roundcube/chwala interaction inconsistencies (and nginx?)
Johannes Graumann
johannes_graumann at web.de
Fri Sep 26 14:40:39 CEST 2014
Hello Enrico,
Thank you for your help. Sadly including the X-Forwarded-Proto bit does not
fix my situation.
Would you be willing to share the content of your
kolab_files.inc.php
config.inc.php
defaults.inc.php
(in an anonymized manner)?
Thank you for your time and effort.
Sincerely, Joh
Enrico Tagliavini wrote:
> Hi Johannes,
>
> I'm doing something quite similar to you, but with VMs instead of LXC
> containers. I have one machine with nginx and a VM with the full kolab
> install. All running on CentOS 6 though, not 7 and this is still kolab
> 3.2. I have a difference between my config and yours:
>
> location /chwala {
>     proxy_pass http://<backend>/chwala;
>     proxy_set_header X-Real-IP $remote_addr; # this is not really needed
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     proxy_set_header Host $host;
>     proxy_set_header X-Forwarded-Proto $scheme;
> }
>
> The X-Forwarded-Proto header is something not present in your config. That
> said I don't remember anymore if this is just a try which I forgot to
> remove or if it is something actually useful. Since the protocol is
> hardcoded in the config file anyway this should not make a difference.
> Nevertheless it is correct to add it.
>
> Even with this Chwala doesn't work 100% behind a proxy for me. It lists
> files and folders, I can upload and download them, but the preview is
> broken. The preview generates some http:// URL for some odd reason I'm not
> able to determine. Since I enable HSTS http:// traffic is not redirected
> to HTTPS, the browser simply blocks it, as it should.
>
> If you want to debug this issue further I would also recommend to use the
> firefox builtin network analyser, the web-console and, if this is not
> enough, the firebug addon (providing more or less the same functions, but
> in a different way). You can look for client side errors or http:// URLs,
> something not directly triggering errors
>
> Unrelated note: RC4 ciphers are considered insecure. I would recommend
> ECDHE based ciphers instead with higher priority. You might still need RC4
> support for some very old (and now likely deprecated) clients.
>
> Best regards.
> Enrico
>
>
> On 24 September 2014 11:59, Johannes Graumann <johannes_graumann at web.de>
> wrote:
>
>> Hello,
>>
>> I have a setup in which a centos lxc-container runs kolab and another
>> (debian -based) lxc container runs nginx, proxying (https-rewriting) all
>> http(s) traffic. I have attached the (slightly obfuscated) corresponding
>> nginx configuration below - 10.10.10.4 is the address of the
>> kolab-running container.
>>
>> With this setup, I have access to roundcube, kolab-webadmin, ActiveSync
>> and Chwala (via explicit */chwala) just fine (the other protocols haven't
>> been tested).
>>
>> For the "Files" tab in roundcube the default config doesn't work as
>> everything is being rewritten to https ...
>> When I edit (on the kolab server)
>> "/etc/roundcubemail/kolab_files.inc.php" to
>> > $config['kolab_files_url'] = 'https://' . $_SERVER['HTTP_HOST'] . '/chwala/';
>> and run "service httpd restart", a roundcube instance that was
>> open/logged in before that shows the expected folder structure in "Files"
>> - saving to cloud still fails with "Saving 1 file(s) failed.".
>>
>> Upon logging out of roundcube and logging back in, the "Files" tab is
>> empty once more, not delivering the existing folder tree and restarting
>> httpd does
>> not bring it back.
>>
>> This is plain weird. Where is there caching going on here and why? I am
>> unable to find any meaningful logging information accompanying these
>> events.
>>
>> Any idea what's going on, what to try, where to look?
>>
>> Thanks, Joh
>>
>> > server {
>> >     listen 80;
>> >     # Rewrite to ssl (https)
>> >     server_name mail.<MYDOMAIN>.org www.mail.<MYDOMAIN>.org kolab.<MYDOMAIN>.org www.kolab.<MYDOMAIN>.org mail.MY.HOSTER.net www.mail.MY.HOSTER.net;
>> >     #rewrite ^ https://$server_name$request_uri? permanent;
>> >     rewrite ^ https://mail.MY.HOSTER.net$request_uri? permanent;
>> > }
>> > server {
>> >     listen 443;
>> >     server_name mail.<MYDOMAIN>.org www.mail.<MYDOMAIN>.org kolab.<MYDOMAIN>.org www.kolab.<MYDOMAIN>.org mail.MY.HOSTER.net www.mail.MY.HOSTER.net;
>> >     client_max_body_size 40M;
>> >     # SSL is using CACert credentials
>> >     ssl on;
>> >     ssl_certificate /etc/ssl/private/cacert.<MYDOMAIN>.org.pem;
>> >     ssl_certificate_key /etc/ssl/private/cacert.<MYDOMAIN>.org_privatkey.pem;
>> >     ssl_session_timeout 5m;
>> >     ssl_protocols SSLv3 TLSv1;
>> >     ssl_ciphers ALL:!ADH:!EXPORT56:!LOW:RC4+RSA:+HIGH:+MEDIUM:+SSLv3:+EXP;
>> >     ssl_prefer_server_ciphers on;
>> >     # Proxy the "kolab.<MYDOMAIN>.org" lxc container
>> >     location / {
>> >         proxy_pass http://10.10.10.14/roundcubemail/;
>> >         # proxy_pass http://10.10.10.14;
>> >         proxy_set_header Host $host;
>> >         proxy_set_header X-Real-IP $remote_addr;
>> >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> >     }
>> >     location /kolab-webadmin/ {
>> >         proxy_pass http://10.10.10.14/kolab-webadmin/;
>> >         proxy_set_header Host $host;
>> >         proxy_set_header X-Real-IP $remote_addr;
>> >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> >     }
>> >     location /freebusy/ {
>> >         proxy_pass http://10.10.10.14/freebusy/;
>> >         proxy_set_header Host $host;
>> >         proxy_set_header X-Real-IP $remote_addr;
>> >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> >     }
>> >     location /chwala/ {
>> >         proxy_pass http://10.10.10.14/chwala/;
>> >         proxy_set_header Host $host;
>> >         proxy_set_header X-Real-IP $remote_addr;
>> >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> >     }
>> >     location /iRony/ {
>> >         proxy_pass http://10.10.10.14/iRony/;
>> >         proxy_set_header Host $host;
>> >         proxy_set_header X-Real-IP $remote_addr;
>> >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> >     }
>> >     location /Microsoft-Server-ActiveSync/ {
>> >         proxy_pass http://10.10.10.14/Microsoft-Server-ActiveSync/;
>> >         proxy_set_header Host $host;
>> >         proxy_set_header X-Real-IP $remote_addr;
>> >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> >     }
>> > }
>> >
>>
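
The configuration points raised in this thread (proxied locations that lack X-Forwarded-Proto, RC4 in the cipher list) can be checked mechanically. The Python script below is an added example, not part of the original messages and not Kolab or nginx code; it also flags SSLv3 and export-grade cipher tokens, which goes slightly beyond what the thread discusses. The `audit` function and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample, condensed from the configuration quoted in this thread.
SAMPLE = """
server {
    listen 443;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:!LOW:RC4+RSA:+HIGH:+MEDIUM:+SSLv3:+EXP;
    location / {
        proxy_pass http://10.10.10.14/roundcubemail/;
        proxy_set_header Host $host;
    }
    location /chwala/ {
        proxy_pass http://10.10.10.14/chwala/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
"""

def audit(conf):
    """Return a list of (scope, finding) tuples for an nginx config string."""
    findings = []
    # Strip comments so commented-out directives are ignored.
    conf = re.sub(r"#[^\n]*", "", conf)
    m = re.search(r"\bssl_protocols\s+([^;]+);", conf)
    if m and "SSLv3" in m.group(1).split():
        findings.append(("server", "ssl_protocols enables SSLv3"))
    m = re.search(r"\bssl_ciphers\s+([^;]+);", conf)
    if m:
        for token in re.sub(r"\s+", "", m.group(1)).split(":"):
            # '!' and '-' remove ciphers; a bare token adds them and a '+'
            # token only reorders them, so neither excludes a weak suite.
            if token[:1] in "!-":
                continue
            if re.search(r"RC4|EXP", token.lstrip("+")):
                findings.append(("server", "weak suite not excluded: " + token))
    # Location blocks here contain no nested braces, so a flat match is enough.
    for path, body in re.findall(r"location\s+(\S+)\s*\{([^}]*)\}", conf):
        if re.search(r"proxy_pass\s+http://", body) and \
           not re.search(r"proxy_set_header\s+X-Forwarded-Proto\s", body):
            findings.append((path, "plain-HTTP upstream without X-Forwarded-Proto"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(f"{scope}: {finding}")
```
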