Endless Redirect - SOGo behind Reverse Proxy

Simon.Glashauser · November 20, 2022, 9:38pm

NethServer Version: 7.9.2009
Module: SOGo 1.8.6

I am running NethServer on an Internal Network (VM’s behind Firewall), for all external accesse i have running an apache2 reverseproxy

In my internal network i can acceess SOGo with 10.10.0.7/SOGo
Now i want it accessible from mail.mydomain.tld/SOGo

With a simple ReverseProxy i can access the NethServer root page but SOGo redirects me back to my IP.
If i set
RequestHeader set Host “mail.mydomain.tld”
ProxyPreserveHost On
i get an endless redirect …

After some searching i found the official SOGo apache2 sample configuration (i think for docker)
With this config i have the same problem… endless redirect.

My config:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName mail.mydomain.de
        ServerAdmin support@mydomain.de

## MY OWN CONFIG 

#       RewriteEngine on

#        RequestHeader set X-Forwarded-Proto "https"
#        RequestHeader set X-Forwarded-Port "443"
#       RequestHeader set "x-webobjects-server-name" "mail.mydomain.de"
#       RequestHeader set "x-webobjects-server-url" "https://mail.mydomain.de/"
#       ProxyRequests Off
#       SetEnv proxy-nokeepalive 1
#        ProxyPass / http://10.10.0.7:80/ retry=0
#        ProxyPassReverse /SOGo http://10.10.0.7:80/SOGo
#       RequestHeader set Host "mail.mydomain.de"
#       ProxyPreserveHost On
 #       SSLProxyEngine On
  #      SSLProxyVerify none
   #     SSLProxyCheckPeerCN off
    #    SSLProxyCheckPeerName off
     #   SSLProxyCheckPeerExpire off


## SAMPLE CONFIG FROM ONLINE

Alias /SOGo.woa/WebServerResources/ \
      /usr/lib/GNUstep/SOGo/WebServerResources/
Alias /SOGo/WebServerResources/ \
      /usr/lib/GNUstep/SOGo/WebServerResources/

<Directory /usr/lib/GNUstep/SOGo/>
    AllowOverride None

    <IfVersion < 2.4>
        Order deny,allow
        Allow from all
    </IfVersion>
    <IfVersion >= 2.4>
     Require all granted
    </IfVersion>

    # Explicitly allow caching of static content to avoid browser specific behavior.
    # A resource's URL MUST change in order to have the client load the new version.
    <IfModule expires_module>
      ExpiresActive On
      ExpiresDefault "access plus 1 year"
    </IfModule>
</Directory>

## Uncomment the following to enable proxy-side authentication, you will then
## need to set the "SOGoTrustProxyAuthentication" SOGo user default to YES and
## adjust the "x-webobjects-remote-user" proxy header in the "Proxy" section
## below.
#
## For full proxy-side authentication:
<Location /SOGo>
#  AuthType XXX
#  Require valid-user
  SetEnv proxy-nokeepalive 1
  Allow from all
</Location>
#
## For proxy-side authentication only for CardDAV and GroupDAV from external
## clients:
<Location /SOGo/dav>
#  AuthType XXX
#  Require valid-user
  SetEnv proxy-nokeepalive 1
  Allow from all
</Location>

ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On

# When using CAS, you should uncomment this and install cas-proxy-validate.py
# in /usr/lib/cgi-bin to reduce server overloading
#
# ProxyPass /SOGo/casProxy http://localhost/cgi-bin/cas-proxy-validate.py
# <Proxy http://localhost/app/cas-proxy-validate.py>
#   Order deny,allow
#   Allow from your-cas-host-addr
# </Proxy>

ProxyPass /SOGo http://10.10.0.7/SOGo retry=0

# Enable to use Microsoft ActiveSync support
# Note that you MUST have many sogod workers to use ActiveSync.
# See the SOGo Installation and Configuration guide for more details.
#
#ProxyPass /Microsoft-Server-ActiveSync \
# http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \
# retry=60 connectiontimeout=5 timeout=360

<Proxy http://10.10.0.7/SOGo>
## adjust the following to your configuration
  RequestHeader set "x-webobjects-server-port" "443"
  RequestHeader set "x-webobjects-server-name" "mail.mydomain.de"
  RequestHeader set "x-webobjects-server-url" "https://mail.mydomain.de"

## When using proxy-side autentication, you need to uncomment and
## adjust the following line:
  RequestHeader unset "x-webobjects-remote-user"
#  RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e" env=REMOTE_USER

  RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"

  AddDefaultCharset UTF-8

  Order allow,deny
  Allow from all
</Proxy>

# For Apple autoconfiguration
<IfModule rewrite_module>
  RewriteEngine On
  RewriteRule ^/.well-known/caldav/?$ /SOGo/dav [R=301]
  RewriteRule ^/.well-known/carddav/?$ /SOGo/dav [R=301]
</IfModule>
</VirtualHost>
</IfModule>

Andy_Wismer · November 21, 2022, 4:15am

@Simon.Glashauser

Hi

I see and read you setting Apache reverse proxy and redirects - almost all DNS name based - but not one word about setting DNS anywhere…

It works for me, but then, I make sure an Internal host will always access an internal resource by an internal IP, not the same as external hosts, which get the correct external IP as resolution of DNS.

I think that’s your problem…

My 2 cents
Andy