Nginx as an AUTH + proxy_pass in front of a mail server on the LAN; I'm missing something about passing the port #
jen142 at promessage.com
jen142 at promessage.com
Sun Sep 22 17:11:50 UTC 2013
I have a mail server on my lan. It exposes a WebUI over SSL on
port:443.
It currently only has 1-step, password authentication. I want to add a
2nd layer of authentication, and put that mailserver behind an nginx
server that:
(1) adds BASIC authentication,
and
(2) after OK auth, transparently passes traffic to/from the mail
server
Here's the nginx config I use to do this:
------------------------------------
upstream mail-secure {
server mail.mydomain.com:443;
}
server {
server_name passthru.mydomain.com;
more_set_headers "Server: Secure WebMail";
listen 1.2.3.4:12345 ssl spdy default_server;
root /svr/data/passthru.mydomain.com;
access_log
/var/log/nginx/passthru.mydomain.com.12345.access.log main;
error_log
/var/log/nginx/passthru.mydomain.com.12345.error.log error;
rewrite_log on;
ssl on; include
includes/ssl_protocol.conf;
ssl_verify_client off;
ssl_certificate
"/svr/sec/ssl/ComodoCert/mydomain.crt";
ssl_certificate_key
"/svr/sec/ssl/ComodoCert/mydomain.key";
add_header Strict-Transport-Security "max-age=315360000;
includeSubdomains";
gzip on;
gzip_http_version 1.0;
gzip_comp_level 6;
gzip_proxied any;
gzip_min_length 1100;
gzip_buffers 16 8k;
gzip_types text/plain text/css application/x-javascript
text/xml application/xml application/xml+rss text/javascript;
gzip_disable "MSIE [1-6].(?!.*SV1)";
gzip_vary on;
add_header Vary "Accept-Encoding";
location / {
auth_basic "Restricted Remote";
auth_basic_user_file /svr/sec/auth/passwd.basic;
proxy_pass https://mail-secure;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
}
}------------------------------------
This works -- mostly.
If I visit https://passthru.mydomain.com:12345, I get the Nginx BASIC
auth dialog, like you'd expect.
If I enter OK credentials, thru to the mail server. Except that the 1st
redirection from the server I get is to
https://passthru.mydomain.com/h/search?mesg=welcome&init=true
which fails because it's at the wrong port. NOTE that there's no
":12345" in the URL.
If I simply mod that URL
-
https://passthru.mydomain.com/h/search?mesg=welcome&init=true
-
https://passthru.mydomain.com:12345/h/search?mesg=welcome&init=true
, adding the port, everything works after that. I can interact with &
use the mail server's UI no problem.
I suspect I need to pass an additional header, proxy parameter, etc --
but have no clue yet what/which.
Any ideas/suggestions what's missing or wrong here?
Thanks,
Jen
More information about the nginx
mailing list