1

Topic: Problems with access to Web Services

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.1
- Deployed with iRedMail Easy or the downloadable installer? Downloadable
- Linux/BSD distribution name and version:  U18.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello Zhang and iRedMail team.

I have been happily running iRedMail since version 0.96.  Right now I need to make changes to the infrastructure and because of this I am testing 1.3.1 on a separate fresh VM with Ubuntu 18.04.  The virtual machine is behind an external firewall (pfSense) with HAProxy in place.

I have a wildcard Let’s Encrypt certificate for the domain I am testing with.  The certificate on the mail server is the iRedMail self-signed one.  HAProxy is handling requests on WAN port 443 and redirects them to port 443 on the iRedMail host without origin server certificate validation.

When I try to get to any web service (Roundcube, SOGo, iRedAdmin) I get a page with a valid certificate, so no SSL errors; however, the page loads with a 503 error (503 Service Unavailable No server is available to handle this request.)

I can access all web services over HTTPS on the internal IP address though, naturally, with a certificate error.
I checked and I see that UFW is disabled.  I did not change a single line in the Nginx configuration files.  The Nginx access log keeps inserting lines with "OPTIONS / HTTP/1.0 " 400 264 "_" "_" data.

What can be the problem?  Please offer any suggestion you may have.
Thanks in advance for your help


2

Re: Problems with access to Web Services

Since you handle all TLS/SSL connections in HAProxy, the best option might be using HTTP and insecure connections between HAProxy and the iRedMail server. This way you don't need to handle an SSL cert on the iRedMail server, and you get slightly better performance (due to avoiding SSL-related things).

Note: this is only applicable when there is no direct access to the iRedMail server.
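
The first post mentions repeated `OPTIONS / HTTP/1.0` requests answered with status 400 in the Nginx access log. The following is an added example, not part of the thread and not iRedMail code: it summarises such probe-like requests in a combined-format access log, to show whether one client's checks are always rejected. The sample lines, timestamps and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# nginx "combined" format: addr - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines; 192.0.2.1 stands in for a proxy's address.
SAMPLE_LOG = """\
192.0.2.1 - - [10/May/2020:10:00:01 +0000] "OPTIONS / HTTP/1.0" 400 264 "-" "-"
192.0.2.1 - - [10/May/2020:10:00:03 +0000] "OPTIONS / HTTP/1.0" 400 264 "-" "-"
192.0.2.1 - - [10/May/2020:10:00:05 +0000] "OPTIONS / HTTP/1.0" 400 264 "-" "-"
192.0.2.1 - - [10/May/2020:10:00:07 +0000] "OPTIONS / HTTP/1.0" 400 264 "-" "-"
198.51.100.7 - - [10/May/2020:10:00:08 +0000] "GET /mail/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2020:10:00:09 +0000] "OPTIONS / HTTP/1.0" 200 0 "-" "-"
203.0.113.5 - - [10/May/2020:10:00:11 +0000] "OPTIONS / HTTP/1.0" 200 0 "-" "-"
203.0.113.5 - - [10/May/2020:10:00:13 +0000] "OPTIONS / HTTP/1.0" 200 0 "-" "-"
"""

EMPTY = ("-", "_", "")  # values treated as "no referer / no user agent"

def summarize_probes(log_text):
    """Count probe-like requests per (client, request line), split by outcome."""
    probes = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        # Assumption: automated checks carry neither a referer nor a user agent.
        if m["referer"] not in EMPTY or m["agent"] not in EMPTY:
            continue
        key = (m["addr"], m["request"].strip())
        counts = probes.setdefault(key, Counter())
        counts["ok" if m["status"][0] in "23" else "rejected"] += 1
    return probes

def failing_probes(log_text, min_hits=3):
    """Return probe keys seen at least min_hits times that never succeeded."""
    return sorted(
        key for key, c in summarize_probes(log_text).items()
        if c["rejected"] >= min_hits and c["ok"] == 0
    )

if __name__ == "__main__":
    for addr, request in failing_probes(SAMPLE_LOG):
        print(f"{addr}: every '{request}' probe was rejected")
```

A client that appears in the result never got a 2xx or 3xx answer to its probes, which is worth comparing against the health-check settings of whatever proxy sits in front of the server.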