Nginx as an AUTH + proxy_pass in front of a mail server on the LAN; I'm missing something about pass

I have a mail server on my lan. It exposes a WebUI over SSL on
port:443.

It currently only has 1-step, password authentication. I want to add a
2nd layer of authentication, and put that mailserver behind an nginx
server that:

(1) adds BASIC authentication, and
(2) after OK auth, transparently passes traffic to/from the mail
server

Here’s the nginx config I use to do this:


upstream mail-secure {
    server mail.mydomain.com:443;
}

server {
    server_name passthru.mydomain.com;
    # more_set_headers comes from the headers-more module
    more_set_headers "Server: Secure WebMail";
    listen 1.2.3.4:12345 ssl spdy default_server;

    root        /svr/data/passthru.mydomain.com;
    access_log  /var/log/nginx/passthru.mydomain.com.12345.access.log main;
    error_log   /var/log/nginx/passthru.mydomain.com.12345.error.log  error;
    rewrite_log on;
    ssl         on;
    include     includes/ssl_protocol.conf;
    ssl_verify_client   off;
    ssl_certificate     "/svr/sec/ssl/ComodoCert/mydomain.crt";
    ssl_certificate_key "/svr/sec/ssl/ComodoCert/mydomain.key";
    add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";

    gzip              on;
    gzip_http_version 1.0;
    gzip_comp_level   6;
    gzip_proxied      any;
    gzip_min_length   1100;
    gzip_buffers      16 8k;
    gzip_types        text/plain text/css application/x-javascript
                      text/xml application/xml application/xml+rss text/javascript;
    gzip_disable      "MSIE [1-6].(?!.*SV1)";
    gzip_vary         on;

    add_header Vary   "Accept-Encoding";

    location / {
        # 2nd authentication layer: BASIC auth in front of the mail server
        auth_basic           "Restricted Remote";
        auth_basic_user_file /svr/sec/auth/passwd.basic;
        # after successful auth, pass through to the upstream mail server
        proxy_pass           https://mail-secure;
        proxy_set_header     Host $host;
        proxy_set_header     X-Real-IP $remote_addr;
        proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

This works – mostly.

If I visit https://passthru.mydomain.com:12345, I get the Nginx BASIC
auth dialog, like you’d expect.

If I enter OK credentials, I get thru to the mail server. Except that
the 1st redirection from the server I get is to

https://passthru.mydomain.com/h/search?mesg=welcome&init=true

which fails because it’s at the wrong port. NOTE that there’s no
“:12345” in the URL.

If I simply mod that URL, adding the port, i.e. change

https://passthru.mydomain.com/h/search?mesg=welcome&init=true

to

https://passthru.mydomain.com:12345/h/search?mesg=welcome&init=true

everything works after that. I can interact with & use the mail
server’s UI no problem.

I suspect I need to pass an additional header, proxy parameter, etc –
but have no clue yet what/which.

Any ideas/suggestions what’s missing or wrong here?

Thanks,

Jen

On Sun, Sep 22, 2013 at 10:11:50AM -0700, [email protected] wrote:

Hi there,

untested; and it may depend on exactly who is doing the redirecting,
but does replacing this line:

            proxy_set_header  Host $host;

with

proxy_set_header Host $host:12345;

change how it responds?

f

Francis D. [email protected]

Hi Francis,

On Sun, Sep 22, 2013, at 01:13 PM, Francis D. wrote:

untested; and it may depend on exactly who is doing the redirecting,
but does replacing this line:

            proxy_set_header  Host $host;

with

proxy_set_header Host $host:12345;

change how it responds?

That sounded promising, but, unfortunately … no.

Same behavior – initial response is without the portnum; add it
manually, and all’s well.

Jen

I lied! Sort of …

After making your suggested change, and restarting nginx, no change.

BUT, after a machine reboot – it now works as expected. Acts like
something got stuck in some cache …

thanks a lot!

On Sun, Sep 22, 2013 at 01:28:02PM -0700, [email protected] wrote:

On Sun, Sep 22, 2013, at 01:13 PM, Francis D. wrote:

Hi there,

proxy_set_header Host $host:12345;

That sounded promising, but, unfortunately … no.

Same behavior – initial response is without the portnum; add it
manually, and all’s well.

Fair enough.

Can you learn which part of the system creates the initial response? And
from what does it create it?

With that information, you may be able to learn what needs changing to
get the result you want.

What is the output of

curl -i https://passthru.mydomain.com:12345/

(possibly with a “-k” in there, if the cert is a problem)?

f

Francis D. [email protected]
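The check Francis suggests (look at the first response with curl -i and see which origin the Location header points at) can be scripted, so it is easy to rerun after each config change or reboot. The script below is an added example, not code from this thread, from nginx or from the mail server. It parses a constructed sample response modelled on the symptom Jen describes (the real input would be the output of curl -i, with -u for the BASIC credentials, against https://passthru.mydomain.com:12345/), compares the Location header's scheme, host and effective port against the proxy's public origin, and shows the rewrite a proxy-side Location fixup would have to produce (in nginx that is the proxy_redirect directive, which the thread does not mention). The host names, port and sample response are all constructed.

```python
"""Check a redirect returned through a reverse proxy against the proxy's
public origin.  Added example, not code from the thread or from nginx."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a first response after login, modelled on the
# symptom in the thread (Location drops the :12345 port).  Not real output.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Secure WebMail\r\n"
    "Location: https://passthru.mydomain.com/h/search?mesg=welcome&init=true\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# The origin the browser actually used to reach the proxy (assumed value).
PUBLIC_ORIGIN = "https://passthru.mydomain.com:12345"

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_status_and_headers(raw):
    """Split a raw HTTP/1.x response head into (status code, {lower-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def effective_port(url):
    """Port a browser would connect to: the explicit port, else the scheme default."""
    parts = urlsplit(url)
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def check_redirect(raw, public_origin):
    """Report whether a redirect keeps the client on the proxy's public origin.

    Any mismatch sends the browser somewhere other than the authenticating
    proxy, which is exactly the failure described in the thread.
    """
    status, headers = parse_status_and_headers(raw)
    if status not in REDIRECT_STATUSES or "location" not in headers:
        return {"redirect": False, "ok": True, "problems": []}
    location = headers["location"]
    loc = urlsplit(location)
    if not loc.scheme:
        # Relative Location: the browser resolves it against the origin it used.
        return {"redirect": True, "ok": True, "location": location, "problems": []}
    pub = urlsplit(public_origin)
    problems = []
    if loc.scheme != pub.scheme:
        problems.append("scheme %s != %s" % (loc.scheme, pub.scheme))
    if loc.hostname != pub.hostname:
        problems.append("host %s != %s" % (loc.hostname, pub.hostname))
    if effective_port(location) != effective_port(public_origin):
        problems.append("port %s != %s"
                        % (effective_port(location), effective_port(public_origin)))
    return {"redirect": True, "ok": not problems, "location": location,
            "problems": problems}


def rewrite_location(location, public_origin):
    """Rewrite an absolute Location onto the public origin, keeping path and query.

    This is the transformation a proxy-side Location fixup would apply.
    """
    loc = urlsplit(location)
    if not loc.scheme:
        return location
    pub = urlsplit(public_origin)
    return urlunsplit((pub.scheme, pub.netloc, loc.path, loc.query, loc.fragment))


if __name__ == "__main__":
    result = check_redirect(SAMPLE_RESPONSE, PUBLIC_ORIGIN)
    print(result)
    if result["redirect"] and not result["ok"]:
        print("fixed:", rewrite_location(result["location"], PUBLIC_ORIGIN))
```

Feed it the head of a real curl -i response and, if problems lists a host or port mismatch, the next question is the one Francis asks: whether the upstream built that Location from the Host header it received (which is what the $host:12345 change addresses) or from its own configured hostname.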

Fair enough.

Our responses “crossed in the mail”! :)

Thanks,

Jen
