1

Topic: NginX reverse proxy with iRedMail Apache2

======================== Required information ====
- iRedMail version: 0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: Ubuntu 13.10 x64
- Related log if you're reporting an issue:
====

Hi, 
On an empty VPS hosting, I managed to run the base iRedMail installation with Apache2 and LDAP and my roundcubemail was accessible at: 

Then I installed NginX, shut down Apache2, reconfigured iRedMail (without adding any extra A record in the DNS entry) and managed to run it on the NginX base installation as well, with roundcubemail accessible at: 

Now, I want to run NginX reverse proxy with the base iRedMail Apache2 installation with roundcubemail accessible at: 

 
and I'm kinda stuck with the following Apache2 config files: 

/etc/apache2/ports.conf

 Listen 8080

/etc/apache2/sites-available/my-iredmail.conf

 <VirtualHost *:8080>  
   DocumentRoot /var/www/  
   ServerName mail.mydomain.com  

   Alias / "/usr/share/apache2/roundcubemail/"  
  <Directory "/usr/share/apache2/roundcubemail">  
     Options Indexes FollowSymlinks MultiViews  
     AllowOverride All  
     Order allow,deny  
     Allow from all  
  </Directory>  
 </VirtualHost>

and the following NginX config file: 

/etc/nginx/sites-available/default

 server {  
        listen 80 default_server;  
        listen [::]:80;  

        root /usr/share/nginx/html;
        index index.html index.htm index.php;

        server_name mydomain.com www.mydomain.com mail.mydomain.com;

        location / {
                try_files $uri $uri/ /index.html;
        }

        location ~ \.php$ {
                proxy_set_header X-Real-IP  $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header Host $host;
                proxy_pass http://127.0.0.1:8080/;
        }

        location ~ /\.ht {
                deny all;
        }
}

server {  
        listen 443 ssl;

        root /var/www;
        index index.html index.htm index.php;

        server_name mydomain.com www.mydomain.com mail.mydomain.com;

        ssl                  on;
        ssl_certificate      /etc/ssl/certs/iRedMail_CA.pem;
        ssl_certificate_key  /etc/ssl/private/iRedMail.key;
        ssl_session_timeout  5m;
        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers   on;

        location / {
                # Apache is listening here
                proxy_pass http://127.0.0.1:8080/;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}

Hitting in browser: 

gives the usual

SSL Connection Error


Kindly advise.


2

Re: NginX reverse proxy with iRedMail Apache2

sim4life wrote:

                proxy_pass http://127.0.0.1:8080/;

Does the port 8080 serve https?

3 (edited by sim4life 2014-04-15 23:43:23)

Re: NginX reverse proxy with iRedMail Apache2

ZhangHuangbin wrote:
sim4life wrote:

                proxy_pass http://127.0.0.1:8080/;

Does the port 8080 serve https?

As you can see from my apache2 my-iredmail.conf file contents pasted above, it only serves http on port 8080. I didn't see any point in enabling SSL when both the NginX reverse proxy and Apache2 backend server reside on the same OS server and connect thru localhost.

4

Re: NginX reverse proxy with iRedMail Apache2

Thanks Zhang.
I've further simplified the settings to make a basic NginX reverse proxy setup with Apache2 work:

/etc/apache2/ports.conf

Listen 127.0.0.1:8080

/etc/apache2/sites-available/my-iredmail.conf

<VirtualHost 127.0.0.1:8080>
   DocumentRoot /usr/share/apache2/roundcubemail/
   ServerName mail.mydomain.com
</VirtualHost>

Unlinked both the 000-default.conf and default-ssl.conf files.

/etc/nginx/sites-available/default.conf

server {
        listen 80 default_server;
        listen [::]:80;

        root /usr/share/nginx/html;
        index index.html index.htm index.php;

        server_name mydomain.com www.mydomain.com;

        location / {
                proxy_set_header X-Real-IP  $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_pass http://127.0.0.1:8080;
        }

        location ~ /\.ht {
                deny all;
        }
}

Again, unlinked all other files in /etc/nginx/sites-enabled/

So now if I hit in the browser:
http://www.mydomain.com

I get the error on the browser:

SSL connection error
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.

However, if I add the following ssl configuration in the file:

/etc/nginx/sites-available/default.conf

server {
        listen 443;

        root /usr/share/nginx/html;
        index index.html index.htm index.php;
        server_name mydomain.com www.mydomain.com mail.mydomain.com;

        ssl                  on;
        ssl_certificate      /etc/ssl/certs/iRedMail_CA.pem;
        ssl_certificate_key  /etc/ssl/private/iRedMail.key;
        ssl_session_timeout  5m;
        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers   on;

        location / {
                # Apache is listening here
                proxy_pass http://127.0.0.1:8080;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}

On hitting in the browser:
https://www.mydomain.com

I get a different error on the browser:

This webpage has a redirect loop
The webpage at https://mail.mydomain.com/ has resulted in too many redirects. Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer.

/var/log/nginx/error.log

This is a somewhat old error:
2014/04/17 04:10:43 [error] 11620#0: *1428 "/var/www/roundcubemail/vtigercrm/index.php" is not found (2: No such file or directory), client: 141.105.88.67, server: mail.mydomain.com, request: "GET /vtigercrm/ HTTP/1.1", host: "188.187.67.55"

/var/log/apache2/error.log

[Thu Apr 17 17:41:19.353488 2014] [mpm_prefork:notice] [pid 10111] AH00169: caught SIGTERM, shutting down
[Thu Apr 17 17:41:20.526067 2014] [mpm_prefork:notice] [pid 10199] AH00163: Apache/2.4.6 (Ubuntu) OpenSSL/1.0.1e mod_wsgi/3.4 Python/2.7.5+ configured -- resuming normal operations
[Thu Apr 17 17:41:20.526144 2014] [core:notice] [pid 10199] AH00094: Command line: '/usr/sbin/apache2'

There seems to be some configuration done in pre-installed iRedMail Apache2 setup.
Can I kindly get some help?
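
The `ssl_protocols` and `ssl_ciphers` lines in the HTTPS server block posted above enable SSLv2, SSLv3 and the LOW, export-grade (EXP) and RC4 cipher classes, all of which are broken. The block below is an added example, not part of the thread and not iRedMail's own configuration, showing the same proxy front end with those settings tightened and the weak lines kept as comments for comparison. The protocol list, cipher list and the `X-Forwarded-Proto` header are assumptions of this example (TLSv1.3 needs nginx 1.13.0 or later built against OpenSSL 1.1.1 or later), and it is not presented as the fix for the redirect loop reported above.

```nginx
# Added example: TLS-terminating front end for the Apache backend on 127.0.0.1:8080.
# Hostnames and certificate paths are the ones posted in the thread.
server {
        # "listen ... ssl" replaces the separate "ssl on;" directive,
        # which current nginx releases no longer accept.
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name mydomain.com www.mydomain.com mail.mydomain.com;

        ssl_certificate      /etc/ssl/certs/iRedMail_CA.pem;
        ssl_certificate_key  /etc/ssl/private/iRedMail.key;
        ssl_session_timeout  5m;

        # Weak (as posted): ssl_protocols  SSLv2 SSLv3 TLSv1;
        # SSLv2 and SSLv3 are broken (DROWN, POODLE); TLS 1.0 is deprecated.
        ssl_protocols  TLSv1.2 TLSv1.3;

        # Weak (as posted): ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
        # That string keeps LOW, EXP and RC4 suites enabled.
        # Assumed replacement: ECDHE key exchange with AEAD ciphers only.
        ssl_ciphers  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers  on;

        location / {
                # Plain HTTP to the backend stays on the loopback interface
                # (the simplified Apache config binds to 127.0.0.1:8080).
                proxy_pass http://127.0.0.1:8080;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # Tells the backend the client connected over HTTPS; Apache or
                # the application must be configured to honour this header.
                proxy_set_header X-Forwarded-Proto $scheme;
        }
}
```

Running `nginx -t` after editing validates the syntax before a reload.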

5

Re: NginX reverse proxy with iRedMail Apache2

sim4life wrote:

2014/04/17 04:10:43 [error] 11620#0: *1428 "/var/www/roundcubemail/vtigercrm/index.php" is not found (2: No such file or directory), client: 141.105.88.67, server: mail.mydomain.com, request: "GET /vtigercrm/ HTTP/1.1", host: "188.187.67.55"

*) Why does it try to access /var/www/roundcubemail/vtigercrm/index.php?
*) iRedMail adds a redirect directive in file /var/www/index.html. You can remove this file if you want.

6 (edited by sim4life 2014-04-18 13:16:04)

Re: NginX reverse proxy with iRedMail Apache2

That NginX error of redirecting to

/var/www/roundcubemail/vtigercrm/index.php

was very old so it can be ignored.

I did remove /var/www/index.html but the errors remained the same. The reverse-proxy is working fine for other files and paths.
So I'm going to decommission the Apache2 setup for iRedMail for now and move it to the NginX setup altogether.