How to reach SOGo3 webmail over a reverse proxy?

Support
,
1

NethServer Version: 7.5.1804 (rc)
Module: SOGo3

Hi,
the situation: NS “A” and NS “B” are placed into a DMZ behind a pfsense.

  • NS “A” is the Mailserver. SOGo3 runs on this machine. This machine is NOT directly available from the web: the port forwarding for “80” and “443” redirects to the machine NS “B”.
  • NS “B” is the Webserver and gets all the requests for port “80” and port “443”.

The target: I would like that the NS “B” redirects the requests “webmail.domain.tld” to “NS_A.domain.tld/SOGo” (this url tested from “inside” works well).

Therefore I set this into the “reverse proxy” of the server-manager of NS “B”.
“webmail.domain.tld” redirects the request but the displayed web page is totally destroyed: I can hardly recognize the login folders of SOGo webmail but thats all. The CSS seems to be not existing and the login doesn’t work.

“webmail.domain.tld”, “NS_A.domain.tld” and “NS_B.domain.tld” have a valid certificate from Letsencrypt.

Who has an idea? Who has already solved this?
Thanks.
Arnaud

2

Please have a look at the following link, it’s not a problem with sogo, but it could be similar to yours.

2 Likes
3

Hi Michael,
Many thanks for this link: you are right, it looks very close to what happens by me.
Unfortunately, I still haven’t had the possibility t(=“ich habe noch kein Möglichkeit gehabt” - for people who don’t understand my global English…:stuck_out_tongue:) to test it, maybe this WE with some luck.
I’ll report in any case.
Bye
Arnaud

3 Likes
4

Also, the reverse proxy module in nethserver has been updated and is much much more powerful. The only reason you would need to use the method described in that post is if you have options that are not available in the web gui. I have actually moved all my reverse proxy sites to the gui and it works very well! Let me know if you have any questions about it.

5 Likes
5

Yep I would love a piece of documentation on sogo and reverse proxy (need a PR on github), if some options lack please do a feature request.

6

I’m curious :innocent:

Do you have a list of webapps that work with it? It would be like gold here!!!

We could add it to the manual too…

7

Most things work, except sogo because of an ssl issue. But I am working on it! Plex, Nextcloud, PiHole, Subsonic, any remote server pretty much. The only thing that does not work properly is sogo and the actual gateway because of ssl. I will figure it out though, going to be installing a new nethserver instance on an APU2C4 box so it will be much more stable for me than it used to be.

5 Likes
8

Hi,
@Jclendineng many thanks for the spontaneous help !

I think that I will need it: even if the instructions look clear, I haven’t got it working.

For remembering:

  • NS1.domain.tld/SOGo is where sogo is running. Not directely from the WAN available
  • NS2.domain.tld is the reverse-proxy. From the WAN available
  • webmail.domain.tld is the wished url to use to reach sogo from the WAN

What I’ve done on NS2, according to your instructions:

  • creating /etc/httpd/sites-available and /etc/httpd/sites-enabled with reading permissions for all and creating the conf file webmail.domain.tld.conf in “sites-available”:
    # ls -l sites-available/ total 4 -rw-r--r-- 1 root root 664 Jun 14 21:09 webmail.domain.tld.conf
  • creating the link from sites-enabled:
    '# ls -l sites-enabled/
    total 0
    lrwxrwxrwx 1 root root 49 Jun 14 21:08 webmail.domain.tld.conf -> /etc/httpd/sites-available/webmail.domain.tld.conf`
  • entering into /etc/httpd/sites-available/webmail.domain.tld.conf:
[code]   
        RewriteEngine on
        RewriteCond %{HTTPS} !on
        RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301]
        ProxyPreserveHost On
        ServerName webmail.domain.tld
        ProxyPass / http://IP_NS1/SOGo/
        ProxyPassReverse / http://IP_NS1/SOGo/
    

    
    #    RewriteEngine on
    #    RewriteCond %{HTTPS} !on
    #    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301]
    #    RewriteRule ^ https://%{INTERNAL_IP/}%{REQUEST_URI} [END,QSA,R=permanent]
        ProxyPreserveHost On
        ServerName webmail.domain.tld
        ProxyPass / https://IP_NS1/SOGo/
        ProxyPassReverse / https://IP_NS1/SOGo/
     [/code]
  • nano /etc/httpd/conf/httpd.conf and add at the end of the file:
    IncludeOptional sites-enabled/*.conf
  • systemctl restart httpd to restart apache

The result is an error of apache by calling “webmail.domain.tld”:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Entering “NS1.domain.tld” instead of the IP of NS1 doesn’t change anything.
=> I’ll try to find details into the logs of apache.

Bye
Arnaud

PS: how to disable the auto-format of the police for commands or conf files? I selected “preformated text” but it seems not to disable the function?

9

Into the logs of httpd/error of NS2 (=the reverse proxy) after calling “https://webmail.domain.tld”:
[Thu Jun 14 21:46:04.851063 2018] [ssl:error] [pid 6082] [remote IP_NS1:443] AH01961: SSL Proxy requested for NS1.domain.tld:80 but not enabled [Hint: SSLProxyEngine] [Thu Jun 14 21:46:04.851123 2018] [proxy:error] [pid 6082] AH00961: HTTPS: failed to enable ssl support for IP_NS1:443 (IP_NS1)

Edit:
the given manual configuration here http://docs.nethserver.org/en/v7/proxy_pass.html contains some setting about SSL:
SSLEngine On
SSLProxyEngine On

I’ll try this tomorrow.

Bye

10

you can make us of triple backticks:

```
content
```

or

```text
content
```

Here are other tips on formatting:

11

so, I’ve added the “SSL” parameters into the conf file => there is no error from apache any more, but I’ve the same result than using the “ReverseProxy” from the server-manager: I can hardly recognize the login screen of sogo because the css is completely destroyed.
Of course, as with the ReverseProxy, the login doesn’t work.

Question1: what should be done? Asking by sogo how to configure a reverse proxy?
Question2 : is it possible to set Sogo (installed as a module) having it’s web site available over another port?

Bye
Arnaud
PS: @dnutan thanks!

12

in the reverse proxy do you still use the /SOGo I know it is a mandatory

in fact reverse the domain name toto.com to sogoDomainName.com, do not add the /SOGo in the reverse proxy path, but use it in the url, eg

toto.com/SOGo

13

Yes I do:

[code]

    RewriteEngine on
    RewriteCond %{HTTPS} !on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301]
    ProxyPreserveHost On
    ServerName webmail.domain.tld
    ProxyPass / http://IP_NS1/SOGo/
    ProxyPassReverse / http://IP_NS1/SOGo/



#    RewriteEngine on
#    RewriteCond %{HTTPS} !on
#    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301]
#    RewriteRule ^ https://%{INTERNAL_IP/}%{REQUEST_URI} [END,QSA,R=permanent]

     SSLEngine On
     SSLProxyEngine On

    ProxyPreserveHost On
    ServerName webmail.domain.tld
    ProxyPass / https://IP_NS1/SOGo/
    ProxyPassReverse / https://IP_NS1/SOGo/

[/code]

EDIT: do you mean “webmail.domain.tld” should only point to “NS1.domain.tld” and then “webmail.domain.tld/SOGo” should be used to reach sogo?
I try immediately!

1 Like
14

YES!
I can login from LAN.
But from WAN with the smartphone, the password seems to be not accepted…
=>I must have a look again.

15

It works very well, even from the WAN!
Even with reverse proxy configured into the server-manager => no need to us the “sites-available”

Question: what about putting this trick into the wiki?

Many thanks @stephdl !

16

heu, could you explain more longer your full configuration

enfin à l’insu de mon plein grè

17

could you detail your solution

18

In other words: the issue war trying to point directly on "NS1.domain.tld/SOGo”.
As you wrote, “/SOGo” into the url seems to be necessary.

2 Likes
19

simple but efficient :smiley:

20

Hi Arnoud, a bit of cross posting, but could you test this

On the server (NS"A") SOGo runs?
where you have to substitute " webmail.domain.nl" with your “webmail.domain.tld