[SOLVED] AuthRequest through NGINX proxy not creating/returning session on most calls


Postby liverpoolfcfan » Tue Oct 08, 2013 6:29 am

I am troubleshooting an issue with a user of the z-push zimbra backend, and it has come down to the fact that for some reason when the AuthRequest is passed to the backend, it is not opening a session every time, and as a result is not passing back the session refresh block, and cannot initiate a WaitSet.
A random section of the debug log shows that maybe one in every 4 AuthRequest calls is getting a session. The others are just returning a token but with no session context created.
Has anyone any idea what would prevent/limit zimbra from opening a session?
The configuration is one zimbra proxy in front of 3 or 4 mailstores. They are running 7.2.0 FOSS.



Postby 17416jflanigan » Mon Oct 14, 2013 2:41 pm

One case that comes immediately to mind is that AuthRequest will not create a session for mailboxes which reside on a different host. Since you are accessing the mailstores through a proxy you may need to send an additional request (perhaps NoOpRequest) after AuthRequest to get a sessionId.

Postby liverpoolfcfan » Mon Oct 14, 2013 5:30 pm

Thanks for the pointer.
How would I know that I have hit a proxy?
The documentation states that I should get back a <refer> tag always - yet I never see one in the response.
Why would some AuthRequests work and others not for the same account connecting to the same hostname?

Postby 17416jflanigan » Tue Oct 15, 2013 12:18 pm

You mentioned in the original post that you are using a proxy. I am not familiar with this 3rd party 'zpush' you are using; but I assume it uses a single URL to connect to the mailstore servers. Therefore, I assume it is using the reverse proxy (nginx) URL so it can access any mailbox. You can know for sure by understanding the hostname of each server.
The behavior of the <refer> tag is controlled by the zimbraMailReferMode LDAP attribute. It sounds like this is set to reverse-proxied which means refer will never appear. If you see misleading documentation somewhere please file a bug against the 'tech docs' component so we can get it updated. Here's the actual description from zimbra-attrs.xml:

whether to send back a refer tag in an auth response to force a client redirect.

always - always send refer

wronghost - send refer if only if the account being authenticated does not live on this mail host

reverse-proxied - reverse proxy is in place and should never send refer

As for why AuthRequest may return different results for the same account; again I'm assuming you are connecting through the proxy. The initial AuthRequest is routed from the proxy to any of the available mailstore servers using round robin and IP hashing algorithms. Depending on which mailstore the request lands a session may or may not be created.
Hope this helps. If you want to understand more you may want to take a look at the HTTP access logs on the proxy and mailstores.

Postby liverpoolfcfan » Tue Oct 15, 2013 2:29 pm

Z-Push is an open-source ActiveSync implementation. The zimbra backend connects, normally to zimbraPublicURL appended to '/service/soap/', to send soap requests to the server. The system is working great against version 5, 6, 7 & 8 single node servers. But, it seems that when the proxy is in front a session is not getting created all the time - so the phone keeps seeing folders appear, then disappear, then appear again, then disappear again, and so on ...
OK - I understand the refer tag appearing or not. That is clear. Thank you.

[quote user="17416jflanigan"]

As for why AuthRequest may return different results for the same account; again I'm assuming you are connecting through the proxy. The initial AuthRequest is routed from the proxy to any of the available mailstore servers using round robin and IP hashing algorithms. Depending on which mailstore the request lands a session may or may not be created.[/QUOTE]

This makes sense then. If it happens to get routed to the actual mailstore that hosts the account it gets a session opened. That case is good.
But in the case I don't hit the right server first time, how do I get connected to the right one? I have tried issuing a NoOpRequest, and it does not start a session.
Is there a pref or an attr I should look for that would direct me to structure a header differently? Or anything else I need to do differently to handle this situation?

Postby 17416jflanigan » Tue Oct 15, 2013 3:25 pm

You can request a new session by specifying in the SOAP header.
http://www.w3.org/2003/05/soap-envelope">
...

Postby liverpoolfcfan » Tue Oct 15, 2013 3:34 pm

That is exactly what I did. Here's the PHP code

$header  = '
'.$this->_authtoken.'
';
$body = '';
$response = $this->SoapRequest($body, $header, true, $returnJSON);
$contents = json_decode($response, true);
}


SoapRequest sends the request using CURL
But, I still do not get a session
Here is the debug of the request and the response.
15/10/2013 19:08:52 [ 2040] [DEBUG] [testing@server.com] Zimbra->SoapRequest(): SOAP Message: http://www.w3.org/2003/05/soap-envelope">
0_d11dc762e0e0abb0524f0ed04355ce65cccf7314_69643d33363a36393732373233352d343833652d343532342d393230632d6339636131666437353737343b6578703d31333a313338323033363932353730333b747970653d363a7a696d6272613b
15/10/2013 19:08:52 [ 2040] [DEBUG] [testing@server.com] Zimbra->SoapRequest(): SOAP response: {"Header":{"context":{"_jsns":"urn:zimbra"}},"Body":{"NoOpResponse":{"_jsns":"urn:zimbraMail"}},"_jsns":"urn:zimbraSoap"}


Postby 17416jflanigan » Tue Oct 15, 2013 4:02 pm

Ahh right; I forgot to mention you need to include the authToken as a cookie so nginx knows which server to route the subsequent NoOpRequest to.
For example:
curl https://proxy.example.com/service/soap --cookie "ZM_AUTH_TOKEN=..." --data @noop.txt

Postby liverpoolfcfan » Tue Oct 15, 2013 4:19 pm

Ah! Maybe that is the missing key!
Does passing the auth token as a cookie like this only work for nginx configurations?
Or if I configured it to always do that would that work for single node configurations too?
Do I also need to have the auth token in the SOAP HEADER as well?

Postby 17416jflanigan » Tue Oct 15, 2013 4:23 pm

Yes, it works for both cases. Basically, the mail server will take auth token from cookie or SOAP header; only one is required, however if both are specified they must match. The nginx proxy will take it only from cookie since it never inspects the body of the HTTP request.
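
Added example, not part of the original thread and not Z-Push code: a Python sketch of the fix the thread arrives at, sending the same auth token both as the ZM_AUTH_TOKEN cookie (for nginx routing) and in the SOAP header, then checking whether the response context carries a session. The empty `<session/>` and `<format type="js"/>` context elements and the JSON shape of a session entry are assumptions, since the XML posted in the thread did not survive.

```python
import json
import re
import urllib.request
from xml.sax.saxutils import escape

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
# The token logged in this thread is digits, hex and underscores. Anything else
# (CR/LF, ';', spaces) is refused so it cannot alter the Cookie header.
TOKEN_RE = re.compile(r"[0-9A-Za-z_]+")

# Response from the thread's debug log: the context carries no session.
NO_SESSION = '{"Header":{"context":{"_jsns":"urn:zimbra"}},"Body":{"NoOpResponse":{"_jsns":"urn:zimbraMail"}},"_jsns":"urn:zimbraSoap"}'
# Constructed sample; the shape of the session entry is an assumption.
WITH_SESSION = '{"Header":{"context":{"session":{"id":"11","_content":"11"},"_jsns":"urn:zimbra"}},"Body":{"NoOpResponse":{"_jsns":"urn:zimbraMail"}},"_jsns":"urn:zimbraSoap"}'

def build_noop_envelope(auth_token):
    """NoOpRequest whose <context> carries the token and asks for a new session."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>'
        '<context xmlns="urn:zimbra">'
        f'<authToken>{escape(auth_token)}</authToken>'
        '<session/>'            # assumed: empty element requests a new session
        '<format type="js"/>'   # assumed: ask for a JSON response
        '</context></soap:Header><soap:Body>'
        '<NoOpRequest xmlns="urn:zimbraMail"/>'
        '</soap:Body></soap:Envelope>'
    )

def build_request(soap_url, auth_token):
    """POST request with the token in the cookie (read by nginx) and the header."""
    if not TOKEN_RE.fullmatch(auth_token):
        raise ValueError("unexpected characters in auth token")
    body = build_noop_envelope(auth_token).encode("utf-8")
    req = urllib.request.Request(soap_url, data=body, method="POST")
    req.add_header("Content-Type", "application/soap+xml; charset=utf-8")
    # Same value as the SOAP header: if both are sent they must match.
    req.add_header("Cookie", f"ZM_AUTH_TOKEN={auth_token}")
    return req

def session_id(response_text):
    """Return the session id from a JSON SOAP response, or None if none was opened."""
    context = json.loads(response_text).get("Header", {}).get("context", {})
    session = context.get("session")
    if isinstance(session, dict):
        return session.get("id") or session.get("_content")
    return session or None
```

Pass the result of build_request() to urllib.request.urlopen() and feed the response body to session_id(); a None result means no session was opened, so a WaitSet cannot be started yet.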
