Topic: CloudFront & ALB on EC2 - HTTP/HTTPS Redirect Issues
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.5.1 MARIADB edition
- Deployed with iRedMail Easy or the downloadable installer? Downloadable
- Linux/BSD distribution name and version: Ubu 20.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nx
- Manage mail accounts with iRedAdmin-Pro? Not yet
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
I am a cloud solutions architect specializing in AWS design, development, maintenance and migrations.
I am building a new community and attempting to set up a secure, properly deployed iRedMail configuration using the OSE version before purchasing pro. I have been unable to get things working properly behind CloudFront & EC2 application load balancer.
With properly configured SSL CloudFront (HTTPS only) connecting via HTTPS to ALB (with same AWS issued cert) and the target group using HTTP to talk to the instance (Nginx SSL config moved to the non-SSL config, cert lines & non-SSL redirects removed), I ran into a problem.
The iRedMail login page came up properly, but when I tried to login it tried posting via HTTP which was properly rejected by CloudFront.
I added 'proxy_set_header X-Forwarded-Proto https' to the Nginx config, but it seems this was not respected by iRedMail.
I then added a Let's Encrypt certificate to the instance and configured the target group to communicate w/the instance via HTTPS. This resulted in a failure as well due to some kind of cipher mismatch. I tried several combinations of SSL/TLS policies in CF & on the ALB to no avail. This latter issue is rather esoteric, and while I might have been able to solve it eventually, I didn't want to spend hours trying to figure it out.
Getting this working properly, in the way I have configured many other applications and web sites, is critical because I need to be able to use the power of AWS WAF, CloudFront, etc. to properly secure the system w/various rules, IP whitelists/blacklists and splitting traffic for the landing page to S3, blocking public access to /iRedMail and instead using a whitelist-controlled subdomain for administration.
My question, therefore, is how can I get iRedMail to respect X-Forwarded-Proto and use HTTPS links for form actions without hacking the code base?
I did search the forums and the net but did not discover anyone else putting iRedMail behind CloudFront or reverse proxies w/SSL-only configurations.
Thanks!
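Added example, not code from iRedMail or from any reply in this thread: the usual way to make a proxied web application generate https links without touching its code base is to fix up the request at the WSGI layer. The middleware below applies X-Forwarded-Proto (which an ALB sets on requests it forwards to an HTTP target group) to `wsgi.url_scheme`, but only when the connecting address belongs to the load balancer's network; a client that reaches the instance directly and sends its own X-Forwarded-Proto header is ignored and the header is stripped, because otherwise the scheme is attacker-controlled. The 10.0.0.0/8 range, the `mail.example.org` host and the tiny demo app that builds an absolute form action are all constructed for the example.

```python
"""Added example: honour X-Forwarded-Proto only from trusted proxies.

Not iRedMail code. The trusted range, host name and demo app are assumptions.
"""
import ipaddress
from wsgiref.util import application_uri, setup_testing_defaults

# Assumption: the ALB's VPC subnets. Use your own subnet CIDRs, not 0.0.0.0/0.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(remote_addr, trusted=TRUSTED_PROXIES):
    """True if REMOTE_ADDR is inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


class ForwardedProtoMiddleware:
    """Rewrite wsgi.url_scheme from X-Forwarded-Proto, proxy-trust gated."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        remote = environ.get("REMOTE_ADDR", "")
        # Take the first hop if several proxies appended values ("https, http").
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        if proto in ("http", "https") and is_trusted(remote, self.trusted):
            environ["wsgi.url_scheme"] = proto
            if proto == "https":
                environ["HTTPS"] = "on"  # some frameworks look at this instead
        else:
            # Untrusted origin: drop the header so nothing downstream believes it.
            environ.pop("HTTP_X_FORWARDED_PROTO", None)
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for an app that emits an absolute form action."""
    action = application_uri(environ) + "login"   # scheme comes from wsgi.url_scheme
    body = ('<form action="%s" method="post"></form>' % action).encode()
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body]


def run_request(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Push one synthetic request through the middleware.

    Returns (effective scheme, whether X-Forwarded-Proto survived, body).
    """
    environ = {}
    setup_testing_defaults(environ)          # plain http defaults
    environ["REMOTE_ADDR"] = remote_addr
    environ["HTTP_HOST"] = "mail.example.org"  # constructed host
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value

    app = ForwardedProtoMiddleware(demo_app, trusted)
    body = b"".join(app(environ, lambda status, hdrs, exc_info=None: None))
    return environ["wsgi.url_scheme"], "HTTP_X_FORWARDED_PROTO" in environ, body.decode()


if __name__ == "__main__":
    # From the load balancer: scheme becomes https, form action is https://...
    print(run_request("10.0.1.5", {"X-Forwarded-Proto": "https"}))
    # Direct from the internet with a spoofed header: stays http, header dropped.
    print(run_request("203.0.113.7", {"X-Forwarded-Proto": "https"}))
```

Wrapping the application's WSGI callable this way (for example in the uWSGI entry point) leaves the application untouched and keeps nginx's `proxy_set_header X-Forwarded-Proto` as the only place the value is set on the instance; the trust check is what stops a host that can reach the target group's port directly from flipping the scheme.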