Enabling Zimbra Proxy and memcached


   KB 2792        Last updated on 2022-07-1  





Recommended Way To Deploy Proxy and memcached In Existing Non-Proxy Environments


Using new servers

Here you install the proxy on a brand-new server, and all of your existing mailbox servers are accessed through the proxy on that server. Run the installer script (install.sh) and select the proxy and memcached packages (the default is 'Y' with ZCS 8.5+, so you only need to press Enter). The installer asks for the LDAP hostname and password, then for the bind password of the nginx LDAP user (run 'zmlocalconfig -s ldap_nginx_password' on the host running LDAP to get it), and then displays the Proxy configuration menu.

Proxy configuration

   1) Status:                                  Enabled                       
   2) Enable POP/IMAP Proxy:                   TRUE                          
   3) IMAP server port:                        7143                          
   4) IMAP server SSL port:                    7993                          
   5) IMAP proxy port:                         143                           
   6) IMAP SSL proxy port:                     993                           
   7) POP server port:                         7110                          
   8) POP server SSL port:                     7995                          
   9) POP proxy port:                          110                           
  10) POP SSL proxy port:                      995                           
  11) Bind password for nginx ldap user:       set                           
  12) Enable HTTP[S] Proxy:                    TRUE                          
  13) Web server HTTP port:                    8080                          
  14) Web server HTTPS port:                   8443                          
  15) HTTP proxy port:                         80                            
  16) HTTPS proxy port:                        443                           
  17) Proxy server mode:                       https          

If you need to change any of these, select the corresponding item from the menu (for example, to disable the POP/IMAP proxy, select '2'). Otherwise, proceed with the defaults, and proxy and memcached are installed on the new server. To have all the mailbox servers use the proxy, set zimbraMailReferMode to reverse-proxied on each mailbox server and restart mailboxd so that all traffic goes through the proxy.

Using existing servers


Assuming you are running a ZCS version with no proxy/memcached and zimbraMailMode set to https, and you want to upgrade to 8.5 or above while adding proxy and memcached, follow these steps:

Start the 8.5 (or above) installer (install.sh script):

Do you wish to upgrade? [Y] y
Install zimbra-memcached [N] y
Install zimbra-proxy [N] y

After the install is done, enable web/mail proxy, and set the proxy mode and ports:

  • If the localconfig key 'zimbra_require_interprocess_security' is set, only "https" and "both" are valid modes:
/opt/zimbra/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x <https/both> -H `zmhostname`
  • If 'zimbra_require_interprocess_security' is unset, only "http" and "both" are valid modes:
/opt/zimbra/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x <http/both> -H `zmhostname`
  • Set the mail proxy ports:
/opt/zimbra/libexec/zmproxyconfig -e -m -o -i 7143:143:7993:993 -p 7110:110:7995:995 -H `zmhostname`
  • If setting a Proxy server on a Multi-Server for IMAPS and POPS:
    • On the Mailbox Server:
/opt/zimbra/libexec/zmproxyconfig -e -m -H mailbox.node.service.hostname
zmcontrol restart
    • On the Proxy Server:
/opt/zimbra/libexec/zmproxyconfig -e -m -H proxy.node.service.hostname
zmcontrol restart
  • If setting a Proxy server on a Single-Server for IMAPS and POPS:
/opt/zimbra/libexec/zmproxyconfig -e -m -H mailbox.node.service.hostname
zmcontrol restart

Now, to have all the mailbox servers use the proxy, simply set the zimbraMailReferMode to reverse-proxied on each mailbox server and restart mailboxd. All the traffic will now go through the proxy. Do a 'zmcontrol restart' on this node, and you should be up and running.

zmprov ms `zmhostname` zimbraMailReferMode reverse-proxied
zmmailboxdctl restart

Test if Proxy and memcached are listening properly

Verify that nginx is listening on port 443. You should see output similar to the following:

lsof -i :443
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   31418 zimbra   10u  IPv4 314934      0t0  TCP *:https (LISTEN)
nginx   31419 zimbra   10u  IPv4 314934      0t0  TCP *:https (LISTEN)
nginx   31420 zimbra   10u  IPv4 314934      0t0  TCP *:https (LISTEN)
nginx   31421 zimbra   10u  IPv4 314934      0t0  TCP *:https (LISTEN)

To verify that memcached is listening properly on port 11211, check for output similar to the following:

lsof -i :11211
COMMAND     PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
memcached 32456 zimbra   26u  IPv4  97167      0t0  TCP *:11211 (LISTEN)
memcached 32456 zimbra   27u  IPv6  97168      0t0  TCP *:11211 (LISTEN)
memcached 32456 zimbra   28u  IPv4  97171      0t0  UDP *:11211 
memcached 32456 zimbra   29u  IPv4  97171      0t0  UDP *:11211 
memcached 32456 zimbra   30u  IPv4  97171      0t0  UDP *:11211 
memcached 32456 zimbra   31u  IPv4  97171      0t0  UDP *:11211 
memcached 32456 zimbra   32u  IPv6  97172      0t0  UDP *:11211 
memcached 32456 zimbra   33u  IPv6  97172      0t0  UDP *:11211 
memcached 32456 zimbra   34u  IPv6  97172      0t0  UDP *:11211 
memcached 32456 zimbra   35u  IPv6  97172      0t0  UDP *:11211 
memcached 32456 zimbra   36u  IPv4  97232      0t0  TCP zimbra87.zimbra.io:11211->zimbra87.zimbra.io:39996 (ESTABLISHED)
memcached 32456 zimbra   37u  IPv4  97236      0t0  TCP zimbra87.zimbra.io:11211->zimbra87.zimbra.io:39997 (ESTABLISHED)
memcached 32456 zimbra   38u  IPv4  97238      0t0  TCP zimbra87.zimbra.io:11211->zimbra87.zimbra.io:39998 (ESTABLISHED)
memcached 32456 zimbra   39u  IPv4  97239      0t0  TCP zimbra87.zimbra.io:11211->zimbra87.zimbra.io:39999 (ESTABLISHED)
nginx     32481 zimbra   13u  IPv4 103880      0t0  TCP zimbra87.zimbra.io:39998->zimbra87.zimbra.io:11211 (ESTABLISHED)
nginx     32482 zimbra   15u  IPv4 103879      0t0  TCP zimbra87.zimbra.io:39997->zimbra87.zimbra.io:11211 (ESTABLISHED)
nginx     32483 zimbra   17u  IPv4 103881      0t0  TCP zimbra87.zimbra.io:39999->zimbra87.zimbra.io:11211 (ESTABLISHED)
nginx     32484 zimbra   19u  IPv4 103875      0t0  TCP zimbra87.zimbra.io:39996->zimbra87.zimbra.io:11211 (ESTABLISHED)

If memcached is not activated after the installation, run the following commands:

zmprov ms `zmhostname` +zimbraServiceEnabled memcached
zmcontrol restart
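
The lsof output above shows memcached bound to `*:11211` on both TCP and UDP, meaning every interface on the node. The following is an added example, not part of the original article or of Zimbra's tooling: it parses `lsof -i` output and reports wildcard binds; the sample rows and the `example.test` hostname are constructed.

```sh
#!/bin/sh
# Added example, not from the Zimbra wiki: report which services are bound to
# all interfaces ("*:port") in `lsof -i :PORT` output.

# Constructed sample modelled on the memcached output shown in the article.
sample_lsof() {
cat <<'EOF'
COMMAND     PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
memcached 32456 zimbra   26u  IPv4  97167      0t0  TCP *:11211 (LISTEN)
memcached 32456 zimbra   27u  IPv6  97168      0t0  TCP *:11211 (LISTEN)
memcached 32456 zimbra   28u  IPv4  97171      0t0  UDP *:11211
memcached 32456 zimbra   29u  IPv4  97171      0t0  UDP *:11211
memcached 32456 zimbra   32u  IPv6  97172      0t0  UDP *:11211
memcached 32456 zimbra   36u  IPv4  97232      0t0  TCP mail.example.test:11211->mail.example.test:39996 (ESTABLISHED)
nginx     32481 zimbra   13u  IPv4 103880      0t0  TCP mail.example.test:39996->mail.example.test:11211 (ESTABLISHED)
EOF
}

# wildcard_listeners: read lsof -i output on stdin and print one
# "COMMAND PROTO FAMILY" line per distinct socket bound to every interface.
wildcard_listeners() {
    awk '
        $1 == "COMMAND" { next }                   # header row
        $9 !~ /^\*:/    { next }                   # specific address or a connection
        $8 == "TCP" && $10 != "(LISTEN)" { next }  # TCP rows must be listeners
        $8 == "TCP" || $8 == "UDP" { seen[$1 " " $8 " " $5] = 1 }
        END { for (k in seen) print k }
    ' | sort
}

# exposure_report: turn the listener list into findings. UDP is reported
# separately because it is connectionless and needs its own firewall rule.
exposure_report() {
    wildcard_listeners | while read -r cmd proto family; do
        case "$proto" in
            UDP) echo "WARN $cmd $family: UDP open on all interfaces" ;;
            TCP) echo "NOTE $cmd $family: TCP listening on all interfaces" ;;
        esac
    done
}

sample_lsof | exposure_report
# On a live node: lsof -nP -i :11211 | exposure_report
```

A wildcard bind on 11211 means any host that can route to the node can reach the cache, so limit access with a host firewall to the proxy and mailbox nodes that need it.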

Manually Modifying Proxy & related Variables via CLI

Simple Command With Defaults

The zmproxyconfig command can be run with limited arguments if the command defaults are acceptable. Run /opt/zimbra/libexec/zmproxyconfig to view all the argument options and the usage.

Protocol Requirements Including HTTPS Redirect

HTTP proxy can support protocol modes for HTTP or HTTPS only, both HTTP and HTTPS, mixed HTTP and HTTPS or HTTPS redirect from HTTP. Redirect is a popular configuration. This configuration must be made to the proxy servers.

  • HTTPS redirect from HTTP
zmprov ms proxy.server.name zimbraReverseProxyMailMode redirect
  • HTTP and HTTPS (support both)
zmprov ms proxy.server.name zimbraReverseProxyMailMode both
  • HTTPS only
zmprov ms proxy.server.name zimbraReverseProxyMailMode https
  • HTTP only
zmprov ms proxy.server.name zimbraReverseProxyMailMode http
  • "mixed" will cause only authentication to be sent over HTTPS
zmprov ms proxy.server.name zimbraReverseProxyMailMode mixed

Documents & Sharing

It is important to consider access to documents (Briefcase) and shares when setting up HTTP proxy. A publicly reachable address must be configured for the REST and SOAP proxy interfaces; otherwise, components requiring access to these interfaces will fail. Calendar sharing is one example of such a component. Set zimbraPublicServiceHostname, zimbraPublicServiceProtocol, and zimbraPublicServicePort when applicable. These values are usually not required without proxy, since the REST and SOAP proxy interfaces take the value of the Zimbra mailbox service hostname by default. These attributes can be set globally, to be inherited by all domains, or per domain.

Set zimbraPublicServiceHostname to the value of the host that will be used in the URL for access to the HTTP proxy.

  • This command sets mail.domain.com as the public hostname to be used for access to all domains in the Zimbra directory:
zmprov mcf zimbraPublicServiceHostname mail.domain.com
  • This command sets mail.domaina.com as the public hostname to be used for access to domaina.com domain:
zmprov md domaina.com zimbraPublicServiceHostname mail.domaina.com
  • Set zimbraPublicServiceProtocol to http or https depending on the protocol requirements for HTTP proxy:
zmprov md domaina.com zimbraPublicServiceProtocol https
  • Set zimbraPublicServicePort to the value that corresponds to the HTTP proxy port used in the URL (optional if standard ports 80 or 443 are used for proxy listeners):
zmprov md domaina.com zimbraPublicServicePort 443

Troubleshooting

Proxy Login Slow

A common nginx misconfiguration is to have incorrectly designated non-mailbox servers as routing/zmlookup handlers. Only mailbox servers can perform route handler functions. To view the zmlookup lookup handlers, review the zm_lookup_handlers parameter in /opt/zimbra/conf/nginx/includes/nginx.conf.zmlookup:

grep zm_lookup_handlers /opt/zimbra/conf/nginx/includes/nginx.conf.zmlookup

If a non-mailbox server is listed, set the zimbraReverseProxyLookupTarget server configuration attribute to FALSE for that server.

zmprov ms `zmhostname` zimbraReverseProxyLookupTarget FALSE

Additionally, zimbraReverseProxyLookupTarget is a server inherited attribute from the global configuration, so check if zimbraReverseProxyLookupTarget has been incorrectly designated in global config.

zmprov gcf zimbraReverseProxyLookupTarget
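
The lookup-handler check described in this section can be scripted. This is an added example, not part of the original article or of Zimbra's tooling; it assumes the zm_lookup_handlers line holds space-separated handler URLs terminated by ";", and the hostnames, sample file contents and `mailbox_hosts` list are constructed.

```sh
#!/bin/sh
# Added example, not from the Zimbra wiki: list lookup handlers that are not
# mailbox servers. The zm_lookup_handlers line format is an assumption
# (space-separated URLs ending in ";"); compare with your own file.

# make_sample DIR: write constructed sample inputs (hostnames are made up).
make_sample() {
    cat > "$1/nginx.conf.zmlookup" <<'EOF'
# constructed sample
zm_lookup_handlers https://mbox1.example.test:7072/service/extension/nginx-lookup https://mta1.example.test:7072/service/extension/nginx-lookup https://mbox2.example.test:7072/service/extension/nginx-lookup;
EOF
    printf '%s\n' mbox1.example.test mbox2.example.test > "$1/mailbox_hosts"
}

# lookup_handler_hosts FILE: print the hostname of every handler URL.
lookup_handler_hosts() {
    awk '$1 == "zm_lookup_handlers" {
        for (i = 2; i <= NF; i++) {
            h = $i
            sub(/;$/, "", h)              # trailing directive terminator
            sub(/^[a-z]+:\/\//, "", h)    # scheme
            sub(/[:\/].*$/, "", h)        # port and path
            if (h != "") print h
        }
    }' "$1" | sort -u
}

# unexpected_handlers FILE MAILBOX_LIST: handlers absent from the list of
# mailbox servers (one hostname per line). On a live system the list can be
# produced with `zmprov gas mailbox`.
unexpected_handlers() {
    lookup_handler_hosts "$1" | grep -vxF -f "$2" || true
}

tmp=$(mktemp -d)
make_sample "$tmp"
for h in $(unexpected_handlers "$tmp/nginx.conf.zmlookup" "$tmp/mailbox_hosts"); do
    echo "not a mailbox server: $h -> zmprov ms $h zimbraReverseProxyLookupTarget FALSE"
done
rm -rf "$tmp"
```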

Verified Against:
Date Created: 6/05/2014
Article ID: https://wiki.zimbra.com/index.php?title=Enabling_Zimbra_Proxy_and_memcached
Date Modified: 2022-07-01


