Thread: logging client IPs when running behind non-Zimbra nginx HTTP proxy

  1. #1
    Join Date
    Jul 2009
    Location
    Indianapolis, IN
    Posts
    2
    Rep Power
    6

    Default logging client IPs when running behind non-Zimbra nginx HTTP proxy

    I have a test installation of ZCS running behind a non-Zimbra nginx
    HTTP proxy on a separate host:

    Internet --> Firewall (w/ public IP) --> nginx (172.x.x.10:443)
    --> ZCS (172.x.x.113:443)

    Is it possible to configure Zimbra so it trusts the reverse proxy
    (172.x.x.10) and uses the X-Forwarded-For values provided by the
    proxy server in mailbox.log and audit.log ?

    Basically what I'm looking for is the mod_rpaf for Apache
    equivalent for Zimbra.

    Thanks for any help!

    --Brad

  2. #2
    Join Date
    Sep 2008
    Location
    Latvia
    Posts
    165
    Rep Power
    7

    Default

    Have you managed to solve this issue? Looking for similar solutions.

  3. #3
    Join Date
    Jul 2009
    Location
    Indianapolis, IN
    Posts
    2
    Rep Power
    6

    Default

    Quote Originally Posted by j2b View Post
    Have you managed to solve this issue? Looking for similar solutions.
    No, I have not...but I have not spent much time investigating since
    I posted either. (My Zimbra install is for evaluation purposes and
    my production mail service uses Postfix+Courier+SquirrelMail.)

    --Brad

  4. #4
    Join Date
    Sep 2008
    Location
    Latvia
    Posts
    165
    Rep Power
    7

    Default

    Yesterday I found an answer. Tested - and it works as far as I need this implementation. The only thing to remember is to manually make these changes after ZCS updates/upgrades, as all configuration files are overwritten.
    Here is the link to the forum article: http://www.zimbra.com/forums/adminis...tp-header.html

    Read comment #4

  5. #5
    Join Date
    Apr 2010
    Posts
    14
    Rep Power
    5

    Question

    Quote Originally Posted by j2b View Post
    and it works as far as I need this implementation. The only thing to remember is to manually make these changes after ZCS updates/upgrades, as all configuration files are overwritten.
    Here is the link on forum article: http://www.zimbra.com/forums/adminis...tp-header.html
    Read comment #4
    Sorry to raise an old thread, but I am wondering whether this change will allow the IP address of the client to show in mailbox.log and audit.log of Zimbra behind nginx HTTP proxies?

    For example, a failed login from IP address 99.98.97.96 which connects to proxy 111.112.113.114 will show up as a log entry like this:
    Code:
    2011-04-13 20:37:39,694 INFO  [btpool0-36341] [name=anaccount@mydomain.tld;oip=111.112.113.114;ua=zclient/5.0.11_GA_2695.RHEL5_64;] SoapEngine - handler exception: authentication failed for anaccount, invalid password
    The actual address 99.98.97.96 does not show at all. Will the change from that other forum allow the log entries to show the actual client IP address in that log entry?

    Thanks!

  6. #6
    Join Date
    Sep 2008
    Location
    Latvia
    Posts
    165
    Rep Power
    7

    Default

    Sorry arifsaha for the late answer, but you've probably figured that out by yourself. Yes, changes in the jetty.xml.in file on the mailbox server change the situation in the audit.log and mailbox.log files, showing the original visitor IP address instead of the proxy server address.

    To note: without these changes and if Proxy server is used for IMAP/POP connections too, original user IPs are shown by default, or to be more specific - it shows IP and OIP, where IP is proxy IP, if you scale proxy stack.

    My wish. I tested this on ZCS OS v7.1.1 and it works, although I wish to get this functionality implemented in ZCS installation via Admin GUI or CLI to be set. Since v5.x I do this manually all the time.

    And more to remember:
    - you have to make changes to the jetty.xml.in file, not jetty.xml, as the former is the source of jetty.xml on each ZCS restart.
    - you have to manually amend the jetty.xml.in file after each ZCS upgrade procedure!

    Hope this helps.

  7. #7
    Join Date
    Jan 2012
    Posts
    41
    Rep Power
    3

    Default

    I realize that this is an earlier post, but I'd like to share our case...

    We are running Zimbra 8.0.2 behind an Nginx reverse proxy...

    We had set all the headers and tried everything herein described.

    Well, it turns out that there is a combination of two things that has to be done.

    On the Reverse Proxy Nginx configuration file for the virtual server to webmail Zimbra, make sure to have declared under "Location"

    Code:
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    And on the Zimbra host, make sure to have on /opt/zimbra/jetty/etc/jetty.xml.in the following change, under

    <!-- user services connector, SSL --> and/or (depending on your configuration)
    <!-- user services connector, no SSL -->

    FROM
    Code:
              <Set name="ForwardedForHeader">bogus</Set>
    TO
    Code:
              <Set name="ForwardedForHeader">X-Real-IP</Set>
    And it works after zmcontrol restart
    Last edited by stasouv; 01-23-2013 at 03:16 PM.
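
An added example (not from the thread and not Zimbra's own tooling): because posts #4 and #6 note that jetty.xml.in is overwritten on upgrade, this Python check reads the template text for the ForwardedForHeader value from post #7 and counts failed logins that mailbox.log still attributes to the proxy address. The function names and the two template fragments are constructed for illustration; the first log line is the entry quoted in post #5 and the other two are constructed.

```python
import re
from collections import Counter

# <Set name="ForwardedForHeader"> value on a connector in jetty.xml.in
FWD_RE = re.compile(r'<Set name="ForwardedForHeader">([^<]*)</Set>')
# oip= field in the bracketed context block of a mailbox.log / audit.log line
OIP_RE = re.compile(r'(?:\[|;)oip=([^;\]]+)')

def forwarded_header_settings(template_text):
    """Every ForwardedForHeader value set in the jetty.xml.in text."""
    return [v.strip() for v in FWD_RE.findall(template_text)]

def needs_reapply(template_text, expected="X-Real-IP"):
    """True when no connector uses the expected header (e.g. after an upgrade)."""
    return expected not in forwarded_header_settings(template_text)

def failed_logins_by_oip(lines):
    """Count 'authentication failed' entries per oip= value."""
    counts = Counter()
    for line in lines:
        m = OIP_RE.search(line)
        if m and "authentication failed" in line:
            counts[m.group(1)] += 1
    return counts

def masked_by_proxy(counts, proxy_ips):
    """Failed logins still attributed to the proxy instead of a client."""
    return sum(n for ip, n in counts.items() if ip in proxy_ips)

# Constructed fragments of jetty.xml.in: stock value vs. the value from post #7.
STOCK = '<Set name="ForwardedForHeader">bogus</Set>'
PATCHED = '<Set name="ForwardedForHeader">X-Real-IP</Set>'

# First line is the entry quoted in post #5; the other two are constructed.
CTX = "ua=zclient/5.0.11_GA_2695.RHEL5_64;] SoapEngine - handler exception: "
MSG = "authentication failed for anaccount, invalid password"
SAMPLE_LOG = [
    "2011-04-13 20:37:39,694 INFO  [btpool0-36341] [name=anaccount@mydomain.tld;oip=111.112.113.114;" + CTX + MSG,
    "2011-04-13 20:41:02,118 INFO  [btpool0-36350] [name=anaccount@mydomain.tld;oip=99.98.97.96;" + CTX + MSG,
    "2011-04-13 20:41:09,530 INFO  [btpool0-36351] [name=anaccount@mydomain.tld;oip=99.98.97.96;" + CTX + MSG,
]

if __name__ == "__main__":
    print("re-apply jetty.xml.in change:", needs_reapply(STOCK))
    counts = failed_logins_by_oip(SAMPLE_LOG)
    print("failed logins by oip:", dict(counts))
    print("still masked by proxy:", masked_by_proxy(counts, {"111.112.113.114"}))
```

With `proxy_set_header X-Real-IP $remote_addr;` nginx replaces any client-supplied X-Real-IP with the address it actually saw, so the logged value is only as trustworthy as the guarantee that the mailbox port accepts connections from the proxy alone.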
