Setting up a web server to go along Zimbra

bmunger
Posts: 2
Joined: Tue Jun 04, 2019 7:00 pm

Setting up a web server to go along Zimbra

Postby bmunger » Sat Jan 04, 2020 1:26 am

Hello,
I have a Zimbra server set up that listens on port 443 (https). I have a domain set up for it and a machine name registered with an SSL certificate:
emails.[mydomain.tld]
I'd like to use the same Ubuntu server to have a web site too on
www.[mydomain.tld]
Is that possible?

I have a fixed IP address from my service provider and they charge for it. I guess I could set up a second server and ask for more IPs, but... is that necessary?

Do I have to change the config of the Apache server that comes with Zimbra or do I configure the standard Ubuntu Apache and play with port numbers or some other means?

Am I playing with fire?

Thanks!
Bernard


phoenix
Ambassador
Posts: 26567
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Setting up a web server to go along Zimbra

Postby phoenix » Sat Jan 04, 2020 5:34 am

Don't even think of doing this as you'll lose all of the modifications every time you upgrade your ZCS server.
Regards

Bill

bmunger
Posts: 2
Joined: Tue Jun 04, 2019 7:00 pm

Re: Setting up a web server to go along Zimbra

Postby bmunger » Sat Jan 04, 2020 10:39 am

phoenix wrote: Don't even think of doing this as you'll lose all of the modifications every time you upgrade your ZCS server.

Thanks for the reply, Phoenix. I understand your point. It's a good one.

If the changes made have to be saved elsewhere, it would not be such a big thing... my web site is not that popular, I can live with it being down a few times (every update) and re-copy the new configs when it happens.

Can I change the login page? Could I have a link towards my main web site?

How can I set up a page to load before the main login page, redirecting either towards email or towards the rest of a site?

Having two IP addresses for my domain would be a heck of a hassle as I do this from home... so multiple IPs seem like overkill.

I took a quick look under the hood and it looks like it's Jetty that does the web UI, is this right?

Thanks for your help.
neutronscott
Posts: 28
Joined: Fri Jun 09, 2017 2:05 pm

Re: Setting up a web server to go along Zimbra

Postby neutronscott » Sat Jan 04, 2020 11:28 am

Editing the proxy that comes with Zimbra is a bad idea for the reasons phoenix said. Putting another one in front should work. You would have Zimbra then bind its proxy service to some other high port (on 127.0.0.1 preferably) and set up a name-based vhost. You may need to pay attention to the logs and be sure the client IP is passed through or you risk the DoSFilter blocking everything. It looks like Zimbra's nginx config will honor X-Forwarded-For. I recommend enabling this anyway:

https://wiki.zimbra.com/wiki/Log_Files#Logging_the_Originating_IP

Ideally you'd have the public IP in a firewall DMZ and a separate VM for it, Zimbra, and the other web stuff you want to serve. Only allow the proxy into your network to reach the backend web services, which can be on private addresses, so if it is compromised it's more inconvenience for lateral movement.
neutronscott
Posts: 28
Joined: Fri Jun 09, 2017 2:05 pm

Re: Setting up a web server to go along Zimbra

Postby neutronscott » Sat Jan 04, 2020 11:51 am

So I tested this out briefly. I used nginx and the X-Forwarded-For header is set there. Then Zimbra's nginx adds to this value.
mailbox.log shows oip="192.168.1.103, 192.168.255.249" which I believe will cause problems with DoSFilter. It's not really good that Zimbra's nginx does that.
milauria
Advanced member
Advanced member
Posts: 67
Joined: Mon Aug 15, 2016 12:32 pm

Re: Setting up a web server to go along Zimbra

Postby milauria » Sun Jan 05, 2020 12:40 pm

To achieve this in my environment I have done the following:

I left the Zimbra installation "standard" including the ports (in my case the webmail responds to 8443 port). I tend to avoid manual editing of files.
In front of the Zimbra server I have created a separate VM with nginx hosting the web site and configured as a reverse proxy for the Zimbra server (this VM also hosts the letsencrypt certificate). By configuring nginx reverse proxy I can direct http://www., mail., /activesync etc to where is needed.

No issues with the DOSfiltering and originating IP per example below

Code:

proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
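
The layout described in the posts above (a front nginx doing name-based virtual hosting, with the Zimbra install left standard behind it), written out as an added example that is not any poster's actual configuration. The backend address 10.0.0.20, the certificate paths and the web root are assumptions, and it sets X-Forwarded-For to $remote_addr rather than $proxy_add_x_forwarded_for so that the header carries one address chosen by the proxy.

```nginx
# Constructed example for the front nginx (a file included in the http {} context).
# mydomain.tld is the thread's placeholder; 10.0.0.20, the web root and the
# certificate paths (one certificate covering both names) are assumptions.
# 8443 is the webmail port mentioned in the post above.

# Unknown host names get no certificate and no content (needs nginx 1.19.4+).
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

# Plain HTTP only redirects to HTTPS for the two known names.
server {
    listen 80;
    server_name www.mydomain.tld emails.mydomain.tld;
    return 301 https://$host$request_uri;
}

# The web site, served by the front nginx itself.
server {
    listen 443 ssl;
    server_name www.mydomain.tld;
    ssl_certificate     /etc/ssl/mydomain/fullchain.pem;
    ssl_certificate_key /etc/ssl/mydomain/privkey.pem;
    root  /var/www/site;
    index index.html;
}

# Webmail, passed through to the untouched Zimbra install on a private address.
server {
    listen 443 ssl;
    server_name emails.mydomain.tld;
    ssl_certificate     /etc/ssl/mydomain/fullchain.pem;
    ssl_certificate_key /etc/ssl/mydomain/privkey.pem;

    location / {
        proxy_pass https://10.0.0.20:8443;
        proxy_set_header Host $host;
        # Overwrite instead of append: whatever X-Forwarded-For the client sent is
        # dropped, and Zimbra receives only the address this proxy actually saw.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The Zimbra side still has to treat the front proxy's address as trusted before it logs the forwarded address as the originating IP, as the wiki page linked earlier in the thread describes. nginx does not verify the upstream certificate by default (proxy_ssl_verify is off), so the hop to 8443 is encrypted but not authenticated unless that is turned on.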
