NGINX proxy issue
-
I have been busy with setting up the kopano webapp and webmeeting and everything works fine. Except that when I go browse to https://[ip-address]/webapp I get the login screen from the webapp, but after I entered my credentials en press enter it redirects to https://[ip-adres]:8000/webapp and it shows the login screen again. It shouldn’t redirect to 8000. I used the NGINX config from the kopano documentation and the Apacheis also configured according to the kopano documentation. The setup consists of Apache(with the webapp running on it) behind a NGINX (with webmeeting running on it)
-
Hi BigCheese,
Please do not create multiple threads in different categories, i deleted the other one.
Can you paste the Nginx and Apache configs
Kind regards,
Robin
Regards Robin,
Need support?
Have a look at https://kopano.com/support/ for options.Helpful resources:
https://kopano.com/blog/how-to-get-kopano/
https://documentation.kopano.io/
https://kb.kopano.io/ -
-
@robing these are my configs and i also noticed the following error in chrome
-
Can you change the ports.conf in the apache directory to
NameVirtualHost *:8000 Listen 127.0.0.1:8000 <IfModule ssl_module> </IfModule> <IfModule mod_gnutls.c> </IfModule>And change the proxy pass address to http instead of https
proxy_pass http://127.0.0.1:8000; -
@robing said in NGINX proxy issue:
you change the ports.conf in the apache directory to
if i change the port.conf to what you suggested it still redirects me to port 8000 in the webbrowser. I only see ‘This website is not available’. But I don’t think I should make http out of that https because SSL is enabled so it will cause a ‘error 400 Bad Request’. If I cut the 'Listen 127.0.0.1:8000 and paste it between the ssl_module, then the following happens. I go to the webapp en try to login -> it redirects to port 8000, but if you remove the 8000 from the url it logs in and it works. Logout will log the user off and redirects you to port 8000 again
-
Your site is using SSL but that doesn’t mean you can’t use http for your proxy.
-
okay but it will then say this
-
Can you also send the apache config of webapp and if possible not as screenshot, it is difficult to use the search function then
-
@robing said in NGINX proxy issue:
config of webapp
Alias /webapp /usr/share/kopano-webapp ProxyPass /webapp/presence http://192.168.8.27:1234/ ProxyPassReverse /webapp/presence http://192.168.8.27:1234/ # Modules to enable for the caching instructions to work: # mod_expires # mod_headers # mod_setenvif - for Internet Explorer quirks # # For compression: # mod_deflate <Directory /usr/share/kopano-webapp/> DirectoryIndex index.php Options -Indexes +FollowSymLinks <IfVersion < 2.4> Allow from all AllowOverride Options Limit Order allow,deny </IfVersion> <IfVersion >= 2.4> AllowOverride Options Limit Authconfig Require all granted </IfVersion> FileETag All # Uncomment to enhance security of WebApp by restricting cookies to only # be provided over HTTPS connections # php_flag session.cookie_secure on # php_flag session.cookie_httponly on # Manipulate the cache control headers if mod_expires and # mod_headers are both enabled; otherwise the client will depend # on the ETag header. However, you can set FileETag to "None" if # you have multiple servers serving WebApp to the same user. In # that case, apache will fall back to the config below so make # sure these two modules are loaded! <IfModule expires_module> <IfModule headers_module> ExpiresActive On ExpiresDefault "now" <filesMatch "\.(jpg|gif|png)$"> # All (static) resources set to 2 months expiration time. ExpiresDefault "access plus 2 months" Header append Cache-Control "public" </filesMatch> <FilesMatch "\.(js|css)$"> # All non-dynamic files set to 2 weeks expiration time. ExpiresDefault "access plus 2 weeks" # User agents are requested to revalidate for each resource # so that the server can always serve a newer version if # necessary. Header append Cache-Control "no-cache, must-revalidate" # Treat IE a little differently due to the remarks on no-cache # on http://support.microsoft.com/kb/234067 <IfModule setenvif_module> BrowserMatch MSIE ie_bug </IfModule> Header set Cache-Control "must-revalidate, private" env=ie_bug </FilesMatch> <filesMatch "\.(php)$"> # PHP files must always be retrieved from the server. ExpiresActive Off Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform" Header set Pragma "no-cache" </filesMatch> </IfModule> </IfModule> # Enable gzip compression if the module is available <IfModule deflate_module> <filesMatch "\.(js|css)$"> SetOutputFilter DEFLATE </filesMatch> </IfModule> </Directory>config port.conf apache
# If you just change the port or add more ports here, you will likely also # have to change the VirtualHost statement in # /etc/apache2/sites-enabled/000-default.conf NameVirtualHost *:8000 #Listen 127.0.0.1:8000 <IfModule ssl_module> listen 127.0.0.1:8000 </IfModule> <IfModule mod_gnutls.c> Listen 127.0.0.1:8000 </IfModule> # vim: syntax=apache ts=4 sw=4 sts=4 sr noetconfig: nginx config
server { listen 192.168.8.27:443 ssl; server_name 192.168.8.27; ssl on; ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256:AES128:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK; ssl_prefer_server_ciphers on; # # ssl_dhparam require you to create a dhparam.pem, this takes a long time ssl_dhparam /etc/ssl/certs/dhparam.pem; # location /webmeetings { proxy_pass https://127.0.0.1:8090; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location /webapp { proxy_pass https://127.0.0.1:8000; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } map $http_upgrade $connection_upgrade { default upgrade; '' close; } proxy_buffering on; proxy_ignore_client_abort off; proxy_redirect off; proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffer_size 4k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;netstat
Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1012/mysqld tcp 0 0 0.0.0.0:236 0.0.0.0:* LISTEN 3803/kopano-server tcp 0 0 0.0.0.0:237 0.0.0.0:* LISTEN 3803/kopano-server tcp 0 0 192.168.8.27:1234 0.0.0.0:* LISTEN 764/python tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 936/sshd tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1321/master tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 1423/0 tcp 0 0 127.0.0.1:8090 0.0.0.0:* LISTEN 1092/kopano-webmeet tcp 0 0 192.168.8.27:443 0.0.0.0:* LISTEN 3633/nginx -g daemo tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN 3763/apache2 tcp6 0 0 :::110 :::* LISTEN 719/kopano-gateway tcp6 0 0 :::143 :::* LISTEN 719/kopano-gateway tcp6 0 0 :::8080 :::* LISTEN 775/kopano-ical tcp6 0 0 :::2003 :::* LISTEN 708/kopano-dagent tcp6 0 0 :::21 :::* LISTEN 961/vsftpd tcp6 0 0 :::22 :::* LISTEN 936/sshd tcp6 0 0 :::25 :::* LISTEN 1321/master tcp6 0 0 ::1:6010 :::* LISTEN 1423/0 -
You are still using SSL for apache, don’t do that
The following config should work and make sure the SSL module is disable in ApacheNameVirtualHost *:8000 Listen 127.0.0.1:8000server { listen 192.168.8.27:443 ssl; server_name 192.168.8.27; ssl on; ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256:AES128:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK; ssl_prefer_server_ciphers on; # # ssl_dhparam require you to create a dhparam.pem, this takes a long time ssl_dhparam /etc/ssl/certs/dhparam.pem; # location /webmeetings { proxy_pass http://127.0.0.1:8090; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location /webapp { proxy_pass http://127.0.0.1:8000; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } map $http_upgrade $connection_upgrade { default upgrade; '' close; } proxy_buffering on; proxy_ignore_client_abort off; proxy_redirect off; proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffer_size 4k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; proxy_next_upstream error timeout invalid_header http_502 http_503 http_504; -
Okay the webapp stays at https://192.168.8.27/webapp but my webmeetings is complete unreachable any idea how to solve this new issue. It might have something to do with disabling ssl on apache or the fact that webmeeting uses https (configured in /etc/kopano/webmeetings.cfg) Anyhow the browser gives the follow reply if I request webmeetings: “502 Bad Gateway”
-
Webmeetings in not using apache at all.
Is kopano-webmeeting running and/or are the any errors in the logPlease ignore the https part in the config and only use the http part you are only listing on 127.0.0.1 so https is not needed
tcp 0 0 127.0.0.1:8090 0.0.0.0:* LISTEN 1092/kopano-webmeetDo you get the error on https://192.168.8.27/webmeetings ?
If not than probably your secret keys are no correct.
Please take a look at the last page of the webmeetings documentation , there is a table that explains which key should match. -
okay it work but there is one issue when it used to forward you to port 8000 it now says “this site is not available” (after you log in) if you reload the page your in. Same with logging out, press logout -> “this site is not available” -> reload the page and your back at the login. So in short you go to https://192.168.8.27/webapp it still redirects but this time to http://192.168.8.27
-
That is an issue with the WebApp itself just add this to your Nginx config
server { listen 80 ; listen [::]:80 ; server_name _; return 301 https://$host$request_uri; }Regards Robin,
Need support?
Have a look at https://kopano.com/support/ for options.Helpful resources:
https://kopano.com/blog/how-to-get-kopano/
https://documentation.kopano.io/
https://kb.kopano.io/ -
@robing said in NGINX proxy issue:
server {
listen 80 ;
listen [::]:80 ;
server_name _;
return 301 https://$host$request_uri;
} -
