I am troubleshooting an issue with a user of the z-push zimbra backend, and it has come down to the fact that for some reason when the AuthRequest is passed to the backend, it is not opening a session every time, and as a result is not passing back the session refresh block, and cannot initiate a WaitSet.
A random section of the debug log shows that maybe one in every 4 AuthRequest calls is getting a session. The others are just returning a token but with no session context created.
Has anyone any idea what would prevent/limit zimbra from opening a session ?
The configuration is one zimbra proxy in front of 3 or 4 mailstores. They are running 7.2.0 FOSS
[SOLVED] AuthRequest through NGINX proxy not creating/returning session on most calls
-
- Outstanding Member
- Posts: 921
- Joined: Sat Sep 13, 2014 12:47 am
-
- Zimbra Alumni
- Posts: 113
- Joined: Sat Sep 13, 2014 1:20 am
One case that comes immediately to mind is that AuthRequest will not create a session for mailboxes which reside on a different host. Since you are accessing the mailstores through a proxy you may need to send an additional request (perhaps NoOpRequest) after AuthRequest to get a sessionId.
-
- Outstanding Member
- Posts: 921
- Joined: Sat Sep 13, 2014 12:47 am
Thanks for the pointer.
How would I know that I have hit a proxy ?
The documentation states that I should get back a <refer> tag always - yet I never see one in the response.
Why would some AuthRequests work and others not for the same account connecting to the same hostname ?
-
- Zimbra Alumni
- Posts: 113
- Joined: Sat Sep 13, 2014 1:20 am
You mentioned in the original post that you are using a proxy. I am not familiar with this 3rd party 'zpush' you are using; but I assume it uses a single URL to connect to the mailstore servers. Therefore, I assume it is using the reverse proxy (nginx) URL so it can access any mailbox. You can know for sure by understanding the hostname of each server.
The behavior of the <refer> tag is controlled by the zimbraMailReferMode LDAP attribute. It sounds like this is set to reverse-proxied which means refer will never appear. If you see misleading documentation somewhere please file a bug against the 'tech docs' component so we can get it updated. Here's the actual description from zimbra-attrs.xml:
whether to send back a refer tag in an auth response to force a client redirect.
always - always send refer
wronghost - send refer if only if the account being authenticated does not live on this mail host
reverse-proxied - reverse proxy is in place and should never send refer
As for why AuthRequest may return different results for the same account; again I'm assuming you are connecting through the proxy. The initial AuthRequest is routed from the proxy to any of the available mailstore servers using round robin and IP hashing algorithms. Depending on which mailstore the request lands on, a session may or may not be created.
Hope this helps. If you want to understand more you may want to take a look at the HTTP access logs on the proxy and mailstores.
-
- Outstanding Member
- Posts: 921
- Joined: Sat Sep 13, 2014 12:47 am
Z-Push is an opensource ActiveSync implementation. The zimbra backend connects, normally to zimbraPublicURL appended to '/service/soap/', to send soap requests to the server. The system is working great against version 5,6,7 & 8 single node servers. But, it seems that when the proxy is in front a session is not getting created all the time - so the phone keeps seeing folders appear, then disappear, then appear again, then disappear again, and so on ...
OK - I understand the refer tag appearing or not. That is clear. Thank you.
[quote user="17416jflanigan"]
As for why AuthRequest may return different results for the same account; again I'm assuming you are connecting through the proxy. The initial AuthRequest is routed from the proxy to any of the available mailstore servers using round robin and IP hashing algorithms. Depending on which mailstore the request lands a session may or may not be created.[/QUOTE]
This makes sense then. If it happens to get routed to the actual mailstore that hosts the account it gets a session opened. That case is good.
But in the case I don't hit the right server first time, how do I get connected to the right one ? I have tried issuing a NoOpRequest, and it does not start a session.
Is there a pref or an attr I should look for that would direct me to structure a header differently ? Or anything else I need to do differently to handle this situation ?
-
- Zimbra Alumni
- Posts: 113
- Joined: Sat Sep 13, 2014 1:20 am
You can request a new session by specifying in the SOAP header.
http://www.w3.org/2003/05/soap-envelope">
...
-
- Outstanding Member
- Posts: 921
- Joined: Sat Sep 13, 2014 12:47 am
That is exactly what I did. Here's the PHP code
$header = '
'.$this->_authtoken.'
';
$body = '';
$response = $this->SoapRequest($body, $header, true, $returnJSON);
$contents = json_decode($response, true);
}
SoapRequest sends the request using CURL
But, I still do not get a session
Here is the debug of the request and the response.
15/10/2013 19:08:52 [ 2040] [DEBUG] [testing@server.com] Zimbra->SoapRequest(): SOAP Message: http://www.w3.org/2003/05/soap-envelope">
0_d11dc762e0e0abb0524f0ed04355ce65cccf7314_69643d33363a36393732373233352d343833652d343532342d393230632d6339636131666437353737343b6578703d31333a313338323033363932353730333b747970653d363a7a696d6272613b
15/10/2013 19:08:52 [ 2040] [DEBUG] [testing@server.com] Zimbra->SoapRequest(): SOAP response: {"Header":{"context":{"_jsns":"urn:zimbra"}},"Body":{"NoOpResponse":{"_jsns":"urn:zimbraMail"}},"_jsns":"urn:zimbraSoap"}
-
- Zimbra Alumni
- Posts: 113
- Joined: Sat Sep 13, 2014 1:20 am
Ahh right; I forgot to mention you need to include the authToken as a cookie so nginx knows which server to route the subsequent NoOpRequest to.
For example curl https://proxy.example.com/service/soap --cookie "ZM_AUTH_TOKEN=..." --data @noop.txt
-
- Outstanding Member
- Posts: 921
- Joined: Sat Sep 13, 2014 12:47 am
Ah! Maybe that is the missing key!
Does passing the auth token as a cookie like this only work for nginx configurations ?
Or if I configured it to always do that would that work for single node configurations too ?
Do I also need to have the auth token in the SOAP HEADER as well ?
-
- Zimbra Alumni
- Posts: 113
- Joined: Sat Sep 13, 2014 1:20 am
Yes, it works for both cases. Basically, the mail server will take the auth token from the cookie or the SOAP header; only one is required, however if both are specified they must match. The nginx proxy will take it only from the cookie since it never inspects the body of the HTTP request.
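The fix the thread arrives at, as an added Python sketch (not the Z-Push backend's PHP and not Zimbra's own code): a NoOpRequest that carries the same auth token in the ZM_AUTH_TOKEN cookie, which the proxy routes on, and in the SOAP context header, then checks the JSON reply for a session. The `<session/>` and `<format type="js"/>` context elements, the function names and the shape of the session-bearing reply are assumptions, since the header markup in the posts above did not survive; that reply and any token passed in are constructed sample values.

```python
import json
from xml.sax.saxutils import escape

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"  # namespace quoted in the thread

# Reply quoted in the thread's debug log: token accepted, no session opened.
NO_SESSION_REPLY = ('{"Header":{"context":{"_jsns":"urn:zimbra"}},'
                    '"Body":{"NoOpResponse":{"_jsns":"urn:zimbraMail"}},'
                    '"_jsns":"urn:zimbraSoap"}')
# Constructed reply (assumed shape) in which the mailstore did open a session.
WITH_SESSION_REPLY = ('{"Header":{"context":{"session":{"id":"1234","_content":"1234"},'
                      '"_jsns":"urn:zimbra"}},'
                      '"Body":{"NoOpResponse":{"_jsns":"urn:zimbraMail"}},'
                      '"_jsns":"urn:zimbraSoap"}')


def build_noop_request(auth_token):
    """Return (headers, body) for a NoOpRequest that asks for a new session."""
    if not auth_token or any(c in auth_token for c in ";, \r\n"):
        raise ValueError("auth token is empty or unsafe in a Cookie header")
    body = (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
        '<soap:Header><context xmlns="urn:zimbra">'
        f'<authToken>{escape(auth_token)}</authToken>'
        '<session/>'           # assumption: asks the mailstore for a new session
        '<format type="js"/>'  # assumption: JSON reply, as in the debug log
        '</context></soap:Header>'
        '<soap:Body><NoOpRequest xmlns="urn:zimbraMail"/></soap:Body>'
        '</soap:Envelope>'
    )
    headers = {
        "Content-Type": "application/soap+xml; charset=utf-8",
        # The proxy reads only this cookie; it must match <authToken> above.
        "Cookie": f"ZM_AUTH_TOKEN={auth_token}",
    }
    return headers, body


def session_id(reply_json):
    """Return the session id from a JSON SOAP reply, or None if none was opened."""
    context = json.loads(reply_json).get("Header", {}).get("context", {})
    session = context.get("session")
    return session.get("id") if isinstance(session, dict) else None


def redact(text, auth_token):
    """Mask the token before a request is written to a debug log."""
    return text.replace(auth_token, auth_token[:6] + "...[redacted]")
```

The auth token is a bearer credential, so `redact()` is applied to anything that goes to a debug log, and the request is sent only to an `https://` proxy URL.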