Webapp behind NGINX-Proxy



  • Hi all,

    I’m quite close to finishing my first serious Kopano setup.
    The last issue - for now - is Kopano WebApp behind an NGINX proxy.

    The direct access on the Kopano host works perfectly. Access through the proxy shows the login screen.
    The password validation works (a wrong user/password reports an error), but after entering a valid username/password combination nothing happens anymore.
    The error message on the proxy server is:

    2019/04/06 10:11:52 [error] 1901#1901: *14014 access forbidden by rule, client: client_IP, server: external_FQDN, request: "GET /webapp/index.php?version=3.5.5.2236+1248.1&load=translations.js&lang=de_DE.UTF-8 HTTP/1.1", host: "external_FQDN", referrer: "https://external_FQDN/webapp/"
    2019/04/06 10:11:53 [error] 1901#1901: *14016 access forbidden by rule, client: client_IP, server: external_FQDN, request: "POST /webapp/kopano.php?service=fingerprint HTTP/1.1", host: "external_FQDN", referrer: "https://external_FQDN/webapp/"
    2019/04/06 10:11:53 [error] 1901#1901: *14015 access forbidden by rule, client: client_IP, server: external_FQDN, request: "POST /webapp/kopano.php?service=fingerprint&type=keepalive HTTP/1.1", host: "external_FQDN", referrer: "https://external_FQDN/webapp/"
    

    The nginx configuration at the NGINX proxy is:
    (everything above location /webapp is auto-generated by the ISPConfig hosting panel)

    # Virtual host for external_FQDN: serves the panel-generated site and
    # reverse-proxies /webapp (and /test) to internal_FQDN.
    server {
            listen *:80;
    
            listen *:443 ssl;
    		# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); consider
    		# restricting this list to TLSv1.2 and newer.
    		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_certificate /path_to_letsencrypt.crt;
            ssl_certificate_key /path_to_letsencrypt.key;
    
            server_name external_FQDN ;
    
            root   /var/www/external_FQDN/HOSTNAME;
    
            # Redirect plain-HTTP requests to HTTPS.
            # NOTE(review): $http_host is the client-supplied Host header, so the
            # redirect target is client-controlled; $host or the configured
            # server name is the safer choice.
            if ($scheme != "https") {
                rewrite ^ https://$http_host$request_uri? permanent;
            }
    
    
            index index.html index.htm index.php index.cgi index.pl index.xhtml;
    
    
    
            error_log /var/log/ispconfig/httpd/external_FQDN/error.log;
            access_log /var/log/ispconfig/httpd/external_FQDN/access.log combined;
    
            # Block any URI containing "/." (dotfiles such as .htaccess, .git).
            location ~ /\. {
    			deny all;
            }
    
            # "^~" stops regex matching for this prefix, so the dotfile rule
            # above does not apply to ACME challenge requests.
            location ^~ /.well-known/acme-challenge/ {
    			access_log off;
    			log_not_found off;
    			root /usr/local/ispconfig/interface/acme/;
    			autoindex off;
    			index index.html;
    			try_files $uri $uri/ =404;
            }
    
            location = /favicon.ico {
                log_not_found off;
                access_log off;
                expires max;
                add_header Cache-Control "public, must-revalidate, proxy-revalidate";
            }
    
            location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
            }
    
            # Statistics area, protected with HTTP basic authentication.
            location /stats/ {
    
                index index.html index.php;
                auth_basic "Members Only";
                auth_basic_user_file /var/www/clients/client1/web10/web/stats/.htpasswd_stats;
            }
    
            location ^~ /awstats-icon {
                alias /usr/share/awstats/icon;
            }
    
            # Regex location for every URI ending in ".php". nginx evaluates
            # regex locations after the longest prefix match and prefers them
            # unless that prefix is declared with "^~" or "=". The logged
            # requests for /webapp/index.php and /webapp/kopano.php therefore
            # land here, not in "location /webapp" below.
            # try_files falls through to @php when the .htm file is absent
            # (presumably it is; verify under the document root).
            location ~ \.php$ {
                try_files /f0ddc163b066ee839103875f35fc17ed.htm @php;
            }
    
    
            # PHP is disabled for this vhost: "deny all" is what produces the
            # "access forbidden by rule" entries in the error log.
            location @php {
                deny all;
            }
    
    
    
    
    
            # Plain prefix location, so the "\.php$" regex above still wins for
            # *.php URIs under /webapp.
            # NOTE(review): declaring this as "location ^~ /webapp" would keep
            # those requests in this block and leave PHP denied elsewhere.
            location /webapp {
                            # NOTE(review): proxy_ssl_verify defaults to off, so the
                            # upstream certificate is not validated unless
                            # proxy_ssl_verify and proxy_ssl_trusted_certificate are set.
                            proxy_pass https://internal_FQDN;
                            proxy_http_version 1.1;
                            # NOTE(review): Upgrade is forwarded without a matching
                            # "Connection" header; confirm whether WebSocket upgrades
                            # are actually needed here.
                            proxy_set_header Upgrade $http_upgrade;
                            proxy_set_header X-Forwarded-Proto $scheme;
                            # NOTE(review): $http_host passes the client-supplied Host
                            # header to the backend unchanged; $host is the normalised
                            # alternative.
                            proxy_set_header Host $http_host;
                            proxy_set_header X-Real-IP $remote_addr;
                            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }
    
            # Case-insensitive regex: every URI starting with "/test" is proxied
            # to the internal host over plain HTTP, with no access restriction
            # in this block.
            # NOTE(review): looks like a test leftover; confirm it should be
            # reachable from outside.
            location ~*^/test {
                           proxy_pass http://internal_FQDN;
            }
    
    
            # Server-level proxy defaults, inherited by the proxying locations above.
            proxy_buffering on;
            proxy_ignore_client_abort off;
            # Location/Refresh headers from the upstream are passed through unmodified.
            proxy_redirect off;
            proxy_connect_timeout 90;
            proxy_send_timeout 90;
            proxy_read_timeout 90;
            proxy_buffer_size 4k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
            proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
    
    
    
    }
    

    Any idea which “rule” could prevent the further access?

    regards
    Robert

