NGINX proxy issue



  • I have been busy with setting up the kopano webapp and webmeeting and everything works fine. Except that when I go browse to https://[ip-address]/webapp I get the login screen from the webapp, but after I entered my credentials en press enter it redirects to https://[ip-adres]:8000/webapp and it shows the login screen again. It shouldn’t redirect to 8000. I used the NGINX config from the kopano documentation and the Apacheis also configured according to the kopano documentation. The setup consists of Apache(with the webapp running on it) behind a NGINX (with webmeeting running on it)


  • Kopano

    Hi BigCheese,

    Please do not create multiple threads in different categories, i deleted the other one.

    Can you paste the Nginx and Apache configs

    Kind regards,

    Robin



  • 0_1502967378207_Knipsel.PNG 0_1502967382238_nginx config.PNG 0_1502967384940_port.conf.PNG



  • @robing these are my configs and i also noticed the following error in chrome 0_1502970176912_Knipsel2.PNG


  • Kopano

    Can you change the ports.conf in the apache directory to

    NameVirtualHost *:8000
    Listen 127.0.0.1:8000
    <IfModule ssl_module>
    </IfModule>
    
    <IfModule mod_gnutls.c>
    </IfModule>
    

    And change the proxy pass address to http instead of https
    proxy_pass http://127.0.0.1:8000;



  • @robing said in NGINX proxy issue:

    you change the ports.conf in the apache directory to

    if i change the port.conf to what you suggested it still redirects me to port 8000 in the webbrowser. I only see ‘This website is not available’. But I don’t think I should make http out of that https because SSL is enabled so it will cause a ‘error 400 Bad Request’. If I cut the 'Listen 127.0.0.1:8000 and paste it between the ssl_module, then the following happens. I go to the webapp en try to login -> it redirects to port 8000, but if you remove the 8000 from the url it logs in and it works. Logout will log the user off and redirects you to port 8000 again


  • Kopano

    Your site is using SSL but that doesn’t mean you can’t use http for your proxy.



  • okay but it will then say this0_1502973106628_Knipsel3.PNG


  • Kopano

    Can you also send the apache config of webapp and if possible not as screenshot, it is difficult to use the search function then



  • @robing said in NGINX proxy issue:

    config of webapp

    Alias /webapp /usr/share/kopano-webapp
    ProxyPass /webapp/presence http://192.168.8.27:1234/
    ProxyPassReverse /webapp/presence http://192.168.8.27:1234/
    
    # Modules to enable for the caching instructions to work:
    #   mod_expires
    #   mod_headers
    #   mod_setenvif - for Internet Explorer quirks
    #
    # For compression:
    #   mod_deflate
    <Directory /usr/share/kopano-webapp/>
        DirectoryIndex index.php
        Options -Indexes +FollowSymLinks
    
        <IfVersion < 2.4>
            Allow from all
            AllowOverride Options Limit
            Order allow,deny
        </IfVersion>
    
        <IfVersion >= 2.4>
            AllowOverride Options Limit Authconfig
            Require all granted
        </IfVersion>
    
        FileETag All
    
        # Uncomment to enhance security of WebApp by restricting cookies to only
        # be provided over HTTPS connections
        # php_flag session.cookie_secure on
        # php_flag session.cookie_httponly on
    
        # Manipulate the cache control headers if mod_expires and
        # mod_headers are both enabled; otherwise the client will depend
        # on the ETag header.  However, you can set FileETag to "None" if
        # you have multiple servers serving WebApp to the same user.  In
        # that case, apache will fall back to the config below so make
        # sure these two modules are loaded!
        <IfModule expires_module>
            <IfModule headers_module>
                ExpiresActive On
                ExpiresDefault "now"
    
                <filesMatch "\.(jpg|gif|png)$">
                    # All (static) resources set to 2 months expiration time.
                    ExpiresDefault "access plus 2 months"
                    Header append Cache-Control "public"
                </filesMatch>
    
                <FilesMatch "\.(js|css)$">
                    # All non-dynamic files set to 2 weeks expiration time.
                    ExpiresDefault "access plus 2 weeks"
                    # User agents are requested to revalidate for each resource
                    # so that the server can always serve a newer version if
                    # necessary.
                    Header append Cache-Control "no-cache, must-revalidate"
    
                    # Treat IE a little differently due to the remarks on no-cache
                    # on http://support.microsoft.com/kb/234067
                    <IfModule setenvif_module>
                        BrowserMatch MSIE ie_bug
                    </IfModule>
                    Header set Cache-Control "must-revalidate, private" env=ie_bug
                </FilesMatch>
    
                <filesMatch "\.(php)$">
                    # PHP files must always be retrieved from the server.
                    ExpiresActive Off
                    Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
                    Header set Pragma "no-cache"
                </filesMatch>
            </IfModule>
        </IfModule>
    
        # Enable gzip compression if the module is available
        <IfModule deflate_module>
            <filesMatch "\.(js|css)$">
                SetOutputFilter DEFLATE
            </filesMatch>
        </IfModule>
    </Directory>
    

    config port.conf apache

    # If you just change the port or add more ports here, you will likely also
    # have to change the VirtualHost statement in
    # /etc/apache2/sites-enabled/000-default.conf
    
    NameVirtualHost *:8000
    #Listen 127.0.0.1:8000
    
    <IfModule ssl_module>
            listen 127.0.0.1:8000
    </IfModule>
    
    <IfModule mod_gnutls.c>
            Listen 127.0.0.1:8000
    </IfModule>
    
    
    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
    
    

    config: nginx config

    server {
            listen 192.168.8.27:443 ssl;
            server_name 192.168.8.27;
    
            ssl on;
            ssl_certificate /etc/nginx/ssl/nginx.crt;
            ssl_certificate_key /etc/nginx/ssl/nginx.key;
            ssl_session_cache shared:SSL:1m;
            ssl_session_timeout 5m;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256:AES128:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
            ssl_prefer_server_ciphers on;
            #
            # ssl_dhparam require you to create a dhparam.pem, this takes a long time
            ssl_dhparam /etc/ssl/certs/dhparam.pem;
            #
            location /webmeetings {
                   proxy_pass https://127.0.0.1:8090;
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection $connection_upgrade;
                   proxy_set_header X-Forwarded-Proto $scheme;
                   proxy_set_header Host $http_host;
                   proxy_set_header X-Real-IP $remote_addr;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
            }
            location /webapp {
                    proxy_pass https://127.0.0.1:8000;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection $connection_upgrade;
                    proxy_set_header X-Forwarded-Proto $scheme;
                    proxy_set_header Host $http_host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
            }
    
    }
    map $http_upgrade $connection_upgrade {
            default upgrade;
            '' close;
    }
    
    proxy_buffering on;
    proxy_ignore_client_abort off;
    proxy_redirect off;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;
    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
    

    netstat

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1012/mysqld
    tcp        0      0 0.0.0.0:236             0.0.0.0:*               LISTEN      3803/kopano-server
    tcp        0      0 0.0.0.0:237             0.0.0.0:*               LISTEN      3803/kopano-server
    tcp        0      0 192.168.8.27:1234       0.0.0.0:*               LISTEN      764/python
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      936/sshd
    tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1321/master
    tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      1423/0
    tcp        0      0 127.0.0.1:8090          0.0.0.0:*               LISTEN      1092/kopano-webmeet
    tcp        0      0 192.168.8.27:443        0.0.0.0:*               LISTEN      3633/nginx -g daemo
    tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      3763/apache2
    tcp6       0      0 :::110                  :::*                    LISTEN      719/kopano-gateway
    tcp6       0      0 :::143                  :::*                    LISTEN      719/kopano-gateway
    tcp6       0      0 :::8080                 :::*                    LISTEN      775/kopano-ical
    tcp6       0      0 :::2003                 :::*                    LISTEN      708/kopano-dagent
    tcp6       0      0 :::21                   :::*                    LISTEN      961/vsftpd
    tcp6       0      0 :::22                   :::*                    LISTEN      936/sshd
    tcp6       0      0 :::25                   :::*                    LISTEN      1321/master
    tcp6       0      0 ::1:6010                :::*                    LISTEN      1423/0
    
    

  • Kopano

    You are still using SSL for apache, don’t do that
    The following config should work and make sure the SSL module is disable in Apache

    NameVirtualHost *:8000
    Listen 127.0.0.1:8000
    
    server {
            listen 192.168.8.27:443 ssl;
            server_name 192.168.8.27;
    
            ssl on;
            ssl_certificate /etc/nginx/ssl/nginx.crt;
            ssl_certificate_key /etc/nginx/ssl/nginx.key;
            ssl_session_cache shared:SSL:1m;
            ssl_session_timeout 5m;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256:AES128:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
            ssl_prefer_server_ciphers on;
            #
            # ssl_dhparam require you to create a dhparam.pem, this takes a long time
            ssl_dhparam /etc/ssl/certs/dhparam.pem;
            #
            location /webmeetings {
                   proxy_pass http://127.0.0.1:8090;
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection $connection_upgrade;
                   proxy_set_header X-Forwarded-Proto $scheme;
                   proxy_set_header Host $http_host;
                   proxy_set_header X-Real-IP $remote_addr;
                   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }
            location /webapp {
                    proxy_pass http://127.0.0.1:8000;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection $connection_upgrade;
                    proxy_set_header X-Forwarded-Proto $scheme;
                    proxy_set_header Host $http_host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
            }
    
    map $http_upgrade $connection_upgrade {
            default upgrade;
            '' close;
    }
    
    proxy_buffering on;
    proxy_ignore_client_abort off;
    proxy_redirect off;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;
    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
    


  • Okay the webapp stays at https://192.168.8.27/webapp but my webmeetings is complete unreachable any idea how to solve this new issue. It might have something to do with disabling ssl on apache or the fact that webmeeting uses https (configured in /etc/kopano/webmeetings.cfg) Anyhow the browser gives the follow reply if I request webmeetings: “502 Bad Gateway”


  • Kopano

    Webmeetings in not using apache at all.
    Is kopano-webmeeting running and/or are the any errors in the log

    Please ignore the https part in the config and only use the http part you are only listing on 127.0.0.1 so https is not needed

    tcp        0      0 127.0.0.1:8090          0.0.0.0:*               LISTEN      1092/kopano-webmeet
    

    Do you get the error on https://192.168.8.27/webmeetings ?
    If not than probably your secret keys are no correct.
    Please take a look at the last page of the webmeetings documentation , there is a table that explains which key should match.



  • okay it work but there is one issue when it used to forward you to port 8000 it now says “this site is not available” (after you log in) if you reload the page your in. Same with logging out, press logout -> “this site is not available” -> reload the page and your back at the login. So in short you go to https://192.168.8.27/webapp it still redirects but this time to http://192.168.8.27


  • Kopano

    That is an issue with the WebApp itself just add this to your Nginx config

    server {
    	listen 80 ;
    	listen [::]:80 ;
    	server_name _;
    	return 301 https://$host$request_uri;
    }
    


  • @robing said in NGINX proxy issue:

    server {
    listen 80 ;
    listen [::]:80 ;
    server_name _;
    return 301 https://$host$request_uri;
    }



  • @robing THANK YOU SO MUCH @robing IT FINALLY WORKS THX


Log in to reply
 

Looks like your connection to Kopano Community Forum was lost, please wait while we try to reconnect.