[SOLVED] zimbra-proxy limitations

Klug (Ambassador, Posts: 2747, Joined: Mon Dec 16, 2013 11:35 am, Location: France - Drôme, ZCS/ZD Version: All of them)

Post by Klug »

I've just tried to set up a zimbra-proxy (single mailbox server).
The idea is to get zimbra-proxy in a DMZ for external access and the mailbox server on the LAN for internal access.
LAN internal access is currently done through https and I don't want to change this (https and port 443).
zimbra-proxy seems to be coded to talk to port 8080 by default (hope it's not hardcoded); how can we change this?

The config file is /opt/zimbra/conf/nginx/includes/nginx.conf.web.https but it gets rewritten on zimbra-proxy start 8)

What is the zmprov attribute for it?
In this config file, it's also stated zimbra-proxy only speaks http to the upstream mailbox servers... Why?!

Post by Klug »

Answering myself 8)
It seems all this is related to zmproxyinit and the way it's launched.
The doc says: On each proxy node that has the proxy service installed, enable the proxy for the web. Type
/opt/zimbra/libexec/zmproxyinit -e -w proxy.node.service.hostname
I don't understand if "proxy.node.service.hostname" is the mailbox server you want to proxify or the proxy server you want to enable.
It populates the LDAP in such a way that when you launch zimbra-proxy, /opt/zimbra/conf/nginx/includes/nginx.conf.web gets populated with the list of the back-end mailbox servers...
Additional info here: Bug 28083 – Improvements to zmproxyinit
Next step is to find a way to remove the proxy server from the upstream servers ("zmproxyinit -d -w proxy.domain.tld" does not work) and populate this list with the ports I want (and not 8080).

Post by Klug »

Got worse.
proxy.domain.tld:80 is now in "upstream zimbra"...

No clue where the ":80" comes from, it changed from ":8080" to ":80" after I tried "/opt/zimbra/libexec/zmproxyinit -d -w proxy.domain.tld"...
And trying to force the ports with "/opt/zimbra/libexec/zmproxyinit -e -w mailbox.domain.tld -a 80:80:443:443" does not work.

I still have "mailbox.domain.tld:8080" in "upstream zimbra".

Post by Klug »

That's it, I'm mad.
I ran "/opt/zimbra/libexec/zmproxyinit -e -w mailbox.domain.tld" (from the proxy server) because I want mailbox.domain.tld to be in the "zimbra upstream" list. But, as I did this, zimbra-proxy now tries to run on mailbox.domain.tld while I don't want it to run there!
If I run "/opt/zimbra/libexec/zmproxyinit -d -w proxy.domain.tld", the web proxy no longer runs on the proxy server and the proxy appears in the "upstream zimbra" (on port 80).
If I run "/opt/zimbra/libexec/zmproxyinit -e -w proxy.domain.tld", the web proxy runs on the proxy server but the proxy appears in the "upstream zimbra" (on port 8080) and it gives me a "502 Bad Gateway" (because nginx tries to connect to proxy.domain.tld:8080 while nothing is listening there).
Is there any _correct_ documentation about setting up zimbra-proxy (and the _correct_ zmprov and zmproxyinit commands to run)?
quanah (Zimbra Alumni, Posts: 1668, Joined: Fri Sep 12, 2014 10:33 pm)

Post by quanah »

zmproxyinit needs to be run on each server you want to do the changes for, it queries the package DB to determine which operations to perform.
i.e., if your proxy instance and your store instance are on separate servers, you'll need to run it on each of them.
The requirement to run it on each of them separately will be resolved in 5.0.9, but you'll have to use an override flag to do it, and will still need to run it once for each host.
This is because different things get set depending on which service is being dealt with (store or proxy).
--Quanah
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/

Post by Klug »

Thanks Quanah.
So I'm supposed to run "/opt/zimbra/libexec/zmproxyinit -e -w mailbox.domain.tld" on the mailbox server, then run "/opt/zimbra/libexec/zmproxyinit -e -w proxy.domain.tld" on the proxy server (we just want to proxify https)?
Will this correct the fact I ran it on the proxy server at first (because the documentation is wrong)?
If not, how can I fix it?
(We're trying to validate an infrastructure upgrade and I'd rather not wait for 5.0.9)

Post by quanah »

[quote user="8141Klug"]Thanks Quanah.
So I'm supposed to run "/opt/zimbra/libexec/zmproxyinit -e -w mailbox.domain.tld" on the mailbox server then run "/opt/zimbra/libexec/zmproxyinit -e -w proxy.domain.tld" on the proxy server (we just want to proxify https) ?
Will this correct the fact I ran it on the proxy server at first (because the documentation is wrong) ?

[/QUOTE]
It's not order dependent, but you do need to run the exact same command on each. I.e., if you changed the default port settings (which you did in an invalid way in one of your posts, where you set 80:80...) they need to be set similarly on each system. Generally, unless you want to use very unusual ports, you don't specify those at all so you can just use the defaults.
Generally, I'd advise setting up the http proxy via the installation menu rather than running zmproxyinit by hand. If you check zmsetup.pl, you'll see that it too runs zmproxyinit to configure the mail & web proxies. You only need to be touching zmproxyinit if you're enabling proxy after the fact.
--Quanah
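The two failure modes discussed in this thread both show up in the generated "upstream zimbra" block: the proxy node listed as its own backend (nginx then connects to a port nothing listens on and answers 502), and a backend on a port other than the mailbox HTTP port. The checker below is an added example, not code from the thread or from Zimbra; the file contents, host names and the 8080 default it expects are constructed assumptions.

```python
import re

# Constructed sample of a generated nginx.conf.web include, modelled on the
# symptom described in the thread (not the poster's real file).
SAMPLE_CONF = """
upstream zimbra {
    server mailbox.domain.tld:8080;
    server proxy.domain.tld:8080;
}
"""

UPSTREAM_RE = re.compile(r'upstream\s+(\S+)\s*\{(.*?)\}', re.S)
SERVER_RE = re.compile(r'^\s*server\s+([^\s;:]+):(\d+)', re.M)


def parse_upstreams(conf_text):
    """Return {upstream_name: [(host, port), ...]} from an nginx include."""
    result = {}
    for name, body in UPSTREAM_RE.findall(conf_text):
        result[name] = [(h, int(p)) for h, p in SERVER_RE.findall(body)]
    return result


def check_upstream(conf_text, proxy_hosts, expected_ports=(8080,), name="zimbra"):
    """Flag entries an admin would not expect in the named upstream block.

    proxy_hosts: hostnames that run zimbra-proxy (hypothetical input); a proxy
    must never be its own backend. expected_ports: the mailbox HTTP port(s)
    the proxy is supposed to talk to (assumed 8080 by default, as in the thread).
    Returns a list of (host, port, reason); an empty list means the block is clean.
    """
    findings = []
    for host, port in parse_upstreams(conf_text).get(name, []):
        if host in proxy_hosts:
            findings.append((host, port, "proxy node listed as its own backend"))
        elif port not in expected_ports:
            findings.append((host, port, "unexpected backend port %d" % port))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; a real check would read the
    # generated include from /opt/zimbra/conf/nginx/includes/nginx.conf.web.
    for host, port, why in check_upstream(SAMPLE_CONF, {"proxy.domain.tld"}):
        print("%s:%d: %s" % (host, port, why))
```

Run it on each proxy node after restarting nginx, since that is when the include is regenerated from LDAP.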

Post by Klug »

Hmmm, it seemed to work, half of it 8)
I can now connect to https://proxy.domain.tld and login to the infrastructure.

After logon I'm getting the skin layout but it's empty (no text at all, no emails list, no folders, no minical, etc)...
Edit, a bit later:

Connecting to http://mailbox.domain.tld:8080 (or using its IP address as nginx does) gives the same result.
Additionally, /opt/zimbra/conf/nginx/includes/nginx.conf.web still contains proxy.domain.tld:8080 in the "upstream zimbra".

Post by quanah »

[quote user="8141Klug"]Hmmm, it seemed to work, half of it 8)
I can now connect to https://proxy.domain.tld and login to the infrastructure.

After logon I'm getting the skin layout but it's empty (no text at all, no emails list, no folders, no minical, etc)...
Additionally, /opt/zimbra/conf/nginx/includes/nginx.conf.web still contains proxy.domain.tld:8080 in the "upstream zimbra".[/QUOTE]
Did you restart both proxy and store after running? Restarting nginx should make it regenerate its config files.

Post by Klug »

[quote user="quanah"]It's not order dependent, but you do need to run the exact same command on each. I.e., if you changed the default port settings (which you did in an invalid way in one of your posts, where you set 80:80...) they need to be set similarly on each system. Generally, unless you want to use very unusual ports, you don't specify those at all so you can just use the defaults.[/quote]

I'd like to use very usual ports 8)

I'd like to keep http on port 80 and https on port 443 on the mailbox server and use the same ports on the proxy one...
[quote user="quanah"]Generally, I'd advise setting up the http proxy via the installation menu rather than running zmproxyinit by hand. If you check zmsetup.pl, you'll see that it too runs zmproxyinit to configure the mail & web proxies. You only need to be touching zmproxyinit if you're enabling proxy after the fact.[/QUOTE]

I missed that.

Do you think I should "destroy" my current proxy server and set it up again from scratch?