[SOLVED] zimbraHttpThrottleSafeIPs and proxy

axslingr
Outstanding Member
Posts: 256
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18

[SOLVED] zimbraHttpThrottleSafeIPs and proxy

Post by axslingr »

Hey guys, I'm having an issue where my users are getting the 'network service error' periodically due to authentication failures against the web client. The problem is that the ip address of the proxy server in front of the mailbox server is the ip that's getting suspended:

Code:

2018-01-03 16:26:23,835 INFO  [qtp1595953398-1805:http://localhost:8080/service/soap/AuthRequest] [] misc - Access from IP 192.168.100.11 suspended, for repeated failed login.

192.168.100.11 is the proxy ip. Should I add this ip to the safe list or no? If no, what is the best way to get around this? I keep having to restart the mailbox service as a workaround.

Thanks!
Lance

Release 8.8.5.GA.1894.UBUNTU14.64 UBUNTU14_64 FOSS edition.
axslingr
Outstanding Member
Posts: 256
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18

Re: zimbraHttpThrottleSafeIPs and proxy

Post by axslingr »

I think I may have stumbled onto the answer:

https://wiki.zimbra.com/wiki/Log_Files# ... inating_IP

I've added my proxy IP to zimbraMailTrustedIP and restarted the mailbox service. zimbra_http_originating_ip_header = X-Forwarded-For was already set.

Will post back results.

Lance
axslingr
Outstanding Member
Posts: 256
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18

Re: zimbraHttpThrottleSafeIPs and proxy

Post by axslingr »

Well, as luck would have it, I haven't had any other break-in attempts yet. Still waiting...

Lance
axslingr
Outstanding Member
Posts: 256
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18

Re: zimbraHttpThrottleSafeIPs and proxy

Post by axslingr »

Finally got some break-in attempts and following the wiki link above worked.

Lance
L. Mark Stone
Ambassador
Posts: 2799
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: zimbraHttpThrottleSafeIPs and proxy

Post by L. Mark Stone »

axslingr wrote:
Finally got some break-in attempts and following the wiki link above worked.

Lance

Good to hear! For others who may come across this thread, 8.7 and above allows CIDR addressing for safe IP addresses, as documented here:
https://wiki.zimbra.com/wiki/DoSFilter

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
weblike
Posts: 30
Joined: Sat Sep 13, 2014 3:08 am

Re: [SOLVED] zimbraHttpThrottleSafeIPs and proxy

Post by weblike »

I have added our internal subnet, 10.7.1.0/24, to SafeIPs, but this morning I saw in the log that one of the internal IPs was blocked:

[qtp1231156911-17143://localhost:8080/service/soap/AuthRequest] [] misc - Access from IP 10.7.1.162 suspended, for repeated failed login.


Does this feature support subnets?
Thank you
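
For anyone triaging these messages, here is an added example (not written by any poster in this thread and not Zimbra code) that sorts the "suspended" lines from mailbox.log by whether the suspended address is the proxy, sits inside the safe list, or is an individual client. The function names and verdict labels are made up for illustration; the log sample is constructed from the two messages quoted in this thread, with two timestamps and one address invented.

```python
import ipaddress
import re

# Constructed sample: the two suspension messages quoted in this thread plus a
# made-up external client (203.0.113.50); the last two timestamps are invented.
SAMPLE_LOG = """\
2018-01-03 16:26:23,835 INFO  [qtp1595953398-1805:http://localhost:8080/service/soap/AuthRequest] [] misc - Access from IP 192.168.100.11 suspended, for repeated failed login.
2019-11-13 08:02:11,004 INFO  [qtp1231156911-17143://localhost:8080/service/soap/AuthRequest] [] misc - Access from IP 10.7.1.162 suspended, for repeated failed login.
2019-11-13 08:05:40,310 INFO  [qtp1231156911-17150://localhost:8080/service/soap/AuthRequest] [] misc - Access from IP 203.0.113.50 suspended, for repeated failed login.
"""

SUSPENDED = re.compile(r"Access from IP (\S+) suspended, for repeated failed login")


def _networks(entries):
    # Accept single addresses and CIDR blocks alike ("192.168.100.11", "10.7.1.0/24").
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def classify_suspensions(log_text, trusted_proxies, safe_ips):
    """Return (ip, verdict) for every suspension message in log_text."""
    proxies, safe = _networks(trusted_proxies), _networks(safe_ips)
    results = []
    for line in log_text.splitlines():
        match = SUSPENDED.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            results.append((match.group(1), "unparseable"))
            continue
        if any(ip in net for net in proxies):
            verdict = "proxy-suspended"      # failures are counted against the proxy
        elif any(ip in net for net in safe):
            verdict = "safe-ip-suspended"    # safe list is not protecting this address
        else:
            verdict = "client-suspended"     # an individual client address was suspended
        results.append((str(ip), verdict))
    return results


if __name__ == "__main__":
    for ip, verdict in classify_suspensions(
            SAMPLE_LOG, ["192.168.100.11"], ["10.7.1.0/24"]):
        print(f"{ip:16} {verdict}")
```

A "proxy-suspended" result is the situation from the first post, and "safe-ip-suspended" is the one described in the post just above.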
weblike
Posts: 30
Joined: Sat Sep 13, 2014 3:08 am

Re: [SOLVED] zimbraHttpThrottleSafeIPs and proxy

Post by weblike »

Hello,

It's very strange, because when I search /opt/zimbra/log/mailbox.log with " cat mailbox.log | grep -i "DoSFilter: Configured whitelist IPs" "
I get different IPs than when I run this command: zmprov gcf zimbraHttpThrottleSafeIPs

Could anyone help with this, please?
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: [SOLVED] zimbraHttpThrottleSafeIPs and proxy

Post by phoenix »

Why don't you post the zmprov output for all the attributes mentioned in the wiki article and some of the log file entries that show an 'incorrect IP' that you've mentioned in your post?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
weblike
Posts: 30
Joined: Sat Sep 13, 2014 3:08 am

Re: [SOLVED] zimbraHttpThrottleSafeIPs and proxy

Post by weblike »

This is the output:

Code:

[root@mail log]# cat mailbox.log | grep -i "DoSFilter: Configured whitelist IPs"
2019-11-13 12:46:50,257 INFO  [main] [] misc - DoSFilter: Configured whitelist IPs = 244.222.5.15,192.168.2.1,10.4.1.150,127.0.0.1,::1,0:0:0:0:0:0:0:1
2019-11-13 12:46:50,291 INFO  [main] [] misc - DoSFilter: Configured whitelist IPs = 244.222.5.15,192.168.2.1,10.4.1.150,127.0.0.1,::1,0:0:0:0:0:0:0:1
2019-11-13 12:47:05,625 INFO  [main] [] misc - DoSFilter: Configured whitelist IPs = 244.222.5.15,192.168.2.1,10.4.1.150,127.0.0.1,::1,0:0:0:0:0:0:0:1
2019-11-13 12:47:09,358 INFO  [main] [] misc - DoSFilter: Configured whitelist IPs = 244.222.5.15,192.168.2.1,10.4.1.150,127.0.0.1,::1,0:0:0:0:0:0:0:1
[root@mail log]# su zimbra
[zimbra@mail log]$ zmprov gcf zimbraHttpThrottleSafeIPs
zimbraHttpThrottleSafeIPs: 10.4.1.0/24
zimbraHttpThrottleSafeIPs: 244.222.5.5
zimbraHttpThrottleSafeIPs: 244.222.5.6
zimbraHttpThrottleSafeIPs: 192.168.2.1
zimbraHttpThrottleSafeIPs: 244.222.31.94
zimbraHttpThrottleSafeIPs: 10.5.1.0/24
[zimbra@mail log]$

I have declared the IPs shown by the zmprov command, but I cannot recognize those in the output of "cat mailbox.log | grep -i "DoSFilter: Configured whitelist IPs""

Where is the error? In my brain? :)
L. Mark Stone
Ambassador
Posts: 2799
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: [SOLVED] zimbraHttpThrottleSafeIPs and proxy

Post by L. Mark Stone »

Please post the output from the following command:

Code:

zmprov gs `zmhostname` zimbraHttpThrottleSafeIPs

It's possible zimbraHttpThrottleSafeIPs has been set explicitly at the server level; doing so overrides what is set at the global level (breaking inheritance).

Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
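
The comparison discussed in the last few posts, as an added example (not written by any poster in this thread and not Zimbra code): it diffs the whitelist the DoSFilter logged against the zmprov values, using the server-level values when any are set, since those override the global ones as described above. The function names are made up for illustration, and both samples are copied from the output posted earlier in the thread.

```python
import ipaddress
import re

# Both samples are copied from the output posted earlier in this thread.
MAILBOX_LOG = """\
2019-11-13 12:47:05,625 INFO  [main] [] misc - DoSFilter: Configured whitelist IPs = 244.222.5.15,192.168.2.1,10.4.1.150,127.0.0.1,::1,0:0:0:0:0:0:0:1
2019-11-13 12:47:09,358 INFO  [main] [] misc - DoSFilter: Configured whitelist IPs = 244.222.5.15,192.168.2.1,10.4.1.150,127.0.0.1,::1,0:0:0:0:0:0:0:1
"""
GLOBAL_OUTPUT = """\
zimbraHttpThrottleSafeIPs: 10.4.1.0/24
zimbraHttpThrottleSafeIPs: 244.222.5.5
zimbraHttpThrottleSafeIPs: 244.222.5.6
zimbraHttpThrottleSafeIPs: 192.168.2.1
zimbraHttpThrottleSafeIPs: 244.222.31.94
zimbraHttpThrottleSafeIPs: 10.5.1.0/24
"""


def loaded_whitelist(log_text):
    """Networks from the most recent 'Configured whitelist IPs' log line."""
    hits = re.findall(r"DoSFilter: Configured whitelist IPs = (\S+)", log_text)
    entries = hits[-1].split(",") if hits else []
    # ::1 and 0:0:0:0:0:0:0:1 normalise to the same network and collapse here.
    return {ipaddress.ip_network(e, strict=False) for e in entries if e}


def zmprov_values(zmprov_text, attr="zimbraHttpThrottleSafeIPs"):
    """Networks from the 'attr: value' lines of zmprov gcf / zmprov gs output."""
    nets = set()
    for line in zmprov_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == attr and value.strip():
            nets.add(ipaddress.ip_network(value.strip(), strict=False))
    return nets


def compare(log_text, global_text, server_text=""):
    """Diff the logged whitelist against the configuration level that applies."""
    server = zmprov_values(server_text)
    expected = server or zmprov_values(global_text)  # server level overrides global
    loaded = loaded_whitelist(log_text)
    extra = {n for n in loaded - expected if not n.is_loopback}
    return {
        "level": "server" if server else "global",
        "configured_not_loaded": sorted(map(str, expected - loaded)),
        "loaded_not_configured": sorted(map(str, extra)),
    }


if __name__ == "__main__":
    print(compare(MAILBOX_LOG, GLOBAL_OUTPUT))
```

Entries under "loaded_not_configured" when comparing against the global output are a hint that the values are coming from another level, which is what the zmprov gs command above checks.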