2

I am running roundcube webmail over a nginx webserver that only serves http.

This is proxied by another nginx which serves https.

Both are separate FreeBSD jails on the same machine.

I can basically access the roundcube webpage via the proxy's address, but a few features are not working. For example:

  • selecting an item from the message list doesn't bring up the content in the preview iframe
  • selecting an item from the message list and clicking the delete button among the top buttons doesn't delete the item. However, the answer button as well as mark as read work.
  • Drag-and-dropping a message into a folder doesn't work. It shows all the highlighting and animations during dragging, but the message is not moved on drop
  • However double-clicking a message to open it in full-frame view works fine.

Does anyone have a clue what could be the issue here? The same proxy with the same setup is working just fine for my owncloud instance.

The error logs of both nginx instances don't show any entries when I select a message when logged in via the proxy.

However when selecting a message with no proxy in between, I see the following log in the access.log:

10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview HTTP/1.1" 200 11236 "http://10.0.0.211/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /skins/larry/styles.min.css?s=1448290416 HTTP/1.1" 304 0 "http://10.0.0.211/?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /skins/larry/mail.min.css?s=1448290416 HTTP/1.1" 304 0 "http://10.0.0.211/?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /plugins/jqueryui/themes/larry/jquery-ui-1.10.4.custom.css?s=1448290415 HTTP/1.1" 304 0 "http://10.0.0.211/?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /skins/larry/ui.min.js?s=1448290416 HTTP/1.1" 304 0 "http://10.0.0.211/?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /program/js/jquery.min.js?s=1448290416 HTTP/1.1" 304 0 "http://10.0.0.211/?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /program/js/common.min.js?s=1448290416 HTTP/1.1" 304 0 "http://10.0.0.211/?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /program/js/app.min.js?s=1448290416 HTTP/1.1" 304 0 "http://10.0.0.211/?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /plugins/jqueryui/js/jquery-ui-1.10.4.custom.min.js?s=1448290415 HTTP/1.1" 304 0 "http://10.0.0.211/?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /plugins/jqueryui/js/i18n/jquery.ui.datepicker-de.js?s=1448290415 HTTP/1.1" 304 0 "http://10.0.0.211/?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"

When I click a message WITH the proxy in between, the access logs of both nginx instances show no new entries.

Does this maybe hint at what might be wrong with my config?

Here are my nginx configs:

nginx of the roundcube jail:

worker_processes  2;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    server {
                #listen      80;
                root        /usr/local/www/roundcubemail;

                # Logs
                access_log  /usr/home/webmail/roundcube-access.log;
                error_log   /usr/home/webmail/roundcube-error.log;

                # Default location settings
                location / {
                        index   index.php;
                        try_files $uri $uri/ /index.php?$args;
                }

                # Redirect server error pages to the static page /50x.html
                error_page 500 502 503 504 /50x.html;
                location = /50x.html {
                        root /usr/share/nginx/html;
                }

                # Pass the PHP scripts to FastCGI server (locally with unix: param to avoid network overhead)
                location ~ \.php$ {
                        # Prevent Zero-day exploit
                        try_files $uri =404;

                        fastcgi_keep_conn on;
                        fastcgi_split_path_info       ^(.+\.php)(.*)$;
                        fastcgi_param PATH_INFO       $fastcgi_path_info;
                        fastcgi_param SCRIPT_FILENAME    $document_root$fastcgi_script_name;
                        fastcgi_pass    unix:/var/run/php-fpm.sock;
                        fastcgi_index   index.php;
                        include         fastcgi_params;
                }

                # Deny access to .htaccess files, if Apache's document root
                location ~ /\.ht {
                    deny  all;
                }

                # Exclude favicon from the logs to avoid bloating when it's not available
                location /favicon.ico {
                        log_not_found   off;
                        access_log      off;
                }
        }
}

nginx of the proxy jail:

worker_processes  2;

error_log  /usr/local/etc/nginx/proxy.error.log;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    server {
        listen 80;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443;
        server_name mydomain.tld;

        ssl_certificate           /usr/local/etc/nginx/server.crt;
        ssl_certificate_key       /usr/local/etc/nginx/server.key;

        ssl on;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        resolver_timeout 5s;

        access_log            /usr/local/etc/nginx/proxy.access.log;

        location ^~ /owncloud {
            proxy_set_header X-Forwarded-Host mydomain.tld;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_pass http://10.0.0.202:80/owncloud;
            proxy_redirect http:// https://;
            client_max_body_size 2G;
        }
        location ^~ /mail {
            proxy_set_header X-Forwarded-Host mydomain.tld;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_pass http://10.0.0.211:80/;
            proxy_redirect http:// https://;
        }
    }
}
TorbenKorx

2 Answers

1

I found the solution!

In the proxy config, the line

add_header X-Frame-Options DENY;

caused hazard.

If I comment it out all works fine.

Different from what I found in other sources, the option $config['x_frame_options'] = 'sameorigin'; in roundcube's defaults.inc.php can remain at its default value and need not be changed to false.

Maybe this helps somebody in the future with a similar problem.

TorbenKorx
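Added example, not part of the original answer: a variant of the proxy configuration from the question that keeps X-Frame-Options DENY as the server-wide default and relaxes it to SAMEORIGIN only for /mail, so the preview iframe renders while cross-origin framing stays blocked. All paths, addresses and header values are taken from the question; the use of proxy_hide_header and the choice to keep DENY elsewhere are assumptions of this example.

```nginx
# Constructed fragment based on the proxy config in the question; only the
# header handling differs. It belongs inside the existing
# `server { listen 443; ... }` block.

# Before (from the question): the header applied to every location,
# including /mail, so the browser refused to render Roundcube's
# preview iframe:
#     add_header X-Frame-Options DENY;

# After: the server-level default stays strict for everything else.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

location ^~ /mail {
    # add_header directives are inherited from the server level only when
    # the location defines none of its own, so the full set is repeated
    # here with the framing policy relaxed to same-origin.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;

    # Roundcube sends its own X-Frame-Options (x_frame_options = 'sameorigin');
    # drop the upstream copy so the client receives exactly one value.
    proxy_hide_header X-Frame-Options;

    proxy_set_header X-Forwarded-Host mydomain.tld;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_pass http://10.0.0.211:80/;
    proxy_redirect http:// https://;
}
```

After reloading nginx, the response headers for a /mail page should show a single X-Frame-Options: SAMEORIGIN line, while other locations still return DENY.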
0

Your proxy is not transparent, it is translating URIs like /mail/xxx to /xxx on the mail server.

Looking at your access.log, the webpage contains embedded resources under /skins, /plugins, and /program. When these resources are accessed via the proxy, there is no rule to send the request to the mail server. Therefore your webpages are incomplete.

The simplest solution is probably to make your proxy transparent to the mail server, since you state that the owncloud proxy is working. Try:

location /owncloud {
    # owncloud proxy
}
location / {
    # mail proxy
}

So all URIs will be passed transparently to the mail server, except those URIs specifically targeted to the owncloud service.

Richard Smith
  • Thank you for your answer! Unfortunately this doesn't change anything. I am still experiencing the same symptoms. – TorbenKorx Jan 06 '16 at 06:25