400 Bad Request - nginx

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
buiphezzz
Posts: 5
Joined: Fri Feb 22, 2019 6:12 am

400 Bad Request - nginx

Postby buiphezzz » Sun Feb 24, 2019 7:02 am

Hi everybody,

I am from Vietnam, my English is very bad, so this topic I translated from google, so there are spelling errors, I am sorry, please excuse me.

Recently, I have deployed Zimbra's single-server, and when I deploy I do not install Zimbra Proxy. But when using 1 week, I want to deploy more NextCloud to Drive in Zimbra, then read the document that requires Zimbra Proxy.

So I installed Zimbra Proxy on the current server, but when the deployment is complete, every trial works well, only the zimbra web proxy service has a "400 Bad Request" error, the non-proxy web service is still working normally.

Can anyone tell me how to fix this problem?

Code: Select all

[zimbra@mailsrv-zbr ~]$ zmproxyconf
# NGINX POP/IMAP proxy configuration file for use with Zimbra
#

working_directory /opt/zimbra;
# change UID/GID to zimbra/zimbra upon startup
#
user zimbra zimbra;

# number of worker processes to start
# multiply this by worker_connections to get the maximum number of connections
# that can be simultaneously handled by nginx (the product should not exceed
# 65536, since that is the 16-bit limit of the TCP port range)
#
worker_processes  4;

pid        /opt/zimbra/log/nginx.pid;
error_log  /opt/zimbra/log/nginx.log info;


events {
    # number of simultaneous connections that each worker process can
    # handle simultaneously
    # note that this number should not exceed the hard limit of the
    # RLIMIT_NOFILE resource limit that is set for the zimbra user, because
    # RLIMIT_NOFILE defines the maximum number of open file descriptors that
    # a process running as a user can have - by default, limits.conf on a
    # zimbra system will ensure that the zimbra user has more than 10k file
    # descriptors allowed for a zimbra process

    # (note) also see worker_rlimit_nofile at
    # http://wiki.codemongers.com/NginxMainModule#worker_rlimit_nofile
    #
    worker_connections  10240;
    accept_mutex        on;
}

# environment variables for worker processes
#

# Kerberos 5 keytab location
env KRB5_KTNAME=/opt/zimbra/conf/krb5.keytab;

memcache
{
    # memcached server configuration
    # configure one or more memcached servers that will cache the route
    # information for pop/imap users
    #
      servers   192.168.3.25:11211;


    # The time that NGINX will wait for a cached result from a memcached
    # server, after which the request will be considered timed out,
    # and NGINX will fall back to an http routing lookup handler
    #
    timeout     3000ms;

    # The amount of time that NGINX will wait before attempting to reconnect
    # to a memcache server that unexpectedly terminated (or shut down) its
    # connection with NGINX
    #
    reconnect   60000ms;

    # The time to live (TTL) for an entry added to the memcached server
    # This value represents the amount of time that the route information
    # that is cached into the memcached servers will be available, before
    # the memcached daemon expires it
    # Memcached expects the TTL for an entry to be specified in seconds,
    # therefore any value specified in milliseconds here will be rounded
    # up to the next integer value in seconds. If not specified, the TTL
    # defaults to 0, which indicates an infinite time to live for the
    # routing information
    #
    ttl         3600000ms;
}

zm_lookup {

    zm_lookup_handlers  https://192.168.3.25:7072/service/extension/nginx-lookup;

    # The timeout to lookup in the lookup handler. This timeout
    # does not include the time out accessing memcache, which is
    # controlled by "timeout" in nginx.conf.memecache.
    #
    zm_lookup_timeout   15000ms;

    # The interval that nginx will try to reconnect to a failed lookup handler.
    #
    zm_lookup_handler_retry_interval 60000ms;

    # Whether to turn on lookup result caching. This should be always
    # turn on in the production environment.
    #
    zm_lookup_caching   on;

    # master authenticating user for cases where nginx must authenticate
    # on behalf of the end user -- this is required in those sasl auth
    # mechanisms where the user's plain-text password is not available,
    # in these cases, after nginx has deemed that the user has authenticated
    # himself/herself correctly, then nginx will use the master auth user
    # name and master auth password, along with the end user's user name,
    # in order to log in to the upstream server
    # such authentication will be done as per the PLAIN sasl mechanism as
    # defined in RFC 4616
    # (presently, this feature are used in GSSAPI & cert auth)
    #
    zm_lookup_master_auth_username "zmnginx";
    zm_lookup_master_auth_password "sdjksxys";

    # Whether or not to cache unqualified login names in the "account-->route cache"
    # When this option is set "off", and the login name to be cached is unqualified,
    # the client IP will be appended to the login name in the format:
    # <login name>@<client ip>
    #
    zm_lookup_allow_unqualified   off;

    # URL prefix for the upstream server
    zm_prefix_url /;
}
mail
{
    # mail proxy connection timeout
    proxy_ctimeout              120000ms;

    # pass error messages from the backend server to the client
    # if true, the error messages are passed to the client verbatim, else
    # nginx logs the original error message in its log file and sends back
    # a generic error message to the client
    #
    proxy_pass_error_message    on;

    # HTTP lookup handlers that will return the route information for a
    # pop3/imap login
    #
    zm_auth_http;

    # Wether to use ssl to connect the upstream mail servers
    #
    proxy_ssl on;

    # IMAP/POP3 greeting messages
    #
    imap_greeting            "";
    pop3_greeting            "";

    pop3_capabilities         "EXPIRE 31 USER" "TOP" "UIDL" "USER" "XOIP";
    imap_capabilities         "ACL" "BINARY" "CATENATE" "CHILDREN" "CONDSTORE" "ENABLE" "ESEARCH" "ESORT" "I18NLEVEL=1" "ID" "IDLE" "IMAP4rev1" "LIST-EXTENDED" "LIST-STATUS" "LITERAL+" "MULTIAPPEND" "NAMESPACE" "QRESYNC" "QUOTA" "RIGHTS=ektx" "SASL-IR" "SEARCHRES" "SORT" "THREAD=ORDEREDSUBJECT" "UIDPLUS" "UNSELECT" "WITHIN" "XLIST";

    # IMAP4 ID Extension support (RFC 2971)
    # Use the imap_id directive to specify the string that should be sent
    # back by the proxy server back to the client upon receipt of an
    # IMAP ID command as described by RFC 2971
    # There MUST be an even number of strings specified against
    # this directive, because RFC 2971 defines the server response to be
    # a list of field-value pairs (refer Formal Syntax, RFC 2971 Section 4)
    # Each string in this list should be enclosed within double quotes
    # If not quoted, they will be automatically quoted by nginx, but the
    # use of quotes allows the space character to be included within an
    # ID field or a value
    # The odd numbered strings are treated as ID fields, with the following
    # even-numbered string considered to be the ID value corresponding to
    # the field name
    # If omitted, the response to the ID command will be nil, which
    # according to RFC 2971, is permissible in lieu of the field-value list
    # The imap_id directive may be overridden in a server block
    #
    imap_id         "NAME" "Zimbra" "VERSION" "8.8.11_GA_3772" "RELEASE" "20190128052127";

    # Default realm (kerberos)
    # For GSSAPI authentication, when the server's realm is the same as
    # the default realm as defined in the default_realm variable in the
    # [libdefaults] section of krb5.conf, then in this case, the SASL
    # GSSAPI library strips off the realm portion from the authenticating
    # principal. Therefore, the default realm name must be specified here
    # so that NGINX can append it to the authenticating principal for GSSAPI
    #
    default_realm           "";

    # Resolve IP address to SASL server name (kerberos)
    # For GSSAPI, in cases of multi-homed hosts, it may be that the proxy
    # server has multiple network interfaces, and we wish to reverse map
    # the incoming interface IP address (via DNS) to a host name, which will
    # be used as the service principal
    # Set this to on if gssapi clients will connect to a proxy server using
    # different FQDNs. Otherwise, set it to off, and the fully qualified
    # host name of the proxy (as returned by hostname), will be used as the
    # service principal
    # If not specified, this configuration defaults to off
    #
    sasl_host_from_ip       off;

    # sasl_app_name
    # This is the application name which nginx will use when initializing
    # the SASL library using the call to sasl_server_init()
    # The SASL library is initialized once per process, the application name
    # provided here is used for where to find the default configuration file
    # If not specified, sasl_app_name defaults to "nginx"
    #
    sasl_app_name           "nginx";

    # Login rate limiting directives
    #

    # mail_login_ip_max
    #
    # Sets the maximum number of times that any user is allowed to log in from
    # a particular IP over POP or IMAP to this proxy server before the login is
    # rejected with an appropriate protocol specific bye response
    # This counter is cumulative for all users that appear to the proxy to be
    # logging in from the same IP address
    # If multiple users appear to the proxy to be logging in from the same IP
    # address (usual with NATing), then each of the different users' login will
    # contribute to increasing the hit counter for that IP address, and when the
    # counter eventually exceeds mail_login_ip_max, then the connections from
    # that IP address will be throttled
    # Therefore, all users from the same IP will contribute to
    # (and be affected by) this counter
    # Logins using all protocols (POP3/POP3S/IMAP/IMAPS) will affect this
    # counter, (the counter is aggregate for all protocols, *not* separate)
    # See notes accompanying the mail_login_ip_ttl for reasonable values for
    # this directive
    # If this value is set to 0, then no throttling will take place for any IP
    #
    mail_login_ip_max               0;

    # mail_login_ip_ttl
    #
    # Sets the time-to-live for the hit counter for IP login throttling
    # Used in conjunction with mail_login_ip_max, this defines the semantics
    # of the throttling for IP logins. Therfore, if this is set to 3600s, and
    # if mail_login_ip_max is set to 1000, then it means that NGINX should not
    # allow more than 1000 users to log in to the proxy from the same IP,
    # within the time interval of an hour (=3600s)
    # The semantics for such a configuration would then be -
    # "allow maximum 1000 users per hour from any given IP address"
    #
    mail_login_ip_ttl               3600000ms;

    # mail_login_ip_imap_max
    #
    # Sets the maximum number of times that any user is allowed to log in from
    # a particular IP over IMAP to this proxy server before the login is rejected
    # with an appropriate protocol specific bye response.
    #
    # This counter is cumulative for all users that appear to the proxy to be
    # logging in from the same IP address.
    # If multiple users appear to the proxy to be logging in from the same IP
    # address (usual with NATing), then each of the different users' login will
    # contribute to increasing the hit counter for that IP address, and when the
    # counter eventually exceeds mail_login_ip_imap_max, then the connections from
    # that IP address will be throttled
    # Therefore, all users from the same IP will contribute to
    # (and be affected by) this counter
    # Logins using the IMAP protocol (IMAP/IMAPS) will affect this
    # counter, (the counter is aggregate for IMAP)
    # See notes accompanying the mail_login_ip_imap_ttl for reasonable values for
    # this directive
    # If this value is set to 0, the handling of imap connections will fall back to
    # using the mail_login_ip_max setting
    #
    mail_login_ip_imap_max          0;

    # mail_login_ip_imap_ttl
    #
    # Sets the time-to-live for the hit counter for IMAP login throttling
    # Used in conjunction with mail_login_ip_imap_max, this defines the semantics
    # of the throttling for IMAP logins. Therefore, if this is set to 3600s, and
    # if mail_login_ip_imap_max is set to 1000, then it means that NGINX should not
    # allow more than 1000 IMAP users to log in to the proxy from the same IP,
    # within the time interval of an hour (=3600s)
    # The semantics for such a configuration would then be -
    # "allow maximum 1000 IMAP users per hour from any given IP address"
    #
    mail_login_ip_imap_ttl          3600000ms;

    # mail_login_ip_pop3_max
    #
    # Sets the maximum number of times that any user is allowed to log in from
    # a particular IP over POP3 to this proxy server before the login is rejected
    # with an appropriate protocol specific bye response.
    #
    # This counter is cumulative for all users that appear to the proxy to be
    # logging in from the same IP address.
    # If multiple users appear to the proxy to be logging in from the same IP
    # address (usual with NATing), then each of the different users' login will
    # contribute to increasing the hit counter for that IP address, and when the
    # counter eventually exceeds mail_login_ip_pop3_max, then the connections from
    # that IP address will be throttled
    # Therefore, all users from the same IP will contribute to
    # (and be affected by) this counter
    # Logins using the POP3 protocol (POP3/POP3S) will affect this
    # counter, (the counter is aggregate for POP3)
    # See notes accompanying the mail_login_ip_pop3_ttl for reasonable values for
    # this directive
    # If this value is set to 0, the handling of pop3 connections will fall back to
    # using the mail_login_ip_max setting
    #
    mail_login_ip_pop3_max          0;

    # mail_login_ip_pop3_ttl
    #
    # Sets the time-to-live for the hit counter for POP3 login throttling
    # Used in conjunction with mail_login_ip_pop3_max, this defines the semantics
    # of the throttling for POP3 logins. Therefore, if this is set to 3600s, and
    # if mail_login_ip_pop3_max is set to 1000, then it means that NGINX should not
    # allow more than 1000 POP3 users to log in to the proxy from the same IP,
    # within the time interval of an hour (=3600s)
    # The semantics for such a configuration would then be -
    # "allow maximum 1000 IMAP users per hour from any given IP address"
    #
    mail_login_ip_pop3_ttl          3600000ms;

    # Define a textual message that should be displayed to the user when
    # his/her connection is rejected based on IP overusage
    # This message will be encapsulated in the proper protocol specific
    # response to the client ("* BYE" for IMAP, and "-ERR" for POP3)
    #
    mail_login_ip_rejectmsg         "Login rejected from this IP";

    # Similar semantics for Rate Limiting User Logins
    # Setting mail_login_user_max to 100 and mail_login_user_ttl to 3600s
    # implies "allow maximum 100 logins per hour for any user"
    # As with the ip counterparts, the user hit counter and timeout are
    # cumulative for all protocols
    # Also, for a given user's login, both counters are checked in succession,
    # with the IP counter being checked first
    # A login may be rejected (throttled) because the IP is over-usage, or
    # because the login name itself is over-usage
    # A value of 0 indicates that no throttling will take place for any user
    #
    mail_login_user_max             0;
    mail_login_user_ttl             3600000ms;
    mail_login_user_rejectmsg       "Login rejected for this user";

    # List of servers to which no ip throttling will be done


    # Sets the time-to-live of the list of servers for which no ip throttling
    # will be done
    mail_whitelist_ip_ttl   300;

    # Issue POP3 XOIP before logging in to upstream (Audit purposes)
    #
    proxy_issue_pop3_xoip   on;

    # Issue IMAP ID before logging in to upstream (Audit purposes)
    #
    proxy_issue_imap_id     on;

    # Supported SASL Authentication mechanisms
    #
    # Use the pop3_auth and imap_auth to specify which SASL mechanisms are
    # enabled for POP and IMAP respectively
    # These directives may be specified at mail{} level, or overridden at
    # server{} level
    # Even though an authentication mechanism may be listed against
    # pop3_auth and/or imap_auth, it may or may not be available depending
    # on whether cleartext login is available (see description for starttls)
    # For example, if starttls is set to only, then SASL PLAIN is not
    # available outside of TLS/SSL
    # SASL mechanisms may be specified all on one line (space separated)
    # against pop3_auth, or they may be specified on a separate line
    # Specifying the SASL mechanisms on a separate line has the advantage
    # that they can be enabled/disabled separately by zmmtaconfig using
    # different LDAP attributes
    # Currently, only PLAIN and GSSAPI mechanisms are supported
    #
    imap_auth          plain;
    #imap_auth         gssapi;

    pop3_auth          plain;
    #pop3_auth         gssapi;

    # Specify whether to use literal strings while issuing the LOGIN command
    # to the upstream server. If set to on, then it means that NGINX will use
    # literal strings to log in to the upstream server, and so the upstream
    # MUST support literal strings
    # If set to off, then NGINX uses quoted strings to log in to the upstream
    # server when using the LOGIN command
    # If not specified, imap_literalauth defaults to on
    #
    imap_literalauth        on;

    # Auth Wait Interval
    # Specifies the time interval that NGINX will wait before rejecting an
    # authentication attempt to the upstream mail server with invalid credentials.
    # This value is not related to the wait time when Zimbra lookup handler replies
    # some login error, which is controled by the "Auth-Wait" header returned by the
    # lookup handler.
    # If not specified, this value defaults to 10 seconds.
    #
    zm_auth_wait               10000ms;

    # TLS configuration
    #
    ssl_prefer_server_ciphers   on;
    ssl_certificate     /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key /opt/zimbra/conf/nginx.key;

    # SSL Protocols & Ciphers configuration
    # Enabled protocols & Permitted ciphers. Ciphers are assigned in the formats supported by OpenSSL
    #
    ssl_protocols            TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers             ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;

    # SSL ECDH cipher curve configuration
    ssl_ecdh_curve          prime256v1;

# IMAP proxy configuration
#
server
{
    server_name             mail.saigon-inttech.com;
    #listen                  113.176.64.96:143 ipv6only=off;
    listen                  113.176.64.96:143;
    #listen                  113.176.64.96:143;
    protocol                imap;
    proxy                   on;
    timeout                 60;
    proxy_timeout           2100;
    sasl_service_name       "imap";
    starttls                only;
    ssl_certificate         /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key     /opt/zimbra/conf/nginx.key;
}


# IMAP proxy default configuration
#
server
{
    #listen                  [::]:143 ipv6only=off;
    listen                143;
    #listen                [::]:143;
    ssl_dhparam         /opt/zimbra/conf/dhparam.pem;
    protocol                imap;
    proxy                   on;
    timeout                 60;
    proxy_timeout           2100;
    sasl_service_name       "imap";
    starttls                only;
    ssl_certificate         /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key     /opt/zimbra/conf/nginx.key;
}
# IMAPS proxy configuration
#
server
{
    server_name         mail.saigon-inttech.com;
    #listen              113.176.64.96:993 ipv6only=off;
    listen            113.176.64.96:993;
    #listen            113.176.64.96:993;
    protocol            imap;
    proxy               on;
    timeout             60;
    proxy_timeout       2100;
    ssl                 on;
    ssl_certificate     /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key /opt/zimbra/conf/nginx.key;
    sasl_service_name   "imap";
}


# IMAPS proxy default configuration
#
server
{
    #listen                  [::]:993 ipv6only=off;
    listen                993;
    #listen                [::]:993;
    ssl_dhparam         /opt/zimbra/conf/dhparam.pem;
    protocol            imap;
    proxy               on;
    timeout             60;
    proxy_timeout       2100;
    ssl                 on;
    ssl_certificate     /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key /opt/zimbra/conf/nginx.key;
    sasl_service_name   "imap";
}

# POP3 proxy configuration
#
server
{
    server_name             mail.saigon-inttech.com;
    #listen                  113.176.64.96:110 ipv6only=off;
    listen                  113.176.64.96:110;
    #listen                  113.176.64.96:110;
    protocol                pop3;
    proxy                   on;
    timeout                 60;
    proxy_timeout           60;
    sasl_service_name       "pop";
    starttls                only;
    ssl_certificate         /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key     /opt/zimbra/conf/nginx.key;
}


# POP3 proxy default configuration
#
server
{
    #listen                  [::]:110 ipv6only=off;
    listen                110;
    #listen                [::]:110;
    ssl_dhparam         /opt/zimbra/conf/dhparam.pem;
    protocol                pop3;
    proxy                   on;
    timeout                 60;
    proxy_timeout           60;
    sasl_service_name       "pop";
    starttls                only;
    ssl_certificate         /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key     /opt/zimbra/conf/nginx.key;
}


# POP3S proxy configuration
#
server
{
    server_name         mail.saigon-inttech.com;
    #listen              113.176.64.96:995 ipv6only=off;
    listen            113.176.64.96:995;
    #listen            113.176.64.96:995;
    protocol            pop3;
    proxy               on;
    timeout             60;
    proxy_timeout       60;
    ssl                 on;
    ssl_certificate     /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key /opt/zimbra/conf/nginx.key;
    sasl_service_name   "pop";
}


# POP3S proxy default configuration
#
server
{
    #listen              [::]:995 ipv6only=off;
    listen            995;
    #listen            [::]:995;
    ssl_dhparam     /opt/zimbra/conf/dhparam.pem;
    protocol            pop3;
    proxy               on;
    timeout             60;
    proxy_timeout       60;
    ssl                 on;
    ssl_certificate     /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key /opt/zimbra/conf/nginx.key;
    sasl_service_name   "pop";
}

}
http
{
    # disable nginx version on error pages
    server_tokens off;

    upstream_fair_shm_size 32k;

    root /opt/zimbra/data/nginx/html;

    # You need to customize these two values by setting local config
    # proxy_server_names_hash_max_size and proxy_names_hash_bucket_size
    # when too many virtual host names are added
    server_names_hash_max_size 512;
    server_names_hash_bucket_size 64;

    # Define whether nginx will match exact server version against the
    # version received in the client request. Defaults to 'on'
    # Setting this to off will make nginx compare only the major and minor
    # server versions (eg. all 8.5.x will be treated same by nginx)
    exact_version_check on;

    # Define the collection of upstream HTTP webclient servers to which we will proxy
    # Define each server:port against a server directive
    #
    upstream zimbra_webclient
    {
        server    mailsrv-zbr.saigon-inttech.local:8080 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth;
    }

    #  Define the collection of upstream HTTP servers to which we will proxy
    #  Define each server:port against a server directive
    #
    upstream zimbra
    {
        server    mailsrv-zbr.saigon-inttech.local:8080 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth;
    }

    #  Define the collection of upstream HTTPS webclient servers to which we will proxy
    #  Define each server:port against a server directive
    #
    upstream zimbra_ssl_webclient
    {
        server    mailsrv-zbr.saigon-inttech.local:8443 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth;
    }

    #  Define the collection of upstream HTTPS servers to which we will proxy
    #  Define each server:port against a server directive
    upstream zimbra_ssl
    {
        server    mailsrv-zbr.saigon-inttech.local:8443 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth;
    }

    #  Define the collection of upstream HTTP servers to dedicated zx port of jetty
    upstream zx
    {
        server    mailsrv-zbr.saigon-inttech.local:8742 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth;
    }

    #  Define the collection of upstream HTTPS servers to dedicated zx ssl port of jetty
    upstream zx_ssl
    {
        server    mailsrv-zbr.saigon-inttech.local:8743 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth;
    }

     #  Define the collection of upstream admin client servers to which we will
    #  proxy. Define each server:port against a server directive
    #
    upstream zimbra_adminclient
    {
        server    mailsrv-zbr.saigon-inttech.local:7071 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth_admin;
    }

    #  Define the collection of upstream admin console servers to which we will
    #  proxy. Define each server:port against a server directive
    #
    upstream zimbra_admin
    {
        server    mailsrv-zbr.saigon-inttech.local:7071 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth_admin;
    }


    #  Define the collection of upstream HTTP EWS servers to which we will
    #  proxy EWS request. Define each server:port against a server directive
    #
    # upstream zimbra_ews
    # {
    #
    #    zmauth;
    # }

    #  Define the collection of upstream HTTPS EWS servers to which we will
    #  proxy EWS request. Define each server:port against a server directive
    #
    # upstream zimbra_ews_ssl
    # {
    #
    #    zmauth;
    # }

    #  Define the collection of upstream HTTP Login servers to which we will
    #  proxy login request. Define each server:port against a server directive
    #
     upstream zimbra_login
     {
        server    mailsrv-zbr.saigon-inttech.local:8080 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth;
     }

    #  Define the collection of upstream HTTPS Login servers to which we will
    #  proxy login request. Define each server:port against a server directive
    #
     upstream zimbra_login_ssl
     {
        server    mailsrv-zbr.saigon-inttech.local:8443 fail_timeout=10s version=8.8.11_GA_3737;

        zmauth;
     }

    # Enable Access logs for web traffic
    log_format upstream '$remote_addr:$remote_port - $remote_user [$time_local]  '
      '"$request_method $scheme://$host$request_uri $server_protocol" $status $bytes_sent '
      '"$http_referer" "$http_user_agent" "$upstream_addr" "$server_addr:$server_port"';
    access_log /opt/zimbra/log/nginx.access.log upstream;

    # Set proxy timeout
    proxy_connect_timeout 25;
    proxy_read_timeout 60;
    proxy_send_timeout 60;

    # Custom error pages for upstream connection errors
    error_page 502 /zmerror_upstream_502.html;
error_page 504 /zmerror_upstream_504.html;


    #ssl_client_certificate  /opt/zimbra/conf/nginx.client.ca.crt;

    # turn on tcp keepalive
    tcp_keepalive on;

    #include /opt/zimbra/conf/nginx/includes/nginx.conf.web.http;
    #include /opt/zimbra/conf/nginx/includes/nginx.conf.web.http.default;
# HTTPS Proxy Configuration
#
server
{
    server_name             mail.saigon-inttech.com;
    #listen                  113.176.64.96:443 ipv6only=off;
    listen                  113.176.64.96:443;
    #listen                  113.176.64.96:443;

    client_max_body_size    0;
    ssl                     on;
    ssl_protocols            TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache       shared:SSL:10m;
    ssl_session_timeout     600;
    ssl_ciphers             ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
    ssl_ecdh_curve          prime256v1;
    ssl_certificate         /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key     /opt/zimbra/conf/nginx.key;
    ssl_verify_client       off;
    proxy_ssl_protocols            TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers             ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
    ssl_dhparam             /opt/zimbra/conf/dhparam.pem;
# HTTPS Mode Configuration For HTTPS

    set $login_upstream     https://zimbra_login_ssl;
    if ($http_cookie ~ "ZM_AUTH_TOKEN=") {
        set $login_upstream    https://zimbra_ssl_webclient;
    }

     location = //
     {
         set $mailhostport 8080;   # replace this with *the* mailhost port
         set $relhost $host;

         if ($mailhostport != 80) {   # standard HTTP port, do not replace
             set $relhost $host:$mailhostport;
         }

         # Proxy to Zimbra Login Upstream
         proxy_pass          $login_upstream;

         # For audit
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

         # For Virtual Hosting
         set $virtual_host $http_host;
         if ($virtual_host = '') {
            set $virtual_host $server_name:$server_port;
         }
         proxy_set_header Host            $virtual_host;

         # Location header fudging
         # Because NGINX SSL speaks plain HTTP to upstream, therefore any
         # redirects to http:// coming from the upstream need to be fudged
         # to https://
         #
         proxy_redirect http://$http_host/ https://$http_host/;

         # Fudge inter-mailbox redirects (kludge)
         proxy_redirect http://$relhost/ https://$http_host/;
     }

     location = /
     {
         set $mailhostport 8080;   # replace this with *the* mailhost port
         set $relhost $host;

         if ($mailhostport != 80) {   # standard HTTP port, do not replace
             set $relhost $host:$mailhostport;
         }

         # Proxy to Zimbra Login Upstream
         proxy_pass          $login_upstream;

         # For audit
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

         # For Virtual Hosting
         set $virtual_host $http_host;
         if ($virtual_host = '') {
            set $virtual_host $server_name:$server_port;
         }
         proxy_set_header Host            $virtual_host;

         # Location header fudging
         # Because NGINX SSL speaks plain HTTP to upstream, therefore any
         # redirects to http:// coming from the upstream need to be fudged
         # to https://
         #
         proxy_redirect http://$http_host/ https://$http_host/;

         # Fudge inter-mailbox redirects (kludge)
         proxy_redirect http://$relhost/ https://$http_host/;
     }

    location /
    {
        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Webclient Upstream
        proxy_pass       https://zimbra_ssl_webclient;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_name:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, zimbraReverseProxyAvailableLookupTargetstherefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    #For long polling of Microsoft ActiveSync
    location ^~ /Microsoft-Server-ActiveSync
    {
        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Upstream
        proxy_pass          https://zimbra_ssl;
        proxy_read_timeout  3600;
        proxy_buffering     off;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_name:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    location ^~ /zx/ws-
    {
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass https://zx_ssl;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $http_host;
      proxy_http_version 1.1;
    }

    location ^~ /zx/
    {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://zx_ssl;
    }

    # For NoOpRequest
    location ^~ /service/soap/NoOpRequest {

        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Upstream
        proxy_pass          https://zimbra_ssl;
        proxy_read_timeout  1220;
        proxy_buffering     off;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_name:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    # For WaitSetRequest
    location ^~ /service/soap/WaitSetRequest {

        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Upstream
        proxy_pass          https://zimbra_ssl;
        proxy_read_timeout  1220;
        proxy_buffering     off;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_name:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    location ^~ /autodiscover
    {
        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        set $autodiscover_upstream     https://zimbra_ssl;
        #    if ($http_user_agent ~ "ExchangeWebServices") {
        #       set $autodiscover_upstream    https://zimbra_ews_ssl;
        #    }

        # End stray redirect hack

        # Proxy to Zimbra Mailbox Upstream
        proxy_pass       $autodiscover_upstream;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_name:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    location ^~ /nginx_status {
        # Location block to enable the stub status module

        stub_status on;
        access_log off;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

    # location ^~ /http-bind
    # {
    #     # Proxy to external XMPP server
    #     proxy_pass          http://:0;
    #     proxy_read_timeout  90;
    #     proxy_buffering     off;
    #
    #     # For audit
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #
    #     # For Virtual Hosting
    #     set $virtual_host $http_host;
    #     if ($virtual_host = '') {
    #         set $virtual_host $server_addr:$server_port;
    #     }
    #     proxy_set_header Host            $virtual_host;
    # }

    # location ~* ^/ews/Exchange.asmx
    # {
    #     # Proxy to Zimbra Upstream
    #     proxy_pass          https://zimbra_ews_ssl;
    #     proxy_read_timeout  3600;
    #     proxy_buffering     off;
    #
    #     # For audit
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #
    #     # For Virtual Hosting
    #     set $virtual_host $http_host;
    #     if ($virtual_host = '') {
    #        set $virtual_host $server_name:$server_port;
    #     }
    #     proxy_set_header Host            $virtual_host;
    #
    #     # Location header fudging
    #     # Because NGINX SSL speaks plain HTTP to upstream, therefore any
    #     # redirects to http:// coming from the upstream need to be fudged
    #     # to https://
    #     #
    #     proxy_redirect http://$http_host/ https://$http_host/;
    #
    #     # Fudge inter-mailbox redirects (kludge)
    #     proxy_redirect http://$relhost/ https://$http_host/;
    # }

    location ~* /(service|principals|dav|\.well-known|home|octopus|shf|user|certauth|spnegoauth|(zimbra/home)|(zimbra/user))/
    {
        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Mailbox Upstream
        proxy_pass       https://zimbra_ssl;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_name:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    location ~* ^/zmerror_.*\.html$ {
        # for custom error pages, internal use only
        internal;
    }

}


# HTTPS Proxy Default Configuration

# Strict servername enforcing block
# Enabled/disabled through the 'zimbraReverseProxyStrictServerName' configuration item
# The $\{listen.:addresses\} is NOT demarcated with web.strict.servername on purpose.
server {
    #listen                  [::]:443 default_server ipv6only=off;
    listen                443 default_server;
    #listen                [::]:443 default_server;
    server_name _;

    # Listen addresses extracted from `zimbraVirtualIPAddress` on each domain

    # Listen addresses extracted from `zimbraVirtualIPAddress` on each domain

    ssl                     on;
    ssl_protocols            TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache       shared:SSL:10m;
    ssl_session_timeout     600;
    ssl_ciphers             ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
    ssl_ecdh_curve          prime256v1;
    ssl_certificate         /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key     /opt/zimbra/conf/nginx.key;
    ssl_verify_client       off;
    ssl_verify_depth        10;
    ssl_dhparam             /opt/zimbra/conf/dhparam.pem;
    return 400;
}

server
{
    #listen                  [::]:443 ipv6only=off;
    listen                443;
    #listen                [::]:443;


    server_name             mailsrv-zbr.saigon-inttech.local; # add aliases and perhaps public
    client_max_body_size    0;
    ssl                     on;
    ssl_protocols            TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache       shared:SSL:10m;
    ssl_session_timeout     600;
    ssl_ciphers             ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
    ssl_ecdh_curve          prime256v1;
    ssl_certificate         /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key     /opt/zimbra/conf/nginx.key;
    ssl_verify_client       off;
    ssl_verify_depth        10;
    proxy_ssl_protocols            TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers             ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
    ssl_dhparam             /opt/zimbra/conf/dhparam.pem;
# HTTPS Mode Configuration For HTTPS

    set $login_upstream     https://zimbra_login_ssl;
    if ($http_cookie ~ "ZM_AUTH_TOKEN=") {
        set $login_upstream    https://zimbra_ssl_webclient;
    }

     location = //
     {
         set $mailhostport 8080;   # replace this with *the* mailhost port
         set $relhost $host;

         if ($mailhostport != 80) {   # standard HTTP port, do not replace
             set $relhost $host:$mailhostport;
         }

         # Proxy to Zimbra Login Upstream
         proxy_pass          $login_upstream;

         # For audit
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

         # For Virtual Hosting
         set $virtual_host $http_host;
         if ($virtual_host = '') {
            set $virtual_host $server_addr:$server_port;
         }
         proxy_set_header Host            $virtual_host;

         # Location header fudging
         # Because NGINX SSL speaks plain HTTP to upstream, therefore any
         # redirects to http:// coming from the upstream need to be fudged
         # to https://
         #
         proxy_redirect http://$http_host/ https://$http_host/;

         # Fudge inter-mailbox redirects (kludge)
         proxy_redirect http://$relhost/ https://$http_host/;
     }

     location = /
     {
         set $mailhostport 8080;   # replace this with *the* mailhost port
         set $relhost $host;

         if ($mailhostport != 80) {   # standard HTTP port, do not replace
             set $relhost $host:$mailhostport;
         }

         # Proxy to Zimbra Login Upstream
         proxy_pass          $login_upstream;

         # For audit
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

         # For Virtual Hosting
         set $virtual_host $http_host;
         if ($virtual_host = '') {
            set $virtual_host $server_addr:$server_port;
         }
         proxy_set_header Host            $virtual_host;

         # Location header fudging
         # Because NGINX SSL speaks plain HTTP to upstream, therefore any
         # redirects to http:// coming from the upstream need to be fudged
         # to https://
         #
         proxy_redirect http://$http_host/ https://$http_host/;

         # Fudge inter-mailbox redirects (kludge)
         proxy_redirect http://$relhost/ https://$http_host/;
     }

    location /
    {
        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Webclient Upstream
        proxy_pass       https://zimbra_ssl_webclient;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_addr:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, zimbraReverseProxyAvailableLookupTargetstherefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    #For long polling of Microsoft ActiveSync
    location ^~ /Microsoft-Server-ActiveSync
    {
        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Upstream
        proxy_pass          https://zimbra_ssl;
        proxy_read_timeout  3600;
        proxy_buffering     off;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_addr:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    location ^~ /zx/ws-
    {
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass https://zx_ssl;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $http_host;
      proxy_http_version 1.1;
    }

    location ^~ /zx/
    {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://zx_ssl;
    }

    # For NoOpRequest
    location ^~ /service/soap/NoOpRequest {

        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Upstream
        proxy_pass          https://zimbra_ssl;
        proxy_read_timeout  1220;
        proxy_buffering     off;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_addr:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    # For WaitSetRequest
    location ^~ /service/soap/WaitSetRequest {

        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Upstream
        proxy_pass          https://zimbra_ssl;
        proxy_read_timeout  1220;
        proxy_buffering     off;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_addr:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    location ^~ /autodiscover
    {
        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        set $autodiscover_upstream     https://zimbra_ssl;
        #    if ($http_user_agent ~ "ExchangeWebServices") {
        #       set $autodiscover_upstream    https://zimbra_ews_ssl;
        #    }

        # End stray redirect hack

        # Proxy to Zimbra Mailbox Upstream
        proxy_pass       $autodiscover_upstream;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_addr:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    location ^~ /nginx_status {
        # Location block to enable the stub status module

        stub_status on;
        access_log off;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

    # location ^~ /http-bind
    # {
    #     # Proxy to external XMPP server
    #     proxy_pass          http://:0;
    #     proxy_read_timeout  90;
    #     proxy_buffering     off;
    #
    #     # For audit
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #
    #     # For Virtual Hosting
    #     set $virtual_host $http_host;
    #     if ($virtual_host = '') {
    #         set $virtual_host $server_addr:$server_port;
    #     }
    #     proxy_set_header Host            $virtual_host;
    # }

    # location ~* ^/ews/Exchange.asmx
    # {
    #     # Proxy to Zimbra Upstream
    #     proxy_pass          https://zimbra_ews_ssl;
    #     proxy_read_timeout  3600;
    #     proxy_buffering     off;
    #
    #     # For audit
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #
    #     # For Virtual Hosting
    #     set $virtual_host $http_host;
    #     if ($virtual_host = '') {
    #        set $virtual_host $server_addr:$server_port;
    #     }
    #     proxy_set_header Host            $virtual_host;
    #
    #     # Location header fudging
    #     # Because NGINX SSL speaks plain HTTP to upstream, therefore any
    #     # redirects to http:// coming from the upstream need to be fudged
    #     # to https://
    #     #
    #     proxy_redirect http://$http_host/ https://$http_host/;
    #
    #     # Fudge inter-mailbox redirects (kludge)
    #     proxy_redirect http://$relhost/ https://$http_host/;
    # }

    location ~* /(service|principals|dav|\.well-known|home|octopus|shf|user|certauth|spnegoauth|(zimbra/home)|(zimbra/user))/
    {
        # Begin stray redirect hack
        #
        # In some cases, we may get a stray redirect out of the mailhost,
        # which attempts to send us to $host:$mailhostport, where:
        #
        # $host is the host portion (excluding port) of the proxy URL
        # $mailhostport is the zimbraMailPort as applies to the mailhost
        #   server being redirected to
        #
        # This is the case when one mailhost in the upstream cluster is
        # trying to redirect to another mailhost in the same cluster
        # In this case, we need to trap and fudge this location header
        #
        # NOTE that this will only work in the cases where each mailhost
        # within the cluster has the same mailhostport (Limitation)
        #

        set $mailhostport 8080;   # replace this with *the* mailhost port
        set $relhost $host;

        if ($mailhostport != 80) {   # standard HTTP port, do not replace
            set $relhost $host:$mailhostport;
        }

        # End stray redirect hack

        # Proxy to Zimbra Mailbox Upstream
        proxy_pass       https://zimbra_ssl;

        # For audit
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # For Virtual Hosting
        set $virtual_host $http_host;
        if ($virtual_host = '') {
            set $virtual_host $server_addr:$server_port;
        }
        proxy_set_header Host            $virtual_host;

        # Location header fudging
        # Because NGINX SSL speaks plain HTTP to upstream, therefore any
        # redirects to http:// coming from the upstream need to be fudged
        # to https://
        #
        proxy_redirect http://$http_host/ https://$http_host/;

        # Fudge inter-mailbox redirects (kludge)
        proxy_redirect http://$relhost/ https://$http_host/;
    }

    location ~* ^/zmerror_.*\.html$ {
        # for custom error pages, internal use only
        internal;
    }

}
    #include /opt/zimbra/conf/nginx/includes/nginx.conf.web.sso;
    #include /opt/zimbra/conf/nginx/includes/nginx.conf.web.sso.default;
    #include /opt/zimbra/conf/nginx/includes/nginx.conf.web.admin;
    #include /opt/zimbra/conf/nginx/includes/nginx.conf.web.admin.default;
}

# Don't edit the below comment

#__SUCCESS__
[zimbra@mailsrv-zbr ~]$


Code: Select all

[zimbra@mailsrv-zbr ~]$ lsof -i :443
COMMAND  PID   USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
nginx   8861 zimbra   10u  IPv4 23646088      0t0  TCP *:https (LISTEN)
nginx   8862 zimbra   10u  IPv4 23646088      0t0  TCP *:https (LISTEN)
nginx   8863 zimbra   10u  IPv4 23646088      0t0  TCP *:https (LISTEN)
nginx   8864 zimbra   10u  IPv4 23646088      0t0  TCP *:https (LISTEN)
[zimbra@mailsrv-zbr ~]$ lsof -i :11211
COMMAND    PID   USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
memcached 7378 zimbra   26u  IPv4 22998771      0t0  TCP *:memcache (LISTEN)
memcached 7378 zimbra   27u  IPv6 22998772      0t0  TCP *:memcache (LISTEN)
memcached 7378 zimbra   28u  IPv4 23649293      0t0  TCP mailsrv-zbr.saigon-inttech.local:memcache->mailsrv-zbr.saigon-inttech.local:42180 (ESTABLISHED)
memcached 7378 zimbra   29u  IPv4 23649294      0t0  TCP mailsrv-zbr.saigon-inttech.local:memcache->mailsrv-zbr.saigon-inttech.local:42182 (ESTABLISHED)
memcached 7378 zimbra   30u  IPv4 23649295      0t0  TCP mailsrv-zbr.saigon-inttech.local:memcache->mailsrv-zbr.saigon-inttech.local:42184 (ESTABLISHED)
memcached 7378 zimbra   31u  IPv4 23649296      0t0  TCP mailsrv-zbr.saigon-inttech.local:memcache->mailsrv-zbr.saigon-inttech.local:42186 (ESTABLISHED)
nginx     8861 zimbra   13u  IPv4 23646102      0t0  TCP mailsrv-zbr.saigon-inttech.local:42180->mailsrv-zbr.saigon-inttech.local:memcache (ESTABLISHED)
nginx     8862 zimbra   15u  IPv4 23648449      0t0  TCP mailsrv-zbr.saigon-inttech.local:42186->mailsrv-zbr.saigon-inttech.local:memcache (ESTABLISHED)
nginx     8863 zimbra   17u  IPv4 23648448      0t0  TCP mailsrv-zbr.saigon-inttech.local:42184->mailsrv-zbr.saigon-inttech.local:memcache (ESTABLISHED)
nginx     8864 zimbra   19u  IPv4 23646103      0t0  TCP mailsrv-zbr.saigon-inttech.local:42182->mailsrv-zbr.saigon-inttech.local:memcache (ESTABLISHED)
[zimbra@mailsrv-zbr ~]$ netstat -anltp | egrep '^tcp' | grep LISTEN | awk '{print $4 " "$7}' | sed -e 's/.*://' | sort -n | uniq
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)

22 -
25 -
53 -
389 -
465 -
587 -
953 -
3310 7902/clamd
5222 -
5269 -
7025 -
7071 -
7072 -
7073 -
7110 -
7143 -
7171 5594/java
7306 7027/mysqld
7993 -
7995 -
8080 -
8443 -
8465 8250/opendkim
10024 7453/amavisd
10025 -
10026 7453/amavisd
10027 -
10028 -
10029 -
10030 -
10032 7453/amavisd
11211 7378/memcached
23232 7421/perl
23233 7423/perl
[zimbra@mailsrv-zbr ~]$ netstat -anelpt | egrep ':25|:465|:389|:636|:7025|:7047|:80|:8080|:443|:8443|:110|:7110|:995|:7995|:143|:7143|:993|:7993|:3443|:9443|:7071|:9071|:7072|:7306|:7307|:7780|:10024|:10025|:11211'
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:7143            0.0.0.0:*               LISTEN      0          22999241   -
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      998        22999307   7453/amavisd (maste
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      0          23001904   -
tcp        0      0 127.0.0.1:7306          0.0.0.0:*               LISTEN      998        22999190   7027/mysqld
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      998        22998771   7378/memcached
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      0          23646086   8861/nginx: worker
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      0          23646084   8861/nginx: worker
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      0          22999229   -
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      0          23001805   -
tcp        0      0 0.0.0.0:7025            0.0.0.0:*               LISTEN      0          22999243   -
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      0          23001793   -
tcp        0      0 0.0.0.0:7993            0.0.0.0:*               LISTEN      0          22999242   -
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          23646088   8861/nginx: worker
tcp        0      0 0.0.0.0:7995            0.0.0.0:*               LISTEN      0          22999240   -
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      0          22999237   -
tcp        0      0 0.0.0.0:7071            0.0.0.0:*               LISTEN      0          22999238   -
tcp        0      0 0.0.0.0:7072            0.0.0.0:*               LISTEN      0          22996855   -
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      0          23646085   8861/nginx: worker
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      0          23646087   8861/nginx: worker
tcp        0      0 192.168.3.25:389        0.0.0.0:*               LISTEN      0          22967372   -
tcp        0      0 0.0.0.0:7110            0.0.0.0:*               LISTEN      0          22999239   -
tcp        0      0 192.168.3.25:42180      192.168.3.25:11211      ESTABLISHED 998        23646102   8861/nginx: worker
tcp        0      0 127.0.0.1:7306          127.0.0.1:33286         ESTABLISHED 998        22999823   7027/mysqld
tcp        0      0 192.168.3.25:47612      192.168.3.25:389        ESTABLISHED 998        23000011   7526/amavisd (ch3-a
tcp        0      0 192.168.3.25:42182      192.168.3.25:11211      ESTABLISHED 998        23646103   8864/nginx: worker
tcp        0      0 192.168.3.25:47580      192.168.3.25:389        ESTABLISHED 998        22999958   7518/amavisd (ch8-a
tcp        0      0 192.168.3.25:389        192.168.3.25:47424      ESTABLISHED 998        22966524   -
tcp        0      0 192.168.3.25:47652      192.168.3.25:389        ESTABLISHED 998        23002826   7516/amavisd (ch6-a
tcp        0      0 192.168.3.25:389        192.168.3.25:47652      ESTABLISHED 998        23002827   -
tcp        0      0 192.168.3.25:47530      192.168.3.25:389        ESTABLISHED 998        23000306   -
tcp        0      0 192.168.3.25:47502      192.168.3.25:389        ESTABLISHED 998        22996904   -
tcp        0      0 192.168.3.25:51502      192.168.3.25:389        TIME_WAIT   0          0          -
tcp        0      0 192.168.3.25:7071       171.249.111.38:59814    ESTABLISHED 998        24400608   -
tcp        0      0 192.168.3.25:47596      192.168.3.25:389        ESTABLISHED 998        22999984   7522/amavisd (ch4-a
tcp        0      0 192.168.3.25:389        192.168.3.25:47538      ESTABLISHED 998        23001698   -
tcp        0      0 192.168.3.25:11211      192.168.3.25:42180      ESTABLISHED 998        23649293   7378/memcached
tcp        0      0 192.168.3.25:389        192.168.3.25:47522      ESTABLISHED 998        23001403   -
tcp        0      0 192.168.3.25:11211      192.168.3.25:42182      ESTABLISHED 998        23649294   7378/memcached
tcp        0      0 192.168.3.25:49392      192.168.3.25:389        ESTABLISHED 998        23558639   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47634      ESTABLISHED 998        23003549   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47524      ESTABLISHED 998        22999429   -
tcp        0      0 192.168.3.25:42184      192.168.3.25:11211      ESTABLISHED 998        23648448   8863/nginx: worker
tcp        0      0 127.0.0.1:7306          127.0.0.1:33284         ESTABLISHED 998        22999822   7027/mysqld
tcp        0      0 192.168.3.25:389        192.168.3.25:47612      ESTABLISHED 998        23000012   -
tcp        0      0 127.0.0.1:33238         127.0.0.1:7306          ESTABLISHED 998        22995909   -
tcp        0      0 192.168.3.25:47684      192.168.3.25:389        ESTABLISHED 998        23003677   7514/amavisd (ch5-a
tcp        0      0 192.168.3.25:47524      192.168.3.25:389        ESTABLISHED 998        23001404   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47530      ESTABLISHED 998        23002174   -
tcp        0      0 192.168.3.25:47590      192.168.3.25:389        ESTABLISHED 998        23002695   7525/amavisd (ch11-
tcp        0      0 192.168.3.25:389        192.168.3.25:47674      ESTABLISHED 998        23004234   -
tcp        0      0 192.168.3.25:47606      192.168.3.25:389        ESTABLISHED 998        23000724   7519/amavisd (ch5-a
tcp        0      0 192.168.3.25:47522      192.168.3.25:389        ESTABLISHED 998        22999428   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47988      ESTABLISHED 998        23048031   -
tcp        0      0 127.0.0.1:7306          127.0.0.1:33288         ESTABLISHED 998        22999824   7027/mysqld
tcp        0      0 192.168.3.25:389        192.168.3.25:47426      ESTABLISHED 998        22966089   -
tcp        0      0 192.168.3.25:48556      192.168.3.25:389        ESTABLISHED 998        23284842   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47596      ESTABLISHED 998        22999985   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47504      ESTABLISHED 998        22995908   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47568      ESTABLISHED 998        23002660   -
tcp        0      0 192.168.3.25:389        192.168.3.25:49672      ESTABLISHED 998        23627468   -
tcp        0      0 127.0.0.1:33288         127.0.0.1:7306          ESTABLISHED 998        23002112   -
tcp        0      0 192.168.3.25:51500      192.168.3.25:389        TIME_WAIT   0          0          -
tcp        0      0 192.168.3.25:389        192.168.3.25:49216      ESTABLISHED 998        23524552   -
tcp        0      0 192.168.3.25:47428      192.168.3.25:389        ESTABLISHED 998        22967394   5594/java
tcp        0      0 192.168.3.25:389        192.168.3.25:47532      ESTABLISHED 998        23001502   -
tcp        0      0 127.0.0.1:33286         127.0.0.1:7306          ESTABLISHED 998        23002110   -
tcp        0      0 192.168.3.25:47532      192.168.3.25:389        ESTABLISHED 998        23001501   -
tcp        0      0 192.168.3.25:47504      192.168.3.25:389        ESTABLISHED 998        22995907   -
tcp        0      0 192.168.3.25:47988      192.168.3.25:389        ESTABLISHED 998        23051337   -
tcp        0      0 192.168.3.25:47634      192.168.3.25:389        ESTABLISHED 998        23000788   7521/amavisd (ch6-a
tcp        0      0 192.168.3.25:47424      192.168.3.25:389        ESTABLISHED 998        22962167   5594/java
tcp        0      0 192.168.3.25:389        192.168.3.25:47590      ESTABLISHED 998        22999971   -
tcp        0      0 192.168.3.25:47426      192.168.3.25:389        ESTABLISHED 998        22962168   5594/java
tcp        0      0 192.168.3.25:42186      192.168.3.25:11211      ESTABLISHED 998        23648449   8862/nginx: worker
tcp        0      0 192.168.3.25:389        192.168.3.25:48556      ESTABLISHED 998        23282797   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47684      ESTABLISHED 998        23004249   -
tcp        0      0 192.168.3.25:49216      192.168.3.25:389        ESTABLISHED 998        23520894   5594/java
tcp        0      0 192.168.3.25:47540      192.168.3.25:389        ESTABLISHED 998        23002345   8249/opendkim
tcp        0      0 192.168.3.25:389        192.168.3.25:47502      ESTABLISHED 998        22999287   -
tcp        0      0 192.168.3.25:47538      192.168.3.25:389        ESTABLISHED 998        23002344   8249/opendkim
tcp        0      0 127.0.0.1:7306          127.0.0.1:33238         ESTABLISHED 998        22996926   7027/mysqld
tcp        0      0 192.168.3.25:389        192.168.3.25:47428      ESTABLISHED 998        22967395   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47580      ESTABLISHED 998        23002669   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47540      ESTABLISHED 998        23001699   -
tcp        0      0 192.168.3.25:389        192.168.3.25:47606      ESTABLISHED 998        23000000   -
tcp        0      0 192.168.3.25:47568      192.168.3.25:389        ESTABLISHED 998        23000648   7511/amavisd (ch9-a
tcp        0      0 192.168.3.25:49672      192.168.3.25:389        ESTABLISHED 998        23627467   -
tcp        0      0 192.168.3.25:389        192.168.3.25:49392      ESTABLISHED 998        23563902   -
tcp        0      0 127.0.0.1:33284         127.0.0.1:7306          ESTABLISHED 998        23002109   -
tcp        0      0 192.168.3.25:11211      192.168.3.25:42186      ESTABLISHED 998        23649296   7378/memcached
tcp        0      0 192.168.3.25:11211      192.168.3.25:42184      ESTABLISHED 998        23649295   7378/memcached
tcp        0      0 192.168.3.25:47674      192.168.3.25:389        ESTABLISHED 998        23003666   7517/amavisd (ch3-a
tcp6       0      0 ::1:10024               :::*                    LISTEN      998        22999308   7453/amavisd (maste
tcp6       0      0 :::11211                :::*                    LISTEN      998        22998772   7378/memcached
[zimbra@mailsrv-zbr ~]$ lsof -P -n -i :25,465,389,636,7025,7047,80,8080,443,8443,110,7110,995,7995,143,7143,993,7993,3443,9443,7071,9071,7072,7306,7307,7780,10024,10025,11211
COMMAND    PID   USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
java      5594 zimbra  153u  IPv4 22962167      0t0  TCP 192.168.3.25:47424->192.168.3.25:389 (ESTABLISHED)
java      5594 zimbra  155u  IPv4 22962168      0t0  TCP 192.168.3.25:47426->192.168.3.25:389 (ESTABLISHED)
java      5594 zimbra  156u  IPv4 22967394      0t0  TCP 192.168.3.25:47428->192.168.3.25:389 (ESTABLISHED)
java      5594 zimbra  157u  IPv4 23520894      0t0  TCP 192.168.3.25:49216->192.168.3.25:389 (ESTABLISHED)
mysqld    7027 zimbra   22u  IPv4 22999190      0t0  TCP 127.0.0.1:7306 (LISTEN)
mysqld    7027 zimbra   49u  IPv4 22996926      0t0  TCP 127.0.0.1:7306->127.0.0.1:33238 (ESTABLISHED)
mysqld    7027 zimbra  291u  IPv4 22999822      0t0  TCP 127.0.0.1:7306->127.0.0.1:33284 (ESTABLISHED)
mysqld    7027 zimbra  292u  IPv4 22999823      0t0  TCP 127.0.0.1:7306->127.0.0.1:33286 (ESTABLISHED)
mysqld    7027 zimbra  293u  IPv4 22999824      0t0  TCP 127.0.0.1:7306->127.0.0.1:33288 (ESTABLISHED)
memcached 7378 zimbra   26u  IPv4 22998771      0t0  TCP *:11211 (LISTEN)
memcached 7378 zimbra   27u  IPv6 22998772      0t0  TCP *:11211 (LISTEN)
memcached 7378 zimbra   28u  IPv4 23649293      0t0  TCP 192.168.3.25:11211->192.168.3.25:42180 (ESTABLISHED)
memcached 7378 zimbra   29u  IPv4 23649294      0t0  TCP 192.168.3.25:11211->192.168.3.25:42182 (ESTABLISHED)
memcached 7378 zimbra   30u  IPv4 23649295      0t0  TCP 192.168.3.25:11211->192.168.3.25:42184 (ESTABLISHED)
memcached 7378 zimbra   31u  IPv4 23649296      0t0  TCP 192.168.3.25:11211->192.168.3.25:42186 (ESTABLISHED)
/opt/zimb 7453 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7453 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7511 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7511 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7511 zimbra   22u  IPv4 23000648      0t0  TCP 192.168.3.25:47568->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7514 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7514 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7514 zimbra   22u  IPv4 23003677      0t0  TCP 192.168.3.25:47684->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7516 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7516 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7516 zimbra   22u  IPv4 23002826      0t0  TCP 192.168.3.25:47652->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7517 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7517 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7517 zimbra   22u  IPv4 23003666      0t0  TCP 192.168.3.25:47674->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7518 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7518 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7518 zimbra   22u  IPv4 22999958      0t0  TCP 192.168.3.25:47580->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7519 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7519 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7519 zimbra   22u  IPv4 23000724      0t0  TCP 192.168.3.25:47606->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7521 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7521 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7521 zimbra   22u  IPv4 23000788      0t0  TCP 192.168.3.25:47634->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7522 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7522 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7522 zimbra   22u  IPv4 22999984      0t0  TCP 192.168.3.25:47596->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7525 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7525 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7525 zimbra   22u  IPv4 23002695      0t0  TCP 192.168.3.25:47590->192.168.3.25:389 (ESTABLISHED)
/opt/zimb 7526 zimbra    4u  IPv4 22999307      0t0  TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 7526 zimbra    6u  IPv6 22999308      0t0  TCP [::1]:10024 (LISTEN)
/opt/zimb 7526 zimbra   22u  IPv4 23000011      0t0  TCP 192.168.3.25:47612->192.168.3.25:389 (ESTABLISHED)
opendkim  8249 zimbra    3u  IPv4 23002344      0t0  TCP 192.168.3.25:47538->192.168.3.25:389 (ESTABLISHED)
opendkim  8249 zimbra    4u  IPv4 23002345      0t0  TCP 192.168.3.25:47540->192.168.3.25:389 (ESTABLISHED)
opendkim  8250 zimbra    3u  IPv4 23002344      0t0  TCP 192.168.3.25:47538->192.168.3.25:389 (ESTABLISHED)
opendkim  8250 zimbra    4u  IPv4 23002345      0t0  TCP 192.168.3.25:47540->192.168.3.25:389 (ESTABLISHED)
nginx     8861 zimbra    6u  IPv4 23646084      0t0  TCP *:143 (LISTEN)
nginx     8861 zimbra    7u  IPv4 23646085      0t0  TCP *:993 (LISTEN)
nginx     8861 zimbra    8u  IPv4 23646086      0t0  TCP *:110 (LISTEN)
nginx     8861 zimbra    9u  IPv4 23646087      0t0  TCP *:995 (LISTEN)
nginx     8861 zimbra   10u  IPv4 23646088      0t0  TCP *:443 (LISTEN)
nginx     8861 zimbra   13u  IPv4 23646102      0t0  TCP 192.168.3.25:42180->192.168.3.25:11211 (ESTABLISHED)
nginx     8862 zimbra    6u  IPv4 23646084      0t0  TCP *:143 (LISTEN)
nginx     8862 zimbra    7u  IPv4 23646085      0t0  TCP *:993 (LISTEN)
nginx     8862 zimbra    8u  IPv4 23646086      0t0  TCP *:110 (LISTEN)
nginx     8862 zimbra    9u  IPv4 23646087      0t0  TCP *:995 (LISTEN)
nginx     8862 zimbra   10u  IPv4 23646088      0t0  TCP *:443 (LISTEN)
nginx     8862 zimbra   15u  IPv4 23648449      0t0  TCP 192.168.3.25:42186->192.168.3.25:11211 (ESTABLISHED)
nginx     8863 zimbra    6u  IPv4 23646084      0t0  TCP *:143 (LISTEN)
nginx     8863 zimbra    7u  IPv4 23646085      0t0  TCP *:993 (LISTEN)
nginx     8863 zimbra    8u  IPv4 23646086      0t0  TCP *:110 (LISTEN)
nginx     8863 zimbra    9u  IPv4 23646087      0t0  TCP *:995 (LISTEN)
nginx     8863 zimbra   10u  IPv4 23646088      0t0  TCP *:443 (LISTEN)
nginx     8863 zimbra   17u  IPv4 23648448      0t0  TCP 192.168.3.25:42184->192.168.3.25:11211 (ESTABLISHED)
nginx     8864 zimbra    6u  IPv4 23646084      0t0  TCP *:143 (LISTEN)
nginx     8864 zimbra    7u  IPv4 23646085      0t0  TCP *:993 (LISTEN)
nginx     8864 zimbra    8u  IPv4 23646086      0t0  TCP *:110 (LISTEN)
nginx     8864 zimbra    9u  IPv4 23646087      0t0  TCP *:995 (LISTEN)
nginx     8864 zimbra   10u  IPv4 23646088      0t0  TCP *:443 (LISTEN)
nginx     8864 zimbra   19u  IPv4 23646103      0t0  TCP 192.168.3.25:42182->192.168.3.25:11211 (ESTABLISHED)
[zimbra@mailsrv-zbr ~]$
[zimbra@mailsrv-zbr ~]$
[zimbra@mailsrv-zbr ~]$
[zimbra@mailsrv-zbr ~]$ zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled zimbraReverseProxyLookupTarget zimbraReverseProxyHttpEnabled zimbraMailReferMode zimbraMailPort zimbraMailProxyPort zimbraMailSSLPort  zimbraMailSSLProxyPort zimbraMailMode zimbraReverseProxyMailEnabled zimbraReverseProxyMailMode zimbraImapBindPort zimbraImapProxyBindPort zimbraImapSSLBindPort zimbraImapSSLProxyBindPort zimbraImapCleartextLoginEnabled zimbraPop3BindPort zimbraPop3ProxyBindPort zimbraPop3SSLBindPort zimbraPop3SSLProxyBindPort zimbraPop3CleartextLoginEnabled zimbraAdminPort zimbraAdminProxyPort zimbraReverseProxyAdminEnabled ; zmprov gs `zmhostname` zimbraServiceEnabled | egrep 'memcache|proxy|mailbox'

# name mailsrv-zbr.saigon-inttech.local
zimbraAdminPort: 7071
zimbraAdminProxyPort: 9071
zimbraImapBindPort: 7143
zimbraImapCleartextLoginEnabled: TRUE
zimbraImapProxyBindPort: 143
zimbraImapSSLBindPort: 7993
zimbraImapSSLProxyBindPort: 993
zimbraMailMode: https
zimbraMailPort: 8080
zimbraMailProxyPort: 80
zimbraMailReferMode: reverse-proxied
zimbraMailSSLPort: 8443
zimbraMailSSLProxyPort: 443
zimbraPop3BindPort: 7110
zimbraPop3CleartextLoginEnabled: TRUE
zimbraPop3ProxyBindPort: 110
zimbraPop3SSLBindPort: 7995
zimbraPop3SSLProxyBindPort: 995
zimbraReverseProxyAdminEnabled: FALSE
zimbraReverseProxyHttpEnabled: TRUE
zimbraReverseProxyLookupTarget: TRUE
zimbraReverseProxyMailEnabled: TRUE
zimbraReverseProxyMailMode: https
zimbraReverseProxySSLToUpstreamEnabled: TRUE

zimbraServiceEnabled: mailbox
zimbraServiceEnabled: proxy
zimbraServiceEnabled: memcached
[zimbra@mailsrv-zbr ~]$
[zimbra@mailsrv-zbr ~]$


But when using the FQDN hostname of the server, access is normal.

Everyone help, thanks
Last edited by buiphezzz on Mon Feb 25, 2019 4:26 am, edited 2 times in total.


User avatar
pup_seba
Outstanding Member
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain
Contact:

Re: 400 Bad Request - nginx

Postby pup_seba » Sun Feb 24, 2019 10:42 am

Hi,

Did you tried following the installation guide while installing? If you are trying a single-server (which is not a good idea for any enterprise enviroment that aims to have a minimum of security). This is the guide for you:
https://zimbra.github.io/installguides/ ... ingle.html

You will find in that guide that as per zimbra 8.7, proxy is a requirement. I assume your Zimbra version is newer than this as per your comment of "Recently, I have deployed" :) (providing the output of zmcontrol -v is usually a good idea).

My guess is also that if you did not follow that basic instruction of installing a proxy as a required part of any installation, most likely you ignored other things too that sooner or later will be problematic. So my best advice here is, read that guide and try to stick to it as much as possible.

If you don't have the opportunity to start over (i mean, if this is not a lab environment, but a production server already), then you'll have to try to configure your proxy properly. So, beside reading the installation guide so you see and understand what things you missed during installation, you should also read the relevant parts of this guide:
https://zimbra.github.io/adminguide/latest/

In that guide you'll find some information about configuring your proxy, although an easier way to do most of that stuff is by using the adminUI. Just be sure that the server with the mailboxd service is marked as "end point for proxy" (or similar, I don't remember exactly the property), and that you modify the server configuration on your proxy server (not in the global config). Although you only have one server...better doing it like this in case you add more servers later.

good luck!
buiphezzz
Posts: 5
Joined: Fri Feb 22, 2019 6:12 am

Re: 400 Bad Request - nginx

Postby buiphezzz » Sun Feb 24, 2019 10:54 am

pup_seba wrote:Hi,

Did you tried following the installation guide while installing? If you are trying a single-server (which is not a good idea for any enterprise enviroment that aims to have a minimum of security). This is the guide for you:
https://zimbra.github.io/installguides/ ... ingle.html

You will find in that guide that as per zimbra 8.7, proxy is a requirement. I assume your Zimbra version is newer than this as per your comment of "Recently, I have deployed" :) (providing the output of zmcontrol -v is usually a good idea).

My guess is also that if you did not follow that basic instruction of installing a proxy as a required part of any installation, most likely you ignored other things too that sooner or later will be problematic. So my best advice here is, read that guide and try to stick to it as much as possible.

If you don't have the opportunity to start over (i mean, if this is not a lab environment, but a production server already), then you'll have to try to configure your proxy properly. So, beside reading the installation guide so you see and understand what things you missed during installation, you should also read the relevant parts of this guide:
https://zimbra.github.io/adminguide/latest/

In that guide you'll find some information about configuring your proxy, although an easier way to do most of that stuff is by using the adminUI. Just be sure that the server with the mailboxd service is marked as "end point for proxy" (or similar, I don't remember exactly the property), and that you modify the server configuration on your proxy server (not in the global config). Although you only have one server...better doing it like this in case you add more servers later.

good luck!


Thanks pup_seba, but one thing is that when using the server's FQDN server name, access is normal.
buiphezzz
Posts: 5
Joined: Fri Feb 22, 2019 6:12 am

Re: 400 Bad Request - nginx

Postby buiphezzz » Mon Feb 25, 2019 1:23 am

After reading the following topics, I fixed the 400 Nginx error

https://github.com/Zimbra/zm-build/pull/64/commits/8f4d266ff73916def35632be496068b2254730fa
https://github.com/Zimbra/zm-build/pull/64

[zimbra@mailsrv-zbr ~]$ zmprov gacf | grep -i zimbraReverseProxyStrictServerNameEnabled
zimbraReverseProxyStrictServerNameEnabled: TRUE
[zimbra@mailsrv-zbr ~]$ zmprov gs `zmhostname` | grep -i zimbraReverseProxyStrictServerNameEnabled
zimbraReverseProxyStrictServerNameEnabled: TRUE

[zimbra@mailsrv-zbr ~]$ zmprov ms `zmhostname` zimbraReverseProxyStrictServerNameEnabled FALSE
[zimbra@mailsrv-zbr ~]$ zmprov gs `zmhostname` | grep -i zimbraReverseProxyStrictServerNameEnabled
zimbraReverseProxyStrictServerNameEnabled: FALSE

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 9 guests