Admin Console does not work under Orange-Clouded Cloudflare DNS

Post by yohoho » Wed Mar 13, 2019 4:46 am

I tried to hide my mail server's real IP address, one of them happens to be using the Orange-Clouded Cloudflare DNS.

The web client works. Sending, receiving mail, it works. However, when we tried to open the admin console (port 7071), it timed out. Accessing the admin console through the IP address works tho (Google Chrome says it's not secure, so we did not try to log in). It still times out when accessing through https://zimbra.example.com:7071/ZimbraAdmin


Post by JDunphy » Wed Mar 13, 2019 4:26 pm

yohoho wrote: I tried to hide my mail server's real IP address, one of them happens to be using the Orange-Clouded Cloudflare DNS.

The web client works. Sending, receiving mail, it works. However, when we tried to open the admin console (port 7071), it timed out. Accessing the admin console through the IP address works tho (Google Chrome says it's not secure, so we did not try to log in). It still times out when accessing through https://zimbra.example.com:7071/ZimbraAdmin

That is very interesting that you are proxying your zimbra server behind CF. A few ideas based on this: https://support.cloudflare.com/hc/en-us/articles/200169156-Which-ports-will-CloudFlare-work-with-

1) Use another name that isn't proxied (gray-clouded and not orange-clouded) so that you can get to port 7071 via this other name, i.e. https://zimbraAdmin.example.com:7071/ZimbraAdmin that is a CNAME to zimbra.example.com in your example.
2) Investigate changing port 7071 to something that CF can use as an origin server port
3) Investigate updating zimbra's nginx so that /ZimbraAdmin is off of port 443. (not recommended)

IMO, you want it on port 7071 so you can restrict access to your trusted ip space via the destination port + src address. If you haven't done so, you can also block access on your zimbra.example.com server for only the CF servers ip range to further mitigate direct attacks on your zimbra server. see: https://www.cloudflare.com/ips/. You can still see attacks via that CF range but now you have CF doing deep packet inspection that can do interesting things like put up a captcha for access or rate limit, etc, etc. You will need to make sure: X-Forwarded-For is working so you don't end up with spoofing attacks or other zimbra dosFilter oddities. https://serverfault.com/questions/314574/nginx-real-ip-header-and-x-forwarded-for-seems-wrong ... Checking your zimbra logs should be enough after observing a login cycle. The issue is you have CF nginx that proxies to zimbra nginx that proxies to zimbra (ip chaining).

BTW, you are the first I have heard of using CF in front of Zimbra. I am intrigued that this works given the WAF rules. Congratulations!

Hint:
https://wiki.zimbra.com/wiki/Ports - zimbraAdminBindAddress
https://forums.zimbra.org/viewtopic.php?t=59398
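
Added example, not part of the original thread and not Zimbra or Cloudflare code: with the chain described in the post above (CF nginx, then zimbra nginx, then zimbra), the origin has to decide which X-Forwarded-For entries to believe. This Python function walks the header right to left and trusts only hops inside known proxy ranges; `TRUSTED_PROXIES`, `is_trusted` and `resolve_client_ip` are hypothetical names, and the ranges are documentation networks standing in for the list at https://www.cloudflare.com/ips/.

```python
import ipaddress

# Constructed placeholder ranges (documentation networks), standing in for
# the published list at https://www.cloudflare.com/ips/ and the local proxy.
TRUSTED_PROXIES = [
    ipaddress.ip_network("198.51.100.0/24"),  # stand-in for a Cloudflare edge range
    ipaddress.ip_network("127.0.0.0/8"),      # local nginx proxy on the mail server
]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr parses as an IP and lies inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip.version == net.version and ip in net for net in trusted)


def resolve_client_ip(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to log or rate-limit for one request.

    peer_addr  -- source address of the TCP connection
    xff_header -- raw X-Forwarded-For value, or None
    """
    # A peer outside the trusted ranges reached the origin directly, so its
    # header is client-controlled and is ignored.
    if not is_trusted(peer_addr, trusted) or not xff_header:
        return peer_addr
    client = peer_addr
    # Walk right to left: each proxy appends the address it saw, so only
    # entries appended by trusted proxies can be believed.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop at the last verified address
        client = hop
        if not is_trusted(hop, trusted):
            break  # first untrusted address is the real client
    return client
```

Entries to the left of the first untrusted address are never used, which is why a client-supplied X-Forwarded-For value cannot change the result.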

Post by yohoho » Wed Mar 20, 2019 1:47 am

I do not understand the IT world. I read the wiki and follow it blindly. I believe I am not doing anything different; not to mention, I use grey-clouded Cloudflare atm because I need to access the Admin Console.

Sorry for the late reply, atm I am trying to install ownCloud 10.1 w/ Zimbra Drive (stuck because of compatibility, viewtopic.php?f=15&t=65843)

I will follow up here for the result tomorrow or after 25/3. Thank you JDunphy

Post by kasonny » Tue May 21, 2019 6:29 pm

In this case, I'd recommend a WAF.

PT AF helps to ensure compliance with PCI DSS and other international, national, industry, and corporate security standards.
As it is stated on https://www.ptsecurity.com/ww-en/products/af/
