[Users] Did anyone have any issue with some balancer in front of Zimbra?

Fabio S. Schmidt fabio at bktech.com.br
Mon May 27 19:03:04 CEST 2019 

Hello Jim, 

Thank you for your reply. 

Zimbra support has sent us a change to be applied in the Nginx configuration and it solved the issue with the "OIP". It's displaying now only the client IP. 

We hope this solves an issue we are facing that causes a high CPU load (100% sometimes) on all our servers. 

These are the commands I have used to fix the OIP: 

cd /opt/zimbra/conf/nginx/templates 
sed -i 's/$proxy_add_x_forwarded_for/$http_x_forwarded_for/g' * 
zmproxyctl restart 


Atenciosamente, 
Fabio S. Schmidt 

Diretor técnico 

E-mail: fabio at bktech.com.br 
www.bktech.com.br 
Tel.: +55 (61) 3226-7932 

Cel.: +55 (61) 99116-3941 


De: "Jim Dunphy" <jad at aesir.com> 
Para: "Fabio Schmidt" <fabio at bktech.com.br> 
Cc: "Brando Beaumont" <branzo at itaserv.net>, "users" <users at lists.zetalliance.org> 
Enviadas: Segunda-feira, 27 de maio de 2019 13:15:57 
Assunto: Re: [Users] Did anyone have any issue with some balancer in front of Zimbra? 

If you need something faster, 

I followed this link's advice ... using the set_real_ip_from, real_ip_recursive on and real_ip_header X-Forwarded-For. 

Explained in detail here: 

https://serverfault.com/questions/314574/nginx-real-ip-header-and-x-forwarded-for-seems-wrong 

I tested various spoofing chaining scenarios and it appeared to do the correct thing. I don't use this with zimbra however only our web farms. 

>From my perspective, this is a security bug at least in the 8.7.11+ branch and not a RFE given how trivial it is to spoof a client side header that allows an attacker to hide in the logs. 

w/r 

Jim 


----- On May 27, 2019, at 8:50 AM, Fabio S. Schmidt <fabio at bktech.com.br> wrote: 



Greetings Brando, 

Thank you for your reply. I've submitted to Zimbra an RFE to support the origin IP with this format. 

Best regards. 

Atenciosamente, 
Fabio S. Schmidt 

Diretor técnico 

E-mail: fabio at bktech.com.br 
www.bktech.com.br 
Tel.: +55 (61) 3226-7932 

Cel.: +55 (61) 99116-3941 


De: "Brando Beaumont" <branzo at itaserv.net> 
Para: "Fabio Schmidt" <fabio at bktech.com.br> 
Cc: "users" <users at lists.zetalliance.org> 
Enviadas: Segunda-feira, 27 de maio de 2019 5:28:54 
Assunto: Re: [Users] Did anyone have any issue with some balancer in front of Zimbra? 

Good morning Fabio, 

as stated here [1], X-Forwaded-For can pass multiple IPs. Including the IP of the Netscaler should add another IP to the list.. 

cya, 
Brando B. 

[1] - [ https://en.wikipedia.org/wiki/X-Forwarded-For | https://en.wikipedia.org/wiki/X-Forwarded-For ] 



BQ_BEGIN
Da: "Fabio S. Schmidt" <fabio at bktech.com.br> 
A: "users" <users at lists.zetalliance.org> 
Inviato: Venerdì, 24 maggio 2019 15:25:13 
Oggetto: [Users] Did anyone have any issue with some balancer in front of Zimbra? 




BQ_BEGIN

Hello guys, 

Our customers always use a balancer in front of Zimbra to balance the load and implement H.A. at least for the proxy servers. 

A particular customer use Netscaler and we have noticed that it is displaying both the IPs (client and the balancer) on our logs: 

;mid=231 ;oip=10.32.90.33, 172.16.5.1 

These logs are being displayed on zmmailboxd.out: 

Ignoring malformed remote address 10.32.90.33, 172.16.5.1 

Maybe should we include the Netscaler IP on the Zimbra trusted IP parameter? 

Best regards. 
Fabio S. Schmidt 

BQ_END


BQ_END


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zetalliance.org/pipermail/users_lists.zetalliance.org/attachments/20190527/c33ebdeb/attachment.html>

More information about the Users mailing list