Nginx as an AUTH + proxy_pass in front of a mail server on the LAN; I'm missing something about passing the port #

jen142 at promessage.com
Sun Sep 22 17:11:50 UTC 2013


I have a mail server on my lan.  It exposes a WebUI over SSL on
port:443.

It currently only has 1-step, password authentication.  I want to add a
2nd layer of authentication, and put that mailserver behind an nginx
server that:

	(1) adds BASIC authentication,
and
	(2) after OK auth, transparently passes traffic to/from the mail
	server

Here's the nginx config I use to do this:

------------------------------------
upstream mail-secure {
    server mail.mydomain.com:443;
}

server {
        server_name passthru.mydomain.com;
        more_set_headers "Server: Secure WebMail";
        listen      1.2.3.4:12345 ssl spdy default_server;

        root                      /svr/data/passthru.mydomain.com;
        access_log                /var/log/nginx/passthru.mydomain.com.12345.access.log main;
        error_log                 /var/log/nginx/passthru.mydomain.com.12345.error.log  error;
        rewrite_log               on;
        ssl                       on;
        include                   includes/ssl_protocol.conf;
        ssl_verify_client         off;
        ssl_certificate           "/svr/sec/ssl/ComodoCert/mydomain.crt";
        ssl_certificate_key       "/svr/sec/ssl/ComodoCert/mydomain.key";
        add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";

        gzip              on;
        gzip_http_version 1.0;
        gzip_comp_level   6;
        gzip_proxied      any;
        gzip_min_length   1100;
        gzip_buffers 16   8k;
        gzip_types        text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
        gzip_disable "MSIE [1-6].(?!.*SV1)";
        gzip_vary         on;

        add_header Vary   "Accept-Encoding";

        location / {
                auth_basic "Restricted Remote";
                auth_basic_user_file /svr/sec/auth/passwd.basic;
                proxy_pass        https://mail-secure;
                proxy_set_header  Host $host;
                proxy_set_header  X-Real-IP $remote_addr;
                proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        }

}
------------------------------------

This works -- mostly.

If I visit https://passthru.mydomain.com:12345, I get the Nginx BASIC
auth dialog, like you'd expect.

If I enter OK credentials, I get thru to the mail server.  Except that the 1st
redirection from the server I get is to

	https://passthru.mydomain.com/h/search?mesg=welcome&init=true

which fails because it's at the wrong port.  NOTE that there's no
":12345" in the URL.

If I simply mod that URL

	- https://passthru.mydomain.com/h/search?mesg=welcome&init=true
	- https://passthru.mydomain.com:12345/h/search?mesg=welcome&init=true

, adding the port, everything works after that.  I can interact with &
use the mail server's UI no problem.

I suspect I need to pass an additional header, proxy parameter, etc --
but have no clue yet what/which.

Any ideas/suggestions what's missing or wrong here?

Thanks,

Jen
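
The `location` block from the post with the port carried through to the upstream, as an added example that is not part of the original message. It assumes the mail server builds its redirect URLs from the `Host` header it receives; nginx's `$host` never includes the port, which matches the missing ":12345" described above.

```nginx
# Added example; names and paths are the ones used in the post's config.
# Assumption: the upstream derives absolute redirect URLs from the Host
# header. With "Host $host" it sees only "passthru.mydomain.com" and
# redirects to the default HTTPS port.

location / {
        auth_basic            "Restricted Remote";
        auth_basic_user_file  /svr/sec/auth/passwd.basic;

        proxy_pass            https://mail-secure;

        # Before: proxy_set_header Host $host;   (port is dropped)
        # After: send the externally visible name and port. $server_name and
        # $server_port come from this server block, not from the request, so
        # a forged Host header sent to this default_server cannot steer the
        # URL the upstream redirects to.
        proxy_set_header      Host $server_name:$server_port;

        proxy_set_header      X-Real-IP $remote_addr;
        proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;

        # Fallback if the upstream ignores the port in Host: rewrite the
        # Location header of its redirects on the way back to the client.
        # A redirect that already carries :12345 does not match this prefix
        # and is left alone.
        proxy_redirect        https://passthru.mydomain.com/ https://passthru.mydomain.com:12345/;
}
```

Passing `$http_host` would also carry the port, but it forwards whatever the client sent, so it is the weaker choice on a `default_server` listener.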


