NGINX proxy issue

robing

Hi BigCheese,

Please do not create multiple threads in different categories, i deleted the other one.

Can you paste the Nginx and Apache configs

Kind regards,

Robin

BigCheese

0_1502967382238_nginx config.PNG 0_1502967384940_port.conf.PNG

BigCheese

@robing these are my configs and i also noticed the following error in chrome

robing

Can you change the ports.conf in the apache directory to

NameVirtualHost *:8000
Listen 127.0.0.1:8000
<IfModule ssl_module>
</IfModule>

<IfModule mod_gnutls.c>
</IfModule>

And change the proxy pass address to http instead of https
proxy_pass http://127.0.0.1:8000;

BigCheese

@robing said in NGINX proxy issue:

you change the ports.conf in the apache directory to

if i change the port.conf to what you suggested it still redirects me to port 8000 in the webbrowser. I only see ‘This website is not available’. But I don’t think I should make http out of that https because SSL is enabled so it will cause a ‘error 400 Bad Request’. If I cut the 'Listen 127.0.0.1:8000 and paste it between the ssl_module, then the following happens. I go to the webapp en try to login -> it redirects to port 8000, but if you remove the 8000 from the url it logs in and it works. Logout will log the user off and redirects you to port 8000 again

robing

Your site is using SSL but that doesn’t mean you can’t use http for your proxy.

BigCheese

okay but it will then say this

robing

Can you also send the apache config of webapp and if possible not as screenshot, it is difficult to use the search function then

BigCheese

@robing said in NGINX proxy issue:

config of webapp

Alias /webapp /usr/share/kopano-webapp
ProxyPass /webapp/presence http://192.168.8.27:1234/
ProxyPassReverse /webapp/presence http://192.168.8.27:1234/

# Modules to enable for the caching instructions to work:
#   mod_expires
#   mod_headers
#   mod_setenvif - for Internet Explorer quirks
#
# For compression:
#   mod_deflate
<Directory /usr/share/kopano-webapp/>
    DirectoryIndex index.php
    Options -Indexes +FollowSymLinks

    <IfVersion < 2.4>
        Allow from all
        AllowOverride Options Limit
        Order allow,deny
    </IfVersion>

    <IfVersion >= 2.4>
        AllowOverride Options Limit Authconfig
        Require all granted
    </IfVersion>

    FileETag All

    # Uncomment to enhance security of WebApp by restricting cookies to only
    # be provided over HTTPS connections
    # php_flag session.cookie_secure on
    # php_flag session.cookie_httponly on

    # Manipulate the cache control headers if mod_expires and
    # mod_headers are both enabled; otherwise the client will depend
    # on the ETag header.  However, you can set FileETag to "None" if
    # you have multiple servers serving WebApp to the same user.  In
    # that case, apache will fall back to the config below so make
    # sure these two modules are loaded!
    <IfModule expires_module>
        <IfModule headers_module>
            ExpiresActive On
            ExpiresDefault "now"

            <filesMatch "\.(jpg|gif|png)$">
                # All (static) resources set to 2 months expiration time.
                ExpiresDefault "access plus 2 months"
                Header append Cache-Control "public"
            </filesMatch>

            <FilesMatch "\.(js|css)$">
                # All non-dynamic files set to 2 weeks expiration time.
                ExpiresDefault "access plus 2 weeks"
                # User agents are requested to revalidate for each resource
                # so that the server can always serve a newer version if
                # necessary.
                Header append Cache-Control "no-cache, must-revalidate"

                # Treat IE a little differently due to the remarks on no-cache
                # on http://support.microsoft.com/kb/234067
                <IfModule setenvif_module>
                    BrowserMatch MSIE ie_bug
                </IfModule>
                Header set Cache-Control "must-revalidate, private" env=ie_bug
            </FilesMatch>

            <filesMatch "\.(php)$">
                # PHP files must always be retrieved from the server.
                ExpiresActive Off
                Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
                Header set Pragma "no-cache"
            </filesMatch>
        </IfModule>
    </IfModule>

    # Enable gzip compression if the module is available
    <IfModule deflate_module>
        <filesMatch "\.(js|css)$">
            SetOutputFilter DEFLATE
        </filesMatch>
    </IfModule>
</Directory>

config port.conf apache

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

NameVirtualHost *:8000
#Listen 127.0.0.1:8000

<IfModule ssl_module>
        listen 127.0.0.1:8000
</IfModule>

<IfModule mod_gnutls.c>
        Listen 127.0.0.1:8000
</IfModule>


# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

config: nginx config

server {
        listen 192.168.8.27:443 ssl;
        server_name 192.168.8.27;

        ssl on;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256:AES128:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
        ssl_prefer_server_ciphers on;
        #
        # ssl_dhparam require you to create a dhparam.pem, this takes a long time
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        #
        location /webmeetings {
               proxy_pass https://127.0.0.1:8090;
               proxy_http_version 1.1;
               proxy_set_header Upgrade $http_upgrade;
               proxy_set_header Connection $connection_upgrade;
               proxy_set_header X-Forwarded-Proto $scheme;
               proxy_set_header Host $http_host;
               proxy_set_header X-Real-IP $remote_addr;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        }
        location /webapp {
                proxy_pass https://127.0.0.1:8000;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        }

}
map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
}

proxy_buffering on;
proxy_ignore_client_abort off;
proxy_redirect off;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;

netstat

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1012/mysqld
tcp        0      0 0.0.0.0:236             0.0.0.0:*               LISTEN      3803/kopano-server
tcp        0      0 0.0.0.0:237             0.0.0.0:*               LISTEN      3803/kopano-server
tcp        0      0 192.168.8.27:1234       0.0.0.0:*               LISTEN      764/python
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      936/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1321/master
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      1423/0
tcp        0      0 127.0.0.1:8090          0.0.0.0:*               LISTEN      1092/kopano-webmeet
tcp        0      0 192.168.8.27:443        0.0.0.0:*               LISTEN      3633/nginx -g daemo
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      3763/apache2
tcp6       0      0 :::110                  :::*                    LISTEN      719/kopano-gateway
tcp6       0      0 :::143                  :::*                    LISTEN      719/kopano-gateway
tcp6       0      0 :::8080                 :::*                    LISTEN      775/kopano-ical
tcp6       0      0 :::2003                 :::*                    LISTEN      708/kopano-dagent
tcp6       0      0 :::21                   :::*                    LISTEN      961/vsftpd
tcp6       0      0 :::22                   :::*                    LISTEN      936/sshd
tcp6       0      0 :::25                   :::*                    LISTEN      1321/master
tcp6       0      0 ::1:6010                :::*                    LISTEN      1423/0

robing

You are still using SSL for apache, don’t do that
The following config should work and make sure the SSL module is disable in Apache

NameVirtualHost *:8000
Listen 127.0.0.1:8000

server {
        listen 192.168.8.27:443 ssl;
        server_name 192.168.8.27;

        ssl on;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256:AES128:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
        ssl_prefer_server_ciphers on;
        #
        # ssl_dhparam require you to create a dhparam.pem, this takes a long time
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        #
        location /webmeetings {
               proxy_pass http://127.0.0.1:8090;
               proxy_http_version 1.1;
               proxy_set_header Upgrade $http_upgrade;
               proxy_set_header Connection $connection_upgrade;
               proxy_set_header X-Forwarded-Proto $scheme;
               proxy_set_header Host $http_host;
               proxy_set_header X-Real-IP $remote_addr;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        location /webapp {
                proxy_pass http://127.0.0.1:8000;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        }

map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
}

proxy_buffering on;
proxy_ignore_client_abort off;
proxy_redirect off;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;

BigCheese

Okay the webapp stays at https://192.168.8.27/webapp but my webmeetings is complete unreachable any idea how to solve this new issue. It might have something to do with disabling ssl on apache or the fact that webmeeting uses https (configured in /etc/kopano/webmeetings.cfg) Anyhow the browser gives the follow reply if I request webmeetings: “502 Bad Gateway”

robing

Webmeetings in not using apache at all.
Is kopano-webmeeting running and/or are the any errors in the log

Please ignore the https part in the config and only use the http part you are only listing on 127.0.0.1 so https is not needed

tcp        0      0 127.0.0.1:8090          0.0.0.0:*               LISTEN      1092/kopano-webmeet

Do you get the error on https://192.168.8.27/webmeetings ?
If not than probably your secret keys are no correct.
Please take a look at the last page of the webmeetings documentation , there is a table that explains which key should match.

BigCheese

okay it work but there is one issue when it used to forward you to port 8000 it now says “this site is not available” (after you log in) if you reload the page your in. Same with logging out, press logout -> “this site is not available” -> reload the page and your back at the login. So in short you go to https://192.168.8.27/webapp it still redirects but this time to http://192.168.8.27

robing

That is an issue with the WebApp itself just add this to your Nginx config

server {
	listen 80 ;
	listen [::]:80 ;
	server_name _;
	return 301 https://$host$request_uri;
}

BigCheese

@robing said in NGINX proxy issue:

server {
listen 80 ;
listen [::]:80 ;
server_name _;
return 301 https://$host$request_uri;
}

BigCheese

@robing THANK YOU SO MUCH @robing IT FINALLY WORKS THX