HTTPS ReverseProxy - How to configure chwala ?



  • Hi everyone,

    My system (Kolab 16 / CentOS 7) is running behind an https reverse proxy. Everything works fine except for chwala (Files in Roundcube).

    Anyone knows how to fix this ?

    For now, I have just disabled the plugin in roundcube configuration file.

    Thanks,
    Jean-Fran├žois



  • What (if anything) are you seeing in Roundcube log files when trying to use the files integration (chwala)?

    Was it working without the reverse proxy in place? If so, is the domain/hostname/IP that services are using to connect to chwala going through the reverse proxy, or?


  • Kolabian

    How did you configure the proxy and how did you configure kolab_files plugin in Roundcube. What are http host names used? Do they resolve from the client and the server to the same IP?



  • The proxy config is currently very simple:

    (I removed the server name & https parts here)
    location /
    {
    include proxy_params;
    proxy_pass http://192.168.0.210:80;
    proxy_connect_timeout 1800;
    proxy_read_timeout 1800;
    }

    I have roundcube, activesync & webadmin working fine (had to add the api_url in the kolab_wap config area for webadmin to work).

    If going http only, kolab_files work correctly. If I go with https, then the browser is complaining about mixing http & https queries.

    The browser console shows:
    VM65 ?_task=mail:15 Mixed Content: The page at 'https://mail.xxxxxx.net/webmail/8FJjMz7nUAmFQLJp/?_task=mail' was loaded over HTTPS, but requested an insecure stylesheet 'http://mail.xxxxxx.net/chwala//skins/default/images/mimetypes/style.css'. This request has been blocked; the content must be served over HTTPS.
    VM65 ?_task=mail:1 Mixed Content: The page at 'https://mail.xxxxxx.net/webmail/8FJjMz7nUAmFQLJp/?_task=mail' was loaded over HTTPS, but requested an insecure script 'http://mail.xxxxxx.net/chwala//js/files_api.js'. This request has been blocked; the content must be served over HTTPS.

    I tried fixing this with the following change in /usr/share/roundcubemail/config/kolab_files.inc.php
    $config['kolab_files_url'] = 'https://mail.xxxxxx.net/chwala/';

    Initially,the value was $config['kolab_files_url'] = '/chwala/';

    For some reason, Roundcube is changing the relative url into an absolute url which is probably a bug, isn't it ?

    Going with the absolute url fixed the insecure urls issue in the browser but it's still not working. Nothing shows up in Roundcube Files: the folder area is empty.

    I don't know which log to look from here. The folder /var/log/chwala is empty and I don't see anything related to chwala in /var/log/kolab*. In /var/log/httpd/*, no error shows up either.


  • Kolabian

    Is https://mail.xxxxxx.net resolvable and accessible from the Roundcube host? Did you try kolab_files_url='chwala' (without slashes)?

    Note: Roundcube (kolab_files) is connecting to chwala in two ways: 1. in PHP from Roundcube host to Chwala host, 2. in Javascript/browser from user browser to Chwala host.



  • No, https://mail.xxxxx.net is not accessible from the Roundcube host. And actually I wanted to avoid that (I prefer to manage all certs on the reverse proxy).

    Trying kolab_files_url='chwala' (without slashes) doens't work either.

    I'll try to go through the code and find out what is happening. And if I really cannot find, then I'll have to install certs on the server as well.



  • @jeanfrancois

    i had the same issue like you my solution was the link https://kolabsys.com/howtos/secure-kolab-server.html. when you insert the following lines all traffic will be rerouted to https on the kolab server.

    cat >> /etc/httpd/conf/httpd.conf << EOF
    <VirtualHost default:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
    </VirtualHost>
    EOF

    now you can configure https on revers proxy for the kolab server and now you can use https for all kolab sites.

    i think the problem is that the convertion from the https of reversproxy to http on kolab is not working


  • Kolabian

    I think that implementing a separate config option in kolab_files plugin for "local" connections would do this as well. Se add $config['kolab_files_url_local'] = 'http://192.168.0.210/chwala' to config file and change this line of code https://git.kolab.org/diffusion/RPK/browse/master/plugins/kolab_files/lib/kolab_files_engine.php;0029200a78e19e71f7821fc82571d9bf5a8e55a6$904 to:

    $url = $this->rc->config->get('kolab_files_url_local', $this->url) . '/api/';
    

Log in to reply