Configure nginx to trust and set X-ORIGINATING-IP

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
vdagost-fr
Posts: 43
Joined: Mon Apr 11, 2016 11:59 am

Configure nginx to trust and set X-ORIGINATING-IP

Postby vdagost-fr » Sun Nov 13, 2016 4:27 pm

Hi guys

I have a F5 BIG IP network equipment in front of my two zimbra proxy and I would like to have the users original ip in the IMAP mailbox logs instead of the BIG IP one.

I tried to set up the zimbra proxy nginx with :
set_real_ip_from w.x.y.z/32;
real_ip_header X-ORIGINATING-IP;

But at proxy restart I have :
Starting nginx...nginx: [emerg] unknown directive "set_real_ip_from" in /opt/zimbra/conf/nginx/includes/nginx.conf.mail.imap.default:17 failed.

How can I set nginx to trust the X-ORIGINATING-IP provided in the IMAP dialog and keep it when proxying to the zimbra stores ?

Regards

Victor
Last edited by vdagost-fr on Tue Nov 15, 2016 3:12 pm, edited 1 time in total.


flunda
Advanced member
Advanced member
Posts: 61
Joined: Fri Sep 18, 2015 2:19 am
ZCS/ZD Version: 8.7.0_GA_1659.RHEL6_64 @ CentOS_6

Re: Configure nginx to trust and set X-ORIGINATING-IP

Postby flunda » Mon Nov 14, 2016 7:06 am

Hi,

we have an nginx-clusert in front of our zimbra environment and on the nginx we're redirecting the original IP and on zimbra we've done the following:

Code: Select all

zmprov mcf +zimbraMailTrustedIP IPADDRONE +zimbraMailTrustedIP IPADDRTWO


and this gives us the OriginalIP in our access.log
vdagost-fr
Posts: 43
Joined: Mon Apr 11, 2016 11:59 am

Re: Configure nginx to trust and set X-ORIGINATING-IP

Postby vdagost-fr » Mon Nov 14, 2016 8:16 am

Hi

Thanks for your help :)

Do you have only "zimbra nginx" ?
Because I've already done this setting and it works perfectly : If IMAP users connect to one of the nginx then his oip is logged in mailboxd.

My problem is when IMAP users connect to a ip load balancer in front of the zimbra nginx cluster.

Regards

Victor
flunda
Advanced member
Advanced member
Posts: 61
Joined: Fri Sep 18, 2015 2:19 am
ZCS/ZD Version: 8.7.0_GA_1659.RHEL6_64 @ CentOS_6

Re: Configure nginx to trust and set X-ORIGINATING-IP

Postby flunda » Mon Nov 14, 2016 10:15 am

Hi,

ok, sorry. But in our setup we're also using a IMAP-Loadbalancer in front of Zimbra and here i am also not getting the real IP, just the LoadBalancer's IP. But we we never had the need to get also the real IMAP initiator's IP as we're just having IMAP internally. But i would also beinterested in how to get that :D

Code: Select all

2016-11-14 11:11:17,090 INFO  [ImapServer-766] [ip=10.8.8.1;oip=10.10.200.50;via=10.8.8.1(nginx/1.7.1);ua=Zimbra/8.7.0_GA_1659;] security - cmd=Auth; account=account@domain.com; protocol=imap;
vdagost-fr
Posts: 43
Joined: Mon Apr 11, 2016 11:59 am

Re: Configure nginx to trust and set X-ORIGINATING-IP

Postby vdagost-fr » Mon Nov 14, 2016 10:49 am

Hi

Alright then :)

I hope a zimbra nginx expert may help us !
vdagost-fr
Posts: 43
Joined: Mon Apr 11, 2016 11:59 am

Re: Configure nginx to trust and set X-ORIGINATING-IP (unsolved)

Postby vdagost-fr » Fri Nov 18, 2016 8:44 am

Hi

Anyone ?

I can't believe i'm the first person trying to do that.

Zimbra is supposed to be a profesionnal software :(

Victor
gtillman
Posts: 2
Joined: Tue May 10, 2016 3:41 pm

Re: Configure nginx to trust and set X-ORIGINATING-IP (unsolved)

Postby gtillman » Tue Nov 22, 2016 12:09 am

Victor I'm not sure that can work with IMAP connections. I tried compiling nginx with the

Code: Select all

--with-http_realip_module
option after noticing that src/http/modules/ngx_http_realip_module.c was in the code base. I was able to get nginx to accept these directives (with actual IP address)...

Code: Select all

set_real_ip_from w.x.y.z/32;
real_ip_header X-ORIGINATING-IP;


... in the top of nginx.conf.web.template, just inside the http block. But I don't think HTTP headers apply for IMAP protocol.

By the way, that was on an 8.7 build.
vdagost-fr
Posts: 43
Joined: Mon Apr 11, 2016 11:59 am

Re: Configure nginx to trust and set X-ORIGINATING-IP

Postby vdagost-fr » Thu Dec 08, 2016 4:10 pm

Hi

Great work and this is the way to do it.

Compiling nginx with this module could be a nice and easy request for enhancement.

I'm very surprised to be the first person asking about that !

Victor

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 21 guests