NGINX proxy issue
-
Your site is using SSL but that doesn’t mean you can’t use http for your proxy.
-
okay but it will then say this
-
Can you also send the apache config of webapp and if possible not as screenshot, it is difficult to use the search function then
-
@robing said in NGINX proxy issue:
config of webapp
Alias /webapp /usr/share/kopano-webapp ProxyPass /webapp/presence http://192.168.8.27:1234/ ProxyPassReverse /webapp/presence http://192.168.8.27:1234/ # Modules to enable for the caching instructions to work: # mod_expires # mod_headers # mod_setenvif - for Internet Explorer quirks # # For compression: # mod_deflate <Directory /usr/share/kopano-webapp/> DirectoryIndex index.php Options -Indexes +FollowSymLinks <IfVersion < 2.4> Allow from all AllowOverride Options Limit Order allow,deny </IfVersion> <IfVersion >= 2.4> AllowOverride Options Limit Authconfig Require all granted </IfVersion> FileETag All # Uncomment to enhance security of WebApp by restricting cookies to only # be provided over HTTPS connections # php_flag session.cookie_secure on # php_flag session.cookie_httponly on # Manipulate the cache control headers if mod_expires and # mod_headers are both enabled; otherwise the client will depend # on the ETag header. However, you can set FileETag to "None" if # you have multiple servers serving WebApp to the same user. In # that case, apache will fall back to the config below so make # sure these two modules are loaded! <IfModule expires_module> <IfModule headers_module> ExpiresActive On ExpiresDefault "now" <filesMatch "\.(jpg|gif|png)$"> # All (static) resources set to 2 months expiration time. ExpiresDefault "access plus 2 months" Header append Cache-Control "public" </filesMatch> <FilesMatch "\.(js|css)$"> # All non-dynamic files set to 2 weeks expiration time. ExpiresDefault "access plus 2 weeks" # User agents are requested to revalidate for each resource # so that the server can always serve a newer version if # necessary. Header append Cache-Control "no-cache, must-revalidate" # Treat IE a little differently due to the remarks on no-cache # on http://support.microsoft.com/kb/234067 <IfModule setenvif_module> BrowserMatch MSIE ie_bug </IfModule> Header set Cache-Control "must-revalidate, private" env=ie_bug </FilesMatch> <filesMatch "\.(php)$"> # PHP files must always be retrieved from the server. ExpiresActive Off Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform" Header set Pragma "no-cache" </filesMatch> </IfModule> </IfModule> # Enable gzip compression if the module is available <IfModule deflate_module> <filesMatch "\.(js|css)$"> SetOutputFilter DEFLATE </filesMatch> </IfModule> </Directory>config port.conf apache
# If you just change the port or add more ports here, you will likely also # have to change the VirtualHost statement in # /etc/apache2/sites-enabled/000-default.conf NameVirtualHost *:8000 #Listen 127.0.0.1:8000 <IfModule ssl_module> listen 127.0.0.1:8000 </IfModule> <IfModule mod_gnutls.c> Listen 127.0.0.1:8000 </IfModule> # vim: syntax=apache ts=4 sw=4 sts=4 sr noetconfig: nginx config
server { listen 192.168.8.27:443 ssl; server_name 192.168.8.27; ssl on; ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256:AES128:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK; ssl_prefer_server_ciphers on; # # ssl_dhparam require you to create a dhparam.pem, this takes a long time ssl_dhparam /etc/ssl/certs/dhparam.pem; # location /webmeetings { proxy_pass https://127.0.0.1:8090; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location /webapp { proxy_pass https://127.0.0.1:8000; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } map $http_upgrade $connection_upgrade { default upgrade; '' close; } proxy_buffering on; proxy_ignore_client_abort off; proxy_redirect off; proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffer_size 4k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;netstat
Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1012/mysqld tcp 0 0 0.0.0.0:236 0.0.0.0:* LISTEN 3803/kopano-server tcp 0 0 0.0.0.0:237 0.0.0.0:* LISTEN 3803/kopano-server tcp 0 0 192.168.8.27:1234 0.0.0.0:* LISTEN 764/python tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 936/sshd tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1321/master tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 1423/0 tcp 0 0 127.0.0.1:8090 0.0.0.0:* LISTEN 1092/kopano-webmeet tcp 0 0 192.168.8.27:443 0.0.0.0:* LISTEN 3633/nginx -g daemo tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN 3763/apache2 tcp6 0 0 :::110 :::* LISTEN 719/kopano-gateway tcp6 0 0 :::143 :::* LISTEN 719/kopano-gateway tcp6 0 0 :::8080 :::* LISTEN 775/kopano-ical tcp6 0 0 :::2003 :::* LISTEN 708/kopano-dagent tcp6 0 0 :::21 :::* LISTEN 961/vsftpd tcp6 0 0 :::22 :::* LISTEN 936/sshd tcp6 0 0 :::25 :::* LISTEN 1321/master tcp6 0 0 ::1:6010 :::* LISTEN 1423/0 -
You are still using SSL for apache, don’t do that
The following config should work and make sure the SSL module is disable in ApacheNameVirtualHost *:8000 Listen 127.0.0.1:8000server { listen 192.168.8.27:443 ssl; server_name 192.168.8.27; ssl on; ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256:AES128:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK; ssl_prefer_server_ciphers on; # # ssl_dhparam require you to create a dhparam.pem, this takes a long time ssl_dhparam /etc/ssl/certs/dhparam.pem; # location /webmeetings { proxy_pass http://127.0.0.1:8090; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location /webapp { proxy_pass http://127.0.0.1:8000; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } map $http_upgrade $connection_upgrade { default upgrade; '' close; } proxy_buffering on; proxy_ignore_client_abort off; proxy_redirect off; proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffer_size 4k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; proxy_next_upstream error timeout invalid_header http_502 http_503 http_504; -
Okay the webapp stays at https://192.168.8.27/webapp but my webmeetings is complete unreachable any idea how to solve this new issue. It might have something to do with disabling ssl on apache or the fact that webmeeting uses https (configured in /etc/kopano/webmeetings.cfg) Anyhow the browser gives the follow reply if I request webmeetings: “502 Bad Gateway”
-
Webmeetings in not using apache at all.
Is kopano-webmeeting running and/or are the any errors in the logPlease ignore the https part in the config and only use the http part you are only listing on 127.0.0.1 so https is not needed
tcp 0 0 127.0.0.1:8090 0.0.0.0:* LISTEN 1092/kopano-webmeetDo you get the error on https://192.168.8.27/webmeetings ?
If not than probably your secret keys are no correct.
Please take a look at the last page of the webmeetings documentation , there is a table that explains which key should match. -
okay it work but there is one issue when it used to forward you to port 8000 it now says “this site is not available” (after you log in) if you reload the page your in. Same with logging out, press logout -> “this site is not available” -> reload the page and your back at the login. So in short you go to https://192.168.8.27/webapp it still redirects but this time to http://192.168.8.27
-
That is an issue with the WebApp itself just add this to your Nginx config
server { listen 80 ; listen [::]:80 ; server_name _; return 301 https://$host$request_uri; }Regards Robin,
Need support?
Have a look at https://kopano.com/support/ for options.Helpful resources:
https://kopano.com/blog/how-to-get-kopano/
https://documentation.kopano.io/
https://kb.kopano.io/ -
@robing said in NGINX proxy issue:
server {
listen 80 ;
listen [::]:80 ;
server_name _;
return 301 https://$host$request_uri;
} -
