How to access SOGo and ActiveSync not through SSL (i.e. port 80)

jonathan · May 26, 2019, 7:09pm

NethServer Version: 7.6.1810
Module: SOGo, ActiveSync

Hi All,

My NethServer install sits behind a firewall with a proxy (pfSense with HAProxy). Ideally, I would like to configure a vhost that can present the SOGo web interface and ActiveSync unencrypted on port 80.

I know this is probably going to involve some ‘e-smith’ templates but could someone help with some clear instructions?

Many Thanks,

Jonathan

stephdl · May 26, 2019, 7:38pm

First why?

This is really risky, your password will be sent in clear on the network

After that do you want to use sogo with a virtual host or not, without a virtualhost it will be simple

This is what it makes the redirection to 443

github.com

NethServer/nethserver-sogo/blob/master/root/etc/e-smith/templates/etc/httpd/conf.d/default-virtualhost.inc/30SOGo

#
# 30SOGo
#
{
    my $sogo_host = ($sogod{'VirtualHost'} || 'Default');
    if (! (($sogod{'status'} || '') eq 'enabled')) {
       $OUT.= "# SOGo webacces is disabled\n\n\n";
    } 
    elsif ($sogo_host ne 'Default'){
       $OUT.= "# SOGo webacces exclusive on $sogo_host\n\n\n";
    } 
    else { 
       $OUT.= "RewriteEngine On\n";
       $OUT.= "RewriteCond %{HTTPS} !=on\n";
       $OUT.= "RewriteRule ^/SOGo(/.*)?\$ https://%{HTTP_HOST}/SOGo\$1 [R=301,L]\n";

       if (($sogod{'Dav'} || 'disabled') eq 'enabled') {
          $OUT.= "RewriteRule ^/^(cal|card|dav)\$               https://%{HTTP_HOST}/SOGo/dav [R=301,L] \n";
          $OUT.= "RewriteRule ^/.well-known/^(caldav|carddav)\$ https://%{HTTP_HOST}/SOGo/dav [R=301,L] \n\n\n";

This file has been truncated. show original

pike · May 27, 2019, 3:37pm

Can’t help myself to agree…

jonathan · May 27, 2019, 7:32pm

Thanks for your help.

I do understand your point about it being risky but the NethServer is on a separate vlan connected only to the firewall so I feel that would be fairly safe. LAN and WAN hosts can only access my NetServer through the firewall (port 80 is blocked for them) and then only a non-standard port. Only the firewall will have access to port 80 and HAProxy allows me to easily deploy some extra filters. One of the things I have noticed is that Fail2ban does not ban repeated bad ActiveSync attempts.

Looking at the code snippet, this looks like the original template. If I comment out (or delete) the lines:
$OUT.= “RewriteCond %{HTTPS} !=on\n”;
$OUT.= “RewriteRule ^/SOGo(/.*)?$ https://%{HTTP_HOST}/SOGo$1 [R=301,L]\n”;
and regenerate the files with: signal-event nethserver-sogo-update
will that achieve what I am looking to do?
I just thought that having a new virtualhost would allow me to keep the existing default config and create a new one to play around with. In the first instance, just having ActiveSync on port 80 would be enough. I realise it will need to be SSLified to be used with client software but I thought that would be handled with HAProxy.

stephdl · May 27, 2019, 7:46pm

hum, indeed we have no jails for that, do you have something in log relative to this

stephdl · May 27, 2019, 7:52pm

Yes but you should create a custom-template, else the next update will overwrite your changes, for a vhost check the /etc/e-smith/templates/etc.httpd/conf.d/zzz_sogo.conf, you will find a redirection to redirect the 80 to 443

jonathan · May 27, 2019, 10:08pm

I have seen the info on creating custom templates and can handle that bit (I think!) I know that creating customised vhosts templates is more complicated so (at least to begin with) will just work with the default vhost. I get a bit lost with Apache directives and would be grateful for any help you can give on that part of the problem. default-virtalhost.inc has RewriteRule and zzz_SOGo.con has RequestHeader set. I did see this post:

which seems to be fairly close to what I am looking for but is a bit old. I thought that the actual redirect took place in 30SOGo part of default-virtualhost.inc. Nevertheless, I will give it a go and report back.

Thanks for your support and the great product that NethServer is!