[Users] Is there a nginx/zimbra proxy expert here?

Yutaka Obuchi yutaka.obuchi at yahoo.com
Mon May 2 03:17:45 CEST 2016 

 You have to rebuild Zimbra Nginx if you use ngx_http_auth_request_module from my understanding, 
which makes it much harder for you to maintain the module and for user to use that.
So I did not look into that at that moment.

Actually, I have never used http://nginx.org/en/docs/http/ngx_http_auth_request_module.htmlso I am not quite sure.But from doc it looks promising as Stefan pointed out. 
If rebuild could be your option,
here is an example for extra nginx configuration to the one you have already done;
---------------------------------------------------------------------------------
location /extra-service/ {
  auth_request /_auth;
  error_page 401 https://myzimbra.com/service/zimlet;
  
  proxy_pass https://extra-service.example.com/extra-service/;
}

upstream /_auth {
    internal;

    proxy_pass /home/~/inbox.rss;
    proxy_intercept_errors on;
}
----------------------------------------------------------------------------------
Again I have never used ngx_http_auth_request_module, so you better test this first before anything.
Hope this could help you.
Yutaka

    On Tuesday, April 26, 2016 2:44 AM, Stefan Sänger <stefan.saenger at gr13.net> wrote:
 

 Hi All,

this would basically be a situation where
http://nginx.org/en/docs/http/ngx_http_auth_request_module.html would be 
handy. It could be used to query some REST URL...

Unfortunately this is not part of current zimbra nginx.

I already created patched nginx binaries (with other modules) in 8.6 - 
and can not recommend doing so. Nginx version bundled with 8.6 is to 
old, so this might only be a viable option for 8.7 and later.

Using the zimbra nginx modules is also not an option, as far as I see 
there will always be a route to a mailbox server available.

So, no easy solution comes to my mind, but maybe this helps to think of 
a proper solution.


Stefan

Am 26.04.2016 um 08:02 schrieb Barry De Graaff:
> Hello Yutaka,
>
> The webapp I want to proxy, cannot de the validation, so
> your suggestion would not work for me.
>
> Thanks Barry
>
> ------------------------------------------------------------------------
> *From: *"Yutaka Obuchi" <yutaka.obuchi at yahoo.com>
> *To: *users at lists.zetalliance.org
> *Sent: *Saturday, April 23, 2016 9:42:33 AM
> *Subject: *Re: [Users] Is there a nginx/zimbra proxy expert here?
>
> Hi Barry,
>
> I have been thinking about this lately.
> You want check not only if ZM_AUTH_TOKEN is in cookie or not,
> but also if the ZM_AUTH_TOKEN is valid or not before proxying request to
> your own web application, right??
>
> That is difficult, because Zimbra Nginx itself does not make auth token
> validation from my understanding.
>
> How about Zimbra Nginx proxying the request to your own web app which
> validates the authtoken??
> Does it work for you??
>
>
> On Wednesday, April 13, 2016 3:29 AM, Barry De Graaff
> <barrydg at zetalliance.org> wrote:
>
>
> Hello All,
>
> is there a nginx/zimbra proxy expert here?
>
> I would like to add additional reverse proxies to zimbra proxy,
> but only allow authenticated users, see:
>
> https://bugzilla.zimbra.com/show_bug.cgi?id=101811
>
>
> If you know how-to, please let me know.
>
>
> Barry
>
>
>
>



  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zetalliance.org/pipermail/users_lists.zetalliance.org/attachments/20160502/2c71e5eb/attachment.html>

More information about the Users mailing list