Sunday, January 13, 2008

How to share HTTP and HTTPS port between Zimbra and Apache 2.2

After you have installed Zimbra, you may run into a problem if you need to share http (port 80) and/or https (port 443) between Zimbra and Apache.
To do this you need to move the Zimbra http/https ports to new values (8080/8443); remember to run these commands as the zimbra user:
$ zmprov ms zimbra.mydom.com zimbraMailPort 8080
$ zmprov ms zimbra.mydom.com zimbraMailSSLPort 8443
Look at zmtlsctl to see how to choose which protocol you want to enable (http, ...). After that you need to restart Zimbra:
$ zmcontrol stop
$ zmcontrol start

Now you can check whether the ports have really changed:

$ netstat -ltnp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 8802/slapd
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 9310/amavisd (maste
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 9358/master
tcp 0 0 127.0.0.1:7306 0.0.0.0:* LISTEN 9101/mysqld
tcp 0 0 127.0.0.1:7307 0.0.0.0:* LISTEN 9036/mysqld
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 9358/master
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 9358/master
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 9249/java
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 9249/java
tcp 0 0 0.0.0.0:7780 0.0.0.0:* LISTEN 9285/httpd
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 9249/java
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 9249/java
tcp 0 0 0.0.0.0:7025 0.0.0.0:* LISTEN 9249/java
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6040/sshd
tcp 0 0 0.0.0.0:7035 0.0.0.0:* LISTEN 9249/java
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 9249/java
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 9249/java
tcp 0 0 0.0.0.0:7071 0.0.0.0:* LISTEN 9249/java

Now you can configure Apache to reach Zimbra through a reverse proxy. First of all you need to create a new file, ssl-zimbra-reverse-proxy, in /etc/apache2/sites-available describing the new virtual host:

<VirtualHost *:443>
    ServerName webmail.zimbra.tld
    ServerAlias webmail.zimbra.tld

    # Needed because the backend (Zimbra on 8443) is itself https
    SSLProxyEngine On

    ErrorLog /var/log/apache2/webmail.zimbra.tld-error_log
    CustomLog /var/log/apache2/webmail.zimbra.tld-access_log combined

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    # "all" enables every protocol version the OpenSSL build supports,
    # SSLv2 and SSLv3 included; restrict it, e.g. "all -SSLv2 -SSLv3"
    SSLProtocol all

    # Off = reverse proxy only; with On, the <Proxy *> block below
    # would turn this host into an open forward proxy
    ProxyRequests Off

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPreserveHost On
    # Both URLs must end the same way (trailing slash on both), otherwise
    # Location headers sent back by Zimbra are rewritten incorrectly
    ProxyPass / https://webmail.zimbra.tld:8443/
    ProxyPassReverse / https://webmail.zimbra.tld:8443/
</VirtualHost>
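
As an added check (example code written for this page, not part of the original post or of Zimbra/Apache), a small Python linter for a vhost like the one above. It runs on a constructed copy of the config that reproduces a common mistake (ProxyPassReverse without the trailing slash that ProxyPass has) and also flags SSLProtocol all and a ProxyRequests that is not explicitly Off.

```python
# Constructed sample modelled on the vhost in this post (not the post's own
# file): ProxyPassReverse lacks the trailing slash that ProxyPass has.
SAMPLE_VHOST = """<VirtualHost *:443>
ServerName webmail.zimbra.tld
SSLProxyEngine On
SSLEngine on
SSLProtocol all
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPreserveHost On
ProxyPass / https://webmail.zimbra.tld:8443/
ProxyPassReverse / https://webmail.zimbra.tld:8443
</VirtualHost>
"""

def parse_directives(text):
    """Yield (name, args) per directive; comments and <Container> lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        name, *args = line.split()
        yield name.lower(), args

def lint_vhost(text):
    """Return human-readable findings for a Zimbra reverse-proxy vhost."""
    findings, passes, reverses, proxy_requests = [], {}, {}, None
    for name, args in parse_directives(text):
        if name == "proxypass" and len(args) >= 2:
            passes[args[0]] = args[1]
        elif name == "proxypassreverse" and len(args) >= 2:
            reverses[args[0]] = args[1]
        elif name == "proxyrequests" and args:
            proxy_requests = args[0].lower()
        elif name == "sslprotocol" and [a.lower() for a in args] == ["all"]:
            findings.append("SSLProtocol all: enables SSLv2/SSLv3 too; use 'all -SSLv2 -SSLv3'")
    for path, target in passes.items():
        rev = reverses.get(path)
        if rev is None:
            findings.append(f"ProxyPass {path}: no ProxyPassReverse, backend URLs leak in redirects")
        elif rev.endswith("/") != target.endswith("/"):
            findings.append(f"ProxyPass {path}: trailing slash differs between "
                            f"{target} and ProxyPassReverse {rev}")
    if proxy_requests != "off":
        findings.append("ProxyRequests not explicitly Off: with On, <Proxy *> "
                        "Allow from all would make this an open forward proxy")
    return findings
```

Feed it the real file with lint_vhost(open("/etc/apache2/sites-available/ssl-zimbra-reverse-proxy").read()) before running a2ensite.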

Now you can enable the proxy module and enable the site:

$ sudo a2enmod proxy
$ sudo a2enmod proxy_http
$ sudo a2ensite ssl-zimbra-reverse-proxy
This should be enough :-). Anyway, if you find this error in the log

[...] client denied by server configuration: proxy:https://192.168.100.2:8443/


be sure to add the proxy directive as follows:

<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>


...or if you find this error in the log

[...] [warn] proxy: No protocol handler was valid for the URL /. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

probably you forgot to enable proxy_http:
$ sudo a2enmod proxy_http