I have a Group-Office application on a shared hosting server. Recently I decided to add a reverse proxy (nginx) in front of Apache using custombuild2. Unfortunately, since then CardDAV/CalDAV (SabreDAV) and ActiveSync (Z-Push) no longer work from mobile devices. When I try to access domain.com/carddav or domain.com/Microsoft-Server-ActiveSync, it behaves correctly and shows the auth window. When accessing from a mobile device, I can see 444 errors in the nginx access log:
ip - user [20/Nov/2014:10:12:45 +0100] "OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1" 444 0 "-" "Apple-iPhone6C2/1202.411"
ip - user [20/Nov/2014:10:18:05 +0100] "OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1" 444 0 "-" "Apple-iPhone6C2/1202.411"
ip - - [20/Nov/2014:10:32:26 +0100] "PROPFIND /carddav/ HTTP/1.1" 444 0 "-" "iOS/8.1 (12B411) accountsd/1.0"
I would be thankful for any advice that helps to solve the problem!
My configuration is as follows:
DirectAdmin 1.46.3
CloudLinux
Apache 2.4.10
Nginx 1.6.2
lsphp
apache:
# PHP handling for the account's top-level public_html; every directive here is
# conditional on mod_fcgid being loaded.
<Directory "/home/groupoffic/public_html">
    <IfModule mod_fcgid.c>
        SuexecUserGroup groupoffic groupoffic
    </IfModule>

    <IfModule mod_fcgid.c>
        <FilesMatch "\.php$">
            SetHandler fcgid-script
            # This is the only FCGIWrapper on the page that passes open_basedir on the
            # command line. The wrappers inside the VirtualHost sections do not, so
            # confirm the referenced php.ini confines PHP to the account's directories.
            FCGIWrapper '/usr/local/safe-bin/fcgid55.sh /usr/local/directadmin/data/users/groupoffic/php/www.domain.com.ini -d open_basedir="/home/groupoffic/:/tmp:/var/tmp:/usr/local/lib/php/:/usr/local/php55/lib/php/" -d mail.log="/home/groupoffic/.php/php-mail.log"' .php
            Options +ExecCGI
        </FilesMatch>
    </IfModule>
</Directory>
# Plain-HTTP backend vhost; the nginx port-80 server on this page proxies to it
# (proxy_pass http://ip:8080).
# It binds `ip` as well as 127.0.0.1. If `ip` is publicly routable and port 8080 is
# not firewalled, clients can reach Apache directly, bypassing nginx and supplying
# their own X-Client-IP / X-Forwarded-For values -- verify the port is closed externally.
<VirtualHost ip:8080 127.0.0.1:8080 >
    ServerName www.domain.com
    ServerAlias www.domain.com
    ServerAdmin [email protected]
    DocumentRoot /home/groupoffic/domains/domain.com/public_html
    UseCanonicalName OFF

    # Run requests as the account user via suexec unless mod_ruid2 is loaded.
    <IfModule !mod_ruid2.c>
        SuexecUserGroup groupoffic groupoffic
    </IfModule>

    CustomLog /var/log/httpd/domains/domain.com.bytes bytes
    CustomLog /var/log/httpd/domains/domain.com.log combined
    ErrorLog /var/log/httpd/domains/domain.com.error.log

    <Directory /home/groupoffic/domains/domain.com/public_html>
        # .htaccess files may override auth, handlers, indexes, <Limit> and the listed Options.
        AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,Includes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
        # CGI execution is off for the directory and re-enabled only for *.php below.
        Options -ExecCGI
        <IfModule mod_fcgid.c>
            # No open_basedir is passed here -- presumably the ini file sets it; verify.
            FCGIWrapper '/usr/local/safe-bin/fcgid55.sh /usr/local/directadmin/data/users/groupoffic/php/www.domain.com.ini -d sendmail_from="[email protected]" -d mail.log="/home/groupoffic/.php/php-mail.log"' .php
            <FilesMatch "\.php$">
                SetHandler fcgid-script
                Options +ExecCGI
            </FilesMatch>
        </IfModule>
    </Directory>

    RewriteEngine on
    RewriteOptions inherit
</VirtualHost>
# TLS backend vhost; the nginx port-443 server on this page proxies to it
# (proxy_pass https://ip:8081). It serves Group-Office and maps the CalDAV, CardDAV
# and ActiveSync endpoints onto the application's PHP entry points.
# It binds `ip` as well as 127.0.0.1; if `ip` is publicly routable and port 8081 is not
# firewalled, the backend is reachable without passing through nginx -- verify.
<VirtualHost ip:8081 127.0.0.1:8081 >
    SSLEngine on
    SSLCertificateFile /usr/local/directadmin/data/users/groupoffic/domains/domain.com.cert
    SSLCertificateKeyFile /usr/local/directadmin/data/users/groupoffic/domains/domain.com.key
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/CA.crt

    ServerName www.domain.com
    ServerAlias www.domain.com domain.com
    ServerAdmin [email protected]
    DocumentRoot /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2

    # The nginx 443 server on this page also adds Strict-Transport-Security, so
    # proxied responses will carry the header twice; keep it in one layer only.
    Header add Strict-Transport-Security "max-age=15768000"
    UseCanonicalName OFF

    # Run requests as the account user via suexec unless mod_ruid2 is loaded.
    <IfModule !mod_ruid2.c>
        SuexecUserGroup groupoffic groupoffic
    </IfModule>

    CustomLog /var/log/httpd/domains/domain.com.bytes bytes
    CustomLog /var/log/httpd/domains/domain.com.log combined
    ErrorLog /var/log/httpd/domains/domain.com.error.log

    <Directory /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2>
        # .htaccess files may override auth, handlers, indexes, <Limit> and the listed Options.
        AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,Includes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
        # CGI execution is off for the directory and re-enabled only for *.php below.
        Options -ExecCGI
        <IfModule mod_fcgid.c>
            # No open_basedir is passed here -- presumably the ini file sets it; verify.
            FCGIWrapper '/usr/local/safe-bin/fcgid55.sh /usr/local/directadmin/data/users/groupoffic/php/www.domain.com.ini -d sendmail_from="[email protected]" -d mail.log="/home/groupoffic/.php/php-mail.log"' .php
            <FilesMatch "\.php$">
                SetHandler fcgid-script
                Options +ExecCGI
            </FilesMatch>
        </IfModule>
    </Directory>

    # Order/Allow is Apache 2.2 access-control syntax; on the 2.4.10 listed on this page
    # it works only through mod_access_compat. The 2.4 form is "Require all granted".
    <Directory /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2/modules/caldav>
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2/modules/carddav>
        Order allow,deny
        Allow from all
    </Directory>

    RewriteEngine on
    RewriteOptions inherit

    # Sync endpoints. Clients reach these with OPTIONS/PROPFIND (see the access-log
    # lines on this page), so those methods must survive every layer in front of Apache.
    Alias /caldav /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2/modules/caldav/calendar.php
    Alias /carddav /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2/modules/carddav/addressbook.php
    Alias /Microsoft-Server-ActiveSync /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2/modules/z-push21/index.php

    # Service discovery, required for iOS7
    Redirect 301 /.well-known/carddav /carddav
    Redirect 301 /.well-known/caldav /caldav
</VirtualHost>
nginx:
# Plain-HTTP front end: every request not claimed by an included file is proxied
# to the Apache backend on port 8080.
#
# NOTE(review): the access-log lines on this page show 444 for OPTIONS and PROPFIND.
# 444 is nginx's own "close the connection without a response" code, and no directive
# in this block returns it, so the rule presumably lives in one of the included files
# or at http level -- look there for a request-method filter.
#
# NOTE(review): no redirect to HTTPS is visible in this block; a sync client configured
# without TLS would presumably send its credentials in clear text.
server {
    listen ip:80;
    server_name domain.com www.domain.com ;

    access_log /var/log/nginx/domains/domain.com.log;
    access_log /var/log/nginx/domains/domain.com.bytes bytes;
    error_log /var/log/nginx/domains/domain.com.error.log;

    root /home/groupoffic/domains/domain.com/public_html;
    index index.php index.html index.htm;

    # Contents not shown on this page.
    include /usr/local/directadmin/data/users/groupoffic/nginx_php.conf;

    location / {
        # access_log off;
        proxy_buffering off;
        proxy_pass http://ip:8080;
        proxy_set_header X-Client-IP $remote_addr;
        # Presumably read by the backend to hand static files back to nginx through
        # the internal location below -- confirm against the Apache module in use.
        proxy_set_header X-Accel-Internal /nginx_static_files;
        proxy_set_header Host $host;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the client
        # sent, so only the last entry is set by nginx; the backend must not trust
        # the earlier ones.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # `internal` keeps this location unreachable by direct client requests.
    location /nginx_static_files/ {
        # access_log /var/log/nginx/access_log_proxy;
        alias /home/groupoffic/domains/domain.com/public_html/;
        internal;
    }

    # Contents not shown on this page.
    include /etc/nginx/webapps.conf;
}
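# HTTPS front end: terminates TLS, adds response security headers, and proxies every
# request not claimed by an included file to the Apache TLS backend on port 8081.
#
# NOTE(review): the access-log lines on this page show 444 for OPTIONS and PROPFIND.
# 444 is nginx's own "close the connection without a response" code, and no directive
# in this block returns it, so the rule presumably lives in one of the included files
# or at http level -- look there for a request-method filter.
server {
    listen ip:443 ssl spdy;
    server_name domain.com www.domain.com ;

    access_log /var/log/nginx/domains/domain.com.log;
    access_log /var/log/nginx/domains/domain.com.bytes bytes;
    error_log /var/log/nginx/domains/domain.com.error.log;

    root /home/groupoffic/domains/domain.com/private_html;
    index index.php index.html index.htm;

    # Redundant with the `ssl` parameter on `listen` above.
    ssl on;
    ssl_certificate /usr/local/directadmin/data/users/groupoffic/domains/domain.com.cert;
    ssl_certificate_key /usr/local/directadmin/data/users/groupoffic/domains/domain.com.key;
    ssl_trusted_certificate /etc/httpd/conf/ssl.crt/server.crt.combined;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them once no client needs them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # The pasted list had lost every ":D" pair (presumably to emoticon conversion),
    # fusing each DHE suite onto the preceding entry; the separators are restored here.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # OCSP stapling; the resolver is used to look up the responder's host name.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # HSTS
    # The Apache 8081 vhost on this page also adds Strict-Transport-Security, so
    # proxied responses will carry the header twice; keep it in one layer only.
    # A location that declares its own add_header does not inherit these four.
    add_header Strict-Transport-Security max-age=15768000;
    add_header Alternate-Protocol 443:npn-spdy/3;
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options DENY;

    # Contents not shown on this page.
    include /usr/local/directadmin/data/users/groupoffic/nginx_php.conf;

    location / {
        # access_log off;
        proxy_buffering off;
        # nginx does not verify the upstream certificate by default; proxy_ssl_verify
        # only exists from nginx 1.7.0, and this page lists 1.6.2. Keep the hop on a
        # trusted path.
        proxy_pass https://ip:8081;
        proxy_set_header X-Client-IP $remote_addr;
        # Presumably read by the backend to hand static files back to nginx through
        # the internal location below -- confirm against the Apache module in use.
        proxy_set_header X-Accel-Internal /nginx_static_files;
        proxy_set_header Host $host;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the client
        # sent, so only the last entry is set by nginx; the backend must not trust
        # the earlier ones.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # `internal` keeps this location unreachable by direct client requests.
    location /nginx_static_files/ {
        # access_log /var/log/nginx/access_log_proxy;
        alias /home/groupoffic/domains/domain.com/private_html/;
        internal;
    }

    # Contents not shown on this page.
    include /etc/nginx/webapps.ssl.conf;
}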
ip - user [20/Nov/2014:10:12:45 +0100] "OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1" 444 0 "-" "Apple-iPhone6C2/1202.411"
ip - user [20/Nov/2014:10:18:05 +0100] "OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1" 444 0 "-" "Apple-iPhone6C2/1202.411"
ip - - [20/Nov/2014:10:32:26 +0100] "PROPFIND /carddav/ HTTP/1.1" 444 0 "-" "iOS/8.1 (12B411) accountsd/1.0"
I would be thankful for any advice that helps to solve the problem!
My configuration is as follows:
DirectAdmin 1.46.3
CloudLinux
Apache 2.4.10
Nginx 1.6.2
lsphp
apache:
# PHP handling for the account's top-level public_html; every directive here is
# conditional on mod_fcgid being loaded.
<Directory "/home/groupoffic/public_html">
    <IfModule mod_fcgid.c>
        SuexecUserGroup groupoffic groupoffic
    </IfModule>

    <IfModule mod_fcgid.c>
        <FilesMatch "\.php$">
            SetHandler fcgid-script
            # This is the only FCGIWrapper on the page that passes open_basedir on the
            # command line. The wrappers inside the VirtualHost sections do not, so
            # confirm the referenced php.ini confines PHP to the account's directories.
            FCGIWrapper '/usr/local/safe-bin/fcgid55.sh /usr/local/directadmin/data/users/groupoffic/php/www.domain.com.ini -d open_basedir="/home/groupoffic/:/tmp:/var/tmp:/usr/local/lib/php/:/usr/local/php55/lib/php/" -d mail.log="/home/groupoffic/.php/php-mail.log"' .php
            Options +ExecCGI
        </FilesMatch>
    </IfModule>
</Directory>
# Plain-HTTP backend vhost; the nginx port-80 server on this page proxies to it
# (proxy_pass http://ip:8080).
# It binds `ip` as well as 127.0.0.1. If `ip` is publicly routable and port 8080 is
# not firewalled, clients can reach Apache directly, bypassing nginx and supplying
# their own X-Client-IP / X-Forwarded-For values -- verify the port is closed externally.
<VirtualHost ip:8080 127.0.0.1:8080 >
    ServerName www.domain.com
    ServerAlias www.domain.com
    ServerAdmin [email protected]
    DocumentRoot /home/groupoffic/domains/domain.com/public_html
    UseCanonicalName OFF

    # Run requests as the account user via suexec unless mod_ruid2 is loaded.
    <IfModule !mod_ruid2.c>
        SuexecUserGroup groupoffic groupoffic
    </IfModule>

    CustomLog /var/log/httpd/domains/domain.com.bytes bytes
    CustomLog /var/log/httpd/domains/domain.com.log combined
    ErrorLog /var/log/httpd/domains/domain.com.error.log

    <Directory /home/groupoffic/domains/domain.com/public_html>
        # .htaccess files may override auth, handlers, indexes, <Limit> and the listed Options.
        AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,Includes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
        # CGI execution is off for the directory and re-enabled only for *.php below.
        Options -ExecCGI
        <IfModule mod_fcgid.c>
            # No open_basedir is passed here -- presumably the ini file sets it; verify.
            FCGIWrapper '/usr/local/safe-bin/fcgid55.sh /usr/local/directadmin/data/users/groupoffic/php/www.domain.com.ini -d sendmail_from="[email protected]" -d mail.log="/home/groupoffic/.php/php-mail.log"' .php
            <FilesMatch "\.php$">
                SetHandler fcgid-script
                Options +ExecCGI
            </FilesMatch>
        </IfModule>
    </Directory>

    RewriteEngine on
    RewriteOptions inherit
</VirtualHost>
# TLS backend vhost; the nginx port-443 server on this page proxies to it
# (proxy_pass https://ip:8081). It serves Group-Office and maps the CalDAV, CardDAV
# and ActiveSync endpoints onto the application's PHP entry points.
# It binds `ip` as well as 127.0.0.1; if `ip` is publicly routable and port 8081 is not
# firewalled, the backend is reachable without passing through nginx -- verify.
<VirtualHost ip:8081 127.0.0.1:8081 >
    SSLEngine on
    SSLCertificateFile /usr/local/directadmin/data/users/groupoffic/domains/domain.com.cert
    SSLCertificateKeyFile /usr/local/directadmin/data/users/groupoffic/domains/domain.com.key
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/CA.crt

    ServerName www.domain.com
    ServerAlias www.domain.com domain.com
    ServerAdmin [email protected]
    DocumentRoot /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2

    # The nginx 443 server on this page also adds Strict-Transport-Security, so
    # proxied responses will carry the header twice; keep it in one layer only.
    Header add Strict-Transport-Security "max-age=15768000"
    UseCanonicalName OFF

    # Run requests as the account user via suexec unless mod_ruid2 is loaded.
    <IfModule !mod_ruid2.c>
        SuexecUserGroup groupoffic groupoffic
    </IfModule>

    CustomLog /var/log/httpd/domains/domain.com.bytes bytes
    CustomLog /var/log/httpd/domains/domain.com.log combined
    ErrorLog /var/log/httpd/domains/domain.com.error.log

    <Directory /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2>
        # .htaccess files may override auth, handlers, indexes, <Limit> and the listed Options.
        AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,Includes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
        # CGI execution is off for the directory and re-enabled only for *.php below.
        Options -ExecCGI
        <IfModule mod_fcgid.c>
            # No open_basedir is passed here -- presumably the ini file sets it; verify.
            FCGIWrapper '/usr/local/safe-bin/fcgid55.sh /usr/local/directadmin/data/users/groupoffic/php/www.domain.com.ini -d sendmail_from="[email protected]" -d mail.log="/home/groupoffic/.php/php-mail.log"' .php
            <FilesMatch "\.php$">
                SetHandler fcgid-script
                Options +ExecCGI
            </FilesMatch>
        </IfModule>
    </Directory>

    # Order/Allow is Apache 2.2 access-control syntax; on the 2.4.10 listed on this page
    # it works only through mod_access_compat. The 2.4 form is "Require all granted".
    <Directory /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2/modules/caldav>
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2/modules/carddav>
        Order allow,deny
        Allow from all
    </Directory>

    RewriteEngine on
    RewriteOptions inherit

    # Sync endpoints. Clients reach these with OPTIONS/PROPFIND (see the access-log
    # lines on this page), so those methods must survive every layer in front of Apache.
    Alias /caldav /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2/modules/caldav/calendar.php
    Alias /carddav /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2/modules/carddav/addressbook.php
    Alias /Microsoft-Server-ActiveSync /home/groupoffic/domains/domain.com/groupoffice-com-6.1.2/modules/z-push21/index.php

    # Service discovery, required for iOS7
    Redirect 301 /.well-known/carddav /carddav
    Redirect 301 /.well-known/caldav /caldav
</VirtualHost>
nginx:
# Plain-HTTP front end: every request not claimed by an included file is proxied
# to the Apache backend on port 8080.
#
# NOTE(review): the access-log lines on this page show 444 for OPTIONS and PROPFIND.
# 444 is nginx's own "close the connection without a response" code, and no directive
# in this block returns it, so the rule presumably lives in one of the included files
# or at http level -- look there for a request-method filter.
#
# NOTE(review): no redirect to HTTPS is visible in this block; a sync client configured
# without TLS would presumably send its credentials in clear text.
server {
    listen ip:80;
    server_name domain.com www.domain.com ;

    access_log /var/log/nginx/domains/domain.com.log;
    access_log /var/log/nginx/domains/domain.com.bytes bytes;
    error_log /var/log/nginx/domains/domain.com.error.log;

    root /home/groupoffic/domains/domain.com/public_html;
    index index.php index.html index.htm;

    # Contents not shown on this page.
    include /usr/local/directadmin/data/users/groupoffic/nginx_php.conf;

    location / {
        # access_log off;
        proxy_buffering off;
        proxy_pass http://ip:8080;
        proxy_set_header X-Client-IP $remote_addr;
        # Presumably read by the backend to hand static files back to nginx through
        # the internal location below -- confirm against the Apache module in use.
        proxy_set_header X-Accel-Internal /nginx_static_files;
        proxy_set_header Host $host;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the client
        # sent, so only the last entry is set by nginx; the backend must not trust
        # the earlier ones.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # `internal` keeps this location unreachable by direct client requests.
    location /nginx_static_files/ {
        # access_log /var/log/nginx/access_log_proxy;
        alias /home/groupoffic/domains/domain.com/public_html/;
        internal;
    }

    # Contents not shown on this page.
    include /etc/nginx/webapps.conf;
}
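# HTTPS front end: terminates TLS, adds response security headers, and proxies every
# request not claimed by an included file to the Apache TLS backend on port 8081.
#
# NOTE(review): the access-log lines on this page show 444 for OPTIONS and PROPFIND.
# 444 is nginx's own "close the connection without a response" code, and no directive
# in this block returns it, so the rule presumably lives in one of the included files
# or at http level -- look there for a request-method filter.
server {
    listen ip:443 ssl spdy;
    server_name domain.com www.domain.com ;

    access_log /var/log/nginx/domains/domain.com.log;
    access_log /var/log/nginx/domains/domain.com.bytes bytes;
    error_log /var/log/nginx/domains/domain.com.error.log;

    root /home/groupoffic/domains/domain.com/private_html;
    index index.php index.html index.htm;

    # Redundant with the `ssl` parameter on `listen` above.
    ssl on;
    ssl_certificate /usr/local/directadmin/data/users/groupoffic/domains/domain.com.cert;
    ssl_certificate_key /usr/local/directadmin/data/users/groupoffic/domains/domain.com.key;
    ssl_trusted_certificate /etc/httpd/conf/ssl.crt/server.crt.combined;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them once no client needs them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # The pasted list had lost every ":D" pair (presumably to emoticon conversion),
    # fusing each DHE suite onto the preceding entry; the separators are restored here.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # OCSP stapling; the resolver is used to look up the responder's host name.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # HSTS
    # The Apache 8081 vhost on this page also adds Strict-Transport-Security, so
    # proxied responses will carry the header twice; keep it in one layer only.
    # A location that declares its own add_header does not inherit these four.
    add_header Strict-Transport-Security max-age=15768000;
    add_header Alternate-Protocol 443:npn-spdy/3;
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options DENY;

    # Contents not shown on this page.
    include /usr/local/directadmin/data/users/groupoffic/nginx_php.conf;

    location / {
        # access_log off;
        proxy_buffering off;
        # nginx does not verify the upstream certificate by default; proxy_ssl_verify
        # only exists from nginx 1.7.0, and this page lists 1.6.2. Keep the hop on a
        # trusted path.
        proxy_pass https://ip:8081;
        proxy_set_header X-Client-IP $remote_addr;
        # Presumably read by the backend to hand static files back to nginx through
        # the internal location below -- confirm against the Apache module in use.
        proxy_set_header X-Accel-Internal /nginx_static_files;
        proxy_set_header Host $host;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the client
        # sent, so only the last entry is set by nginx; the backend must not trust
        # the earlier ones.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # `internal` keeps this location unreachable by direct client requests.
    location /nginx_static_files/ {
        # access_log /var/log/nginx/access_log_proxy;
        alias /home/groupoffic/domains/domain.com/private_html/;
        internal;
    }

    # Contents not shown on this page.
    include /etc/nginx/webapps.ssl.conf;
}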