<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div>Sounds like a good suggestion, if it works...</div><div><br data-mce-bogus="1"></div><div>Quanah, can you comment on the below, would it be possible to compile zimbra nginx</div><div>with the suggested options?</div><div><br data-mce-bogus="1"></div><div>Barry</div><div><br></div><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><b>From: </b>"Yutaka Obuchi" <yutaka.obuchi@yahoo.com><br><b>To: </b>users@lists.zetalliance.org<br><b>Sent: </b>Monday, May 2, 2016 3:17:45 AM<br><b>Subject: </b>Re: [Users] Is there a nginx/zimbra proxy expert here?<br></div><br><div data-marker="__QUOTED_TEXT__"><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:10px"><div id="yiv6385988022"><div id="yui_3_16_0_ym19_1_1462089462229_2798"><div id="yui_3_16_0_ym19_1_1462089462229_2797" style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:10px;"><div id="yiv6385988022"><div id="yiv6385988022yui_3_16_0_ym19_1_1462071420588_2692"><div id="yiv6385988022yui_3_16_0_ym19_1_1462071420588_2691" style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:10px;"><div id="yiv6385988022yui_3_16_0_ym19_1_1461899361457_3083"><span></span></div><div id="yui_3_16_0_ym19_1_1462089462229_7509"><br> </div><div dir="ltr" id="yui_3_16_0_ym19_1_1462089462229_7508">You have to rebuild Zimbra Nginx if you use <a id="yui_3_16_0_ym19_1_1462089462229_7880" rel="nofollow" shape="rect" target="_blank" href="http://nginx.org/en/docs/http/ngx_http_auth_request_module.html">ngx_http_auth_request_module</a> from my understanding, <br></div><div id="yui_3_16_0_ym19_1_1462089462229_8550" dir="ltr">which makes it much harder for you to maintain the module and for user to use that.<br></div><div class="yiv6385988022qtdSeparateBR" dir="ltr" id="yiv6385988022yui_3_16_0_ym19_1_1461899361457_3148"><div dir="ltr" id="yiv6385988022yui_3_16_0_ym19_1_1461899361457_3208"><div id="yui_3_16_0_ym19_1_1462089462229_7481">So I did not look into that at that moment.<br></div><div id="yui_3_16_0_ym19_1_1462089462229_7908"><br></div><div id="yui_3_16_0_ym19_1_1462089462229_7480">Actually, I have never used <a rel="nofollow" shape="rect" id="yiv6385988022yui_3_16_0_ym19_1_1461899361457_3207" target="_blank" href="http://nginx.org/en/docs/http/ngx_http_auth_request_module.html">http://nginx.org/en/docs/http/ngx_http_auth_request_module.html</a></div></div><div dir="ltr" id="yiv6385988022yui_3_16_0_ym19_1_1461899361457_3960">so I am not quite sure.</div><div dir="ltr" id="yiv6385988022yui_3_16_0_ym19_1_1461899361457_3961"><div dir="ltr" id="yui_3_16_0_ym19_1_1462089462229_8523">But from doc it looks promising as Stefan pointed out.<span size="2" data-mce-style="font-size: small;" style="font-size: small;"><span face="Arial" data-mce-style="font-family: Arial;" style="font-family: Arial;"> </span></span></div><div id="yui_3_16_0_ym19_1_1462089462229_8738"><br></div><div id="yui_3_16_0_ym19_1_1462089462229_9302">If rebuild could be your option,<br></div><div id="yui_3_16_0_ym19_1_1462089462229_8693">here is an example for extra nginx configuration to the one you have already done;<br></div></div><div dir="ltr" id="yiv6385988022yui_3_16_0_ym19_1_1461899361457_3853">---------------------------------------------------------------------------------<br clear="none"></div><pre id="yiv6385988022yui_3_16_0_ym19_1_1461899361457_3874">location /extra-service/ {<br clear="none">  auth_request /_auth;
  <span id="yui_3_16_0_ym19_1_1462089462229_4937">error_page</span> <span id="yui_3_16_0_ym19_1_1462089462229_4938">401</span> <a id="yui_3_16_0_ym19_1_1462089462229_5332" href="https://myzimbra.com/service/zimlet" target="_blank">https://myzimbra.com/service/zimlet</a>;<br>  <br>  proxy_pass <a id="yui_3_16_0_ym19_1_1462089462229_5048" rel="nofollow" shape="rect" target="_blank" href="https://extra-service.example.com/extra-service/">https://extra-service.example.com/extra-service/</a>;
}<br clear="none"><br clear="none">upstream /_auth {<br>    internal;<br><br clear="none">    proxy_pass /home/~/inbox.rss;<br>    <span id="yui_3_16_0_ym19_1_1462089462229_5690">proxy_intercept_errors</span> <span id="yui_3_16_0_ym19_1_1462089462229_5691">on</span><span id="yui_3_16_0_ym19_1_1462089462229_5692">;<br></span>}<br clear="none"></pre><div dir="ltr" id="yiv6385988022yui_3_16_0_ym19_1_1461899361457_3852"><div id="yui_3_16_0_ym19_1_1462089462229_9466">----------------------------------------------------------------------------------</div><div id="yui_3_16_0_ym19_1_1462089462229_9557"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1462089462229_9508">Again I have never used <a id="yui_3_16_0_ym19_1_1462089462229_9524" rel="nofollow" shape="rect" target="_blank" href="http://nginx.org/en/docs/http/ngx_http_auth_request_module.html">ngx_http_auth_request_module</a>, so you better test this first before anything.</div><div id="yui_3_16_0_ym19_1_1462089462229_9633" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1462089462229_9843" dir="ltr">Hope this could help you.<br></div><div id="yui_3_16_0_ym19_1_1462089462229_9634" dir="ltr">Yutaka<br></div></div><div dir="ltr" id="yiv6385988022yui_3_16_0_ym19_1_1461899361457_3851"><a rel="nofollow" shape="rect" id="yiv6385988022yui_3_16_0_ym19_1_1461899361457_3207" target="_blank" href="http://nginx.org/en/docs/http/ngx_http_auth_request_module.html"><br clear="none"></a></div></div><div class="yiv6385988022yqt8855327851" id="yiv6385988022yqt15221"></div></div></div></div><div class="yiv6385988022yqt4396460718" id="yiv6385988022yqt72684"><div id="yui_3_16_0_ym19_1_1462089462229_2796"> <div id="yiv6385988022yui_3_16_0_ym19_1_1461899361457_3139" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:10px;"> <div id="yiv6385988022yui_3_16_0_ym19_1_1461899361457_3138" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"> <div dir="ltr" id="yiv6385988022yui_3_16_0_ym19_1_1461899361457_3147"><span id="yiv6385988022yui_3_16_0_ym19_1_1461899361457_3146" face="Arial" size="2" data-mce-style="font-family: Arial; font-size: small;" style="font-family: Arial; font-size: small;"> On Tuesday, April 26, 2016 2:44 AM, Stefan Sänger <stefan.saenger@gr13.net> wrote:<br clear="none"></span></div>  <br clear="none"><br clear="none"> <div class="yiv6385988022y_msg_container" id="yiv6385988022yui_3_16_0_ym19_1_1461899361457_3137">Hi All,<br clear="none"><br clear="none">this would basically be a situation where<br clear="none"><a rel="nofollow" shape="rect" id="yiv6385988022yui_3_16_0_ym19_1_1461899361457_3192" target="_blank" href="http://nginx.org/en/docs/http/ngx_http_auth_request_module.html">http://nginx.org/en/docs/http/ngx_http_auth_request_module.html </a>would be <br clear="none">handy. It could be used to query some REST URL...<br clear="none"><br clear="none">Unfortunately this is not part of current zimbra nginx.<br clear="none"><br clear="none">I already created patched nginx binaries (with other modules) in 8.6 - <br clear="none">and can not recommend doing so. Nginx version bundled with 8.6 is to <br clear="none">old, so this might only be a viable option for 8.7 and later.<br clear="none"><br clear="none">Using the zimbra nginx modules is also not an option, as far as I see <br clear="none">there will always be a route to a mailbox server available.<br clear="none"><br clear="none">So, no easy solution comes to my mind, but maybe this helps to think of <br clear="none">a proper solution.<br clear="none"><br clear="none"><br clear="none">Stefan<br clear="none"><div class="yiv6385988022yqt7744318065" id="yiv6385988022yqtfd00346"><br clear="none">Am 26.04.2016 um 08:02 schrieb Barry De Graaff:<br clear="none">> Hello Yutaka,<br clear="none">><br clear="none">> The webapp I want to proxy, cannot de the validation, so<br clear="none">> your suggestion would not work for me.<br clear="none">><br clear="none">> Thanks Barry<br clear="none">><br clear="none">> ------------------------------------------------------------------------<br clear="none">> *From: *"Yutaka Obuchi" <<a rel="nofollow" shape="rect" target="_blank" href="mailto:yutaka.obuchi@yahoo.com">yutaka.obuchi@yahoo.com</a>><br clear="none">> *To: *<a rel="nofollow" shape="rect" target="_blank" href="mailto:users@lists.zetalliance.org">users@lists.zetalliance.org</a><br clear="none">> *Sent: *Saturday, April 23, 2016 9:42:33 AM<br clear="none">> *Subject: *Re: [Users] Is there a nginx/zimbra proxy expert here?<br clear="none">><br clear="none">> Hi Barry,<br clear="none">><br clear="none">> I have been thinking about this lately.<br clear="none">> You want check not only if ZM_AUTH_TOKEN is in cookie or not,<br clear="none">> but also if the ZM_AUTH_TOKEN is valid or not before proxying request to<br clear="none">> your own web application, right??<br clear="none">><br clear="none">> That is difficult, because Zimbra Nginx itself does not make auth token<br clear="none">> validation from my understanding.<br clear="none">><br clear="none">> How about Zimbra Nginx proxying the request to your own web app which<br clear="none">> validates the authtoken??<br clear="none">> Does it work for you??<br clear="none">><br clear="none">><br clear="none">> On Wednesday, April 13, 2016 3:29 AM, Barry De Graaff<br clear="none">> <<a rel="nofollow" shape="rect" target="_blank" href="mailto:barrydg@zetalliance.org">barrydg@zetalliance.org</a>> wrote:<br clear="none">><br clear="none">><br clear="none">> Hello All,<br clear="none">><br clear="none">> is there a nginx/zimbra proxy expert here?<br clear="none">><br clear="none">> I would like to add additional reverse proxies to zimbra proxy,<br clear="none">> but only allow authenticated users, see:<br clear="none">><br clear="none">> <a id="yui_3_16_0_ym19_1_1462089462229_2823" rel="nofollow" shape="rect" target="_blank" href="https://bugzilla.zimbra.com/show_bug.cgi?id=101811">https://bugzilla.zimbra.com/show_bug.cgi?id=101811</a><br clear="none">><br clear="none">><br clear="none">> If you know how-to, please let me know.<br clear="none">><br clear="none">><br clear="none">> Barry<br clear="none">><br clear="none">><br clear="none">><br clear="none">><br clear="none"><br clear="none"></div><br clear="none"><br clear="none"></div>  </div> </div>  </div></div></div></div></div></div><br></div></div></body></html>