Forum: NGINX Nginx as an AUTH + proxy_pass in front of a mail server on the LAN; I'm missing something about pass

unknown (Guest)
on 2013-09-22 19:12
(Received via mailing list)
I have a mail server on my LAN.  It exposes a WebUI over SSL on
port 443.

It currently only has 1-step, password authentication.  I want to add a
2nd layer of authentication, and put that mailserver behind an nginx
server that:

  (1) adds BASIC authentication,
and
  (2) after OK auth, transparently passes traffic to/from the mail
  server

Here's the nginx config I use to do this:

------------------------------------
upstream mail-secure {
    server mail.mydomain.com:443;
}

server {
        server_name passthru.mydomain.com;
        more_set_headers "Server: Secure WebMail";
        listen      1.2.3.4:12345 ssl spdy default_server;

        root                      /svr/data/passthru.mydomain.com;
        access_log                /var/log/nginx/passthru.mydomain.com.12345.access.log main;
        error_log                 /var/log/nginx/passthru.mydomain.com.12345.error.log  error;
        rewrite_log               on;
        ssl                       on;
        include                   includes/ssl_protocol.conf;
        ssl_verify_client         off;
        ssl_certificate           "/svr/sec/ssl/ComodoCert/mydomain.crt";
        ssl_certificate_key       "/svr/sec/ssl/ComodoCert/mydomain.key";
        add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";

        gzip              on;
        gzip_http_version 1.0;
        gzip_comp_level   6;
        gzip_proxied      any;
        gzip_min_length   1100;
        gzip_buffers 16   8k;
        gzip_types        text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
        gzip_disable "MSIE [1-6].(?!.*SV1)";
        gzip_vary         on;

        add_header Vary   "Accept-Encoding";

        location / {
                auth_basic "Restricted Remote";
                auth_basic_user_file /svr/sec/auth/passwd.basic;
                proxy_pass        https://mail-secure;
                proxy_set_header  Host $host;
                proxy_set_header  X-Real-IP $remote_addr;
                proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        }

}
------------------------------------

This works -- mostly.

If I visit https://passthru.mydomain.com:12345, I get the Nginx BASIC
auth dialog, like you'd expect.

If I enter OK credentials, I get thru to the mail server.  Except that the 1st
redirection I get from the server is to

  https://passthru.mydomain.com/h/search?mesg=welcom...

which fails because it's at the wrong port.  NOTE that there's no
":12345" in the URL.

If I simply mod that URL, adding the port,

  - https://passthru.mydomain.com/h/search?mesg=welcom...
  - https://passthru.mydomain.com:12345/h/search?mesg=...

everything works after that.  I can interact with &
use the mail server's UI no problem.

I suspect I need to pass an additional header, proxy parameter, etc --
but have no clue yet what/which.

Any ideas/suggestions what's missing or wrong here?

Thanks,

Jen
Francis Daly (Guest)
on 2013-09-22 22:14
(Received via mailing list)
On Sun, Sep 22, 2013 at 10:11:50AM -0700, jen142@promessage.com wrote:

Hi there,

untested; and it may depend on exactly who is doing the redirecting,
but does replacing this line:

>                 proxy_set_header  Host $host;

with

  proxy_set_header  Host $host:12345;

change how it responds?

  f
--
Francis Daly        francis@daoine.org
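An added configuration example for the location block (not from either poster, and not tested against their setup): it combines the port-carrying Host header suggested above with an explicit proxy_redirect for the case where the mail server builds the Location header from the public hostname itself. Hostnames, port and file paths are the ones from Jen's config.

```nginx
location / {
    auth_basic           "Restricted Remote";
    auth_basic_user_file /svr/sec/auth/passwd.basic;

    proxy_pass https://mail-secure;

    # Send the port the client actually connected to, so a backend that
    # builds absolute redirect URLs from the Host header includes ":12345".
    proxy_set_header Host            $host:$server_port;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # The built-in rewrite only matches the proxy_pass URL, i.e. Location
    # headers starting with https://mail-secure/ (keep it for those cases).
    proxy_redirect default;

    # A Location that the backend built from the public hostname does not
    # match the rule above and is passed through unchanged; rewrite it
    # here so the port is restored before the browser sees it.
    proxy_redirect https://passthru.mydomain.com/ https://passthru.mydomain.com:12345/;

    # nginx forwards the client's request headers, including the
    # Authorization header carrying the basic-auth credentials, to the
    # upstream. Clearing it keeps the second-factor secret at the proxy;
    # drop this line only if the mail server itself needs that header.
    proxy_set_header Authorization "";
}
```

The curl check suggested later in the thread (`curl -i https://passthru.mydomain.com:12345/`) shows whether the returned Location header now carries the port, which is the quickest way to tell the two rewrites apart from a stale redirect cached by the browser.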
unknown (Guest)
on 2013-09-22 22:28
(Received via mailing list)
Hi Francis,

On Sun, Sep 22, 2013, at 01:13 PM, Francis Daly wrote:
> untested; and it may depend on exactly who is doing the redirecting,
> but does replacing this line:
>
> >                 proxy_set_header  Host $host;
>
> with
>
>   proxy_set_header  Host $host:12345;
>
> change how it responds?

That sounded promising, but, unfortunately ... no.

Same behavior -- initial response is without the port number; add it
manually, and all's well.


Jen
unknown (Guest)
on 2013-09-22 22:33
(Received via mailing list)
I lied! Sort of ...

After making your suggested change, and restarting nginx, no change.

BUT, after a machine reboot -- it now works as expected.  Acts like
something got stuck in some cache ...

thanks a lot!
Francis Daly (Guest)
on 2013-09-22 22:36
(Received via mailing list)
On Sun, Sep 22, 2013 at 01:28:02PM -0700, jen142@promessage.com wrote:
> On Sun, Sep 22, 2013, at 01:13 PM, Francis Daly wrote:

Hi there,

> >   proxy_set_header  Host $host:12345;

> That sounded promising, but, unfortunately ... no.
>
> Same behavior -- initial response is without the port number; add it
> manually, and all's well.

Fair enough.

Can you learn which part of the system creates the initial response? And
from what does it create it?

With that information, you may be able to learn what needs changing to
get the result you want.

What is the output of

 curl -i https://passthru.mydomain.com:12345/

(possibly with a "-k" in there, if the cert is a problem)?

  f
--
Francis Daly        francis@daoine.org
unknown (Guest)
on 2013-09-22 23:16
(Received via mailing list)
> Fair enough.

Our responses "crossed in the mail"!  :-)

Thanks,

Jen