Sun Sep 22 17:11:50 UTC 2013

I have a mail server on my LAN.  It exposes a WebUI over SSL on

It currently only has 1-step, password authentication.  I want to add a
2nd layer of authentication, and put that mailserver behind an nginx
server that:

	(1) adds BASIC authentication,
	(2) after OK auth, transparently passes traffic to/from the mail

Here's the nginx config I use to do this:

upstream mail-secure {

server {
        more_set_headers "Server: Secure WebMail";         
        listen ssl spdy default_server;

        root                      /svr/data/;
        /var/log/nginx/ main;
        /var/log/nginx/  error;
        rewrite_log               on;
        ssl                       on; include
        ssl_verify_client         off;
        add_header Strict-Transport-Security "max-age=315360000;

        gzip              on;
        gzip_http_version 1.0;
        gzip_comp_level   6;
        gzip_proxied      any;
        gzip_min_length   1100;
        gzip_buffers 16   8k;
        gzip_types        text/plain text/css application/x-javascript
        text/xml application/xml application/xml+rss text/javascript;
        gzip_disable "MSIE [1-6].(?!.*SV1)";
        gzip_vary         on;

        add_header Vary   "Accept-Encoding";

        location / {
                auth_basic "Restricted Remote";
                auth_basic_user_file /svr/sec/auth/passwd.basic;
                proxy_pass        https://mail-secure;    
                proxy_set_header  Host $host;
                proxy_set_header  X-Real-IP $remote_addr;
                proxy_set_header  X-Forwarded-For


This works -- mostly.

If I visit, I get the Nginx BASIC
auth dialog, like you'd expect.

If I enter OK credentials, thru to the mail server.  Except that the 1st
redirection from the server I get is to

which fails because it's at the wrong port.  NOTE that there's no
":12345" in the URL.

If I simply mod that URL


, adding the port, everything works after that.  I can interact with &
use the mail server's UI no problem.

I suspect I need to pass an additional header, proxy parameter, etc --
but have no clue yet what/which.

Any ideas/suggestions what's missing or wrong here?



