

    location ~ \.php$ {
        try_files /f0ddc163b066ee839103875f35fc17ed.htm @php;
    }

    location @php {
        deny all;
    }

    location /webapp {
        proxy_pass https://internal_FQDN;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location ~*^/test {
        proxy_pass http://internal_FQDN;
    }

    proxy_buffering on;
    proxy_ignore_client_abort off;
    proxy_redirect off;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;
    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
}
```

Any idea which “rule” could prevent the further access?
regards
Robert
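
An added example, not part of the original post: a small Python model of nginx's documented location selection order, fed with the location blocks from the configuration above and request paths from the error log. It shows which block each request lands in; the `with_webapp_modifier` helper and its `^~ /webapp` variant are assumptions added for comparison, not something the post contains.

```python
import re

# Location blocks from the posted server block, in file order: (modifier, pattern).
# The named location @php is left out because it is never selected by URI.
LOCATIONS = [
    ("~", r"/\."),
    ("^~", "/.well-known/acme-challenge/"),
    ("=", "/favicon.ico"),
    ("=", "/robots.txt"),
    ("", "/stats/"),
    ("^~", "/awstats-icon"),
    ("~", r"\.php$"),      # try_files falls through to @php, which is "deny all"
    ("", "/webapp"),
    ("~*", "^/test"),
]

def select_location(uri, locations):
    """Return the (modifier, pattern) nginx would select for a request URI."""
    path = uri.split("?", 1)[0]  # locations are matched against the path only
    for mod, pat in locations:   # 1. an exact "=" match ends the search
        if mod == "=" and path == pat:
            return (mod, pat)
    best = None                  # 2. remember the longest matching prefix
    for mod, pat in locations:
        if mod in ("", "^~") and path.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat)
    if best and best[0] == "^~": # "^~" on that prefix skips the regex pass
        return best
    for mod, pat in locations:   # 3. first matching regex, in file order, wins
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, path, flags):
                return (mod, pat)
    return best                  # 4. otherwise the remembered prefix is used

def with_webapp_modifier(locations):
    """Hypothetical variant: the same blocks, but /webapp declared with ^~."""
    return [("^~", p) if p == "/webapp" else (m, p) for m, p in locations]

if __name__ == "__main__":
    for uri in ("/webapp/", "/webapp/kopano.php?service=fingerprint"):
        print(uri, select_location(uri, LOCATIONS),
              select_location(uri, with_webapp_modifier(LOCATIONS)))
```

In the `^~` variant the proxy's `location ~ /\.` deny rule also stops applying below `/webapp`, so dotfile paths there are forwarded and the internal host has to enforce that restriction itself.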