roundcube/chwala interaction inconsistencies (and nginx?)

Enrico Tagliavini enrico.tagliavini at gmail.com
Thu Sep 25 15:32:02 CEST 2014


Hi Johannes,

I'm doing something quite similar to you, but with VMs instead of LXC
containers. I have one machine with nginx and a VM with the full Kolab
install. All running on CentOS 6 though, not 7, and this is still Kolab 3.2.
I have a difference between my config and yours:

        location /chwala {
                proxy_pass              http://<backend>/chwala;
                proxy_set_header        X-Real-IP $remote_addr;  # this is not really needed
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        Host $host;
                proxy_set_header        X-Forwarded-Proto $scheme;
        }

The X-Forwarded-Proto header is something not present in your config. That
said, I don't remember anymore if this is just a try which I forgot to
remove or if it is something actually useful. Since the protocol is
hardcoded in the config file anyway, this should not make a difference.
Nevertheless, it is correct to add it.

Even with this Chwala doesn't work 100% behind a proxy for me. It lists
files and folders, I can upload and download them, but the preview is
broken. The preview generates some http:// URL for some odd reason I'm not
able to determine. Since I enable HSTS, http:// traffic is not redirected to
HTTPS; the browser simply blocks it, as it should.

If you want to debug this issue further, I would also recommend using the
Firefox built-in network analyser, the web console and, if this is not
enough, the Firebug add-on (providing more or less the same functions, but
in a different way). You can look for client-side errors or http:// URLs,
something not directly triggering errors.

Unrelated note: RC4 ciphers are considered insecure. I would recommend
ECDHE-based ciphers instead, with higher priority. You might still need RC4
support for some very old (and now likely deprecated) clients.

Best regards.
Enrico


On 24 September 2014 11:59, Johannes Graumann <johannes_graumann at web.de>
wrote:

> Hello,
>
> I have a setup in which a centos lxc-container runs kolab and another
> (debian -based) lxc container runs nginx, proxying (https-rewriting) all
> http(s) traffic. I have attached the (slightly obfuscated) corresponding
> nginx configuration below - 10.10.10.4 is the address of the kolab-running
> container.
>
> With this setup, I have access to roundcube, kolab-webadmin, ActiveSync and
> Chwala (via explicit */chwala) just fine (the other protocols haven't been
> tested).
>
> For the "Files" tab in roundcube the default config doesn't work as
> everything is being rewritten to https ...
> When I edit (on the kolab server) "/etc/roundcubemail/kolab_files.inc.php" to
> >  $config['kolab_files_url'] = 'https://' . $_SERVER['HTTP_HOST'] . '/chwala/';
> and run "service httpd restart", a roundcube instance that was open/logged
> in before that shows the expected folder structure in "Files" - saving to
> cloud still fails with "Saving 1 file(s) failed.".
>
> Upon logging out of roundcube and logging back in, the "Files" tab is empty
> once more, not delivering the existing folder tree and restarting httpd
> does not bring it back.
>
> This is plain weird. Where is there caching going on here and why? I am
> unable to find any meaningful logging information accompanying these
> events.
>
> Any idea what's going on, what to try, where to look?
>
> Thanks, Joh
>
> > server {
> >         listen   80;
> >         # Rewrite to ssl (https)
> >         server_name  mail.<MYDOMAIN>.org www.mail.<MYDOMAIN>.org kolab.<MYDOMAIN>.org www.kolab.<MYDOMAIN>.org mail.MY.HOSTER.net www.mail.MY.HOSTER.net;
> >         #rewrite ^ https://$server_name$request_uri? permanent;
> >         rewrite ^ https://mail.MY.HOSTER.net$request_uri? permanent;
> > }
> > server {
> >         listen   443;
> >         server_name  mail.<MYDOMAIN>.org www.mail.<MYDOMAIN>.org kolab.<MYDOMAIN>.org www.kolab.<MYDOMAIN>.org mail.MY.HOSTER.net www.mail.MY.HOSTER.net;
> >         client_max_body_size 40M;
> >         # SSL is using CACert credentials
> >         ssl  on;
> >         ssl_certificate  /etc/ssl/private/cacert.<MYDOMAIN>.org.pem;
> >         ssl_certificate_key  /etc/ssl/private/cacert.<MYDOMAIN>.org_privatkey.pem;
> >         ssl_session_timeout  5m;
> >         ssl_protocols  SSLv3 TLSv1;
> >         ssl_ciphers  ALL:!ADH:!EXPORT56:!LOW:RC4+RSA:+HIGH:+MEDIUM:+SSLv3:+EXP;
> >         ssl_prefer_server_ciphers   on;
> >         # Proxy the "kolab.<MYDOMAIN>.org" lxc container
> >         location / {
> >                 proxy_pass http://10.10.10.14/roundcubemail/;
> >  #              proxy_pass http://10.10.10.14;
> >                 proxy_set_header Host $host;
> >                 proxy_set_header X-Real-IP $remote_addr;
> >                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >         }
> >         location /kolab-webadmin/ {
> >                 proxy_pass http://10.10.10.14/kolab-webadmin/;
> >                 proxy_set_header Host $host;
> >                 proxy_set_header X-Real-IP $remote_addr;
> >                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >         }
> >         location /freebusy/ {
> >                 proxy_pass http://10.10.10.14/freebusy/;
> >                 proxy_set_header Host $host;
> >                 proxy_set_header X-Real-IP $remote_addr;
> >                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >         }
> >         location /chwala/ {
> >                 proxy_pass http://10.10.10.14/chwala/;
> >                 proxy_set_header Host $host;
> >                 proxy_set_header X-Real-IP $remote_addr;
> >                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >         }
> >         location /iRony/ {
> >                 proxy_pass http://10.10.10.14/iRony/;
> >                 proxy_set_header Host $host;
> >                 proxy_set_header X-Real-IP $remote_addr;
> >                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >         }
> >         location /Microsoft-Server-ActiveSync/ {
> >                 proxy_pass http://10.10.10.14/Microsoft-Server-ActiveSync/;
> >                 proxy_set_header Host $host;
> >                 proxy_set_header X-Real-IP $remote_addr;
> >                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >         }
> > }
> >
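
The check suggested in the reply above (looking for http:// URLs in what the backend returns behind the HTTPS proxy), written out as an added example; it is not part of the original post and not Kolab or Chwala code. The function name `find_insecure_urls`, the host `mail.example.org` and both sample responses are constructed for illustration.

```python
import re

# http:// URLs, including the "http:\/\/" form produced by PHP's json_encode(),
# which escapes forward slashes by default.
INSECURE_URL = re.compile(
    r'http:(?:\\?/){2}[^\s"\'<>\\]+(?:\\/[^\s"\'<>\\]*)*', re.I)
# An xmlns="http://..." declaration is a namespace name, not a fetched resource.
XMLNS_PREFIX = re.compile(r'xmlns(?::\w+)?=["\']$')


def find_insecure_urls(body, site_host):
    """Return sorted (url, kind) pairs for each http:// URL in a response body.

    kind is "same-site" when the URL points at site_host, i.e. a URL the
    backend generated itself, and "external" otherwise.
    """
    found = set()
    for match in INSECURE_URL.finditer(body):
        if XMLNS_PREFIX.search(body[max(0, match.start() - 40):match.start()]):
            continue                                   # skip namespace names
        url = match.group(0).replace("\\/", "/")       # undo JSON slash escaping
        host = url[len("http://"):].split("/", 1)[0].split(":", 1)[0].lower()
        kind = "same-site" if host == site_host.lower() else "external"
        found.add((url, kind))
    return sorted(found)


# Constructed sample responses (not captured from a real installation).
SAMPLE_HTML = '''<html xmlns="http://www.w3.org/1999/xhtml"><body>
<a href="https://mail.example.org/chwala/">files</a>
<img src="//mail.example.org/skins/logo.png">
<script src="http://cdn.example.net/lib.js"></script>
<iframe src="http://mail.example.org/chwala/constructed-preview?id=1"></iframe>
</body></html>'''
SAMPLE_JSON = (r'{"status":"OK","preview":'
               r'"http:\/\/mail.example.org\/chwala\/constructed-preview?id=1"}')

if __name__ == "__main__":
    for name, body in (("html", SAMPLE_HTML), ("json", SAMPLE_JSON)):
        for url, kind in find_insecure_urls(body, "mail.example.org"):
            print(f"{name}: {kind}: {url}")
```

Run it over response bodies saved from the browser's network analyser; "same-site" hits are the URLs the backend built with the wrong scheme.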