Configure Zimbra on same public ip on which web server is running

Post by mayurjrajyaguru »

Hello team,

I am planning to install Zimbra Mail server in a SOHO environment. Users will be up to 100. I have a single public IP address which is configured on the WAN1 interface of the firewall. The web server is hosted behind the firewall and it is responding on TCP ports 80 and 443. I configured port forwarding in the firewall and an appropriate policy is configured towards the web server in order to allow public access. The website is up and working fine.

Now, we are planning to install Zimbra; however, it works on TCP ports 80 and 443 through web access. We don't have another public IP address.

Is there any way to configure Zimbra on the same public IP on which the web server is running? How can we segregate web server traffic (TCP 80 & 443) from Zimbra web access (which is also on TCP 80 and 443)? We are new to Zimbra, so your advice will be appreciated.

Thank You!

Regards,
Mayur Rajyaguru
Post by JDunphy »

Zimbra is using nginx, so if you want to maintain that configuration file yourself, you can make this happen. It will most certainly be overwritten during Zimbra upgrades, so keep any changes you make as a patch. The answer I have seen is don't do this or it is not supported, etc... Note: Zimbra will most likely self-tune to use most of the server's resources to optimize the users' experience, etc. Pick a reason. :-)

Having said that, nginx is more than capable of segmenting virtual services, so run your company web server on 127.0.0.1:80 and 127.0.0.1:443 or pick different ports on your public IP address... Then have Zimbra's nginx inverse proxy your webserver based on server name to those web server ports. That would minimize the changes you would need to make to the Zimbra nginx configuration and/or let you switch back to pure Zimbra or pure webserver should something go wrong with either configuration. Probably a few other ways, but that seems like the least intrusive to Zimbra. I wouldn't do that myself given the inexpensive cost of cloud/KVMs and what my time was worth, but that is how I would do it if I was being told/forced to make it happen.

The other option is to look at something like Cloudflare (free) and see if it's possible to have the origin server at different public IP ports... If that is the case, leave Zimbra as is and put your public web server on those ports and have Cloudflare do all the work to keep the illusion intact for the users. That would be the easiest by far.
Post by McGregor »

Hi JDunphy,

I'm interested to know more about the solution you describe in the second paragraph above. Particularly, how do you configure Zimbra to do: "Then have Zimbra's nginx inverse proxy your webserver based on server name to those web server ports."?

Thanks.
Post by JDunphy »

McGregor wrote:
> Hi JDunphy,
>
> I'm interested to know more about the solution you describe in the second paragraph above. Particularly, how do you configure Zimbra to do: "Then have Zimbra's nginx inverse proxy your webserver based on server name to those web server ports."?

I recommend that you play with nginx first so you can see how to use reverse proxies. Google proxy_pass and inverse proxy with nginx in the search terms. Here is one page: https://docs.nginx.com/nginx/admin-guid ... rse-proxy/ Put that in front of your web server. Then when you are comfortable you know how it works, you can look at Zimbra and its nginx configuration to see if this is doable with your skill set. Basically you are doing this.

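server {
   listen 443 ssl;
   server_name mywebsite.com;

   ...
   ...
   # proxy_pass is only valid inside a location block, not directly under server
   location / {
      # hand requests for this server_name to the web server on loopback
      proxy_pass             http://127.0.0.1;
      proxy_set_header       Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Forwarded-Proto $scheme;
   }
   ...
}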
  
It is important to get your inverse proxy working perfectly with your webserver outside of Zimbra. Our config files are about 125 lines for some Drupal sites, etc. You won't know what you need until you experiment with nginx. The problem is web sites have a lot of hard-coded URLs, etc., so you might be doing some rewriting with sub_filter to provide the illusion to get everything working with your website first.

I would never run Zimbra and a website on the same server myself given how inexpensive VPS are these days for websites ($5/month). Not to mention, do you really want to expose your company email should an exploit happen against your web server CMS? Things to think about. Yes, it can be done, but why wouldn't you want to segment those services in the event of a security problem? Not trying to lecture here but feel that I should at least warn you of why it might not be optimal given your time and effort. It will make you understand how Zimbra works at a deeper level, however, which will always come in handy in the future. Good luck.
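
Added example, not part of the original posts and not Zimbra's generated configuration: a stand-alone nginx test setup of the kind recommended above, routing two names on one IP and port 443 to separate loopback backends, with a catch-all for unknown names and a sub_filter rewrite for hard-coded URLs. The hostnames, backend ports and certificate paths are assumed placeholders.

```nginx
# Goes inside the http {} block of a test nginx instance.
# All names, ports and file paths below are placeholders for this example.

# Catch-all: a request whose name matches neither site is dropped, so
# neither backend is ever served under an unexpected hostname.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/tls/default.crt;
    ssl_certificate_key /etc/nginx/tls/default.key;
    return 444;   # nginx-specific: close the connection without a response
}

# Company website, moved to a loopback-only listener (assumed 127.0.0.1:8080).
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Overwrite, do not append: this proxy is the internet-facing hop, so
        # a client-supplied X-Forwarded-For value never reaches the backend.
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Rewrite absolute URLs the site hard-codes with its backend address.
        # Needs ngx_http_sub_module; it cannot edit compressed bodies, so
        # ask the backend for an uncompressed response.
        proxy_set_header Accept-Encoding "";
        sub_filter 'http://127.0.0.1:8080/' 'https://www.example.com/';
        sub_filter_once off;
    }
}

# Webmail name on the same IP and port, sent to a different backend
# (assumed here to listen with TLS on 127.0.0.1:8443).
server {
    listen 443 ssl;
    server_name mail.example.com;
    ssl_certificate     /etc/nginx/tls/mail.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/mail.example.com.key;

    location / {
        proxy_pass https://127.0.0.1:8443;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `nginx -t` after each change to validate the syntax before reloading. Because the backends only see connections from 127.0.0.1, any per-client logging or access control on them has to rely on the forwarded headers set here.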