400 Bad Request - nginx
Posted: Sun Feb 24, 2019 7:02 am
Hi everybody,
I am from Vietnam and my English is very bad, so I translated this topic with Google; there may be spelling errors. I am sorry, please excuse me.
Recently, I deployed a Zimbra single-server installation, and when I deployed it I did not install Zimbra Proxy. But after using it for 1 week, I wanted to additionally deploy NextCloud to Drive in Zimbra, and then read in the documentation that it requires Zimbra Proxy.
So I installed Zimbra Proxy on the current server. When the deployment was complete, every test worked well; only the Zimbra web proxy service has a "400 Bad Request" error. The non-proxy web service is still working normally.
Can anyone tell me how to fix this problem?
But when using the FQDN hostname of the server, access is normal.
Everyone, please help. Thanks.
[zimbra@mailsrv-zbr ~]$ zmproxyconf
# NGINX POP/IMAP proxy configuration file for use with Zimbra
#
working_directory /opt/zimbra;
# change UID/GID to zimbra/zimbra upon startup
#
user zimbra zimbra;
# number of worker processes to start
# multiply this by worker_connections to get the maximum number of connections
# that can be simultaneously handled by nginx (the product should not exceed
# 65536, since that is the 16-bit limit of the TCP port range)
#
worker_processes 4;
pid /opt/zimbra/log/nginx.pid;
error_log /opt/zimbra/log/nginx.log info;
events {
# number of simultaneous connections that each worker process can
# handle simultaneously
# note that this number should not exceed the hard limit of the
# RLIMIT_NOFILE resource limit that is set for the zimbra user, because
# RLIMIT_NOFILE defines the maximum number of open file descriptors that
# a process running as a user can have - by default, limits.conf on a
# zimbra system will ensure that the zimbra user has more than 10k file
# descriptors allowed for a zimbra process
# (note) also see worker_rlimit_nofile at
# http://wiki.codemongers.com/NginxMainModule#worker_rlimit_nofile
#
worker_connections 10240;
accept_mutex on;
}
# environment variables for worker processes
#
# Kerberos 5 keytab location
env KRB5_KTNAME=/opt/zimbra/conf/krb5.keytab;
memcache
{
# memcached server configuration
# configure one or more memcached servers that will cache the route
# information for pop/imap users
#
servers 192.168.3.25:11211;
# The time that NGINX will wait for a cached result from a memcached
# server, after which the request will be considered timed out,
# and NGINX will fall back to an http routing lookup handler
#
timeout 3000ms;
# The amount of time that NGINX will wait before attempting to reconnect
# to a memcache server that unexpectedly terminated (or shut down) its
# connection with NGINX
#
reconnect 60000ms;
# The time to live (TTL) for an entry added to the memcached server
# This value represents the amount of time that the route information
# that is cached into the memcached servers will be available, before
# the memcached daemon expires it
# Memcached expects the TTL for an entry to be specified in seconds,
# therefore any value specified in milliseconds here will be rounded
# up to the next integer value in seconds. If not specified, the TTL
# defaults to 0, which indicates an infinite time to live for the
# routing information
#
ttl 3600000ms;
}
zm_lookup {
zm_lookup_handlers https://192.168.3.25:7072/service/extension/nginx-lookup;
# The timeout to lookup in the lookup handler. This timeout
# does not include the time out accessing memcache, which is
# controlled by "timeout" in nginx.conf.memecache.
#
zm_lookup_timeout 15000ms;
# The interval that nginx will try to reconnect to a failed lookup handler.
#
zm_lookup_handler_retry_interval 60000ms;
# Whether to turn on lookup result caching. This should always be
# turned on in the production environment.
#
zm_lookup_caching on;
# master authenticating user for cases where nginx must authenticate
# on behalf of the end user -- this is required in those sasl auth
# mechanisms where the user's plain-text password is not available,
# in these cases, after nginx has deemed that the user has authenticated
# himself/herself correctly, then nginx will use the master auth user
# name and master auth password, along with the end user's user name,
# in order to log in to the upstream server
# such authentication will be done as per the PLAIN sasl mechanism as
# defined in RFC 4616
# (presently, this feature is used in GSSAPI & cert auth)
#
zm_lookup_master_auth_username "zmnginx";
zm_lookup_master_auth_password "sdjksxys";
# Whether or not to cache unqualified login names in the "account-->route cache"
# When this option is set "off", and the login name to be cached is unqualified,
# the client IP will be appended to the login name in the format:
# <login name>@<client ip>
#
zm_lookup_allow_unqualified off;
# URL prefix for the upstream server
zm_prefix_url /;
}
mail
{
# mail proxy connection timeout
proxy_ctimeout 120000ms;
# pass error messages from the backend server to the client
# if true, the error messages are passed to the client verbatim, else
# nginx logs the original error message in its log file and sends back
# a generic error message to the client
#
proxy_pass_error_message on;
# HTTP lookup handlers that will return the route information for a
# pop3/imap login
#
zm_auth_http;
# Whether to use ssl to connect to the upstream mail servers
#
proxy_ssl on;
# IMAP/POP3 greeting messages
#
imap_greeting "";
pop3_greeting "";
pop3_capabilities "EXPIRE 31 USER" "TOP" "UIDL" "USER" "XOIP";
imap_capabilities "ACL" "BINARY" "CATENATE" "CHILDREN" "CONDSTORE" "ENABLE" "ESEARCH" "ESORT" "I18NLEVEL=1" "ID" "IDLE" "IMAP4rev1" "LIST-EXTENDED" "LIST-STATUS" "LITERAL+" "MULTIAPPEND" "NAMESPACE" "QRESYNC" "QUOTA" "RIGHTS=ektx" "SASL-IR" "SEARCHRES" "SORT" "THREAD=ORDEREDSUBJECT" "UIDPLUS" "UNSELECT" "WITHIN" "XLIST";
# IMAP4 ID Extension support (RFC 2971)
# Use the imap_id directive to specify the string that should be sent
# back by the proxy server back to the client upon receipt of an
# IMAP ID command as described by RFC 2971
# There MUST be an even number of strings specified against
# this directive, because RFC 2971 defines the server response to be
# a list of field-value pairs (refer Formal Syntax, RFC 2971 Section 4)
# Each string in this list should be enclosed within double quotes
# If not quoted, they will be automatically quoted by nginx, but the
# use of quotes allows the space character to be included within an
# ID field or a value
# The odd numbered strings are treated as ID fields, with the following
# even-numbered string considered to be the ID value corresponding to
# the field name
# If omitted, the response to the ID command will be nil, which
# according to RFC 2971, is permissible in lieu of the field-value list
# The imap_id directive may be overridden in a server block
#
imap_id "NAME" "Zimbra" "VERSION" "8.8.11_GA_3772" "RELEASE" "20190128052127";
# Default realm (kerberos)
# For GSSAPI authentication, when the server's realm is the same as
# the default realm as defined in the default_realm variable in the
# [libdefaults] section of krb5.conf, then in this case, the SASL
# GSSAPI library strips off the realm portion from the authenticating
# principal. Therefore, the default realm name must be specified here
# so that NGINX can append it to the authenticating principal for GSSAPI
#
default_realm "";
# Resolve IP address to SASL server name (kerberos)
# For GSSAPI, in cases of multi-homed hosts, it may be that the proxy
# server has multiple network interfaces, and we wish to reverse map
# the incoming interface IP address (via DNS) to a host name, which will
# be used as the service principal
# Set this to on if gssapi clients will connect to a proxy server using
# different FQDNs. Otherwise, set it to off, and the fully qualified
# host name of the proxy (as returned by hostname), will be used as the
# service principal
# If not specified, this configuration defaults to off
#
sasl_host_from_ip off;
# sasl_app_name
# This is the application name which nginx will use when initializing
# the SASL library using the call to sasl_server_init()
# The SASL library is initialized once per process, the application name
# provided here is used for where to find the default configuration file
# If not specified, sasl_app_name defaults to "nginx"
#
sasl_app_name "nginx";
# Login rate limiting directives
#
# mail_login_ip_max
#
# Sets the maximum number of times that any user is allowed to log in from
# a particular IP over POP or IMAP to this proxy server before the login is
# rejected with an appropriate protocol specific bye response
# This counter is cumulative for all users that appear to the proxy to be
# logging in from the same IP address
# If multiple users appear to the proxy to be logging in from the same IP
# address (usual with NATing), then each of the different users' login will
# contribute to increasing the hit counter for that IP address, and when the
# counter eventually exceeds mail_login_ip_max, then the connections from
# that IP address will be throttled
# Therefore, all users from the same IP will contribute to
# (and be affected by) this counter
# Logins using all protocols (POP3/POP3S/IMAP/IMAPS) will affect this
# counter, (the counter is aggregate for all protocols, *not* separate)
# See notes accompanying the mail_login_ip_ttl for reasonable values for
# this directive
# If this value is set to 0, then no throttling will take place for any IP
#
mail_login_ip_max 0;
# mail_login_ip_ttl
#
# Sets the time-to-live for the hit counter for IP login throttling
# Used in conjunction with mail_login_ip_max, this defines the semantics
# of the throttling for IP logins. Therefore, if this is set to 3600s, and
# if mail_login_ip_max is set to 1000, then it means that NGINX should not
# allow more than 1000 users to log in to the proxy from the same IP,
# within the time interval of an hour (=3600s)
# The semantics for such a configuration would then be -
# "allow maximum 1000 users per hour from any given IP address"
#
mail_login_ip_ttl 3600000ms;
# mail_login_ip_imap_max
#
# Sets the maximum number of times that any user is allowed to log in from
# a particular IP over IMAP to this proxy server before the login is rejected
# with an appropriate protocol specific bye response.
#
# This counter is cumulative for all users that appear to the proxy to be
# logging in from the same IP address.
# If multiple users appear to the proxy to be logging in from the same IP
# address (usual with NATing), then each of the different users' login will
# contribute to increasing the hit counter for that IP address, and when the
# counter eventually exceeds mail_login_ip_imap_max, then the connections from
# that IP address will be throttled
# Therefore, all users from the same IP will contribute to
# (and be affected by) this counter
# Logins using the IMAP protocol (IMAP/IMAPS) will affect this
# counter, (the counter is aggregate for IMAP)
# See notes accompanying the mail_login_ip_imap_ttl for reasonable values for
# this directive
# If this value is set to 0, the handling of imap connections will fall back to
# using the mail_login_ip_max setting
#
mail_login_ip_imap_max 0;
# mail_login_ip_imap_ttl
#
# Sets the time-to-live for the hit counter for IMAP login throttling
# Used in conjunction with mail_login_ip_imap_max, this defines the semantics
# of the throttling for IMAP logins. Therefore, if this is set to 3600s, and
# if mail_login_ip_imap_max is set to 1000, then it means that NGINX should not
# allow more than 1000 IMAP users to log in to the proxy from the same IP,
# within the time interval of an hour (=3600s)
# The semantics for such a configuration would then be -
# "allow maximum 1000 IMAP users per hour from any given IP address"
#
mail_login_ip_imap_ttl 3600000ms;
# mail_login_ip_pop3_max
#
# Sets the maximum number of times that any user is allowed to log in from
# a particular IP over POP3 to this proxy server before the login is rejected
# with an appropriate protocol specific bye response.
#
# This counter is cumulative for all users that appear to the proxy to be
# logging in from the same IP address.
# If multiple users appear to the proxy to be logging in from the same IP
# address (usual with NATing), then each of the different users' login will
# contribute to increasing the hit counter for that IP address, and when the
# counter eventually exceeds mail_login_ip_pop3_max, then the connections from
# that IP address will be throttled
# Therefore, all users from the same IP will contribute to
# (and be affected by) this counter
# Logins using the POP3 protocol (POP3/POP3S) will affect this
# counter, (the counter is aggregate for POP3)
# See notes accompanying the mail_login_ip_pop3_ttl for reasonable values for
# this directive
# If this value is set to 0, the handling of pop3 connections will fall back to
# using the mail_login_ip_max setting
#
mail_login_ip_pop3_max 0;
# mail_login_ip_pop3_ttl
#
# Sets the time-to-live for the hit counter for POP3 login throttling
# Used in conjunction with mail_login_ip_pop3_max, this defines the semantics
# of the throttling for POP3 logins. Therefore, if this is set to 3600s, and
# if mail_login_ip_pop3_max is set to 1000, then it means that NGINX should not
# allow more than 1000 POP3 users to log in to the proxy from the same IP,
# within the time interval of an hour (=3600s)
# The semantics for such a configuration would then be -
# "allow maximum 1000 POP3 users per hour from any given IP address"
#
mail_login_ip_pop3_ttl 3600000ms;
# Define a textual message that should be displayed to the user when
# his/her connection is rejected based on IP overusage
# This message will be encapsulated in the proper protocol specific
# response to the client ("* BYE" for IMAP, and "-ERR" for POP3)
#
mail_login_ip_rejectmsg "Login rejected from this IP";
# Similar semantics for Rate Limiting User Logins
# Setting mail_login_user_max to 100 and mail_login_user_ttl to 3600s
# implies "allow maximum 100 logins per hour for any user"
# As with the ip counterparts, the user hit counter and timeout are
# cumulative for all protocols
# Also, for a given user's login, both counters are checked in succession,
# with the IP counter being checked first
# A login may be rejected (throttled) because the IP is over-usage, or
# because the login name itself is over-usage
# A value of 0 indicates that no throttling will take place for any user
#
mail_login_user_max 0;
mail_login_user_ttl 3600000ms;
mail_login_user_rejectmsg "Login rejected for this user";
# List of servers to which no ip throttling will be done
# Sets the time-to-live of the list of servers for which no ip throttling
# will be done
mail_whitelist_ip_ttl 300;
# Issue POP3 XOIP before logging in to upstream (Audit purposes)
#
proxy_issue_pop3_xoip on;
# Issue IMAP ID before logging in to upstream (Audit purposes)
#
proxy_issue_imap_id on;
# Supported SASL Authentication mechanisms
#
# Use the pop3_auth and imap_auth to specify which SASL mechanisms are
# enabled for POP and IMAP respectively
# These directives may be specified at mail{} level, or overridden at
# server{} level
# Even though an authentication mechanism may be listed against
# pop3_auth and/or imap_auth, it may or may not be available depending
# on whether cleartext login is available (see description for starttls)
# For example, if starttls is set to only, then SASL PLAIN is not
# available outside of TLS/SSL
# SASL mechanisms may be specified all on one line (space separated)
# against pop3_auth, or they may be specified on a separate line
# Specifying the SASL mechanisms on a separate line has the advantage
# that they can be enabled/disabled separately by zmmtaconfig using
# different LDAP attributes
# Currently, only PLAIN and GSSAPI mechanisms are supported
#
imap_auth plain;
#imap_auth gssapi;
pop3_auth plain;
#pop3_auth gssapi;
# Specify whether to use literal strings while issuing the LOGIN command
# to the upstream server. If set to on, then it means that NGINX will use
# literal strings to log in to the upstream server, and so the upstream
# MUST support literal strings
# If set to off, then NGINX uses quoted strings to log in to the upstream
# server when using the LOGIN command
# If not specified, imap_literalauth defaults to on
#
imap_literalauth on;
# Auth Wait Interval
# Specifies the time interval that NGINX will wait before rejecting an
# authentication attempt to the upstream mail server with invalid credentials.
# This value is not related to the wait time when Zimbra lookup handler replies
# some login error, which is controlled by the "Auth-Wait" header returned by the
# lookup handler.
# If not specified, this value defaults to 10 seconds.
#
zm_auth_wait 10000ms;
# TLS configuration
#
ssl_prefer_server_ciphers on;
ssl_certificate /opt/zimbra/conf/nginx.crt;
ssl_certificate_key /opt/zimbra/conf/nginx.key;
# SSL Protocols & Ciphers configuration
# Enabled protocols & Permitted ciphers. Ciphers are assigned in the formats supported by OpenSSL
#
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
# SSL ECDH cipher curve configuration
ssl_ecdh_curve prime256v1;
# IMAP proxy configuration
#
server
{
server_name mail.saigon-inttech.com;
#listen 113.176.64.96:143 ipv6only=off;
listen 113.176.64.96:143;
#listen 113.176.64.96:143;
protocol imap;
proxy on;
timeout 60;
proxy_timeout 2100;
sasl_service_name "imap";
starttls only;
ssl_certificate /opt/zimbra/conf/nginx.crt;
ssl_certificate_key /opt/zimbra/conf/nginx.key;
}
# IMAP proxy default configuration
#
server
{
#listen [::]:143 ipv6only=off;
listen 143;
#listen [::]:143;
ssl_dhparam /opt/zimbra/conf/dhparam.pem;
protocol imap;
proxy on;
timeout 60;
proxy_timeout 2100;
sasl_service_name "imap";
starttls only;
ssl_certificate /opt/zimbra/conf/nginx.crt;
ssl_certificate_key /opt/zimbra/conf/nginx.key;
}
# IMAPS proxy configuration
#
server
{
server_name mail.saigon-inttech.com;
#listen 113.176.64.96:993 ipv6only=off;
listen 113.176.64.96:993;
#listen 113.176.64.96:993;
protocol imap;
proxy on;
timeout 60;
proxy_timeout 2100;
ssl on;
ssl_certificate /opt/zimbra/conf/nginx.crt;
ssl_certificate_key /opt/zimbra/conf/nginx.key;
sasl_service_name "imap";
}
# IMAPS proxy default configuration
#
server
{
#listen [::]:993 ipv6only=off;
listen 993;
#listen [::]:993;
ssl_dhparam /opt/zimbra/conf/dhparam.pem;
protocol imap;
proxy on;
timeout 60;
proxy_timeout 2100;
ssl on;
ssl_certificate /opt/zimbra/conf/nginx.crt;
ssl_certificate_key /opt/zimbra/conf/nginx.key;
sasl_service_name "imap";
}
# POP3 proxy configuration
#
server
{
server_name mail.saigon-inttech.com;
#listen 113.176.64.96:110 ipv6only=off;
listen 113.176.64.96:110;
#listen 113.176.64.96:110;
protocol pop3;
proxy on;
timeout 60;
proxy_timeout 60;
sasl_service_name "pop";
starttls only;
ssl_certificate /opt/zimbra/conf/nginx.crt;
ssl_certificate_key /opt/zimbra/conf/nginx.key;
}
# POP3 proxy default configuration
#
server
{
#listen [::]:110 ipv6only=off;
listen 110;
#listen [::]:110;
ssl_dhparam /opt/zimbra/conf/dhparam.pem;
protocol pop3;
proxy on;
timeout 60;
proxy_timeout 60;
sasl_service_name "pop";
starttls only;
ssl_certificate /opt/zimbra/conf/nginx.crt;
ssl_certificate_key /opt/zimbra/conf/nginx.key;
}
# POP3S proxy configuration
#
server
{
server_name mail.saigon-inttech.com;
#listen 113.176.64.96:995 ipv6only=off;
listen 113.176.64.96:995;
#listen 113.176.64.96:995;
protocol pop3;
proxy on;
timeout 60;
proxy_timeout 60;
ssl on;
ssl_certificate /opt/zimbra/conf/nginx.crt;
ssl_certificate_key /opt/zimbra/conf/nginx.key;
sasl_service_name "pop";
}
# POP3S proxy default configuration
#
server
{
#listen [::]:995 ipv6only=off;
listen 995;
#listen [::]:995;
ssl_dhparam /opt/zimbra/conf/dhparam.pem;
protocol pop3;
proxy on;
timeout 60;
proxy_timeout 60;
ssl on;
ssl_certificate /opt/zimbra/conf/nginx.crt;
ssl_certificate_key /opt/zimbra/conf/nginx.key;
sasl_service_name "pop";
}
}
http
{
# disable nginx version on error pages
server_tokens off;
upstream_fair_shm_size 32k;
root /opt/zimbra/data/nginx/html;
# You need to customize these two values by setting local config
# proxy_server_names_hash_max_size and proxy_names_hash_bucket_size
# when too many virtual host names are added
server_names_hash_max_size 512;
server_names_hash_bucket_size 64;
# Define whether nginx will match exact server version against the
# version received in the client request. Defaults to 'on'
# Setting this to off will make nginx compare only the major and minor
# server versions (eg. all 8.5.x will be treated same by nginx)
exact_version_check on;
# Define the collection of upstream HTTP webclient servers to which we will proxy
# Define each server:port against a server directive
#
upstream zimbra_webclient
{
server mailsrv-zbr.saigon-inttech.local:8080 fail_timeout=10s version=8.8.11_GA_3737;
zmauth;
}
# Define the collection of upstream HTTP servers to which we will proxy
# Define each server:port against a server directive
#
upstream zimbra
{
server mailsrv-zbr.saigon-inttech.local:8080 fail_timeout=10s version=8.8.11_GA_3737;
zmauth;
}
# Define the collection of upstream HTTPS webclient servers to which we will proxy
# Define each server:port against a server directive
#
upstream zimbra_ssl_webclient
{
server mailsrv-zbr.saigon-inttech.local:8443 fail_timeout=10s version=8.8.11_GA_3737;
zmauth;
}
# Define the collection of upstream HTTPS servers to which we will proxy
# Define each server:port against a server directive
upstream zimbra_ssl
{
server mailsrv-zbr.saigon-inttech.local:8443 fail_timeout=10s version=8.8.11_GA_3737;
zmauth;
}
# Define the collection of upstream HTTP servers to dedicated zx port of jetty
upstream zx
{
server mailsrv-zbr.saigon-inttech.local:8742 fail_timeout=10s version=8.8.11_GA_3737;
zmauth;
}
# Define the collection of upstream HTTPS servers to dedicated zx ssl port of jetty
upstream zx_ssl
{
server mailsrv-zbr.saigon-inttech.local:8743 fail_timeout=10s version=8.8.11_GA_3737;
zmauth;
}
# Define the collection of upstream admin client servers to which we will
# proxy. Define each server:port against a server directive
#
upstream zimbra_adminclient
{
server mailsrv-zbr.saigon-inttech.local:7071 fail_timeout=10s version=8.8.11_GA_3737;
zmauth_admin;
}
# Define the collection of upstream admin console servers to which we will
# proxy. Define each server:port against a server directive
#
upstream zimbra_admin
{
server mailsrv-zbr.saigon-inttech.local:7071 fail_timeout=10s version=8.8.11_GA_3737;
zmauth_admin;
}
# Define the collection of upstream HTTP EWS servers to which we will
# proxy EWS request. Define each server:port against a server directive
#
# upstream zimbra_ews
# {
#
# zmauth;
# }
# Define the collection of upstream HTTPS EWS servers to which we will
# proxy EWS request. Define each server:port against a server directive
#
# upstream zimbra_ews_ssl
# {
#
# zmauth;
# }
# Define the collection of upstream HTTP Login servers to which we will
# proxy login request. Define each server:port against a server directive
#
upstream zimbra_login
{
server mailsrv-zbr.saigon-inttech.local:8080 fail_timeout=10s version=8.8.11_GA_3737;
zmauth;
}
# Define the collection of upstream HTTPS Login servers to which we will
# proxy login request. Define each server:port against a server directive
#
upstream zimbra_login_ssl
{
server mailsrv-zbr.saigon-inttech.local:8443 fail_timeout=10s version=8.8.11_GA_3737;
zmauth;
}
# Enable Access logs for web traffic
log_format upstream '$remote_addr:$remote_port - $remote_user [$time_local] '
'"$request_method $scheme://$host$request_uri $server_protocol" $status $bytes_sent '
'"$http_referer" "$http_user_agent" "$upstream_addr" "$server_addr:$server_port"';
access_log /opt/zimbra/log/nginx.access.log upstream;
# Set proxy timeout
proxy_connect_timeout 25;
proxy_read_timeout 60;
proxy_send_timeout 60;
# Custom error pages for upstream connection errors
error_page 502 /zmerror_upstream_502.html;
error_page 504 /zmerror_upstream_504.html;
#ssl_client_certificate /opt/zimbra/conf/nginx.client.ca.crt;
# turn on tcp keepalive
tcp_keepalive on;
#include /opt/zimbra/conf/nginx/includes/nginx.conf.web.http;
#include /opt/zimbra/conf/nginx/includes/nginx.conf.web.http.default;
# HTTPS Proxy Configuration
#
server
{
server_name mail.saigon-inttech.com;
#listen 113.176.64.96:443 ipv6only=off;
listen 113.176.64.96:443;
#listen 113.176.64.96:443;
client_max_body_size 0;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 600;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
ssl_ecdh_curve prime256v1;
ssl_certificate /opt/zimbra/conf/nginx.crt;
ssl_certificate_key /opt/zimbra/conf/nginx.key;
ssl_verify_client off;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
ssl_dhparam /opt/zimbra/conf/dhparam.pem;
# HTTPS Mode Configuration For HTTPS
set $login_upstream https://zimbra_login_ssl;
if ($http_cookie ~ "ZM_AUTH_TOKEN=") {
set $login_upstream https://zimbra_ssl_webclient;
}
location = //
{
set $mailhostport 8080; # replace this with *the* mailhost port
set $relhost $host;
if ($mailhostport != 80) { # standard HTTP port, do not replace
set $relhost $host:$mailhostport;
}
# Proxy to Zimbra Login Upstream
proxy_pass $login_upstream;
# For audit
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# For Virtual Hosting
set $virtual_host $http_host;
if ($virtual_host = '') {
set $virtual_host $server_name:$server_port;
}
proxy_set_header Host $virtual_host;
# Location header fudging
# Because NGINX SSL speaks plain HTTP to upstream, therefore any
# redirects to http:// coming from the upstream need to be fudged
# to https://
#
proxy_redirect http://$http_host/ https://$http_host/;
# Fudge inter-mailbox redirects (kludge)
proxy_redirect http://$relhost/ https://$http_host/;
}
location = /
{
set $mailhostport 8080; # replace this with *the* mailhost port
set $relhost $host;
if ($mailhostport != 80) { # standard HTTP port, do not replace
set $relhost $host:$mailhostport;
}
# Proxy to Zimbra Login Upstream
proxy_pass $login_upstream;
# For audit
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# For Virtual Hosting
set $virtual_host $http_host;
if ($virtual_host = '') {
set $virtual_host $server_name:$server_port;
}
proxy_set_header Host $virtual_host;
# Location header fudging
# Because NGINX SSL speaks plain HTTP to upstream, therefore any
# redirects to http:// coming from the upstream need to be fudged
# to https://
#
proxy_redirect http://$http_host/ https://$http_host/;
# Fudge inter-mailbox redirects (kludge)
proxy_redirect http://$relhost/ https://$http_host/;
}
location /
{
# Begin stray redirect hack
#
# In some cases, we may get a stray redirect out of the mailhost,
# which attempts to send us to $host:$mailhostport, where:
#
# $host is the host portion (excluding port) of the proxy URL
# $mailhostport is the zimbraMailPort as applies to the mailhost
# server being redirected to
#
# This is the case when one mailhost in the upstream cluster is
# trying to redirect to another mailhost in the same cluster
# In this case, we need to trap and fudge this location header
#
# NOTE that this will only work in the cases where each mailhost
# within the cluster has the same mailhostport (Limitation)
#
set $mailhostport 8080; # replace this with *the* mailhost port
set $relhost $host;
if ($mailhostport != 80) { # standard HTTP port, do not replace
set $relhost $host:$mailhostport;
}
# End stray redirect hack
# Proxy to Zimbra Webclient Upstream
proxy_pass https://zimbra_ssl_webclient;
# For audit
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# For Virtual Hosting
set $virtual_host $http_host;
if ($virtual_host = '') {
set $virtual_host $server_name:$server_port;
}
proxy_set_header Host $virtual_host;
# Location header fudging
# Because NGINX SSL speaks plain HTTP to upstream, therefore any
# redirects to http:// coming from the upstream need to be fudged
# to https://
#
proxy_redirect http://$http_host/ https://$http_host/;
# Fudge inter-mailbox redirects (kludge)
proxy_redirect http://$relhost/ https://$http_host/;
}
#For long polling of Microsoft ActiveSync
location ^~ /Microsoft-Server-ActiveSync
{
# Begin stray redirect hack
#
# In some cases, we may get a stray redirect out of the mailhost,
# which attempts to send us to $host:$mailhostport, where:
#
# $host is the host portion (excluding port) of the proxy URL
# $mailhostport is the zimbraMailPort as applies to the mailhost
# server being redirected to
#
# This is the case when one mailhost in the upstream cluster is
# trying to redirect to another mailhost in the same cluster
# In this case, we need to trap and fudge this location header
#
# NOTE that this will only work in the cases where each mailhost
# within the cluster has the same mailhostport (Limitation)
#
set $mailhostport 8080; # replace this with *the* mailhost port
set $relhost $host;
if ($mailhostport != 80) { # standard HTTP port, do not replace
set $relhost $host:$mailhostport;
}
# End stray redirect hack
# Proxy to Zimbra Upstream
proxy_pass https://zimbra_ssl;
proxy_read_timeout 3600;
proxy_buffering off;
# For audit
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# For Virtual Hosting
set $virtual_host $http_host;
if ($virtual_host = '') {
set $virtual_host $server_name:$server_port;
}
proxy_set_header Host $virtual_host;
# Location header fudging
# Because NGINX SSL speaks plain HTTP to upstream, therefore any
# redirects to http:// coming from the upstream need to be fudged
# to https://
#
proxy_redirect http://$http_host/ https://$http_host/;
# Fudge inter-mailbox redirects (kludge)
proxy_redirect http://$relhost/ https://$http_host/;
}
location ^~ /zx/ws-
{
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://zx_ssl;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_http_version 1.1;
}
location ^~ /zx/
{
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://zx_ssl;
}
# For NoOpRequest
location ^~ /service/soap/NoOpRequest {
# Begin stray redirect hack
#
# In some cases, we may get a stray redirect out of the mailhost,
# which attempts to send us to $host:$mailhostport, where:
#
# $host is the host portion (excluding port) of the proxy URL
# $mailhostport is the zimbraMailPort as applies to the mailhost
# server being redirected to
#
# This is the case when one mailhost in the upstream cluster is
# trying to redirect to another mailhost in the same cluster
# In this case, we need to trap and fudge this location header
#
# NOTE that this will only work in the cases where each mailhost
# within the cluster has the same mailhostport (Limitation)
#
set $mailhostport 8080; # replace this with *the* mailhost port
set $relhost $host;
if ($mailhostport != 80) { # standard HTTP port, do not replace
set $relhost $host:$mailhostport;
}
# End stray redirect hack
# Proxy to Zimbra Upstream
proxy_pass https://zimbra_ssl;
proxy_read_timeout 1220;
proxy_buffering off;
# For audit
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# For Virtual Hosting
set $virtual_host $http_host;
if ($virtual_host = '') {
set $virtual_host $server_name:$server_port;
}
proxy_set_header Host $virtual_host;
# Location header fudging
# Because NGINX SSL speaks plain HTTP to upstream, therefore any
# redirects to http:// coming from the upstream need to be fudged
# to https://
#
proxy_redirect http://$http_host/ https://$http_host/;
# Fudge inter-mailbox redirects (kludge)
proxy_redirect http://$relhost/ https://$http_host/;
}
# For WaitSetRequest
location ^~ /service/soap/WaitSetRequest {
# Begin stray redirect hack
#
# In some cases, we may get a stray redirect out of the mailhost,
# which attempts to send us to $host:$mailhostport, where:
#
# $host is the host portion (excluding port) of the proxy URL
# $mailhostport is the zimbraMailPort as applies to the mailhost
# server being redirected to
#
# This is the case when one mailhost in the upstream cluster is
# trying to redirect to another mailhost in the same cluster
# In this case, we need to trap and fudge this location header
#
# NOTE that this will only work in the cases where each mailhost
# within the cluster has the same mailhostport (Limitation)
#
set $mailhostport 8080; # replace this with *the* mailhost port
set $relhost $host;
if ($mailhostport != 80) { # standard HTTP port, do not replace
set $relhost $host:$mailhostport;
}
# End stray redirect hack
# Proxy to Zimbra Upstream
proxy_pass https://zimbra_ssl;
proxy_read_timeout 1220;
proxy_buffering off;
# For audit
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# For Virtual Hosting
set $virtual_host $http_host;
if ($virtual_host = '') {
set $virtual_host $server_name:$server_port;
}
proxy_set_header Host $virtual_host;
# Location header fudging
# Because NGINX SSL speaks plain HTTP to upstream, therefore any
# redirects to http:// coming from the upstream need to be fudged
# to https://
#
proxy_redirect http://$http_host/ https://$http_host/;
# Fudge inter-mailbox redirects (kludge)
proxy_redirect http://$relhost/ https://$http_host/;
}
location ^~ /autodiscover
{
# Begin stray redirect hack
#
# In some cases, we may get a stray redirect out of the mailhost,
# which attempts to send us to $host:$mailhostport, where:
#
# $host is the host portion (excluding port) of the proxy URL
# $mailhostport is the zimbraMailPort as applies to the mailhost
# server being redirected to
#
# This is the case when one mailhost in the upstream cluster is
# trying to redirect to another mailhost in the same cluster
# In this case, we need to trap and fudge this location header
#
# NOTE that this will only work in the cases where each mailhost
# within the cluster has the same mailhostport (Limitation)
#
set $mailhostport 8080; # replace this with *the* mailhost port
set $relhost $host;
if ($mailhostport != 80) { # standard HTTP port, do not replace
set $relhost $host:$mailhostport;
}
set $autodiscover_upstream https://zimbra_ssl;
# if ($http_user_agent ~ "ExchangeWebServices") {
# set $autodiscover_upstream https://zimbra_ews_ssl;
# }
# End stray redirect hack
# Proxy to Zimbra Mailbox Upstream
proxy_pass $autodiscover_upstream;
# For audit
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# For Virtual Hosting
set $virtual_host $http_host;
if ($virtual_host = '') {
set $virtual_host $server_name:$server_port;
}
proxy_set_header Host $virtual_host;
# Location header fudging
# Because NGINX SSL speaks plain HTTP to upstream, therefore any
# redirects to http:// coming from the upstream need to be fudged
# to https://
#
proxy_redirect http://$http_host/ https://$http_host/;
# Fudge inter-mailbox redirects (kludge)
proxy_redirect http://$relhost/ https://$http_host/;
}
location ^~ /nginx_status {
# Location block to enable the stub status module
stub_status on;
access_log off;
allow 127.0.0.1;
allow ::1;
deny all;
}
# location ^~ /http-bind
# {
# # Proxy to external XMPP server
# proxy_pass http://:0;
# proxy_read_timeout 90;
# proxy_buffering off;
#
# # For audit
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#
# # For Virtual Hosting
# set $virtual_host $http_host;
# if ($virtual_host = '') {
# set $virtual_host $server_addr:$server_port;
# }
# proxy_set_header Host $virtual_host;
# }
# location ~* ^/ews/Exchange.asmx
# {
# # Proxy to Zimbra Upstream
# proxy_pass https://zimbra_ews_ssl;
# proxy_read_timeout 3600;
# proxy_buffering off;
#
# # For audit
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#
# # For Virtual Hosting
# set $virtual_host $http_host;
# if ($virtual_host = '') {
# set $virtual_host $server_name:$server_port;
# }
# proxy_set_header Host $virtual_host;
#
# # Location header fudging
# # Because NGINX SSL speaks plain HTTP to upstream, therefore any
# # redirects to http:// coming from the upstream need to be fudged
# # to https://
# #
# proxy_redirect http://$http_host/ https://$http_host/;
#
# # Fudge inter-mailbox redirects (kludge)
# proxy_redirect http://$relhost/ https://$http_host/;
# }
location ~* /(service|principals|dav|\.well-known|home|octopus|shf|user|certauth|spnegoauth|(zimbra/home)|(zimbra/user))/
{
# Begin stray redirect hack
#
# In some cases, we may get a stray redirect out of the mailhost,
# which attempts to send us to $host:$mailhostport, where:
#
# $host is the host portion (excluding port) of the proxy URL
# $mailhostport is the zimbraMailPort as applies to the mailhost
# server being redirected to
#
# This is the case when one mailhost in the upstream cluster is
# trying to redirect to another mailhost in the same cluster
# In this case, we need to trap and fudge this location header
#
# NOTE that this will only work in the cases where each mailhost
# within the cluster has the same mailhostport (Limitation)
#
set $mailhostport 8080; # replace this with *the* mailhost port
set $relhost $host;
if ($mailhostport != 80) { # standard HTTP port, do not replace
set $relhost $host:$mailhostport;
}
# End stray redirect hack
# Proxy to Zimbra Mailbox Upstream
proxy_pass https://zimbra_ssl;
# For audit
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# For Virtual Hosting
set $virtual_host $http_host;
if ($virtual_host = '') {
set $virtual_host $server_name:$server_port;
}
proxy_set_header Host $virtual_host;
# Location header fudging
# Because NGINX SSL speaks plain HTTP to upstream, therefore any
# redirects to http:// coming from the upstream need to be fudged
# to https://
#
proxy_redirect http://$http_host/ https://$http_host/;
# Fudge inter-mailbox redirects (kludge)
proxy_redirect http://$relhost/ https://$http_host/;
}
location ~* ^/zmerror_.*\.html$ {
# for custom error pages, internal use only
internal;
}
}
# HTTPS Proxy Default Configuration
# Strict servername enforcing block
# Enabled/disabled through the 'zimbraReverseProxyStrictServerName' configuration item
# The $\{listen.:addresses\} is NOT demarcated with web.strict.servername on purpose.
server {
#listen [::]:443 default_server ipv6only=off;
listen 443 default_server;
#listen [::]:443 default_server;
server_name _;
# Listen addresses extracted from `zimbraVirtualIPAddress` on each domain
# Listen addresses extracted from `zimbraVirtualIPAddress` on each domain
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 600;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
ssl_ecdh_curve prime256v1;
ssl_certificate /opt/zimbra/conf/nginx.crt;
ssl_certificate_key /opt/zimbra/conf/nginx.key;
ssl_verify_client off;
ssl_verify_depth 10;
ssl_dhparam /opt/zimbra/conf/dhparam.pem;
return 400;
}
server
{
#listen [::]:443 ipv6only=off;
listen 443;
#listen [::]:443;
server_name mailsrv-zbr.saigon-inttech.local; # add aliases and perhaps public
client_max_body_size 0;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 600;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
ssl_ecdh_curve prime256v1;
ssl_certificate /opt/zimbra/conf/nginx.crt;
ssl_certificate_key /opt/zimbra/conf/nginx.key;
ssl_verify_client off;
ssl_verify_depth 10;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
ssl_dhparam /opt/zimbra/conf/dhparam.pem;
# HTTPS Mode Configuration For HTTPS
set $login_upstream https://zimbra_login_ssl;
if ($http_cookie ~ "ZM_AUTH_TOKEN=") {
set $login_upstream https://zimbra_ssl_webclient;
}
location = //
{
set $mailhostport 8080; # replace this with *the* mailhost port
set $relhost $host;
if ($mailhostport != 80) { # standard HTTP port, do not replace
set $relhost $host:$mailhostport;
}
# Proxy to Zimbra Login Upstream
proxy_pass $login_upstream;
# For audit
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# For Virtual Hosting
set $virtual_host $http_host;
if ($virtual_host = '') {
set $virtual_host $server_addr:$server_port;
}
proxy_set_header Host $virtual_host;
# Location header fudging
# Because NGINX SSL speaks plain HTTP to upstream, therefore any
# redirects to http:// coming from the upstream need to be fudged
# to https://
#
proxy_redirect http://$http_host/ https://$http_host/;
# Fudge inter-mailbox redirects (kludge)
proxy_redirect http://$relhost/ https://$http_host/;
}
location = /
{
set $mailhostport 8080; # replace this with *the* mailhost port
set $relhost $host;
if ($mailhostport != 80) { # standard HTTP port, do not replace
set $relhost $host:$mailhostport;
}
# Proxy to Zimbra Login Upstream
proxy_pass $login_upstream;
# For audit
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# For Virtual Hosting
set $virtual_host $http_host;
if ($virtual_host = '') {
set $virtual_host $server_addr:$server_port;
}
proxy_set_header Host $virtual_host;
# Location header fudging
# Because NGINX SSL speaks plain HTTP to upstream, therefore any
# redirects to http:// coming from the upstream need to be fudged
# to https://
#
proxy_redirect http://$http_host/ https://$http_host/;
# Fudge inter-mailbox redirects (kludge)
proxy_redirect http://$relhost/ https://$http_host/;
}
location /
{
# Begin stray redirect hack
#
# In some cases, we may get a stray redirect out of the mailhost,
# which attempts to send us to $host:$mailhostport, where:
#
# $host is the host portion (excluding port) of the proxy URL
# $mailhostport is the zimbraMailPort as applies to the mailhost
# server being redirected to
#
# This is the case when one mailhost in the upstream cluster is
# trying to redirect to another mailhost in the same cluster
# In this case, we need to trap and fudge this location header
#
# NOTE that this will only work in the cases where each mailhost
# within the cluster has the same mailhostport (Limitation)
#
set $mailhostport 8080; # replace this with *the* mailhost port
set $relhost $host;
if ($mailhostport != 80) { # standard HTTP port, do not replace
set $relhost $host:$mailhostport;
}
# End stray redirect hack
# Proxy to Zimbra Webclient Upstream
proxy_pass https://zimbra_ssl_webclient;
# For audit
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# For Virtual Hosting
set $virtual_host $http_host;
if ($virtual_host = '') {
set $virtual_host $server_addr:$server_port;
}
proxy_set_header Host $virtual_host;
# Location header fudging
# Because NGINX SSL speaks plain HTTP to upstream, zimbraReverseProxyAvailableLookupTargetstherefore any
# redirects to http:// coming from the upstream need to be fudged
# to https://
#
proxy_redirect http://$http_host/ https://$http_host/;
# Fudge inter-mailbox redirects (kludge)
proxy_redirect http://$relhost/ https://$http_host/;
}
#For long polling of Microsoft ActiveSync
location ^~ /Microsoft-Server-ActiveSync
{
# Begin stray redirect hack
#
# In some cases, we may get a stray redirect out of the mailhost,
# which attempts to send us to $host:$mailhostport, where:
#
# $host is the host portion (excluding port) of the proxy URL
# $mailhostport is the zimbraMailPort as applies to the mailhost
# server being redirected to
#
# This is the case when one mailhost in the upstream cluster is
# trying to redirect to another mailhost in the same cluster
# In this case, we need to trap and fudge this location header
#
# NOTE that this will only work in the cases where each mailhost
# within the cluster has the same mailhostport (Limitation)
#
set $mailhostport 8080; # replace this with *the* mailhost port
set $relhost $host;
if ($mailhostport != 80) { # standard HTTP port, do not replace
set $relhost $host:$mailhostport;
}
# End stray redirect hack
# Proxy to Zimbra Upstream
proxy_pass https://zimbra_ssl;
proxy_read_timeout 3600;
proxy_buffering off;
# For audit
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# For Virtual Hosting
set $virtual_host $http_host;
if ($virtual_host = '') {
set $virtual_host $server_addr:$server_port;
}
proxy_set_header Host $virtual_host;
# Location header fudging
# Because NGINX SSL speaks plain HTTP to upstream, therefore any
# redirects to http:// coming from the upstream need to be fudged
# to https://
#
proxy_redirect http://$http_host/ https://$http_host/;
# Fudge inter-mailbox redirects (kludge)
proxy_redirect http://$relhost/ https://$http_host/;
}
location ^~ /zx/ws-
{
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://zx_ssl;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_http_version 1.1;
}
location ^~ /zx/
{
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://zx_ssl;
}
# For NoOpRequest
location ^~ /service/soap/NoOpRequest {
# Begin stray redirect hack
#
# In some cases, we may get a stray redirect out of the mailhost,
# which attempts to send us to $host:$mailhostport, where:
#
# $host is the host portion (excluding port) of the proxy URL
# $mailhostport is the zimbraMailPort as applies to the mailhost
# server being redirected to
#
# This is the case when one mailhost in the upstream cluster is
# trying to redirect to another mailhost in the same cluster
# In this case, we need to trap and fudge this location header
#
# NOTE that this will only work in the cases where each mailhost
# within the cluster has the same mailhostport (Limitation)
#
set $mailhostport 8080; # replace this with *the* mailhost port
set $relhost $host;
if ($mailhostport != 80) { # standard HTTP port, do not replace
set $relhost $host:$mailhostport;
}
# End stray redirect hack
# Proxy to Zimbra Upstream
proxy_pass https://zimbra_ssl;
proxy_read_timeout 1220;
proxy_buffering off;
# For audit
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# For Virtual Hosting
set $virtual_host $http_host;
if ($virtual_host = '') {
set $virtual_host $server_addr:$server_port;
}
proxy_set_header Host $virtual_host;
# Location header fudging
# Because NGINX SSL speaks plain HTTP to upstream, therefore any
# redirects to http:// coming from the upstream need to be fudged
# to https://
#
proxy_redirect http://$http_host/ https://$http_host/;
# Fudge inter-mailbox redirects (kludge)
proxy_redirect http://$relhost/ https://$http_host/;
}
# For WaitSetRequest
location ^~ /service/soap/WaitSetRequest {
# Begin stray redirect hack
#
# In some cases, we may get a stray redirect out of the mailhost,
# which attempts to send us to $host:$mailhostport, where:
#
# $host is the host portion (excluding port) of the proxy URL
# $mailhostport is the zimbraMailPort as applies to the mailhost
# server being redirected to
#
# This is the case when one mailhost in the upstream cluster is
# trying to redirect to another mailhost in the same cluster
# In this case, we need to trap and fudge this location header
#
# NOTE that this will only work in the cases where each mailhost
# within the cluster has the same mailhostport (Limitation)
#
set $mailhostport 8080; # replace this with *the* mailhost port
set $relhost $host;
if ($mailhostport != 80) { # standard HTTP port, do not replace
set $relhost $host:$mailhostport;
}
# End stray redirect hack
# Proxy to Zimbra Upstream
proxy_pass https://zimbra_ssl;
proxy_read_timeout 1220;
proxy_buffering off;
# For audit
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# For Virtual Hosting
set $virtual_host $http_host;
if ($virtual_host = '') {
set $virtual_host $server_addr:$server_port;
}
proxy_set_header Host $virtual_host;
# Location header fudging
# Because NGINX SSL speaks plain HTTP to upstream, therefore any
# redirects to http:// coming from the upstream need to be fudged
# to https://
#
proxy_redirect http://$http_host/ https://$http_host/;
# Fudge inter-mailbox redirects (kludge)
proxy_redirect http://$relhost/ https://$http_host/;
}
location ^~ /autodiscover
{
# Begin stray redirect hack
#
# In some cases, we may get a stray redirect out of the mailhost,
# which attempts to send us to $host:$mailhostport, where:
#
# $host is the host portion (excluding port) of the proxy URL
# $mailhostport is the zimbraMailPort as applies to the mailhost
# server being redirected to
#
# This is the case when one mailhost in the upstream cluster is
# trying to redirect to another mailhost in the same cluster
# In this case, we need to trap and fudge this location header
#
# NOTE that this will only work in the cases where each mailhost
# within the cluster has the same mailhostport (Limitation)
#
set $mailhostport 8080; # replace this with *the* mailhost port
set $relhost $host;
if ($mailhostport != 80) { # standard HTTP port, do not replace
set $relhost $host:$mailhostport;
}
set $autodiscover_upstream https://zimbra_ssl;
# if ($http_user_agent ~ "ExchangeWebServices") {
# set $autodiscover_upstream https://zimbra_ews_ssl;
# }
# End stray redirect hack
# Proxy to Zimbra Mailbox Upstream
proxy_pass $autodiscover_upstream;
# For audit
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# For Virtual Hosting
set $virtual_host $http_host;
if ($virtual_host = '') {
set $virtual_host $server_addr:$server_port;
}
proxy_set_header Host $virtual_host;
# Location header fudging
# Because NGINX SSL speaks plain HTTP to upstream, therefore any
# redirects to http:// coming from the upstream need to be fudged
# to https://
#
proxy_redirect http://$http_host/ https://$http_host/;
# Fudge inter-mailbox redirects (kludge)
proxy_redirect http://$relhost/ https://$http_host/;
}
location ^~ /nginx_status {
# Location block to enable the stub status module
stub_status on;
access_log off;
allow 127.0.0.1;
allow ::1;
deny all;
}
# location ^~ /http-bind
# {
# # Proxy to external XMPP server
# proxy_pass http://:0;
# proxy_read_timeout 90;
# proxy_buffering off;
#
# # For audit
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#
# # For Virtual Hosting
# set $virtual_host $http_host;
# if ($virtual_host = '') {
# set $virtual_host $server_addr:$server_port;
# }
# proxy_set_header Host $virtual_host;
# }
# location ~* ^/ews/Exchange.asmx
# {
# # Proxy to Zimbra Upstream
# proxy_pass https://zimbra_ews_ssl;
# proxy_read_timeout 3600;
# proxy_buffering off;
#
# # For audit
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#
# # For Virtual Hosting
# set $virtual_host $http_host;
# if ($virtual_host = '') {
# set $virtual_host $server_addr:$server_port;
# }
# proxy_set_header Host $virtual_host;
#
# # Location header fudging
# # Because NGINX SSL speaks plain HTTP to upstream, therefore any
# # redirects to http:// coming from the upstream need to be fudged
# # to https://
# #
# proxy_redirect http://$http_host/ https://$http_host/;
#
# # Fudge inter-mailbox redirects (kludge)
# proxy_redirect http://$relhost/ https://$http_host/;
# }
location ~* /(service|principals|dav|\.well-known|home|octopus|shf|user|certauth|spnegoauth|(zimbra/home)|(zimbra/user))/
{
# Begin stray redirect hack
#
# In some cases, we may get a stray redirect out of the mailhost,
# which attempts to send us to $host:$mailhostport, where:
#
# $host is the host portion (excluding port) of the proxy URL
# $mailhostport is the zimbraMailPort as applies to the mailhost
# server being redirected to
#
# This is the case when one mailhost in the upstream cluster is
# trying to redirect to another mailhost in the same cluster
# In this case, we need to trap and fudge this location header
#
# NOTE that this will only work in the cases where each mailhost
# within the cluster has the same mailhostport (Limitation)
#
set $mailhostport 8080; # replace this with *the* mailhost port
set $relhost $host;
if ($mailhostport != 80) { # standard HTTP port, do not replace
set $relhost $host:$mailhostport;
}
# End stray redirect hack
# Proxy to Zimbra Mailbox Upstream
proxy_pass https://zimbra_ssl;
# For audit
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# For Virtual Hosting
set $virtual_host $http_host;
if ($virtual_host = '') {
set $virtual_host $server_addr:$server_port;
}
proxy_set_header Host $virtual_host;
# Location header fudging
# Because NGINX SSL speaks plain HTTP to upstream, therefore any
# redirects to http:// coming from the upstream need to be fudged
# to https://
#
proxy_redirect http://$http_host/ https://$http_host/;
# Fudge inter-mailbox redirects (kludge)
proxy_redirect http://$relhost/ https://$http_host/;
}
location ~* ^/zmerror_.*\.html$ {
# for custom error pages, internal use only
internal;
}
}
#include /opt/zimbra/conf/nginx/includes/nginx.conf.web.sso;
#include /opt/zimbra/conf/nginx/includes/nginx.conf.web.sso.default;
#include /opt/zimbra/conf/nginx/includes/nginx.conf.web.admin;
#include /opt/zimbra/conf/nginx/includes/nginx.conf.web.admin.default;
}
# Don't edit the below comment
#__SUCCESS__
[zimbra@mailsrv-zbr ~]$
[zimbra@mailsrv-zbr ~]$ lsof -i :443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 8861 zimbra 10u IPv4 23646088 0t0 TCP *:https (LISTEN)
nginx 8862 zimbra 10u IPv4 23646088 0t0 TCP *:https (LISTEN)
nginx 8863 zimbra 10u IPv4 23646088 0t0 TCP *:https (LISTEN)
nginx 8864 zimbra 10u IPv4 23646088 0t0 TCP *:https (LISTEN)
[zimbra@mailsrv-zbr ~]$ lsof -i :11211
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
memcached 7378 zimbra 26u IPv4 22998771 0t0 TCP *:memcache (LISTEN)
memcached 7378 zimbra 27u IPv6 22998772 0t0 TCP *:memcache (LISTEN)
memcached 7378 zimbra 28u IPv4 23649293 0t0 TCP mailsrv-zbr.saigon-inttech.local:memcache->mailsrv-zbr.saigon-inttech.local:42180 (ESTABLISHED)
memcached 7378 zimbra 29u IPv4 23649294 0t0 TCP mailsrv-zbr.saigon-inttech.local:memcache->mailsrv-zbr.saigon-inttech.local:42182 (ESTABLISHED)
memcached 7378 zimbra 30u IPv4 23649295 0t0 TCP mailsrv-zbr.saigon-inttech.local:memcache->mailsrv-zbr.saigon-inttech.local:42184 (ESTABLISHED)
memcached 7378 zimbra 31u IPv4 23649296 0t0 TCP mailsrv-zbr.saigon-inttech.local:memcache->mailsrv-zbr.saigon-inttech.local:42186 (ESTABLISHED)
nginx 8861 zimbra 13u IPv4 23646102 0t0 TCP mailsrv-zbr.saigon-inttech.local:42180->mailsrv-zbr.saigon-inttech.local:memcache (ESTABLISHED)
nginx 8862 zimbra 15u IPv4 23648449 0t0 TCP mailsrv-zbr.saigon-inttech.local:42186->mailsrv-zbr.saigon-inttech.local:memcache (ESTABLISHED)
nginx 8863 zimbra 17u IPv4 23648448 0t0 TCP mailsrv-zbr.saigon-inttech.local:42184->mailsrv-zbr.saigon-inttech.local:memcache (ESTABLISHED)
nginx 8864 zimbra 19u IPv4 23646103 0t0 TCP mailsrv-zbr.saigon-inttech.local:42182->mailsrv-zbr.saigon-inttech.local:memcache (ESTABLISHED)
[zimbra@mailsrv-zbr ~]$ netstat -anltp | egrep '^tcp' | grep LISTEN | awk '{print $4 " "$7}' | sed -e 's/.*://' | sort -n | uniq
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
22 -
25 -
53 -
389 -
465 -
587 -
953 -
3310 7902/clamd
5222 -
5269 -
7025 -
7071 -
7072 -
7073 -
7110 -
7143 -
7171 5594/java
7306 7027/mysqld
7993 -
7995 -
8080 -
8443 -
8465 8250/opendkim
10024 7453/amavisd
10025 -
10026 7453/amavisd
10027 -
10028 -
10029 -
10030 -
10032 7453/amavisd
11211 7378/memcached
23232 7421/perl
23233 7423/perl
[zimbra@mailsrv-zbr ~]$ netstat -anelpt | egrep ':25|:465|:389|:636|:7025|:7047|:80|:8080|:443|:8443|:110|:7110|:995|:7995|:143|:7143|:993|:7993|:3443|:9443|:7071|:9071|:7072|:7306|:7307|:7780|:10024|:10025|:11211'
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:7143 0.0.0.0:* LISTEN 0 22999241 -
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 998 22999307 7453/amavisd (maste
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 0 23001904 -
tcp 0 0 127.0.0.1:7306 0.0.0.0:* LISTEN 998 22999190 7027/mysqld
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 998 22998771 7378/memcached
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 0 23646086 8861/nginx: worker
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 0 23646084 8861/nginx: worker
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 0 22999229 -
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 0 23001805 -
tcp 0 0 0.0.0.0:7025 0.0.0.0:* LISTEN 0 22999243 -
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 0 23001793 -
tcp 0 0 0.0.0.0:7993 0.0.0.0:* LISTEN 0 22999242 -
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 23646088 8861/nginx: worker
tcp 0 0 0.0.0.0:7995 0.0.0.0:* LISTEN 0 22999240 -
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 0 22999237 -
tcp 0 0 0.0.0.0:7071 0.0.0.0:* LISTEN 0 22999238 -
tcp 0 0 0.0.0.0:7072 0.0.0.0:* LISTEN 0 22996855 -
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 0 23646085 8861/nginx: worker
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 0 23646087 8861/nginx: worker
tcp 0 0 192.168.3.25:389 0.0.0.0:* LISTEN 0 22967372 -
tcp 0 0 0.0.0.0:7110 0.0.0.0:* LISTEN 0 22999239 -
tcp 0 0 192.168.3.25:42180 192.168.3.25:11211 ESTABLISHED 998 23646102 8861/nginx: worker
tcp 0 0 127.0.0.1:7306 127.0.0.1:33286 ESTABLISHED 998 22999823 7027/mysqld
tcp 0 0 192.168.3.25:47612 192.168.3.25:389 ESTABLISHED 998 23000011 7526/amavisd (ch3-a
tcp 0 0 192.168.3.25:42182 192.168.3.25:11211 ESTABLISHED 998 23646103 8864/nginx: worker
tcp 0 0 192.168.3.25:47580 192.168.3.25:389 ESTABLISHED 998 22999958 7518/amavisd (ch8-a
tcp 0 0 192.168.3.25:389 192.168.3.25:47424 ESTABLISHED 998 22966524 -
tcp 0 0 192.168.3.25:47652 192.168.3.25:389 ESTABLISHED 998 23002826 7516/amavisd (ch6-a
tcp 0 0 192.168.3.25:389 192.168.3.25:47652 ESTABLISHED 998 23002827 -
tcp 0 0 192.168.3.25:47530 192.168.3.25:389 ESTABLISHED 998 23000306 -
tcp 0 0 192.168.3.25:47502 192.168.3.25:389 ESTABLISHED 998 22996904 -
tcp 0 0 192.168.3.25:51502 192.168.3.25:389 TIME_WAIT 0 0 -
tcp 0 0 192.168.3.25:7071 171.249.111.38:59814 ESTABLISHED 998 24400608 -
tcp 0 0 192.168.3.25:47596 192.168.3.25:389 ESTABLISHED 998 22999984 7522/amavisd (ch4-a
tcp 0 0 192.168.3.25:389 192.168.3.25:47538 ESTABLISHED 998 23001698 -
tcp 0 0 192.168.3.25:11211 192.168.3.25:42180 ESTABLISHED 998 23649293 7378/memcached
tcp 0 0 192.168.3.25:389 192.168.3.25:47522 ESTABLISHED 998 23001403 -
tcp 0 0 192.168.3.25:11211 192.168.3.25:42182 ESTABLISHED 998 23649294 7378/memcached
tcp 0 0 192.168.3.25:49392 192.168.3.25:389 ESTABLISHED 998 23558639 -
tcp 0 0 192.168.3.25:389 192.168.3.25:47634 ESTABLISHED 998 23003549 -
tcp 0 0 192.168.3.25:389 192.168.3.25:47524 ESTABLISHED 998 22999429 -
tcp 0 0 192.168.3.25:42184 192.168.3.25:11211 ESTABLISHED 998 23648448 8863/nginx: worker
tcp 0 0 127.0.0.1:7306 127.0.0.1:33284 ESTABLISHED 998 22999822 7027/mysqld
tcp 0 0 192.168.3.25:389 192.168.3.25:47612 ESTABLISHED 998 23000012 -
tcp 0 0 127.0.0.1:33238 127.0.0.1:7306 ESTABLISHED 998 22995909 -
tcp 0 0 192.168.3.25:47684 192.168.3.25:389 ESTABLISHED 998 23003677 7514/amavisd (ch5-a
tcp 0 0 192.168.3.25:47524 192.168.3.25:389 ESTABLISHED 998 23001404 -
tcp 0 0 192.168.3.25:389 192.168.3.25:47530 ESTABLISHED 998 23002174 -
tcp 0 0 192.168.3.25:47590 192.168.3.25:389 ESTABLISHED 998 23002695 7525/amavisd (ch11-
tcp 0 0 192.168.3.25:389 192.168.3.25:47674 ESTABLISHED 998 23004234 -
tcp 0 0 192.168.3.25:47606 192.168.3.25:389 ESTABLISHED 998 23000724 7519/amavisd (ch5-a
tcp 0 0 192.168.3.25:47522 192.168.3.25:389 ESTABLISHED 998 22999428 -
tcp 0 0 192.168.3.25:389 192.168.3.25:47988 ESTABLISHED 998 23048031 -
tcp 0 0 127.0.0.1:7306 127.0.0.1:33288 ESTABLISHED 998 22999824 7027/mysqld
tcp 0 0 192.168.3.25:389 192.168.3.25:47426 ESTABLISHED 998 22966089 -
tcp 0 0 192.168.3.25:48556 192.168.3.25:389 ESTABLISHED 998 23284842 -
tcp 0 0 192.168.3.25:389 192.168.3.25:47596 ESTABLISHED 998 22999985 -
tcp 0 0 192.168.3.25:389 192.168.3.25:47504 ESTABLISHED 998 22995908 -
tcp 0 0 192.168.3.25:389 192.168.3.25:47568 ESTABLISHED 998 23002660 -
tcp 0 0 192.168.3.25:389 192.168.3.25:49672 ESTABLISHED 998 23627468 -
tcp 0 0 127.0.0.1:33288 127.0.0.1:7306 ESTABLISHED 998 23002112 -
tcp 0 0 192.168.3.25:51500 192.168.3.25:389 TIME_WAIT 0 0 -
tcp 0 0 192.168.3.25:389 192.168.3.25:49216 ESTABLISHED 998 23524552 -
tcp 0 0 192.168.3.25:47428 192.168.3.25:389 ESTABLISHED 998 22967394 5594/java
tcp 0 0 192.168.3.25:389 192.168.3.25:47532 ESTABLISHED 998 23001502 -
tcp 0 0 127.0.0.1:33286 127.0.0.1:7306 ESTABLISHED 998 23002110 -
tcp 0 0 192.168.3.25:47532 192.168.3.25:389 ESTABLISHED 998 23001501 -
tcp 0 0 192.168.3.25:47504 192.168.3.25:389 ESTABLISHED 998 22995907 -
tcp 0 0 192.168.3.25:47988 192.168.3.25:389 ESTABLISHED 998 23051337 -
tcp 0 0 192.168.3.25:47634 192.168.3.25:389 ESTABLISHED 998 23000788 7521/amavisd (ch6-a
tcp 0 0 192.168.3.25:47424 192.168.3.25:389 ESTABLISHED 998 22962167 5594/java
tcp 0 0 192.168.3.25:389 192.168.3.25:47590 ESTABLISHED 998 22999971 -
tcp 0 0 192.168.3.25:47426 192.168.3.25:389 ESTABLISHED 998 22962168 5594/java
tcp 0 0 192.168.3.25:42186 192.168.3.25:11211 ESTABLISHED 998 23648449 8862/nginx: worker
tcp 0 0 192.168.3.25:389 192.168.3.25:48556 ESTABLISHED 998 23282797 -
tcp 0 0 192.168.3.25:389 192.168.3.25:47684 ESTABLISHED 998 23004249 -
tcp 0 0 192.168.3.25:49216 192.168.3.25:389 ESTABLISHED 998 23520894 5594/java
tcp 0 0 192.168.3.25:47540 192.168.3.25:389 ESTABLISHED 998 23002345 8249/opendkim
tcp 0 0 192.168.3.25:389 192.168.3.25:47502 ESTABLISHED 998 22999287 -
tcp 0 0 192.168.3.25:47538 192.168.3.25:389 ESTABLISHED 998 23002344 8249/opendkim
tcp 0 0 127.0.0.1:7306 127.0.0.1:33238 ESTABLISHED 998 22996926 7027/mysqld
tcp 0 0 192.168.3.25:389 192.168.3.25:47428 ESTABLISHED 998 22967395 -
tcp 0 0 192.168.3.25:389 192.168.3.25:47580 ESTABLISHED 998 23002669 -
tcp 0 0 192.168.3.25:389 192.168.3.25:47540 ESTABLISHED 998 23001699 -
tcp 0 0 192.168.3.25:389 192.168.3.25:47606 ESTABLISHED 998 23000000 -
tcp 0 0 192.168.3.25:47568 192.168.3.25:389 ESTABLISHED 998 23000648 7511/amavisd (ch9-a
tcp 0 0 192.168.3.25:49672 192.168.3.25:389 ESTABLISHED 998 23627467 -
tcp 0 0 192.168.3.25:389 192.168.3.25:49392 ESTABLISHED 998 23563902 -
tcp 0 0 127.0.0.1:33284 127.0.0.1:7306 ESTABLISHED 998 23002109 -
tcp 0 0 192.168.3.25:11211 192.168.3.25:42186 ESTABLISHED 998 23649296 7378/memcached
tcp 0 0 192.168.3.25:11211 192.168.3.25:42184 ESTABLISHED 998 23649295 7378/memcached
tcp 0 0 192.168.3.25:47674 192.168.3.25:389 ESTABLISHED 998 23003666 7517/amavisd (ch3-a
tcp6 0 0 ::1:10024 :::* LISTEN 998 22999308 7453/amavisd (maste
tcp6 0 0 :::11211 :::* LISTEN 998 22998772 7378/memcached
[zimbra@mailsrv-zbr ~]$ lsof -P -n -i :25,465,389,636,7025,7047,80,8080,443,8443,110,7110,995,7995,143,7143,993,7993,3443,9443,7071,9071,7072,7306,7307,7780,10024,10025,11211
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 5594 zimbra 153u IPv4 22962167 0t0 TCP 192.168.3.25:47424->192.168.3.25:389 (ESTABLISHED)
java 5594 zimbra 155u IPv4 22962168 0t0 TCP 192.168.3.25:47426->192.168.3.25:389 (ESTABLISHED)
java 5594 zimbra 156u IPv4 22967394 0t0 TCP 192.168.3.25:47428->192.168.3.25:389 (ESTABLISHED)
java 5594 zimbra 157u IPv4 23520894 0t0 TCP 192.168.3.25:49216->192.168.3.25:389 (ESTABLISHED)
mysqld 7027 zimbra 22u IPv4 22999190 0t0 TCP 127.0.0.1:7306 (LISTEN)
mysqld 7027 zimbra 49u IPv4 22996926 0t0 TCP 127.0.0.1:7306->127.0.0.1:33238 (ESTABLISHED)
mysqld 7027 zimbra 291u IPv4 22999822 0t0 TCP 127.0.0.1:7306->127.0.0.1:33284 (ESTABLISHED)
mysqld 7027 zimbra 292u IPv4 22999823 0t0 TCP 127.0.0.1:7306->127.0.0.1:33286 (ESTABLISHED)
mysqld 7027 zimbra 293u IPv4 22999824 0t0 TCP 127.0.0.1:7306->127.0.0.1:33288 (ESTABLISHED)
memcached 7378 zimbra 26u IPv4 22998771 0t0 TCP *:11211 (LISTEN)
memcached 7378 zimbra 27u IPv6 22998772 0t0 TCP *:11211 (LISTEN)
memcached 7378 zimbra 28u IPv4 23649293 0t0 TCP 192.168.3.25:11211->192.168.3.25:42180 (ESTABLISHED)
memcached 7378 zimbra 29u IPv4 23649294 0t0 TCP 192.168.3.25:11211->192.168.3.25:42182 (ESTABLISHED)
memcached 7378 zimbra 30u IPv4 23649295 0t0 TCP 192.168.3.25:11211->192.168.3.25:42184 (ESTABLISHED)
memcached 7378 zimbra 31u IPv4 23649296 0t0 TCP 192.168.3.25:11211->192.168.3.25:42186 (ESTABLISHED)
/opt/zimb 7453 zimbra 4u IPv4 22999307 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7453 zimbra 6u IPv6 22999308 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 7511 zimbra 4u IPv4 22999307 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7511 zimbra 6u IPv6 22999308 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 7511 zimbra 22u IPv4 23000648 0t0 TCP 192.168.3.25:47568->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7514 zimbra 4u IPv4 22999307 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7514 zimbra 6u IPv6 22999308 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 7514 zimbra 22u IPv4 23003677 0t0 TCP 192.168.3.25:47684->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7516 zimbra 4u IPv4 22999307 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7516 zimbra 6u IPv6 22999308 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 7516 zimbra 22u IPv4 23002826 0t0 TCP 192.168.3.25:47652->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7517 zimbra 4u IPv4 22999307 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7517 zimbra 6u IPv6 22999308 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 7517 zimbra 22u IPv4 23003666 0t0 TCP 192.168.3.25:47674->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7518 zimbra 4u IPv4 22999307 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7518 zimbra 6u IPv6 22999308 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 7518 zimbra 22u IPv4 22999958 0t0 TCP 192.168.3.25:47580->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7519 zimbra 4u IPv4 22999307 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7519 zimbra 6u IPv6 22999308 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 7519 zimbra 22u IPv4 23000724 0t0 TCP 192.168.3.25:47606->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7521 zimbra 4u IPv4 22999307 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7521 zimbra 6u IPv6 22999308 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 7521 zimbra 22u IPv4 23000788 0t0 TCP 192.168.3.25:47634->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7522 zimbra 4u IPv4 22999307 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7522 zimbra 6u IPv6 22999308 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 7522 zimbra 22u IPv4 22999984 0t0 TCP 192.168.3.25:47596->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7525 zimbra 4u IPv4 22999307 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7525 zimbra 6u IPv6 22999308 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 7525 zimbra 22u IPv4 23002695 0t0 TCP 192.168.3.25:47590->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7526 zimbra 4u IPv4 22999307 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7526 zimbra 6u IPv6 22999308 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 7526 zimbra 22u IPv4 23000011 0t0 TCP 192.168.3.25:47612->192.168.3.25:389 (ESTABLISHED)
opendkim 8249 zimbra 3u IPv4 23002344 0t0 TCP 192.168.3.25:47538->192.168.3.25:389 (ESTABLISHED)
opendkim 8249 zimbra 4u IPv4 23002345 0t0 TCP 192.168.3.25:47540->192.168.3.25:389 (ESTABLISHED)
opendkim 8250 zimbra 3u IPv4 23002344 0t0 TCP 192.168.3.25:47538->192.168.3.25:389 (ESTABLISHED)
opendkim 8250 zimbra 4u IPv4 23002345 0t0 TCP 192.168.3.25:47540->192.168.3.25:389 (ESTABLISHED)
nginx 8861 zimbra 6u IPv4 23646084 0t0 TCP *:143 (LISTEN)
nginx 8861 zimbra 7u IPv4 23646085 0t0 TCP *:993 (LISTEN)
nginx 8861 zimbra 8u IPv4 23646086 0t0 TCP *:110 (LISTEN)
nginx 8861 zimbra 9u IPv4 23646087 0t0 TCP *:995 (LISTEN)
nginx 8861 zimbra 10u IPv4 23646088 0t0 TCP *:443 (LISTEN)
nginx 8861 zimbra 13u IPv4 23646102 0t0 TCP 192.168.3.25:42180->192.168.3.25:11211 (ESTABLISHED)
nginx 8862 zimbra 6u IPv4 23646084 0t0 TCP *:143 (LISTEN)
nginx 8862 zimbra 7u IPv4 23646085 0t0 TCP *:993 (LISTEN)
nginx 8862 zimbra 8u IPv4 23646086 0t0 TCP *:110 (LISTEN)
nginx 8862 zimbra 9u IPv4 23646087 0t0 TCP *:995 (LISTEN)
nginx 8862 zimbra 10u IPv4 23646088 0t0 TCP *:443 (LISTEN)
nginx 8862 zimbra 15u IPv4 23648449 0t0 TCP 192.168.3.25:42186->192.168.3.25:11211 (ESTABLISHED)
nginx 8863 zimbra 6u IPv4 23646084 0t0 TCP *:143 (LISTEN)
nginx 8863 zimbra 7u IPv4 23646085 0t0 TCP *:993 (LISTEN)
nginx 8863 zimbra 8u IPv4 23646086 0t0 TCP *:110 (LISTEN)
nginx 8863 zimbra 9u IPv4 23646087 0t0 TCP *:995 (LISTEN)
nginx 8863 zimbra 10u IPv4 23646088 0t0 TCP *:443 (LISTEN)
nginx 8863 zimbra 17u IPv4 23648448 0t0 TCP 192.168.3.25:42184->192.168.3.25:11211 (ESTABLISHED)
nginx 8864 zimbra 6u IPv4 23646084 0t0 TCP *:143 (LISTEN)
nginx 8864 zimbra 7u IPv4 23646085 0t0 TCP *:993 (LISTEN)
nginx 8864 zimbra 8u IPv4 23646086 0t0 TCP *:110 (LISTEN)
nginx 8864 zimbra 9u IPv4 23646087 0t0 TCP *:995 (LISTEN)
nginx 8864 zimbra 10u IPv4 23646088 0t0 TCP *:443 (LISTEN)
nginx 8864 zimbra 19u IPv4 23646103 0t0 TCP 192.168.3.25:42182->192.168.3.25:11211 (ESTABLISHED)
[zimbra@mailsrv-zbr ~]$
[zimbra@mailsrv-zbr ~]$ zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled zimbraReverseProxyLookupTarget zimbraReverseProxyHttpEnabled zimbraMailReferMode zimbraMailPort zimbraMailProxyPort zimbraMailSSLPort zimbraMailSSLProxyPort zimbraMailMode zimbraReverseProxyMailEnabled zimbraReverseProxyMailMode zimbraImapBindPort zimbraImapProxyBindPort zimbraImapSSLBindPort zimbraImapSSLProxyBindPort zimbraImapCleartextLoginEnabled zimbraPop3BindPort zimbraPop3ProxyBindPort zimbraPop3SSLBindPort zimbraPop3SSLProxyBindPort zimbraPop3CleartextLoginEnabled zimbraAdminPort zimbraAdminProxyPort zimbraReverseProxyAdminEnabled ; zmprov gs `zmhostname` zimbraServiceEnabled | egrep 'memcache|proxy|mailbox'
# name mailsrv-zbr.saigon-inttech.local
zimbraAdminPort: 7071
zimbraAdminProxyPort: 9071
zimbraImapBindPort: 7143
zimbraImapCleartextLoginEnabled: TRUE
zimbraImapProxyBindPort: 143
zimbraImapSSLBindPort: 7993
zimbraImapSSLProxyBindPort: 993
zimbraMailMode: https
zimbraMailPort: 8080
zimbraMailProxyPort: 80
zimbraMailReferMode: reverse-proxied
zimbraMailSSLPort: 8443
zimbraMailSSLProxyPort: 443
zimbraPop3BindPort: 7110
zimbraPop3CleartextLoginEnabled: TRUE
zimbraPop3ProxyBindPort: 110
zimbraPop3SSLBindPort: 7995
zimbraPop3SSLProxyBindPort: 995
zimbraReverseProxyAdminEnabled: FALSE
zimbraReverseProxyHttpEnabled: TRUE
zimbraReverseProxyLookupTarget: TRUE
zimbraReverseProxyMailEnabled: TRUE
zimbraReverseProxyMailMode: https
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbraServiceEnabled: mailbox
zimbraServiceEnabled: proxy
zimbraServiceEnabled: memcached
[zimbra@mailsrv-zbr ~]$
Everyone, please help. Thanks.