Navigation

    Kopano
    • Register
    • Login
    • Search
    • Categories
    • Get Official Kopano Support
    • Recent
    Statement regarding the closure of the Kopano community forum and the end of the community edition

    NGINX proxy issue

    Kopano Meet & WebMeetings
    2
    17
    4265
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • robing
      robing Kopano (Inactive) last edited by

      Can you change the ports.conf in the apache directory to

      NameVirtualHost *:8000
      Listen 127.0.0.1:8000
      <IfModule ssl_module>
      </IfModule>
      
      <IfModule mod_gnutls.c>
      </IfModule>
      

      And change the proxy pass address to http instead of https
      proxy_pass http://127.0.0.1:8000;

      Regards Robin,

      Need support?
      Have a look at https://kopano.com/support/ for options.

      Helpful resources:
      https://kopano.com/blog/how-to-get-kopano/
      https://documentation.kopano.io/
      https://kb.kopano.io/

      1 Reply Last reply Reply Quote 0
      • BigCheese
        BigCheese last edited by BigCheese

        @robing said in NGINX proxy issue:

        you change the ports.conf in the apache directory to

        if i change the port.conf to what you suggested it still redirects me to port 8000 in the webbrowser. I only see ‘This website is not available’. But I don’t think I should make http out of that https because SSL is enabled so it will cause a ‘error 400 Bad Request’. If I cut the 'Listen 127.0.0.1:8000 and paste it between the ssl_module, then the following happens. I go to the webapp en try to login -> it redirects to port 8000, but if you remove the 8000 from the url it logs in and it works. Logout will log the user off and redirects you to port 8000 again

        1 Reply Last reply Reply Quote 0
        • robing
          robing Kopano (Inactive) last edited by

          Your site is using SSL but that doesn’t mean you can’t use http for your proxy.

          Regards Robin,

          Need support?
          Have a look at https://kopano.com/support/ for options.

          Helpful resources:
          https://kopano.com/blog/how-to-get-kopano/
          https://documentation.kopano.io/
          https://kb.kopano.io/

          1 Reply Last reply Reply Quote 0
          • BigCheese
            BigCheese last edited by

            okay but it will then say this0_1502973106628_Knipsel3.PNG

            1 Reply Last reply Reply Quote 0
            • robing
              robing Kopano (Inactive) last edited by

              Can you also send the apache config of webapp and if possible not as screenshot, it is difficult to use the search function then

              Regards Robin,

              Need support?
              Have a look at https://kopano.com/support/ for options.

              Helpful resources:
              https://kopano.com/blog/how-to-get-kopano/
              https://documentation.kopano.io/
              https://kb.kopano.io/

              1 Reply Last reply Reply Quote 0
              • BigCheese
                BigCheese last edited by BigCheese

                @robing said in NGINX proxy issue:

                config of webapp

                Alias /webapp /usr/share/kopano-webapp
                ProxyPass /webapp/presence http://192.168.8.27:1234/
                ProxyPassReverse /webapp/presence http://192.168.8.27:1234/
                
                # Modules to enable for the caching instructions to work:
                #   mod_expires
                #   mod_headers
                #   mod_setenvif - for Internet Explorer quirks
                #
                # For compression:
                #   mod_deflate
                <Directory /usr/share/kopano-webapp/>
                    DirectoryIndex index.php
                    Options -Indexes +FollowSymLinks
                
                    <IfVersion < 2.4>
                        Allow from all
                        AllowOverride Options Limit
                        Order allow,deny
                    </IfVersion>
                
                    <IfVersion >= 2.4>
                        AllowOverride Options Limit Authconfig
                        Require all granted
                    </IfVersion>
                
                    FileETag All
                
                    # Uncomment to enhance security of WebApp by restricting cookies to only
                    # be provided over HTTPS connections
                    # php_flag session.cookie_secure on
                    # php_flag session.cookie_httponly on
                
                    # Manipulate the cache control headers if mod_expires and
                    # mod_headers are both enabled; otherwise the client will depend
                    # on the ETag header.  However, you can set FileETag to "None" if
                    # you have multiple servers serving WebApp to the same user.  In
                    # that case, apache will fall back to the config below so make
                    # sure these two modules are loaded!
                    <IfModule expires_module>
                        <IfModule headers_module>
                            ExpiresActive On
                            ExpiresDefault "now"
                
                            <filesMatch "\.(jpg|gif|png)$">
                                # All (static) resources set to 2 months expiration time.
                                ExpiresDefault "access plus 2 months"
                                Header append Cache-Control "public"
                            </filesMatch>
                
                            <FilesMatch "\.(js|css)$">
                                # All non-dynamic files set to 2 weeks expiration time.
                                ExpiresDefault "access plus 2 weeks"
                                # User agents are requested to revalidate for each resource
                                # so that the server can always serve a newer version if
                                # necessary.
                                Header append Cache-Control "no-cache, must-revalidate"
                
                                # Treat IE a little differently due to the remarks on no-cache
                                # on http://support.microsoft.com/kb/234067
                                <IfModule setenvif_module>
                                    BrowserMatch MSIE ie_bug
                                </IfModule>
                                Header set Cache-Control "must-revalidate, private" env=ie_bug
                            </FilesMatch>
                
                            <filesMatch "\.(php)$">
                                # PHP files must always be retrieved from the server.
                                ExpiresActive Off
                                Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
                                Header set Pragma "no-cache"
                            </filesMatch>
                        </IfModule>
                    </IfModule>
                
                    # Enable gzip compression if the module is available
                    <IfModule deflate_module>
                        <filesMatch "\.(js|css)$">
                            SetOutputFilter DEFLATE
                        </filesMatch>
                    </IfModule>
                </Directory>
                

                config port.conf apache

                # If you just change the port or add more ports here, you will likely also
                # have to change the VirtualHost statement in
                # /etc/apache2/sites-enabled/000-default.conf
                
                NameVirtualHost *:8000
                #Listen 127.0.0.1:8000
                
                <IfModule ssl_module>
                        listen 127.0.0.1:8000
                </IfModule>
                
                <IfModule mod_gnutls.c>
                        Listen 127.0.0.1:8000
                </IfModule>
                
                
                # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
                
                

                config: nginx config

                server {
                        listen 192.168.8.27:443 ssl;
                        server_name 192.168.8.27;
                
                        ssl on;
                        ssl_certificate /etc/nginx/ssl/nginx.crt;
                        ssl_certificate_key /etc/nginx/ssl/nginx.key;
                        ssl_session_cache shared:SSL:1m;
                        ssl_session_timeout 5m;
                        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                        ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256:AES128:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
                        ssl_prefer_server_ciphers on;
                        #
                        # ssl_dhparam require you to create a dhparam.pem, this takes a long time
                        ssl_dhparam /etc/ssl/certs/dhparam.pem;
                        #
                        location /webmeetings {
                               proxy_pass https://127.0.0.1:8090;
                               proxy_http_version 1.1;
                               proxy_set_header Upgrade $http_upgrade;
                               proxy_set_header Connection $connection_upgrade;
                               proxy_set_header X-Forwarded-Proto $scheme;
                               proxy_set_header Host $http_host;
                               proxy_set_header X-Real-IP $remote_addr;
                               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                
                        }
                        location /webapp {
                                proxy_pass https://127.0.0.1:8000;
                                proxy_http_version 1.1;
                                proxy_set_header Upgrade $http_upgrade;
                                proxy_set_header Connection $connection_upgrade;
                                proxy_set_header X-Forwarded-Proto $scheme;
                                proxy_set_header Host $http_host;
                                proxy_set_header X-Real-IP $remote_addr;
                                proxy_set_header X-Forwarded-For $remote_addr;
                                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                
                        }
                
                }
                map $http_upgrade $connection_upgrade {
                        default upgrade;
                        '' close;
                }
                
                proxy_buffering on;
                proxy_ignore_client_abort off;
                proxy_redirect off;
                proxy_connect_timeout 90;
                proxy_send_timeout 90;
                proxy_read_timeout 90;
                proxy_buffer_size 4k;
                proxy_buffers 4 32k;
                proxy_busy_buffers_size 64k;
                proxy_temp_file_write_size 64k;
                proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
                

                netstat

                Active Internet connections (only servers)
                Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
                tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1012/mysqld
                tcp        0      0 0.0.0.0:236             0.0.0.0:*               LISTEN      3803/kopano-server
                tcp        0      0 0.0.0.0:237             0.0.0.0:*               LISTEN      3803/kopano-server
                tcp        0      0 192.168.8.27:1234       0.0.0.0:*               LISTEN      764/python
                tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      936/sshd
                tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1321/master
                tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      1423/0
                tcp        0      0 127.0.0.1:8090          0.0.0.0:*               LISTEN      1092/kopano-webmeet
                tcp        0      0 192.168.8.27:443        0.0.0.0:*               LISTEN      3633/nginx -g daemo
                tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      3763/apache2
                tcp6       0      0 :::110                  :::*                    LISTEN      719/kopano-gateway
                tcp6       0      0 :::143                  :::*                    LISTEN      719/kopano-gateway
                tcp6       0      0 :::8080                 :::*                    LISTEN      775/kopano-ical
                tcp6       0      0 :::2003                 :::*                    LISTEN      708/kopano-dagent
                tcp6       0      0 :::21                   :::*                    LISTEN      961/vsftpd
                tcp6       0      0 :::22                   :::*                    LISTEN      936/sshd
                tcp6       0      0 :::25                   :::*                    LISTEN      1321/master
                tcp6       0      0 ::1:6010                :::*                    LISTEN      1423/0
                
                
                1 Reply Last reply Reply Quote 0
                • robing
                  robing Kopano (Inactive) last edited by

                  You are still using SSL for apache, don’t do that
                  The following config should work and make sure the SSL module is disable in Apache

                  NameVirtualHost *:8000
                  Listen 127.0.0.1:8000
                  
                  server {
                          listen 192.168.8.27:443 ssl;
                          server_name 192.168.8.27;
                  
                          ssl on;
                          ssl_certificate /etc/nginx/ssl/nginx.crt;
                          ssl_certificate_key /etc/nginx/ssl/nginx.key;
                          ssl_session_cache shared:SSL:1m;
                          ssl_session_timeout 5m;
                          ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                          ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256:AES128:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
                          ssl_prefer_server_ciphers on;
                          #
                          # ssl_dhparam require you to create a dhparam.pem, this takes a long time
                          ssl_dhparam /etc/ssl/certs/dhparam.pem;
                          #
                          location /webmeetings {
                                 proxy_pass http://127.0.0.1:8090;
                                 proxy_http_version 1.1;
                                 proxy_set_header Upgrade $http_upgrade;
                                 proxy_set_header Connection $connection_upgrade;
                                 proxy_set_header X-Forwarded-Proto $scheme;
                                 proxy_set_header Host $http_host;
                                 proxy_set_header X-Real-IP $remote_addr;
                                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                          }
                          location /webapp {
                                  proxy_pass http://127.0.0.1:8000;
                                  proxy_http_version 1.1;
                                  proxy_set_header Upgrade $http_upgrade;
                                  proxy_set_header Connection $connection_upgrade;
                                  proxy_set_header X-Forwarded-Proto $scheme;
                                  proxy_set_header Host $http_host;
                                  proxy_set_header X-Real-IP $remote_addr;
                                  proxy_set_header X-Forwarded-For $remote_addr;
                                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                  
                          }
                  
                  map $http_upgrade $connection_upgrade {
                          default upgrade;
                          '' close;
                  }
                  
                  proxy_buffering on;
                  proxy_ignore_client_abort off;
                  proxy_redirect off;
                  proxy_connect_timeout 90;
                  proxy_send_timeout 90;
                  proxy_read_timeout 90;
                  proxy_buffer_size 4k;
                  proxy_buffers 4 32k;
                  proxy_busy_buffers_size 64k;
                  proxy_temp_file_write_size 64k;
                  proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
                  

                  Regards Robin,

                  Need support?
                  Have a look at https://kopano.com/support/ for options.

                  Helpful resources:
                  https://kopano.com/blog/how-to-get-kopano/
                  https://documentation.kopano.io/
                  https://kb.kopano.io/

                  1 Reply Last reply Reply Quote 0
                  • BigCheese
                    BigCheese last edited by

                    Okay the webapp stays at https://192.168.8.27/webapp but my webmeetings is complete unreachable any idea how to solve this new issue. It might have something to do with disabling ssl on apache or the fact that webmeeting uses https (configured in /etc/kopano/webmeetings.cfg) Anyhow the browser gives the follow reply if I request webmeetings: “502 Bad Gateway”

                    1 Reply Last reply Reply Quote 0
                    • robing
                      robing Kopano (Inactive) last edited by

                      Webmeetings in not using apache at all.
                      Is kopano-webmeeting running and/or are the any errors in the log

                      Please ignore the https part in the config and only use the http part you are only listing on 127.0.0.1 so https is not needed

                      tcp        0      0 127.0.0.1:8090          0.0.0.0:*               LISTEN      1092/kopano-webmeet
                      

                      Do you get the error on https://192.168.8.27/webmeetings ?
                      If not than probably your secret keys are no correct.
                      Please take a look at the last page of the webmeetings documentation , there is a table that explains which key should match.

                      Regards Robin,

                      Need support?
                      Have a look at https://kopano.com/support/ for options.

                      Helpful resources:
                      https://kopano.com/blog/how-to-get-kopano/
                      https://documentation.kopano.io/
                      https://kb.kopano.io/

                      1 Reply Last reply Reply Quote 0
                      • BigCheese
                        BigCheese last edited by BigCheese

                        okay it work but there is one issue when it used to forward you to port 8000 it now says “this site is not available” (after you log in) if you reload the page your in. Same with logging out, press logout -> “this site is not available” -> reload the page and your back at the login. So in short you go to https://192.168.8.27/webapp it still redirects but this time to http://192.168.8.27

                        1 Reply Last reply Reply Quote 0
                        • robing
                          robing Kopano (Inactive) last edited by

                          That is an issue with the WebApp itself just add this to your Nginx config

                          server {
                          	listen 80 ;
                          	listen [::]:80 ;
                          	server_name _;
                          	return 301 https://$host$request_uri;
                          }
                          

                          Regards Robin,

                          Need support?
                          Have a look at https://kopano.com/support/ for options.

                          Helpful resources:
                          https://kopano.com/blog/how-to-get-kopano/
                          https://documentation.kopano.io/
                          https://kb.kopano.io/

                          BigCheese 1 Reply Last reply Reply Quote 0
                          • BigCheese
                            BigCheese last edited by BigCheese

                            @robing said in NGINX proxy issue:

                            server {
                            listen 80 ;
                            listen [::]:80 ;
                            server_name _;
                            return 301 https://$host$request_uri;
                            }

                            1 Reply Last reply Reply Quote 0
                            • BigCheese
                              BigCheese @robing last edited by

                              @robing THANK YOU SO MUCH @robing IT FINALLY WORKS THX

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post