Nginx as reverse proxy and sabredav/z-push

ambrozy

Verified User
Joined
May 13, 2010
Messages
28
I've a Group-Office application on a shared hosting server. Recently I decided to add a reverse proxy (nginx) in front of a apache using custombuild2. Unfortunately since then carddav/caldav(sabredav) and ActiveSync (z-push) does not work anymore from mobile devices. When I try to access domain.com/carddav or domain.com/Microsoft-Server-ActiveSync it behaves correctly showing auth window. When accessing from mobile, in access logs on nginx I can see 444 errors:

ip - user [20/Nov/2014:10:12:45 +0100] "OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1" 444 0 "-" "Apple-iPhone6C2/1202.411"
ip - user [20/Nov/2014:10:18:05 +0100] "OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1" 444 0 "-" "Apple-iPhone6C2/1202.411"
ip - - [20/Nov/2014:10:32:26 +0100] "PROPFIND /carddav/ HTTP/1.1" 444 0 "-" "iOS/8.1 (12B411) accountsd/1.0"

I'm thankful for any advices that will help to solve the problem!


My configuration is as follows:
DirectAdmin 1.46.3
CloudLinux
Apache 2.4.10
Nginx 1.6.2
lsphp


apache:
<Directory "/home/groupoffic/public_html">
<IfModule mod_fcgid.c>
SuexecUserGroup groupoffic groupoffic
</IfModule>
<IfModule mod_fcgid.c>
<FilesMatch "\.php$">
SetHandler fcgid-script
FCGIWrapper '/usr/local/safe-bin/fcgid55.sh /usr/local/directadmin/data/users/groupoffic/php/www.domain.com.ini -d open_basedir="/home/groupoffic/:/tmp:/var/tmp:/usr/local/lib/php/:/usr/local/php55/lib/php/" -d mail.log="/home/groupoffic/.php/php-mail.log"' .php
Options +ExecCGI
</FilesMatch>
</IfModule>
</Directory>

<VirtualHost ip:8080 127.0.0.1:8080 >
ServerName www.domain.com
ServerAlias www.domain.com
ServerAdmin [email protected]
DocumentRoot /home/groupoffic/domains/domain.com/public_html
UseCanonicalName OFF
<IfModule !mod_ruid2.c>
SuexecUserGroup groupoffic groupoffic
</IfModule>
CustomLog /var/log/httpd/domains/domain.com.bytes bytes
CustomLog /var/log/httpd/domains/domain.com.log combined
ErrorLog /var/log/httpd/domains/domain.com.error.log
<Directory /home/groupoffic/domains/domain.com/public_html>
AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,Includes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
Options -ExecCGI
<IfModule mod_fcgid.c>
FCGIWrapper '/usr/local/safe-bin/fcgid55.sh /usr/local/directadmin/data/users/groupoffic/php/www.domain.com.ini -d sendmail_from="[email protected]" -d mail.log="/home/groupoffic/.php/php-mail.log"' .php
<FilesMatch "\.php$">
SetHandler fcgid-script
Options +ExecCGI
</FilesMatch>
</IfModule>
</Directory>
RewriteEngine on
RewriteOptions inherit
</VirtualHost>

<VirtualHost ip:8081 127.0.0.1:8081 >
SSLEngine on
SSLCertificateFile /usr/local/directadmin/data/users/groupoffic/domains/domain.com.cert
SSLCertificateKeyFile /usr/local/directadmin/data/users/groupoffic/domains/domain.com.key
SSLCACertificateFile /etc/httpd/conf/ssl.crt/CA.crt
ServerName www.domain.com
ServerAlias www.domain.com domain.com
ServerAdmin [email protected]
DocumentRoot /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2
Header add Strict-Transport-Security "max-age=15768000"
UseCanonicalName OFF
<IfModule !mod_ruid2.c>
SuexecUserGroup groupoffic groupoffic
</IfModule>
CustomLog /var/log/httpd/domains/domain.com.bytes bytes
CustomLog /var/log/httpd/domains/domain.com.log combined
ErrorLog /var/log/httpd/domains/domain.com.error.log
<Directory /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2>
AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,Includes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
Options -ExecCGI
<IfModule mod_fcgid.c>
FCGIWrapper '/usr/local/safe-bin/fcgid55.sh /usr/local/directadmin/data/users/groupoffic/php/www.domain.com.ini -d sendmail_from="[email protected]" -d mail.log="/home/groupoffic/.php/php-mail.log"' .php
<FilesMatch "\.php$">
SetHandler fcgid-script
Options +ExecCGI
</FilesMatch>
</IfModule>
</Directory>

<Directory /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2/modules/caldav>
Order allow,deny
Allow from all
</Directory>
<Directory /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2/modules/carddav>
Order allow,deny
Allow from all
</Directory>

RewriteEngine on
RewriteOptions inherit

Alias /caldav /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2/modules/caldav/calendar.php
Alias /carddav /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2/modules/carddav/addressbook.php
Alias /Microsoft-Server-ActiveSync /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2/modules/z-push21/index.php

# Service discovery, required for iOS7
Redirect 301 /.well-known/carddav /carddav
Redirect 301 /.well-known/caldav /caldav

</VirtualHost>

nginx:
server
{
listen ip:80;
server_name domain.com www.domain.com ;
access_log /var/log/nginx/domains/domain.com.log;
access_log /var/log/nginx/domains/domain.com.bytes bytes;
error_log /var/log/nginx/domains/domain.com.error.log;
root /home/groupoffic/domains/domain.com/public_html;
index index.php index.html index.htm;
include /usr/local/directadmin/data/users/groupoffic/nginx_php.conf;
location /
{
# access_log off;
proxy_buffering off;
proxy_pass http://ip:8080;
proxy_set_header X-Client-IP $remote_addr;
proxy_set_header X-Accel-Internal /nginx_static_files;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /nginx_static_files/
{
# access_log /var/log/nginx/access_log_proxy;
alias /home/groupoffic/domains/domain.com/public_html/;
internal;
}
include /etc/nginx/webapps.conf;
}

server
{
listen ip:443 ssl spdy;
server_name domain.com www.domain.com ;
access_log /var/log/nginx/domains/domain.com.log;
access_log /var/log/nginx/domains/domain.com.bytes bytes;
error_log /var/log/nginx/domains/domain.com.error.log;
root /home/groupoffic/domains/domain.com/private_html;
index index.php index.html index.htm;
ssl on;
ssl_certificate /usr/local/directadmin/data/users/groupoffic/domains/domain.com.cert;
ssl_certificate_key /usr/local/directadmin/data/users/groupoffic/domains/domain.com.key;
ssl_trusted_certificate /etc/httpd/conf/ssl.crt/server.crt.combined;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# HSTS
add_header Strict-Transport-Security max-age=15768000;
add_header Alternate-Protocol 443:npn-spdy/3;
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options DENY;
include /usr/local/directadmin/data/users/groupoffic/nginx_php.conf;
location /
{
# access_log off;
proxy_buffering off;
proxy_pass https://ip:8081;
proxy_set_header X-Client-IP $remote_addr;
proxy_set_header X-Accel-Internal /nginx_static_files;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}


location /nginx_static_files/
{
# access_log /var/log/nginx/access_log_proxy;
alias /home/groupoffic/domains/domain.com/private_html/;
internal;
}
include /etc/nginx/webapps.ssl.conf;
}
 
Hello,

Since your issue relates to nginx_apache as a part of CustomBuild 2 your thread is now moved to its subforum.
I hope CustomBuild developers will check your issue soon and provide a solution for you.
 
I added nginx-dav-ext-module to the Nginx and required configuration, but nothing has changed.
Moreover, I found a post which says: "SabreDAV handles all the DAV methods. You must turn off nginx's dav module completely for it to work."
 
I think there are some not logical restrictions in the following files:

/etc/nginx/webapps.conf
/etc/nginx/webapps.hostname.conf
/etc/nginx/webapps.ssl.conf

They contain the following code:

Code:
        if ($request_method !~ ^(GET|HEAD|POST)$ ) {
                return 444;
        }

It's not logical to deny everything except GET|HEAD|POST, while nginx itself is built with ngx_http_dav_module module

The ngx_http_dav_module module is intended for file management automation via the WebDAV protocol. The module processes HTTP and WebDAV methods PUT, DELETE, MKCOL, COPY, and MOVE.

http://nginx.org/en/docs/http/ngx_http_dav_module.html

So I'd rather suggest that it should be changed to

Code:
        if ($request_method !~ ^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT|DELETE|MKCOL|COPY|MOVE)$ ) {
                return 444;
        }

and nginx-dav-ext-module should be added by default. Apache (from CustomBuild/Directamin) supports WebDAV, so NGINX should do the same.

As a temporary solution one can copy

/etc/nginx/webapps.conf
/etc/nginx/webapps.hostname.conf
/etc/nginx/webapps.ssl.conf

to

/usr/local/directadmin/custombuild/custom/nginx/conf/webapps.conf
/usr/local/directadmin/custombuild/custom/nginx/conf/webapps.hostname.conf
/usr/local/directadmin/custombuild/custom/nginx/conf/webapps.ssl.conf


Note, currently it's still custom/nginx/conf even if you use nginx_apache. And you won't see the files in /usr/local/directadmin/custombuild/configure/nginx/conf/.
 
It's not logical to deny everything except GET|HEAD|POST, while nginx itself is built with ngx_http_dav_module module


Many moons later, I ran into this issue (scratching my head why my REST api wasn't responding to PUT and DELETE requests). Thanks for mentioning this here Alex, it saved me time. But I'd like to add my vote to Alex' request to update the defaults here.
 
Thank you for your vote, zmippie. It seems to be a matter of a security to have them disabled by default, anyway if it's possible I'd like to have an option to allow DAV methods in NGINX adjustable in custombuild, it's the most preferable way than to customize the templates:

/etc/nginx/webapps.conf
/etc/nginx/webapps.hostname.conf
/etc/nginx/webapps.ssl.conf

I hope they will add this feature.
 
I'm interested in installing sabreDAV in the same environment. Since the thread is quite old - has there been any progress, or is the situation still the same as described in this thread? Thanks!
 
Well, directadmin gives us an opportunity to specify HTTP methods in /usr/local/directadmin/custombuild/options.conf

Code:
http_methods=

Default value: GET:HEAD:pOST.

But be aware, that if you add methods which are not supported by Apache, it will mail Apache to fail to start/restart. Thus, depending on what methods you want to allow, you will probably need to re-compile Apache with the modules. Anyway please consult on the Apache's documentation.


Or... use the old way, described here in the thread.
 
Back
Top