nginx closes connection when the Host value is unknown (no zimbraVirtual* set)

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
User avatar
scantec
Advanced member
Advanced member
Posts: 75
Joined: Mon May 05, 2014 11:55 am

Re: Zimbra Collaboration 8.8 is Now Available

Post by scantec »

Not here. https is broken after upgrade on ubuntu 14.04 from a working 8.7.11, always getting "ERR_EMPTY_RESPONSE" on chrome i.e.

on logs: nginx.log: *26 client closed connection while waiting for request, client: x.x.x.x, server: 0.0.0.0:443
thedead106 wrote:Upgrade from 8.7 to 8.8 on Ubuntu smooth as silk. Good job guys. Now about my GAL issues.
User avatar
jorgedlcruz
Zimbra Alumni
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: Zimbra Collaboration 8.8 is Now Available

Post by jorgedlcruz »

scantec wrote:Not here. https is broken after upgrade on ubuntu 14.04 from a working 8.7.11, always getting "ERR_EMPTY_RESPONSE" on chrome i.e.

on logs: nginx.log: *26 client closed connection while waiting for request, client: x.x.x.x, server: 0.0.0.0:443
thedead106 wrote:Upgrade from 8.7 to 8.8 on Ubuntu smooth as silk. Good job guys. Now about my GAL issues.
Hello, starting ZCS 8.8 you will need to use a valid FQDN which your Zimbra server recognize, like if you have a Zimbra domain zimbra.io, you will be able to log in using mail.zimbra.io, etc, not by the IP.

If you want to use the IP just for a quick check please use the port https://IP:8443, which is jetty, not proxy, that will allow logging in using only the IP.

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
phoenix
Ambassador
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Zimbra Collaboration 8.8 is Now Available

Post by phoenix »

jorgedlcruz wrote:Hello, starting ZCS 8.8 you will need to use a valid FQDN which your Zimbra server recognize, like if you have a Zimbra domain zimbra.io, you will be able to log in using mail.zimbra.io, etc, not by the IP.
Was this mentioned in the Release Notes?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
User avatar
scantec
Advanced member
Advanced member
Posts: 75
Joined: Mon May 05, 2014 11:55 am

Re: Zimbra Collaboration 8.8 is Now Available

Post by scantec »

using FQDN works,

I don't have access to port 8443 port is closed on every systems I checked (only port 8080 works)
jorgedlcruz wrote:
scantec wrote:Not here. https is broken after upgrade on ubuntu 14.04 from a working 8.7.11, always getting "ERR_EMPTY_RESPONSE" on chrome i.e.

on logs: nginx.log: *26 client closed connection while waiting for request, client: x.x.x.x, server: 0.0.0.0:443
thedead106 wrote:Upgrade from 8.7 to 8.8 on Ubuntu smooth as silk. Good job guys. Now about my GAL issues.
Hello, starting ZCS 8.8 you will need to use a valid FQDN which your Zimbra server recognize, like if you have a Zimbra domain zimbra.io, you will be able to log in using mail.zimbra.io, etc, not by the IP.

If you want to use the IP just for a quick check please use the port https://IP:8443, which is jetty, not proxy, that will allow logging in using only the IP.

Best regards
User avatar
jorgedlcruz
Zimbra Alumni
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: Zimbra Collaboration 8.8 is Now Available

Post by jorgedlcruz »

DuddiZetor wrote:Upgrade from 8.7.5 on ubuntu 16 went smoothly :-)
However, I now get the following error when logging into the web client: ???account.INVALID_ATTR_NAME???
Any ideas?
Hello Duddy,
Are you trying the DNS FQDN? Or just the IP? Any relevant information on the mailbox.log?

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
User avatar
L. Mark Stone
Ambassador
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition
Contact:

Re: Zimbra Collaboration 8.8 is Now Available

Post by L. Mark Stone »

jorgedlcruz wrote:
scantec wrote:Not here. https is broken after upgrade on ubuntu 14.04 from a working 8.7.11, always getting "ERR_EMPTY_RESPONSE" on chrome i.e.

on logs: nginx.log: *26 client closed connection while waiting for request, client: x.x.x.x, server: 0.0.0.0:443
thedead106 wrote:Upgrade from 8.7 to 8.8 on Ubuntu smooth as silk. Good job guys. Now about my GAL issues.
Hello, starting ZCS 8.8 you will need to use a valid FQDN which your Zimbra server recognize, like if you have a Zimbra domain zimbra.io, you will be able to log in using mail.zimbra.io, etc, not by the IP.

If you want to use the IP just for a quick check please use the port https://IP:8443, which is jetty, not proxy, that will allow logging in using only the IP.

Best regards
You can get around this restriction, but it's a bit of a process. Here's how we did it...

We wanted to build a new Zimbra multi-tenant hosting farm on the reliablenetworks.com domain, so customers could login via https://proxy.reliablenetworks.com (not the real fqdn BTW...)

But, we didn't want to host email for the reliablenetworks.com domain on this hosting farm.

So what we did was build the new hosting farm's servers with reliablenetworks.com as the default domain, install our wildcard commercial SSL certificate and do much of the other initial deployment work.

Post install, what we did was as follows:

Code: Select all

zmprov rd reliablenetworks.com rnome.net
zmprov cd reliablenetworks.com
zmprov md reliablenetworks.com zimbraMailCatchAllAddress @reliablenetworks.com
zmprov md reliablenetworks.com zimbraMailCatchAllForwardingAddress @reliablenetworks.com
zmprov md reliablenetworks.com zimbraMailTransport smtp:cabernet.reliablenetworks.com
zmprov mcf zimbraVersionCheckNotificationEmailFrom zimbraadmin@rnome.net
zmprov mcf zimbraVersionCheckNotificationEmail zimbraadmin@rnome.net
zmprov mcf zimbraBackupReportEmailRecipients zimbraadmin@rnome.net
zmprov mcf zimbraBackupReportEmailSender zimbraadmin@rnome.net

*** On all servers we then ran: ***
zmlocalconfig -e av_notify_domain='rnome.net'
zmlocalconfig -e av_notify_user='zimbraadmin@rnome.net'
zmlocalconfig -e smtp_destination='zimbraadmin@rnome.net'
zmlocalconfig -e smtp_source='zimbraadmin@rnome.net'
zmprov ms `zmhostname` zimbraBackupReportEmailRecipients zimbraadmin@rnome.net
zmprov ms `zmhostname` zimbraBackupReportEmailSender zimbraadmin@rnome.net

*** And finally: ***
zmprov fc all
We noted that the Admin Console would not even load after we renamed the domain FWIW. We needed to create the reliablenetworks.com domain before things would work again.

*** UPDATE 1 *** I may have spoken too soon... The Admin Console works OK but not the regular web interface; still getting "client closed connection while waiting for request" errors. More work to do; will update this post when I have more info.

*** UPDATE 2 *** This looks promising: https://bugzilla.zimbra.com/show_bug.cgi?id=108299#c7 Will try this tomorrow and update this post at that time.

*** UPDATE 3 :: ALL FIXED! *** Per Malte's suggestions in bugzilla 108299 (not in 8.8.5 BTW), we ran the following commands and then we were able to log in to both the end-user console and the Admin Console via the proxy, using an rnome.net account.

Code: Select all

zimbra@securemail:~$ zmprov md rnome.net zimbraVirtualHostname securemail.reliablenetworks.com
zimbra@securemail:~$ zmprov md rnome.net +zimbraVirtualHostname zmail.reliablenetworks.com
zimbra@securemail:~$ zmprov gd rnome.net | grep -i virtual
zimbraVirtualHostname: securemail.reliablenetworks.com
zimbraVirtualHostname: zmail.reliablenetworks.com
zimbra@securemail:~$ libexec/zmproxyconfgen 
<snipped most output from zmproxyconfgen>
[] INFO: Proxy configuration files are generated successfully
zimbra@securemail:~$ zmproxyctl restart
Stopping proxy...done.
Starting proxy...done.
zimbra@securemail:~$  
Hope that helps others,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
User avatar
msquadrat
Advanced member
Advanced member
Posts: 183
Joined: Mon Oct 14, 2013 10:09 am

Re: Zimbra Collaboration 8.8 is Now Available

Post by msquadrat »

jorgedlcruz wrote:
scantec wrote:Not here. https is broken after upgrade on ubuntu 14.04 from a working 8.7.11, always getting "ERR_EMPTY_RESPONSE" on chrome i.e.

on logs: nginx.log: *26 client closed connection while waiting for request, client: x.x.x.x, server: 0.0.0.0:443
thedead106 wrote:Upgrade from 8.7 to 8.8 on Ubuntu smooth as silk. Good job guys. Now about my GAL issues.
Hello, starting ZCS 8.8 you will need to use a valid FQDN which your Zimbra server recognize, like if you have a Zimbra domain zimbra.io, you will be able to log in using mail.zimbra.io, etc, not by the IP.
Umm... wasn't this supposed to be fixed in 8.8 and the "security feature" only enabled on request? I mean we saw the fallout of this change in September (I think it was one of the most discussed beta issues) and the change was merged last month or so and it still wasn't included in the GA? Seriously?
10424bofh
Outstanding Member
Outstanding Member
Posts: 285
Joined: Sat Sep 13, 2014 1:15 am

Re: Zimbra Collaboration 8.8 is Now Available

Post by 10424bofh »

msquadrat wrote:
jorgedlcruz wrote:
scantec wrote:Not here. https is broken after upgrade on ubuntu 14.04 from a working 8.7.11, always getting "ERR_EMPTY_RESPONSE" on chrome i.e.

on logs: nginx.log: *26 client closed connection while waiting for request, client: x.x.x.x, server: 0.0.0.0:443
Hello, starting ZCS 8.8 you will need to use a valid FQDN which your Zimbra server recognize, like if you have a Zimbra domain zimbra.io, you will be able to log in using mail.zimbra.io, etc, not by the IP.
Umm... wasn't this supposed to be fixed in 8.8 and the "security feature" only enabled on request? I mean we saw the fallout of this change in September (I think it was one of the most discussed beta issues) and the change was merged last month or so and it still wasn't included in the GA? Seriously?
Uhm guys i know it soudns stupid and maybe it doesnt mean anything but i though its wierd that all files (at least in the ubuntu package) have the date of oct 26
i wonder why this is and if maybe, jsut maybe we have here an older build as an release
User avatar
msquadrat
Advanced member
Advanced member
Posts: 183
Joined: Mon Oct 14, 2013 10:09 am

Re: Zimbra Collaboration 8.8 is Now Available

Post by msquadrat »

10424bofh wrote:
msquadrat wrote:
jorgedlcruz wrote:
Hello, starting ZCS 8.8 you will need to use a valid FQDN which your Zimbra server recognize, like if you have a Zimbra domain zimbra.io, you will be able to log in using mail.zimbra.io, etc, not by the IP.
Umm... wasn't this supposed to be fixed in 8.8 and the "security feature" only enabled on request? I mean we saw the fallout of this change in September (I think it was one of the most discussed beta issues) and the change was merged last month or so and it still wasn't included in the GA? Seriously?
Uhm guys i know it soudns stupid and maybe it doesnt mean anything but i though its wierd that all files (at least in the ubuntu package) have the date of oct 26
i wonder why this is and if maybe, jsut maybe we have here an older build as an release
You're right, I didn't look at the build date before but this release was obviously built in October: zcs-NETWORK-8.8.5_GA_1894.UBUNTU16_64.20171026035615. I'm sure this must have been a mistake.
User avatar
jorgedlcruz
Zimbra Alumni
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

nginx closes connection when the Host value is unknown (no zimbraVirtual* set)

Post by jorgedlcruz »

Hello guys,
In ZCS 8.8 we make some changes on the way nginx behaves, we included this and be controlled with the command - zimbraReverseProxyStrictServerName, available starting ZCS 8.8.6 and above.

More information about the topic can be found here: As the GA Release we have is ZCS 8.8.5, we will need to wait a few weeks until 8.8.6 goes out.

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
Post Reply