Nginx as an AUTH + proxy_pass in front of a mail server on the LAN; I'm missing something about passing the port #

Anonymous User
September 22, 2013 01:14PM
I have a mail server on my lan. It exposes a WebUI over SSL on
port:443.

It currently only has 1-step, password authentication. I want to add a
2nd layer of authentication, and put that mailserver behind an nginx
server that:

(1) adds BASIC authentication,
and
(2) after OK auth, transparently passes traffic to/from the mail
server

Here's the nginx config I use to do this:

------------------------------------
upstream mail-secure {
    server mail.mydomain.com:443;
}

server {
    server_name passthru.mydomain.com;
    more_set_headers "Server: Secure WebMail";
    listen 1.2.3.4:12345 ssl spdy default_server;

    root /svr/data/passthru.mydomain.com;
    access_log /var/log/nginx/passthru.mydomain.com.12345.access.log main;
    error_log /var/log/nginx/passthru.mydomain.com.12345.error.log error;
    rewrite_log on;
    ssl on;
    include includes/ssl_protocol.conf;
    ssl_verify_client off;
    ssl_certificate "/svr/sec/ssl/ComodoCert/mydomain.crt";
    ssl_certificate_key "/svr/sec/ssl/ComodoCert/mydomain.key";
    add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";

    gzip on;
    gzip_http_version 1.0;
    gzip_comp_level 6;
    gzip_proxied any;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_disable "MSIE [1-6].(?!.*SV1)";
    gzip_vary on;

    add_header Vary "Accept-Encoding";

    location / {
        auth_basic "Restricted Remote";
        auth_basic_user_file /svr/sec/auth/passwd.basic;
        proxy_pass https://mail-secure;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
------------------------------------

This works -- mostly.

If I visit https://passthru.mydomain.com:12345, I get the Nginx BASIC
auth dialog, like you'd expect.

If I enter OK credentials, thru to the mail server. Except that the 1st
redirection from the server I get is to

https://passthru.mydomain.com/h/search?mesg=welcome&init=true

which fails because it's at the wrong port. NOTE that there's no
":12345" in the URL.

If I simply mod that URL

-
https://passthru.mydomain.com/h/search?mesg=welcome&init=true
-
https://passthru.mydomain.com:12345/h/search?mesg=welcome&init=true

, adding the port, everything works after that. I can interact with &
use the mail server's UI no problem.

I suspect I need to pass an additional header, proxy parameter, etc --
but have no clue yet what/which.

Any ideas/suggestions what's missing or wrong here?

Thanks,

Jen
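
An added example, not part of the original post or of the replies in this thread: nginx's `$host` variable never contains a port, so the mail server receives `Host: passthru.mydomain.com` and most likely builds its redirect URL from that. The sketch below reuses the names from the posted config and shows two ways to keep `:12345`; that the mail server derives its `Location:` header from the forwarded Host is an assumption.

```nginx
# Added example: the location block from the post, with the port preserved.
location / {
    auth_basic           "Restricted Remote";
    auth_basic_user_file /svr/sec/auth/passwd.basic;

    proxy_pass https://mail-secure;

    # Option 1: forward the Host header with the listening port appended.
    # $host is port-less; $server_port is the port nginx accepted the
    # connection on (12345 here). $http_host would also carry the port,
    # but it is the raw header exactly as the client sent it.
    proxy_set_header Host            $host:$server_port;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Option 2: a safety net, or the alternative if the backend drops the
    # port anyway. Rewrites port-less Location and Refresh response headers
    # before they reach the browser, so the client stays on the
    # authenticated listener.
    proxy_redirect https://passthru.mydomain.com/ https://passthru.mydomain.com:12345/;
}
```

After reloading nginx, an authenticated request to `https://passthru.mydomain.com:12345/` should return a `Location:` header that includes `:12345`.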
