400 Bad Request - nginx

buiphezzz
Posts: 5
Joined: Fri Feb 22, 2019 6:12 am

Post by buiphezzz »

Hi everybody,

I am from Vietnam and my English is very bad, so I translated this topic with Google; there may be spelling errors, I am sorry, please excuse me.

Recently I deployed a Zimbra single-server, and when I deployed it I did not install Zimbra Proxy. But after using it for 1 week, I wanted to also deploy NextCloud for Drive in Zimbra, and then read in the documentation that it requires Zimbra Proxy.

So I installed Zimbra Proxy on the current server. When the deployment was complete, everything I tried worked well, except that the Zimbra web proxy service gives a "400 Bad Request" error; the non-proxy web service still works normally.

Can anyone tell me how to fix this problem?

Code:

[zimbra@mailsrv-zbr ~]$ zmproxyconf
# NGINX POP/IMAP proxy configuration file for use with Zimbra
#

working_directory /opt/zimbra;
# change UID/GID to zimbra/zimbra upon startup
#
user zimbra zimbra;

# number of worker processes to start
# multiply this by worker_connections to get the maximum number of connections
# that can be simultaneously handled by nginx (the product should not exceed
# 65536, since that is the 16-bit limit of the TCP port range)
#
worker_processes  4;

pid        /opt/zimbra/log/nginx.pid;
error_log  /opt/zimbra/log/nginx.log info;


events {
    # number of simultaneous connections that each worker process can
    # handle simultaneously
    # note that this number should not exceed the hard limit of the
    # RLIMIT_NOFILE resource limit that is set for the zimbra user, because
    # RLIMIT_NOFILE defines the maximum number of open file descriptors that
    # a process running as a user can have - by default, limits.conf on a
    # zimbra system will ensure that the zimbra user has more than 10k file
    # descriptors allowed for a zimbra process

    # (note) also see worker_rlimit_nofile at
    # http://wiki.codemongers.com/NginxMainModule#worker_rlimit_nofile
    #
    worker_connections  10240;
    accept_mutex        on;
}

# environment variables for worker processes
#

# Kerberos 5 keytab location
env KRB5_KTNAME=/opt/zimbra/conf/krb5.keytab;

memcache
{
    # memcached server configuration
    # configure one or more memcached servers that will cache the route
    # information for pop/imap users
    #
      servers   192.168.3.25:11211;


    # The time that NGINX will wait for a cached result from a memcached
    # server, after which the request will be considered timed out,
    # and NGINX will fall back to an http routing lookup handler
    #
    timeout     3000ms;

    # The amount of time that NGINX will wait before attempting to reconnect
    # to a memcache server that unexpectedly terminated (or shut down) its
    # connection with NGINX
    #
    reconnect   60000ms;

    # The time to live (TTL) for an entry added to the memcached server
    # This value represents the amount of time that the route information
    # that is cached into the memcached servers will be available, before
    # the memcached daemon expires it
    # Memcached expects the TTL for an entry to be specified in seconds,
    # therefore any value specified in milliseconds here will be rounded
    # up to the next integer value in seconds. If not specified, the TTL
    # defaults to 0, which indicates an infinite time to live for the
    # routing information
    #
    ttl         3600000ms;
}

zm_lookup {

    zm_lookup_handlers  https://192.168.3.25:7072/service/extension/nginx-lookup;

    # The timeout to lookup in the lookup handler. This timeout
    # does not include the time out accessing memcache, which is
    # controlled by "timeout" in nginx.conf.memecache.
    #
    zm_lookup_timeout   15000ms;

    # The interval that nginx will try to reconnect to a failed lookup handler.
    #
    zm_lookup_handler_retry_interval 60000ms;

    # Whether to turn on lookup result caching. This should always be
    # turned on in a production environment.
    #
    zm_lookup_caching   on;

    # master authenticating user for cases where nginx must authenticate
    # on behalf of the end user -- this is required in those sasl auth
    # mechanisms where the user's plain-text password is not available,
    # in these cases, after nginx has deemed that the user has authenticated
    # himself/herself correctly, then nginx will use the master auth user
    # name and master auth password, along with the end user's user name,
    # in order to log in to the upstream server
    # such authentication will be done as per the PLAIN sasl mechanism as
    # defined in RFC 4616
    # (presently, this feature is used in GSSAPI & cert auth)
    #
    zm_lookup_master_auth_username "zmnginx";
    zm_lookup_master_auth_password "sdjksxys";

    # Whether or not to cache unqualified login names in the "account-->route cache"
    # When this option is set "off", and the login name to be cached is unqualified,
    # the client IP will be appended to the login name in the format:
    # <login name>@<client ip>
    #
    zm_lookup_allow_unqualified   off;

    # URL prefix for the upstream server
    zm_prefix_url /;
}
mail
{
    # mail proxy connection timeout
    proxy_ctimeout              120000ms;

    # pass error messages from the backend server to the client
    # if true, the error messages are passed to the client verbatim, else
    # nginx logs the original error message in its log file and sends back
    # a generic error message to the client
    #
    proxy_pass_error_message    on;

    # HTTP lookup handlers that will return the route information for a
    # pop3/imap login
    #
    zm_auth_http;

    # Whether to use ssl to connect to the upstream mail servers
    #
    proxy_ssl on;

    # IMAP/POP3 greeting messages
    #
    imap_greeting            "";
    pop3_greeting            "";

    pop3_capabilities         "EXPIRE 31 USER" "TOP" "UIDL" "USER" "XOIP";
    imap_capabilities         "ACL" "BINARY" "CATENATE" "CHILDREN" "CONDSTORE" "ENABLE" "ESEARCH" "ESORT" "I18NLEVEL=1" "ID" "IDLE" "IMAP4rev1" "LIST-EXTENDED" "LIST-STATUS" "LITERAL+" "MULTIAPPEND" "NAMESPACE" "QRESYNC" "QUOTA" "RIGHTS=ektx" "SASL-IR" "SEARCHRES" "SORT" "THREAD=ORDEREDSUBJECT" "UIDPLUS" "UNSELECT" "WITHIN" "XLIST";

    # IMAP4 ID Extension support (RFC 2971)
    # Use the imap_id directive to specify the string that should be sent
    # back by the proxy server back to the client upon receipt of an
    # IMAP ID command as described by RFC 2971
    # There MUST be an even number of strings specified against
    # this directive, because RFC 2971 defines the server response to be
    # a list of field-value pairs (refer Formal Syntax, RFC 2971 Section 4)
    # Each string in this list should be enclosed within double quotes
    # If not quoted, they will be automatically quoted by nginx, but the
    # use of quotes allows the space character to be included within an
    # ID field or a value
    # The odd numbered strings are treated as ID fields, with the following
    # even-numbered string considered to be the ID value corresponding to
    # the field name
    # If omitted, the response to the ID command will be nil, which
    # according to RFC 2971, is permissible in lieu of the field-value list
    # The imap_id directive may be overridden in a server block
    #
    imap_id         "NAME" "Zimbra" "VERSION" "8.8.11_GA_3772" "RELEASE" "20190128052127";

    # Default realm (kerberos)
    # For GSSAPI authentication, when the server's realm is the same as
    # the default realm as defined in the default_realm variable in the
    # [libdefaults] section of krb5.conf, then in this case, the SASL
    # GSSAPI library strips off the realm portion from the authenticating
    # principal. Therefore, the default realm name must be specified here
    # so that NGINX can append it to the authenticating principal for GSSAPI
    #
    default_realm           "";

    # Resolve IP address to SASL server name (kerberos)
    # For GSSAPI, in cases of multi-homed hosts, it may be that the proxy
    # server has multiple network interfaces, and we wish to reverse map
    # the incoming interface IP address (via DNS) to a host name, which will
    # be used as the service principal
    # Set this to on if gssapi clients will connect to a proxy server using
    # different FQDNs. Otherwise, set it to off, and the fully qualified
    # host name of the proxy (as returned by hostname), will be used as the
    # service principal
    # If not specified, this configuration defaults to off
    #
    sasl_host_from_ip       off;

    # sasl_app_name
    # This is the application name which nginx will use when initializing
    # the SASL library using the call to sasl_server_init()
    # The SASL library is initialized once per process, the application name
    # provided here is used for where to find the default configuration file
    # If not specified, sasl_app_name defaults to "nginx"
    #
    sasl_app_name           "nginx";

    # Login rate limiting directives
    #

    # mail_login_ip_max
    #
    # Sets the maximum number of times that any user is allowed to log in from
    # a particular IP over POP or IMAP to this proxy server before the login is
    # rejected with an appropriate protocol specific bye response
    # This counter is cumulative for all users that appear to the proxy to be
    # logging in from the same IP address
    # If multiple users appear to the proxy to be logging in from the same IP
    # address (usual with NATing), then each of the different users' login will
    # contribute to increasing the hit counter for that IP address, and when the
    # counter eventually exceeds mail_login_ip_max, then the connections from
    # that IP address will be throttled
    # Therefore, all users from the same IP will contribute to
    # (and be affected by) this counter
    # Logins using all protocols (POP3/POP3S/IMAP/IMAPS) will affect this
    # counter, (the counter is aggregate for all protocols, *not* separate)
    # See notes accompanying the mail_login_ip_ttl for reasonable values for
    # this directive
    # If this value is set to 0, then no throttling will take place for any IP
    #
    mail_login_ip_max               0;

    # mail_login_ip_ttl
    #
    # Sets the time-to-live for the hit counter for IP login throttling
    # Used in conjunction with mail_login_ip_max, this defines the semantics
    # of the throttling for IP logins. Therefore, if this is set to 3600s, and
    # if mail_login_ip_max is set to 1000, then it means that NGINX should not
    # allow more than 1000 users to log in to the proxy from the same IP,
    # within the time interval of an hour (=3600s)
    # The semantics for such a configuration would then be -
    # "allow maximum 1000 users per hour from any given IP address"
    #
    mail_login_ip_ttl               3600000ms;

    # mail_login_ip_imap_max
    #
    # Sets the maximum number of times that any user is allowed to log in from
    # a particular IP over IMAP to this proxy server before the login is rejected
    # with an appropriate protocol specific bye response.
    #
    # This counter is cumulative for all users that appear to the proxy to be
    # logging in from the same IP address.
    # If multiple users appear to the proxy to be logging in from the same IP
    # address (usual with NATing), then each of the different users' login will
    # contribute to increasing the hit counter for that IP address, and when the
    # counter eventually exceeds mail_login_ip_imap_max, then the connections from
    # that IP address will be throttled
    # Therefore, all users from the same IP will contribute to
    # (and be affected by) this counter
    # Logins using the IMAP protocol (IMAP/IMAPS) will affect this
    # counter, (the counter is aggregate for IMAP)
    # See notes accompanying the mail_login_ip_imap_ttl for reasonable values for
    # this directive
    # If this value is set to 0, the handling of imap connections will fall back to
    # using the mail_login_ip_max setting
    #
    mail_login_ip_imap_max          0;

    # mail_login_ip_imap_ttl
    #
    # Sets the time-to-live for the hit counter for IMAP login throttling
    # Used in conjunction with mail_login_ip_imap_max, this defines the semantics
    # of the throttling for IMAP logins. Therefore, if this is set to 3600s, and
    # if mail_login_ip_imap_max is set to 1000, then it means that NGINX should not
    # allow more than 1000 IMAP users to log in to the proxy from the same IP,
    # within the time interval of an hour (=3600s)
    # The semantics for such a configuration would then be -
    # "allow maximum 1000 IMAP users per hour from any given IP address"
    #
    mail_login_ip_imap_ttl          3600000ms;

    # mail_login_ip_pop3_max
    #
    # Sets the maximum number of times that any user is allowed to log in from
    # a particular IP over POP3 to this proxy server before the login is rejected
    # with an appropriate protocol specific bye response.
    #
    # This counter is cumulative for all users that appear to the proxy to be
    # logging in from the same IP address.
    # If multiple users appear to the proxy to be logging in from the same IP
    # address (usual with NATing), then each of the different users' login will
    # contribute to increasing the hit counter for that IP address, and when the
    # counter eventually exceeds mail_login_ip_pop3_max, then the connections from
    # that IP address will be throttled
    # Therefore, all users from the same IP will contribute to
    # (and be affected by) this counter
    # Logins using the POP3 protocol (POP3/POP3S) will affect this
    # counter, (the counter is aggregate for POP3)
    # See notes accompanying the mail_login_ip_pop3_ttl for reasonable values for
    # this directive
    # If this value is set to 0, the handling of pop3 connections will fall back to
    # using the mail_login_ip_max setting
    #
    mail_login_ip_pop3_max          0;

    # mail_login_ip_pop3_ttl
    #
    # Sets the time-to-live for the hit counter for POP3 login throttling
    # Used in conjunction with mail_login_ip_pop3_max, this defines the semantics
    # of the throttling for POP3 logins. Therefore, if this is set to 3600s, and
    # if mail_login_ip_pop3_max is set to 1000, then it means that NGINX should not
    # allow more than 1000 POP3 users to log in to the proxy from the same IP,
    # within the time interval of an hour (=3600s)
    # The semantics for such a configuration would then be -
    # "allow maximum 1000 POP3 users per hour from any given IP address"
    #
    mail_login_ip_pop3_ttl          3600000ms;

    # Define a textual message that should be displayed to the user when
    # his/her connection is rejected based on IP overusage
    # This message will be encapsulated in the proper protocol specific
    # response to the client ("* BYE" for IMAP, and "-ERR" for POP3)
    #
    mail_login_ip_rejectmsg         "Login rejected from this IP";

    # Similar semantics for Rate Limiting User Logins
    # Setting mail_login_user_max to 100 and mail_login_user_ttl to 3600s
    # implies "allow maximum 100 logins per hour for any user"
    # As with the ip counterparts, the user hit counter and timeout are
    # cumulative for all protocols
    # Also, for a given user's login, both counters are checked in succession,
    # with the IP counter being checked first
    # A login may be rejected (throttled) because the IP is over-usage, or
    # because the login name itself is over-usage
    # A value of 0 indicates that no throttling will take place for any user
    #
    mail_login_user_max             0;
    mail_login_user_ttl             3600000ms;
    mail_login_user_rejectmsg       "Login rejected for this user";

    # List of servers to which no ip throttling will be done


    # Sets the time-to-live of the list of servers for which no ip throttling
    # will be done
    mail_whitelist_ip_ttl   300;

    # Issue POP3 XOIP before logging in to upstream (Audit purposes)
    #
    proxy_issue_pop3_xoip   on;

    # Issue IMAP ID before logging in to upstream (Audit purposes)
    #
    proxy_issue_imap_id     on;

    # Supported SASL Authentication mechanisms
    #
    # Use the pop3_auth and imap_auth to specify which SASL mechanisms are
    # enabled for POP and IMAP respectively
    # These directives may be specified at mail{} level, or overridden at
    # server{} level
    # Even though an authentication mechanism may be listed against
    # pop3_auth and/or imap_auth, it may or may not be available depending
    # on whether cleartext login is available (see description for starttls)
    # For example, if starttls is set to only, then SASL PLAIN is not
    # available outside of TLS/SSL
    # SASL mechanisms may be specified all on one line (space separated)
    # against pop3_auth, or they may be specified on a separate line
    # Specifying the SASL mechanisms on a separate line has the advantage
    # that they can be enabled/disabled separately by zmmtaconfig using
    # different LDAP attributes
    # Currently, only PLAIN and GSSAPI mechanisms are supported
    #
    imap_auth          plain;
    #imap_auth         gssapi;

    pop3_auth          plain;
    #pop3_auth         gssapi;

    # Specify whether to use literal strings while issuing the LOGIN command
    # to the upstream server. If set to on, then it means that NGINX will use
    # literal strings to log in to the upstream server, and so the upstream
    # MUST support literal strings
    # If set to off, then NGINX uses quoted strings to log in to the upstream
    # server when using the LOGIN command
    # If not specified, imap_literalauth defaults to on
    #
    imap_literalauth        on;

    # Auth Wait Interval
    # Specifies the time interval that NGINX will wait before rejecting an
    # authentication attempt to the upstream mail server with invalid credentials.
    # This value is not related to the wait time when Zimbra lookup handler replies
    # some login error, which is controlled by the "Auth-Wait" header returned by the
    # lookup handler.
    # If not specified, this value defaults to 10 seconds.
    #
    zm_auth_wait               10000ms;

    # TLS configuration
    #
    ssl_prefer_server_ciphers   on;
    ssl_certificate     /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key /opt/zimbra/conf/nginx.key;

    # SSL Protocols & Ciphers configuration
    # Enabled protocols & Permitted ciphers. Ciphers are assigned in the formats supported by OpenSSL
    #
    ssl_protocols            TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers             ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;

    # SSL ECDH cipher curve configuration
    ssl_ecdh_curve          prime256v1;

# IMAP proxy configuration
#
server
{
    server_name             mail.saigon-inttech.com;
    #listen                  113.176.64.96:143 ipv6only=off;
    listen                  113.176.64.96:143;
    #listen                  113.176.64.96:143;
    protocol                imap;
    proxy                   on;
    timeout                 60;
    proxy_timeout           2100;
    sasl_service_name       "imap";
    starttls                only;
    ssl_certificate         /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key     /opt/zimbra/conf/nginx.key;
}


# IMAP proxy default configuration
#
server
{
    #listen                  [::]:143 ipv6only=off;
    listen                143;
    #listen                [::]:143;
    ssl_dhparam         /opt/zimbra/conf/dhparam.pem;
    protocol                imap;
    proxy                   on;
    timeout                 60;
    proxy_timeout           2100;
    sasl_service_name       "imap";
    starttls                only;
    ssl_certificate         /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key     /opt/zimbra/conf/nginx.key;
}
# IMAPS proxy configuration
#
server
{
    server_name         mail.saigon-inttech.com;
    #listen              113.176.64.96:993 ipv6only=off;
    listen            113.176.64.96:993;
    #listen            113.176.64.96:993;
    protocol            imap;
    proxy               on;
    timeout             60;
    proxy_timeout       2100;
    ssl                 on;
    ssl_certificate     /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key /opt/zimbra/conf/nginx.key;
    sasl_service_name   "imap";
}


# IMAPS proxy default configuration
#
server
{
    #listen                  [::]:993 ipv6only=off;
    listen                993;
    #listen                [::]:993;
    ssl_dhparam         /opt/zimbra/conf/dhparam.pem;
    protocol            imap;
    proxy               on;
    timeout             60;
    proxy_timeout       2100;
    ssl                 on;
    ssl_certificate     /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key /opt/zimbra/conf/nginx.key;
    sasl_service_name   "imap";
}

# POP3 proxy configuration
#
server
{
    server_name             mail.saigon-inttech.com;
    #listen                  113.176.64.96:110 ipv6only=off;
    listen                  113.176.64.96:110;
    #listen                  113.176.64.96:110;
    protocol                pop3;
    proxy                   on;
    timeout                 60;
    proxy_timeout           60;
    sasl_service_name       "pop";
    starttls                only;
    ssl_certificate         /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key     /opt/zimbra/conf/nginx.key;
}


# POP3 proxy default configuration
#
server
{
    #listen                  [::]:110 ipv6only=off;
    listen                110;
    #listen                [::]:110;
    ssl_dhparam         /opt/zimbra/conf/dhparam.pem;
    protocol                pop3;
    proxy                   on;
    timeout                 60;
    proxy_timeout           60;
    sasl_service_name       "pop";
    starttls                only;
    ssl_certificate         /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key     /opt/zimbra/conf/nginx.key;
}


# POP3S proxy configuration
#
server
{
    server_name         mail.saigon-inttech.com;
    #listen              113.176.64.96:995 ipv6only=off;
    listen            113.176.64.96:995;
    #listen            113.176.64.96:995;
    protocol            pop3;
    proxy               on;
    timeout             60;
    proxy_timeout       60;
    ssl                 on;
    ssl_certificate     /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key /opt/zimbra/conf/nginx.key;
    sasl_service_name   "pop";
}


# POP3S proxy default configuration
#
server
{
    #listen              [::]:995 ipv6only=off;
    listen            995;
    #listen            [::]:995;
    ssl_dhparam     /opt/zimbra/conf/dhparam.pem;
    protocol            pop3;
    proxy               on;
    timeout             60;
    proxy_timeout       60;
    ssl                 on;
    ssl_certificate     /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key /opt/zimbra/conf/nginx.key;
    sasl_service_name   "pop";
}

}
http
{
    # disable nginx version on error pages
    server_tokens off;

    upstream_fair_shm_size 32k;

    root /opt/zimbra/data/nginx/html;

    # You need to customize these two values by setting local config
    # proxy_server_names_hash_max_size and proxy_names_hash_bucket_size
    # when too many virtual host names are added
    server_names_hash_max_size 512;
    server_names_hash_bucket_size 64;

    # Define whether nginx will match exact server version against the
    # version received in the client request. Defaults to 'on'
    # Setting this to off will make nginx compare only the major and minor
    # server versions (eg. all 8.5.x will be treated same by nginx)
    exact_version_check on;

    # Define the collection of upstream HTTP webclient servers to which we will proxy
    # Define each server:port against a server directive
    #
    upstream zimbra_webclient
    {
        server    mailsrv-zbr.saigon-inttech.local:8080 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth;
    }

    #  Define the collection of upstream HTTP servers to which we will proxy
    #  Define each server:port against a server directive
    #
    upstream zimbra
    {
        server    mailsrv-zbr.saigon-inttech.local:8080 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth;
    }

    #  Define the collection of upstream HTTPS webclient servers to which we will proxy
    #  Define each server:port against a server directive
    #
    upstream zimbra_ssl_webclient
    {
        server    mailsrv-zbr.saigon-inttech.local:8443 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth;
    }

    #  Define the collection of upstream HTTPS servers to which we will proxy
    #  Define each server:port against a server directive
    upstream zimbra_ssl
    {
        server    mailsrv-zbr.saigon-inttech.local:8443 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth;
    }

    #  Define the collection of upstream HTTP servers to dedicated zx port of jetty
    upstream zx
    {
        server    mailsrv-zbr.saigon-inttech.local:8742 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth;
    }

    #  Define the collection of upstream HTTPS servers to dedicated zx ssl port of jetty
    upstream zx_ssl
    {
        server    mailsrv-zbr.saigon-inttech.local:8743 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth;
    }

    #  Define the collection of upstream admin client servers to which we will
    #  proxy. Define each server:port against a server directive
    #
    upstream zimbra_adminclient
    {
        server    mailsrv-zbr.saigon-inttech.local:7071 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth_admin;
    }

    #  Define the collection of upstream admin console servers to which we will
    #  proxy. Define each server:port against a server directive
    #
    upstream zimbra_admin
    {
        server    mailsrv-zbr.saigon-inttech.local:7071 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth_admin;
    }


    #  Define the collection of upstream HTTP EWS servers to which we will
    #  proxy EWS request. Define each server:port against a server directive
    #
    # upstream zimbra_ews
    # {
    #
    #    zmauth;
    # }

    #  Define the collection of upstream HTTPS EWS servers to which we will
    #  proxy EWS request. Define each server:port against a server directive
    #
    # upstream zimbra_ews_ssl
    # {
    #
    #    zmauth;
    # }

    #  Define the collection of upstream HTTP Login servers to which we will
    #  proxy login request. Define each server:port against a server directive
    #
     upstream zimbra_login
     {
        server    mailsrv-zbr.saigon-inttech.local:8080 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth;
     }

    #  Define the collection of upstream HTTPS Login servers to which we will
    #  proxy login request. Define each server:port against a server directive
    #
     upstream zimbra_login_ssl
     {
        server    mailsrv-zbr.saigon-inttech.local:8443 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth;
     }

    # Enable Access logs for web traffic
    log_format upstream '$remote_addr:$remote_port - $remote_user [$time_local]  '
      '"$request_method $scheme://$host$request_uri $server_protocol" $status $bytes_sent '
      '"$http_referer" "$http_user_agent" "$upstream_addr" "$server_addr:$server_port"';
    access_log /opt/zimbra/log/nginx.access.log upstream;

    # Set proxy timeout
    proxy_connect_timeout 25;
    proxy_read_timeout 60;
    proxy_send_timeout 60;

    # Custom error pages for upstream connection errors
    error_page 502 /zmerror_upstream_502.html;
    error_page 504 /zmerror_upstream_504.html;


    #ssl_client_certificate  /opt/zimbra/conf/nginx.client.ca.crt;

    # turn on tcp keepalive
    tcp_keepalive on;

    #include /opt/zimbra/conf/nginx/includes/nginx.conf.web.http;
    #include /opt/zimbra/conf/nginx/includes/nginx.conf.web.http.default;
# HTTPS Proxy Configuration
#
server
{
    server_name             mail.saigon-inttech.com;
    #listen                  113.176.64.96:443 ipv6only=off;
    listen                  113.176.64.96:443;
    #listen                  113.176.64.96:443;

    client_max_body_size    0;
    ssl                     on;
    ssl_protocols            TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache       shared:SSL:10m;
    ssl_session_timeout     600;
    ssl_ciphers             ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
    ssl_ecdh_curve          prime256v1;
    ssl_certificate         /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key     /opt/zimbra/conf/nginx.key;
    ssl_verify_client       off;
    proxy_ssl_protocols            TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers             ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
    ssl_dhparam             /opt/zimbra/conf/dhparam.pem;
# HTTPS Mode Configuration For HTTPS

    set $login_upstream     https://zimbra_login_ssl;
    if ($http_cookie ~ "ZM_AUTH_TOKEN=") {
        set $login_upstream    https://zimbra_ssl_webclient;
    }

     location = //
     {
         set $mailhostport 8080;   # replace this with *the* mailhost port
         set $relhost $host;

         if ($mailhostport != 80) {   # standard HTTP port, do not replace
             set $relhost $host:$mailhostport;
         }

         # Proxy to Zimbra Login Upstream
         proxy_pass          $login_upstream;

         # For audit
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

         # For Virtual Hosting
         set $virtual_host $http_host;
         if ($virtual_host = '') {
            set $virtual_host $server_name:$server_port;
         }
         proxy_set_header Host            $virtual_host;

         # Location header fudging
         # Because NGINX SSL speaks plain HTTP to upstream, therefore any
         # redirects to http:// coming from the upstream need to be fudged
         # to https://
         #
         proxy_redirect http://$http_host/ https://$http_host/;

         # Fudge inter-mailbox redirects (kludge)
         proxy_redirect http://$relhost/ https://$http_host/;
     }

     location = /
     {
         set $mailhostport 8080;   # replace this with *the* mailhost port
         set $relhost $host;

         if ($mailhostport != 80) {   # standard HTTP port, do not replace
             set $relhost $host:$mailhostport;
         }

         # Proxy to Zimbra Login Upstream
         proxy_pass          $login_upstream;

         # For audit
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

         # For Virtual Hosting
         set $virtual_host $http_host;
         if ($virtual_host = '') {
            set $virtual_host $server_name:$server_port;
         }
         proxy_set_header Host            $virtual_host;

         # Location header fudging
         # Because NGINX SSL speaks plain HTTP to upstream, therefore any
         # redirects to http:// coming from the upstream need to be fudged
         # to https://
         #
         proxy_redirect http://$http_host/ https://$http_host/;

         # Fudge inter-mailbox redirects (kludge)
         proxy_redirect http://$relhost/ https://$http_host/;
     }

    location /
    {
        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Webclient Upstream
        proxy_pass       https://zimbra_ssl_webclient;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_name:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    #For long polling of Microsoft ActiveSync
    location ^~ /Microsoft-Server-ActiveSync
    {
        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Upstream
        proxy_pass          https://zimbra_ssl;
        proxy_read_timeout  3600;
        proxy_buffering     off;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_name:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    location ^~ /zx/ws-
    {
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass https://zx_ssl;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $http_host;
      proxy_http_version 1.1;
    }

    location ^~ /zx/
    {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://zx_ssl;
    }

    # For NoOpRequest
    location ^~ /service/soap/NoOpRequest {

        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Upstream
        proxy_pass          https://zimbra_ssl;
        proxy_read_timeout  1220;
        proxy_buffering     off;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_name:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    # For WaitSetRequest
    location ^~ /service/soap/WaitSetRequest {

        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Upstream
        proxy_pass          https://zimbra_ssl;
        proxy_read_timeout  1220;
        proxy_buffering     off;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_name:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    location ^~ /autodiscover
    {
        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        set $autodiscover_upstream     https://zimbra_ssl;
        #    if ($http_user_agent ~ "ExchangeWebServices") {
        #       set $autodiscover_upstream    https://zimbra_ews_ssl;
        #    }

        # End stray redirect hack

        # Proxy to Zimbra Mailbox Upstream
        proxy_pass       $autodiscover_upstream;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_name:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    location ^~ /nginx_status {
        # Location block to enable the stub status module

        stub_status on;
        access_log off;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

    # location ^~ /http-bind
    # {
    #     # Proxy to external XMPP server
    #     proxy_pass          http://:0;
    #     proxy_read_timeout  90;
    #     proxy_buffering     off;
    #
    #     # For audit
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #
    #     # For Virtual Hosting
    #     set $virtual_host $http_host;
    #     if ($virtual_host = '') {
    #         set $virtual_host $server_addr:$server_port;
    #     }
    #     proxy_set_header Host            $virtual_host;
    # }

    # location ~* ^/ews/Exchange.asmx
    # {
    #     # Proxy to Zimbra Upstream
    #     proxy_pass          https://zimbra_ews_ssl;
    #     proxy_read_timeout  3600;
    #     proxy_buffering     off;
    #
    #     # For audit
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #
    #     # For Virtual Hosting
    #     set $virtual_host $http_host;
    #     if ($virtual_host = '') {
    #        set $virtual_host $server_name:$server_port;
    #     }
    #     proxy_set_header Host            $virtual_host;
    #
    #     # Location header fudging
    #     # Because NGINX SSL speaks plain HTTP to upstream, therefore any
    #     # redirects to http:// coming from the upstream need to be fudged
    #     # to https://
    #     #
    #     proxy_redirect http://$http_host/ https://$http_host/;
    #
    #     # Fudge inter-mailbox redirects (kludge)
    #     proxy_redirect http://$relhost/ https://$http_host/;
    # }

    location ~* /(service|principals|dav|\.well-known|home|octopus|shf|user|certauth|spnegoauth|(zimbra/home)|(zimbra/user))/
    {
        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Mailbox Upstream
        proxy_pass       https://zimbra_ssl;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_name:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    location ~* ^/zmerror_.*\.html$ {
        # for custom error pages, internal use only
        internal;
    }

}


# HTTPS Proxy Default Configuration

# Strict servername enforcing block
# Enabled/disabled through the 'zimbraReverseProxyStrictServerName' configuration item
# The $\{listen.:addresses\} is NOT demarcated with web.strict.servername on purpose.
server {
    #listen                  [::]:443 default_server ipv6only=off;
    listen                443 default_server;
    #listen                [::]:443 default_server;
    server_name _;

    # Listen addresses extracted from `zimbraVirtualIPAddress` on each domain

    # Listen addresses extracted from `zimbraVirtualIPAddress` on each domain

    ssl                     on;
    ssl_protocols            TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache       shared:SSL:10m;
    ssl_session_timeout     600;
    ssl_ciphers             ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
    ssl_ecdh_curve          prime256v1;
    ssl_certificate         /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key     /opt/zimbra/conf/nginx.key;
    ssl_verify_client       off;
    ssl_verify_depth        10;
    ssl_dhparam             /opt/zimbra/conf/dhparam.pem;
    # Any request whose Host header matches none of the server_name values
    # in the blocks below (for example the bare IP address, or an alias that
    # was not added to the server_name line) is caught by this default_server
    # and answered with a plain "400 Bad Request" instead of being proxied.
    return 400;
}

server
{
    #listen                  [::]:443 ipv6only=off;
    listen                443;
    #listen                [::]:443;


    server_name             mailsrv-zbr.saigon-inttech.local; # add aliases and perhaps public
    client_max_body_size    0;
    ssl                     on;
    ssl_protocols            TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache       shared:SSL:10m;
    ssl_session_timeout     600;
    ssl_ciphers             ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
    ssl_ecdh_curve          prime256v1;
    ssl_certificate         /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key     /opt/zimbra/conf/nginx.key;
    ssl_verify_client       off;
    ssl_verify_depth        10;
    proxy_ssl_protocols            TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers             ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
    ssl_dhparam             /opt/zimbra/conf/dhparam.pem;
# HTTPS Mode Configuration For HTTPS

    set $login_upstream     https://zimbra_login_ssl;
    if ($http_cookie ~ "ZM_AUTH_TOKEN=") {
        set $login_upstream    https://zimbra_ssl_webclient;
    }

     location = //
     {
         set $mailhostport 8080;   # replace this with *the* mailhost port
         set $relhost $host;

         if ($mailhostport != 80) {   # standard HTTP port, do not replace
             set $relhost $host:$mailhostport;
         }

         # Proxy to Zimbra Login Upstream
         proxy_pass          $login_upstream;

         # For audit
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

         # For Virtual Hosting
         set $virtual_host $http_host;
         if ($virtual_host = '') {
            set $virtual_host $server_addr:$server_port;
         }
         proxy_set_header Host            $virtual_host;

         # Location header fudging
         # Because NGINX SSL speaks plain HTTP to upstream, therefore any
         # redirects to http:// coming from the upstream need to be fudged
         # to https://
         #
         proxy_redirect http://$http_host/ https://$http_host/;

         # Fudge inter-mailbox redirects (kludge)
         proxy_redirect http://$relhost/ https://$http_host/;
     }

     location = /
     {
         set $mailhostport 8080;   # replace this with *the* mailhost port
         set $relhost $host;

         if ($mailhostport != 80) {   # standard HTTP port, do not replace
             set $relhost $host:$mailhostport;
         }

         # Proxy to Zimbra Login Upstream
         proxy_pass          $login_upstream;

         # For audit
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

         # For Virtual Hosting
         set $virtual_host $http_host;
         if ($virtual_host = '') {
            set $virtual_host $server_addr:$server_port;
         }
         proxy_set_header Host            $virtual_host;

         # Location header fudging
         # Because NGINX SSL speaks plain HTTP to upstream, therefore any
         # redirects to http:// coming from the upstream need to be fudged
         # to https://
         #
         proxy_redirect http://$http_host/ https://$http_host/;

         # Fudge inter-mailbox redirects (kludge)
         proxy_redirect http://$relhost/ https://$http_host/;
     }

    location /
    {
        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Webclient Upstream
        proxy_pass       https://zimbra_ssl_webclient;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_addr:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    #For long polling of Microsoft ActiveSync
    location ^~ /Microsoft-Server-ActiveSync
    {
        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Upstream
        proxy_pass          https://zimbra_ssl;
        proxy_read_timeout  3600;
        proxy_buffering     off;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_addr:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    location ^~ /zx/ws-
    {
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass https://zx_ssl;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $http_host;
      proxy_http_version 1.1;
    }

    location ^~ /zx/
    {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://zx_ssl;
    }

    # For NoOpRequest
    location ^~ /service/soap/NoOpRequest {

        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Upstream
        proxy_pass          https://zimbra_ssl;
        proxy_read_timeout  1220;
        proxy_buffering     off;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_addr:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    # For WaitSetRequest
    location ^~ /service/soap/WaitSetRequest {

        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Upstream
        proxy_pass          https://zimbra_ssl;
        proxy_read_timeout  1220;
        proxy_buffering     off;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_addr:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    location ^~ /autodiscover
    {
        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        set $autodiscover_upstream     https://zimbra_ssl;
        #    if ($http_user_agent ~ "ExchangeWebServices") {
        #       set $autodiscover_upstream    https://zimbra_ews_ssl;
        #    }

        # End stray redirect hack

        # Proxy to Zimbra Mailbox Upstream
        proxy_pass       $autodiscover_upstream;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_addr:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    location ^~ /nginx_status {
        # Location block to enable the stub status module

        stub_status on;
        access_log off;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

    # location ^~ /http-bind
    # {
    #     # Proxy to external XMPP server
    #     proxy_pass          http://:0;
    #     proxy_read_timeout  90;
    #     proxy_buffering     off;
    #
    #     # For audit
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #
    #     # For Virtual Hosting
    #     set $virtual_host $http_host;
    #     if ($virtual_host = '') {
    #         set $virtual_host $server_addr:$server_port;
    #     }
    #     proxy_set_header Host            $virtual_host;
    # }

    # location ~* ^/ews/Exchange.asmx
    # {
    #     # Proxy to Zimbra Upstream
    #     proxy_pass          https://zimbra_ews_ssl;
    #     proxy_read_timeout  3600;
    #     proxy_buffering     off;
    #
    #     # For audit
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #
    #     # For Virtual Hosting
    #     set $virtual_host $http_host;
    #     if ($virtual_host = '') {
    #        set $virtual_host $server_addr:$server_port;
    #     }
    #     proxy_set_header Host            $virtual_host;
    #
    #     # Location header fudging
    #     # Because NGINX SSL speaks plain HTTP to upstream, therefore any
    #     # redirects to http:// coming from the upstream need to be fudged
    #     # to https://
    #     #
    #     proxy_redirect http://$http_host/ https://$http_host/;
    #
    #     # Fudge inter-mailbox redirects (kludge)
    #     proxy_redirect http://$relhost/ https://$http_host/;
    # }

    location ~* /(service|principals|dav|\.well-known|home|octopus|shf|user|certauth|spnegoauth|(zimbra/home)|(zimbra/user))/
    {
        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Mailbox Upstream
        proxy_pass       https://zimbra_ssl;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_addr:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    location ~* ^/zmerror_.*\.html$ {
        # for custom error pages, internal use only
        internal;
    }

}
    #include /opt/zimbra/conf/nginx/includes/nginx.conf.web.sso;
    #include /opt/zimbra/conf/nginx/includes/nginx.conf.web.sso.default;
    #include /opt/zimbra/conf/nginx/includes/nginx.conf.web.admin;
    #include /opt/zimbra/conf/nginx/includes/nginx.conf.web.admin.default;
}

# Don't edit the below comment

#__SUCCESS__
[zimbra@mailsrv-zbr ~]$

[zimbra@mailsrv-zbr ~]$ lsof -i :443
COMMAND  PID   USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
nginx   8861 zimbra   10u  IPv4 23646088      0t0  TCP *:https (LISTEN)
nginx   8862 zimbra   10u  IPv4 23646088      0t0  TCP *:https (LISTEN)
nginx   8863 zimbra   10u  IPv4 23646088      0t0  TCP *:https (LISTEN)
nginx   8864 zimbra   10u  IPv4 23646088      0t0  TCP *:https (LISTEN)
[zimbra@mailsrv-zbr ~]$ lsof -i :11211
COMMAND    PID   USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
memcached 7378 zimbra   26u  IPv4 22998771      0t0  TCP *:memcache (LISTEN)
memcached 7378 zimbra   27u  IPv6 22998772      0t0  TCP *:memcache (LISTEN)
memcached 7378 zimbra   28u  IPv4 23649293      0t0  TCP mailsrv-zbr.saigon-inttech.local:memcache->mailsrv-zbr.saigon-inttech.local:42180 (ESTABLISHED)
memcached 7378 zimbra   29u  IPv4 23649294      0t0  TCP mailsrv-zbr.saigon-inttech.local:memcache->mailsrv-zbr.saigon-inttech.local:42182 (ESTABLISHED)
memcached 7378 zimbra   30u  IPv4 23649295      0t0  TCP mailsrv-zbr.saigon-inttech.local:memcache->mailsrv-zbr.saigon-inttech.local:42184 (ESTABLISHED)
memcached 7378 zimbra   31u  IPv4 23649296      0t0  TCP mailsrv-zbr.saigon-inttech.local:memcache->mailsrv-zbr.saigon-inttech.local:42186 (ESTABLISHED)
nginx     8861 zimbra   13u  IPv4 23646102      0t0  TCP mailsrv-zbr.saigon-inttech.local:42180->mailsrv-zbr.saigon-inttech.local:memcache (ESTABLISHED)
nginx     8862 zimbra   15u  IPv4 23648449      0t0  TCP mailsrv-zbr.saigon-inttech.local:42186->mailsrv-zbr.saigon-inttech.local:memcache (ESTABLISHED)
nginx     8863 zimbra   17u  IPv4 23648448      0t0  TCP mailsrv-zbr.saigon-inttech.local:42184->mailsrv-zbr.saigon-inttech.local:memcache (ESTABLISHED)
nginx     8864 zimbra   19u  IPv4 23646103      0t0  TCP mailsrv-zbr.saigon-inttech.local:42182->mailsrv-zbr.saigon-inttech.local:memcache (ESTABLISHED)
[zimbra@mailsrv-zbr ~]$ netstat -anltp | egrep '^tcp' | grep LISTEN | awk '{print $4 " "$7}' | sed -e 's/.*://' | sort -n | uniq
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)

22 -
25 -
53 -
389 -
465 -
587 -
953 -
3310 7902/clamd
5222 -
5269 -
7025 -
7071 -
7072 -
7073 -
7110 -
7143 -
7171 5594/java
7306 7027/mysqld
7993 -
7995 -
8080 -
8443 -
8465 8250/opendkim
10024 7453/amavisd
10025 -
10026 7453/amavisd
10027 -
10028 -
10029 -
10030 -
10032 7453/amavisd
11211 7378/memcached
23232 7421/perl
23233 7423/perl
[zimbra@mailsrv-zbr ~]$ netstat -anelpt | egrep ':25|:465|:389|:636|:7025|:7047|:80|:8080|:443|:8443|:110|:7110|:995|:7995|:143|:7143|:993|:7993|:3443|:9443|:7071|:9071|:7072|:7306|:7307|:7780|:10024|:10025|:11211'
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:7143            0.0.0.0:*               LISTEN      0          22999241   -
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      998        22999307   7453/amavisd (maste
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      0          23001904   -
tcp        0      0 127.0.0.1:7306          0.0.0.0:*               LISTEN      998        22999190   7027/mysqld
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      998        22998771   7378/memcached
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      0          23646086   8861/nginx: worker
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      0          23646084   8861/nginx: worker
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      0          22999229   -
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      0          23001805   -
tcp        0      0 0.0.0.0:7025            0.0.0.0:*               LISTEN      0          22999243   -
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      0          23001793   -
tcp        0      0 0.0.0.0:7993            0.0.0.0:*               LISTEN      0          22999242   -
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          23646088   8861/nginx: worker
tcp        0      0 0.0.0.0:7995            0.0.0.0:*               LISTEN      0          22999240   -
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      0          22999237   -
tcp        0      0 0.0.0.0:7071            0.0.0.0:*               LISTEN      0          22999238   -
tcp        0      0 0.0.0.0:7072            0.0.0.0:*               LISTEN      0          22996855   -
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      0          23646085   8861/nginx: worker
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      0          23646087   8861/nginx: worker
tcp        0      0 192.168.3.25:389        0.0.0.0:*               LISTEN      0          22967372   -
tcp        0      0 0.0.0.0:7110            0.0.0.0:*               LISTEN      0          22999239   -
tcp        0      0 192.168.3.25:42180      192.168.3.25:11211      ESTABLISHED 998        23646102   8861/nginx: worker
tcp        0      0 127.0.0.1:7306          127.0.0.1:33286         ESTABLISHED 998        22999823   7027/mysqld
tcp        0      0 192.168.3.25:47612      192.168.3.25:389        ESTABLISHED 998        23000011   7526/amavisd (ch3-a
tcp        0      0 192.168.3.25:42182      192.168.3.25:11211      ESTABLISHED 998        23646103   8864/nginx: worker
tcp        0      0 192.168.3.25:47580      192.168.3.25:389        ESTABLISHED 998        22999958   7518/amavisd (ch8-a
tcp        0      0 192.168.3.25:389        192.168.3.25:47424      ESTABLISHED 998        22966524   -
tcp        0      0 192.168.3.25:47652      192.168.3.25:389        ESTABLISHED 998        23002826   7516/amavisd (ch6-a
tcp        0      0 192.168.3.25:389        192.168.3.25:47652      ESTABLISHED 998        23002827   -
tcp        0      0 192.168.3.25:47530      192.168.3.25:389        ESTABLISHED 998        23000306   -
tcp        0      0 192.168.3.25:47502      192.168.3.25:389        ESTABLISHED 998        22996904   -
tcp        0      0 192.168.3.25:51502      192.168.3.25:389        TIME_WAIT   0          0          -
tcp        0      0 192.168.3.25:7071       171.249.111.38:59814    ESTABLISHED 998        24400608   -
tcp        0      0 192.168.3.25:47596      192.168.3.25:389        ESTABLISHED 998        22999984   7522/amavisd (ch4-a
tcp        0      0 192.168.3.25:389        192.168.3.25:47538      ESTABLISHED 998        23001698   -
tcp        0      0 192.168.3.25:11211      192.168.3.25:42180      ESTABLISHED 998        23649293   7378/memcached
tcp        0      0 192.168.3.25:389        192.168.3.25:47522      ESTABLISHED 998        23001403   -
tcp        0      0 192.168.3.25:11211      192.168.3.25:42182      ESTABLISHED 998        23649294   7378/memcached
tcp        0      0 192.168.3.25:49392      192.168.3.25:389        ESTABLISHED 998        23558639   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47634      ESTABLISHED 998        23003549   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47524      ESTABLISHED 998        22999429   -
tcp        0      0 192.168.3.25:42184      192.168.3.25:11211      ESTABLISHED 998        23648448   8863/nginx: worker
tcp        0      0 127.0.0.1:7306          127.0.0.1:33284         ESTABLISHED 998        22999822   7027/mysqld
tcp        0      0 192.168.3.25:389        192.168.3.25:47612      ESTABLISHED 998        23000012   -
tcp        0      0 127.0.0.1:33238         127.0.0.1:7306          ESTABLISHED 998        22995909   -
tcp        0      0 192.168.3.25:47684      192.168.3.25:389        ESTABLISHED 998        23003677   7514/amavisd (ch5-a
tcp        0      0 192.168.3.25:47524      192.168.3.25:389        ESTABLISHED 998        23001404   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47530      ESTABLISHED 998        23002174   -
tcp        0      0 192.168.3.25:47590      192.168.3.25:389        ESTABLISHED 998        23002695   7525/amavisd (ch11-
tcp        0      0 192.168.3.25:389        192.168.3.25:47674      ESTABLISHED 998        23004234   -
tcp        0      0 192.168.3.25:47606      192.168.3.25:389        ESTABLISHED 998        23000724   7519/amavisd (ch5-a
tcp        0      0 192.168.3.25:47522      192.168.3.25:389        ESTABLISHED 998        22999428   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47988      ESTABLISHED 998        23048031   -
tcp        0      0 127.0.0.1:7306          127.0.0.1:33288         ESTABLISHED 998        22999824   7027/mysqld
tcp        0      0 192.168.3.25:389        192.168.3.25:47426      ESTABLISHED 998        22966089   -
tcp        0      0 192.168.3.25:48556      192.168.3.25:389        ESTABLISHED 998        23284842   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47596      ESTABLISHED 998        22999985   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47504      ESTABLISHED 998        22995908   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47568      ESTABLISHED 998        23002660   -
tcp        0      0 192.168.3.25:389        192.168.3.25:49672      ESTABLISHED 998        23627468   -
tcp        0      0 127.0.0.1:33288         127.0.0.1:7306          ESTABLISHED 998        23002112   -
tcp        0      0 192.168.3.25:51500      192.168.3.25:389        TIME_WAIT   0          0          -
tcp        0      0 192.168.3.25:389        192.168.3.25:49216      ESTABLISHED 998        23524552   -
tcp        0      0 192.168.3.25:47428      192.168.3.25:389        ESTABLISHED 998        22967394   5594/java
tcp        0      0 192.168.3.25:389        192.168.3.25:47532      ESTABLISHED 998        23001502   -
tcp        0      0 127.0.0.1:33286         127.0.0.1:7306          ESTABLISHED 998        23002110   -
tcp        0      0 192.168.3.25:47532      192.168.3.25:389        ESTABLISHED 998        23001501   -
tcp        0      0 192.168.3.25:47504      192.168.3.25:389        ESTABLISHED 998        22995907   -
tcp        0      0 192.168.3.25:47988      192.168.3.25:389        ESTABLISHED 998        23051337   -
tcp        0      0 192.168.3.25:47634      192.168.3.25:389        ESTABLISHED 998        23000788   7521/amavisd (ch6-a
tcp        0      0 192.168.3.25:47424      192.168.3.25:389        ESTABLISHED 998        22962167   5594/java
tcp        0      0 192.168.3.25:389        192.168.3.25:47590      ESTABLISHED 998        22999971   -
tcp        0      0 192.168.3.25:47426      192.168.3.25:389        ESTABLISHED 998        22962168   5594/java
tcp        0      0 192.168.3.25:42186      192.168.3.25:11211      ESTABLISHED 998        23648449   8862/nginx: worker
tcp        0      0 192.168.3.25:389        192.168.3.25:48556      ESTABLISHED 998        23282797   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47684      ESTABLISHED 998        23004249   -
tcp        0      0 192.168.3.25:49216      192.168.3.25:389        ESTABLISHED 998        23520894   5594/java
tcp        0      0 192.168.3.25:47540      192.168.3.25:389        ESTABLISHED 998        23002345   8249/opendkim
tcp        0      0 192.168.3.25:389        192.168.3.25:47502      ESTABLISHED 998        22999287   -
tcp        0      0 192.168.3.25:47538      192.168.3.25:389        ESTABLISHED 998        23002344   8249/opendkim
tcp        0      0 127.0.0.1:7306          127.0.0.1:33238         ESTABLISHED 998        22996926   7027/mysqld
tcp        0      0 192.168.3.25:389        192.168.3.25:47428      ESTABLISHED 998        22967395   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47580      ESTABLISHED 998        23002669   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47540      ESTABLISHED 998        23001699   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47606      ESTABLISHED 998        23000000   -
tcp        0      0 192.168.3.25:47568      192.168.3.25:389        ESTABLISHED 998        23000648   7511/amavisd (ch9-a
tcp        0      0 192.168.3.25:49672      192.168.3.25:389        ESTABLISHED 998        23627467   -
tcp        0      0 192.168.3.25:389        192.168.3.25:49392      ESTABLISHED 998        23563902   -
tcp        0      0 127.0.0.1:33284         127.0.0.1:7306          ESTABLISHED 998        23002109   -
tcp        0      0 192.168.3.25:11211      192.168.3.25:42186      ESTABLISHED 998        23649296   7378/memcached
tcp        0      0 192.168.3.25:11211      192.168.3.25:42184      ESTABLISHED 998        23649295   7378/memcached
tcp        0      0 192.168.3.25:47674      192.168.3.25:389        ESTABLISHED 998        23003666   7517/amavisd (ch3-a
tcp6       0      0 ::1:10024               :::*                    LISTEN      998        22999308   7453/amavisd (maste
tcp6       0      0 :::11211                :::*                    LISTEN      998        22998772   7378/memcached
[zimbra@mailsrv-zbr ~]$ lsof -P -n -i :25,465,389,636,7025,7047,80,8080,443,8443,110,7110,995,7995,143,7143,993,7993,3443,9443,7071,9071,7072,7306,7307,7780,10024,10025,11211
COMMAND    PID   USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
java      5594 zimbra  153u  IPv4 22962167      0t0  TCP 192.168.3.25:47424->192.168.3.25:389 (ESTABLISHED)
java      5594 zimbra  155u  IPv4 22962168      0t0  TCP 192.168.3.25:47426->192.168.3.25:389 (ESTABLISHED)
java      5594 zimbra  156u  IPv4 22967394      0t0  TCP 192.168.3.25:47428->192.168.3.25:389 (ESTABLISHED)
java      5594 zimbra  157u  IPv4 23520894      0t0  TCP 192.168.3.25:49216->192.168.3.25:389 (ESTABLISHED)
mysqld    7027 zimbra   22u  IPv4 22999190      0t0  TCP 127.0.0.1:7306 (LISTEN)
mysqld    7027 zimbra   49u  IPv4 22996926      0t0  TCP 127.0.0.1:7306->127.0.0.1:33238 (ESTABLISHED)
mysqld    7027 zimbra  291u  IPv4 22999822      0t0  TCP 127.0.0.1:7306->127.0.0.1:33284 (ESTABLISHED)
mysqld    7027 zimbra  292u  IPv4 22999823      0t0  TCP 127.0.0.1:7306->127.0.0.1:33286 (ESTABLISHED)
mysqld    7027 zimbra  293u  IPv4 22999824      0t0  TCP 127.0.0.1:7306->127.0.0.1:33288 (ESTABLISHED)
memcached 7378 zimbra   26u  IPv4 22998771      0t0  TCP *:11211 (LISTEN)
memcached 7378 zimbra   27u  IPv6 22998772      0t0  TCP *:11211 (LISTEN)
memcached 7378 zimbra   28u  IPv4 23649293      0t0  TCP 192.168.3.25:11211->192.168.3.25:42180 (ESTABLISHED)
memcached 7378 zimbra   29u  IPv4 23649294      0t0  TCP 192.168.3.25:11211->192.168.3.25:42182 (ESTABLISHED)
memcached 7378 zimbra   30u  IPv4 23649295      0t0  TCP 192.168.3.25:11211->192.168.3.25:42184 (ESTABLISHED)
memcached 7378 zimbra   31u  IPv4 23649296      0t0  TCP 192.168.3.25:11211->192.168.3.25:42186 (ESTABLISHED)
/opt/zimb 7453 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7453 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7511 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7511 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7511 zimbra   22u  IPv4 23000648      0t0  TCP 192.168.3.25:47568->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7514 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7514 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7514 zimbra   22u  IPv4 23003677      0t0  TCP 192.168.3.25:47684->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7516 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7516 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7516 zimbra   22u  IPv4 23002826      0t0  TCP 192.168.3.25:47652->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7517 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7517 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7517 zimbra   22u  IPv4 23003666      0t0  TCP 192.168.3.25:47674->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7518 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7518 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7518 zimbra   22u  IPv4 22999958      0t0  TCP 192.168.3.25:47580->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7519 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7519 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7519 zimbra   22u  IPv4 23000724      0t0  TCP 192.168.3.25:47606->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7521 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7521 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7521 zimbra   22u  IPv4 23000788      0t0  TCP 192.168.3.25:47634->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7522 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7522 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7522 zimbra   22u  IPv4 22999984      0t0  TCP 192.168.3.25:47596->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7525 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7525 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7525 zimbra   22u  IPv4 23002695      0t0  TCP 192.168.3.25:47590->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7526 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7526 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7526 zimbra   22u  IPv4 23000011      0t0  TCP 192.168.3.25:47612->192.168.3.25:389 (ESTABLISHED)
opendkim  8249 zimbra    3u  IPv4 23002344      0t0  TCP 192.168.3.25:47538->192.168.3.25:389 (ESTABLISHED)
opendkim  8249 zimbra    4u  IPv4 23002345      0t0  TCP 192.168.3.25:47540->192.168.3.25:389 (ESTABLISHED)
opendkim  8250 zimbra    3u  IPv4 23002344      0t0  TCP 192.168.3.25:47538->192.168.3.25:389 (ESTABLISHED)
opendkim  8250 zimbra    4u  IPv4 23002345      0t0  TCP 192.168.3.25:47540->192.168.3.25:389 (ESTABLISHED)
nginx     8861 zimbra    6u  IPv4 23646084      0t0  TCP *:143 (LISTEN)
nginx     8861 zimbra    7u  IPv4 23646085      0t0  TCP *:993 (LISTEN)
nginx     8861 zimbra    8u  IPv4 23646086      0t0  TCP *:110 (LISTEN)
nginx     8861 zimbra    9u  IPv4 23646087      0t0  TCP *:995 (LISTEN)
nginx     8861 zimbra   10u  IPv4 23646088      0t0  TCP *:443 (LISTEN)
nginx     8861 zimbra   13u  IPv4 23646102      0t0  TCP 192.168.3.25:42180->192.168.3.25:11211 (ESTABLISHED)
nginx     8862 zimbra    6u  IPv4 23646084      0t0  TCP *:143 (LISTEN)
nginx     8862 zimbra    7u  IPv4 23646085      0t0  TCP *:993 (LISTEN)
nginx     8862 zimbra    8u  IPv4 23646086      0t0  TCP *:110 (LISTEN)
nginx     8862 zimbra    9u  IPv4 23646087      0t0  TCP *:995 (LISTEN)
nginx     8862 zimbra   10u  IPv4 23646088      0t0  TCP *:443 (LISTEN)
nginx     8862 zimbra   15u  IPv4 23648449      0t0  TCP 192.168.3.25:42186->192.168.3.25:11211 (ESTABLISHED)
nginx     8863 zimbra    6u  IPv4 23646084      0t0  TCP *:143 (LISTEN)
nginx     8863 zimbra    7u  IPv4 23646085      0t0  TCP *:993 (LISTEN)
nginx     8863 zimbra    8u  IPv4 23646086      0t0  TCP *:110 (LISTEN)
nginx     8863 zimbra    9u  IPv4 23646087      0t0  TCP *:995 (LISTEN)
nginx     8863 zimbra   10u  IPv4 23646088      0t0  TCP *:443 (LISTEN)
nginx     8863 zimbra   17u  IPv4 23648448      0t0  TCP 192.168.3.25:42184->192.168.3.25:11211 (ESTABLISHED)
nginx     8864 zimbra    6u  IPv4 23646084      0t0  TCP *:143 (LISTEN)
nginx     8864 zimbra    7u  IPv4 23646085      0t0  TCP *:993 (LISTEN)
nginx     8864 zimbra    8u  IPv4 23646086      0t0  TCP *:110 (LISTEN)
nginx     8864 zimbra    9u  IPv4 23646087      0t0  TCP *:995 (LISTEN)
nginx     8864 zimbra   10u  IPv4 23646088      0t0  TCP *:443 (LISTEN)
nginx     8864 zimbra   19u  IPv4 23646103      0t0  TCP 192.168.3.25:42182->192.168.3.25:11211 (ESTABLISHED)
[zimbra@mailsrv-zbr ~]$
[zimbra@mailsrv-zbr ~]$ zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled zimbraReverseProxyLookupTarget zimbraReverseProxyHttpEnabled zimbraMailReferMode zimbraMailPort zimbraMailProxyPort zimbraMailSSLPort  zimbraMailSSLProxyPort zimbraMailMode zimbraReverseProxyMailEnabled zimbraReverseProxyMailMode zimbraImapBindPort zimbraImapProxyBindPort zimbraImapSSLBindPort zimbraImapSSLProxyBindPort zimbraImapCleartextLoginEnabled zimbraPop3BindPort zimbraPop3ProxyBindPort zimbraPop3SSLBindPort zimbraPop3SSLProxyBindPort zimbraPop3CleartextLoginEnabled zimbraAdminPort zimbraAdminProxyPort zimbraReverseProxyAdminEnabled ; zmprov gs `zmhostname` zimbraServiceEnabled | egrep 'memcache|proxy|mailbox'

# name mailsrv-zbr.saigon-inttech.local
zimbraAdminPort: 7071
zimbraAdminProxyPort: 9071
zimbraImapBindPort: 7143
zimbraImapCleartextLoginEnabled: TRUE
zimbraImapProxyBindPort: 143
zimbraImapSSLBindPort: 7993
zimbraImapSSLProxyBindPort: 993
zimbraMailMode: https
zimbraMailPort: 8080
zimbraMailProxyPort: 80
zimbraMailReferMode: reverse-proxied
zimbraMailSSLPort: 8443
zimbraMailSSLProxyPort: 443
zimbraPop3BindPort: 7110
zimbraPop3CleartextLoginEnabled: TRUE
zimbraPop3ProxyBindPort: 110
zimbraPop3SSLBindPort: 7995
zimbraPop3SSLProxyBindPort: 995
zimbraReverseProxyAdminEnabled: FALSE
zimbraReverseProxyHttpEnabled: TRUE
zimbraReverseProxyLookupTarget: TRUE
zimbraReverseProxyMailEnabled: TRUE
zimbraReverseProxyMailMode: https
zimbraReverseProxySSLToUpstreamEnabled: TRUE

zimbraServiceEnabled: mailbox
zimbraServiceEnabled: proxy
zimbraServiceEnabled: memcached
[zimbra@mailsrv-zbr ~]$
But when using the FQDN hostname of the server, access is normal.

Can anyone help? Thanks.
Last edited by buiphezzz on Mon Feb 25, 2019 4:26 am, edited 2 times in total.
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: 400 Bad Request - nginx

Post by pup_seba »

Hi,

Did you try following the installation guide while installing? If you are trying a single-server (which is not a good idea for any enterprise environment that aims to have a minimum of security), this is the guide for you:
https://zimbra.github.io/installguides/ ... ingle.html

You will find in that guide that as of Zimbra 8.7, proxy is a requirement. I assume your Zimbra version is newer than this, as per your comment of "Recently, I have deployed" :) (providing the output of zmcontrol -v is usually a good idea).

My guess is also that if you did not follow that basic instruction of installing a proxy as a required part of any installation, most likely you ignored other things too that sooner or later will be problematic. So my best advice here is: read that guide and try to stick to it as much as possible.

If you don't have the opportunity to start over (I mean, if this is not a lab environment but a production server already), then you'll have to try to configure your proxy properly. So, besides reading the installation guide so you see and understand what things you missed during installation, you should also read the relevant parts of this guide:
https://zimbra.github.io/adminguide/latest/

In that guide you'll find some information about configuring your proxy, although an easier way to do most of that stuff is by using the admin UI. Just be sure that the server with the mailboxd service is marked as "end point for proxy" (or similar, I don't remember exactly the property), and that you modify the server configuration on your proxy server (not in the global config). Although you only have one server... better doing it like this in case you add more servers later.

Good luck!
buiphezzz
Posts: 5
Joined: Fri Feb 22, 2019 6:12 am

Re: 400 Bad Request - nginx

Post by buiphezzz »

Thanks pup_seba, but one thing: when using the server's FQDN hostname, access is normal.
buiphezzz
Posts: 5
Joined: Fri Feb 22, 2019 6:12 am

Re: 400 Bad Request - nginx

Post by buiphezzz »

After reading the following topics, I fixed the 400 nginx error:

https://github.com/Zimbra/zm-build/pull ... b2254730fa
https://github.com/Zimbra/zm-build/pull/64

[zimbra@mailsrv-zbr ~]$ zmprov gacf | grep -i zimbraReverseProxyStrictServerNameEnabled
zimbraReverseProxyStrictServerNameEnabled: TRUE
[zimbra@mailsrv-zbr ~]$ zmprov gs `zmhostname` | grep -i zimbraReverseProxyStrictServerNameEnabled
zimbraReverseProxyStrictServerNameEnabled: TRUE

[zimbra@mailsrv-zbr ~]$ zmprov ms `zmhostname` zimbraReverseProxyStrictServerNameEnabled FALSE
[zimbra@mailsrv-zbr ~]$ zmprov gs `zmhostname` | grep -i zimbraReverseProxyStrictServerNameEnabled
zimbraReverseProxyStrictServerNameEnabled: FALSE
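What the setting above actually switches off is a Host-header allow-list: with zimbraReverseProxyStrictServerNameEnabled on, the generated nginx config (per the zm-build pull request linked in the post) only has named server blocks for names the proxy knows, and a default server block that answers 400 to any other Host value, which is why the FQDN worked and an IP address or alias did not. The following is an added example, not code from the thread or from Zimbra: it models that decision for a list of server names and includes a small probe that sends requests with a chosen Host header to confirm the behaviour on a real proxy. It assumes that strict mode admits the proxy's own hostname plus any configured virtual hostnames (confirm this on your own box with `grep -n server_name /opt/zimbra/conf/nginx/includes/*.conf`); the hostname and IP are taken from the post, and `webmail.saigon-inttech.local` is a hypothetical alias.

```python
"""Model of the Host-header check behind zimbraReverseProxyStrictServerNameEnabled,
plus a live probe. Added example; assumptions are noted in the comments."""
import http.client
import ssl

# Constructed list: the server hostname from the thread. Virtual hostnames
# (zimbraVirtualHostname on a domain) would be appended here if configured.
KNOWN_SERVER_NAMES = [
    "mailsrv-zbr.saigon-inttech.local",
]


def normalize_host(host_header: str) -> str:
    """Lower-case the Host value and drop an explicit port, which is how nginx
    compares the header against server_name entries."""
    host = host_header.strip().lower()
    if host.startswith("["):  # IPv6 literal such as [::1]:443
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.split(":", 1)[0]


def rejected_by_strict_check(host_header: str, server_names, strict_enabled: bool = True) -> bool:
    """True if the proxy would answer 400 for this Host header.

    Strict mode off: every Host value is forwarded to mailboxd (assumption:
    the catch-all server block then proxies instead of rejecting).
    Strict mode on: only Host values matching a configured server name pass.
    """
    if not strict_enabled:
        return False
    known = {normalize_host(n) for n in server_names}
    return normalize_host(host_header) not in known


def probe(proxy_addr: str, host_header: str, port: int = 443, path: str = "/") -> int:
    """Send one HTTPS request to the proxy with an explicit Host header and
    return the status code; 400 means the strict check refused the name.

    Certificate verification is disabled because a fresh Zimbra install
    serves a self-signed certificate. Lab use only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(proxy_addr, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline: what the thread's setup does for several Host values.
    for hdr in ["mailsrv-zbr.saigon-inttech.local",
                "MAILSRV-ZBR.saigon-inttech.local:443",
                "192.168.3.25",
                "webmail.saigon-inttech.local"]:  # hypothetical alias
        verdict = "400" if rejected_by_strict_check(hdr, KNOWN_SERVER_NAMES) else "proxied"
        print(f"{hdr:45s} -> {verdict}")
    # Live check, from a host that can reach the proxy:
    # print(probe("192.168.3.25", "192.168.3.25"))
```

Setting the attribute to FALSE, as the post does, makes the proxy forward requests carrying any Host value to mailboxd, so the application then sees whatever name a client chooses to send. If the goal is only to reach the server by an alias or by IP, the alternative that keeps the check is to make that name a known one (for an alias, `zmprov md <domain> +zimbraVirtualHostname <alias>`, then `zmproxyctl restart`), and to verify with the probe above that the alias now returns something other than 400 while an arbitrary Host value still does.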