Zimbra with Apache using mod jk - mod proxy - mod proxy ajp
These instructions will enable access to Zimbra and other web applications/pages through the same host/port.
For example, if the Zimbra web interface is running at http://your.domain.com:8080/, and a separate instance of Apache is running at http://your.domain.com/, follow these steps to enable access to the Zimbra web interface through http://your.domain.com/zimbra/.
Disclaimer
This procedure is not fully verified, so follow these directions at your own risk. Particularly, note that using mod_proxy requires you to secure your server first, according to the Apache documentation. Please edit this page if something is wrong or incomplete.
Methods
There are two different ways of accomplishing this:
- Creating an HTTP proxy to the Zimbra web interface, using Apache's mod_proxy. (This method is easier but is generally considered to be less secure.)
- Configuring the Zimbra web interface for the Apache JServ Protocol (AJP), and then using Apache's mod_proxy_ajp or mod_jk to access it.
Prerequisites
Zimbra and Apache should both be installed. mod_proxy_ajp requires Apache 2.1 or later.
If you are installing Apache after installing Zimbra, you may first need to change the specific port numbers that the Zimbra web interface uses. For example, if you originally configured Zimbra to use port 80, you will need to change it to another port (such as 8080) in order for Apache to run on port 80. You can do this with the zmprov command.
These instructions include the commands to use under Ubuntu Linux, which may need to be modified slightly under other distributions.
To see your current running web service, type the following:
# lsof -P -i -n|grep ":80"|grep java
It will show something similar to:
# TCP *:80 (LISTEN)
Now, to change the Zimbra HTTP port from TCP/80 to TCP/8009, run the following as Linux root:
# su zimbra
$ zmprov
zmprov> ms mail.example.com zimbraMailPort 8009
zmprov> exit
$ exit
# sudo -u zimbra /opt/zimbra/bin/zmmailboxdctl restart
To make sure the Zimbra HTTP port has changed to TCP/8009, run the same command as before with the new port number:
# lsof -P -i -n|grep ":8009"|grep java
It will show something similar to:
# TCP *:8009 (LISTEN)
Using an HTTP proxy
- Install and enable mod_proxy in Apache. Under Ubuntu, mod_proxy is installed by default, so just use these commands to enable it:
sudo a2enmod proxy
sudo a2enmod proxy_http
proxy_http is enabled as well to avoid an internal server error.
- Create a new Apache site for Zimbra. Under Ubuntu, add these lines to a new file named /etc/apache2/sites-available/zimbra:
<IfModule mod_proxy.c>
    # Reverse proxy only: ProxyPass does not need forward proxying, and
    # ProxyRequests On would let clients relay requests to arbitrary hosts.
    ProxyRequests Off
    ProxyVia On

    # To allow all traffic of localhost:8080
    <Proxy http://localhost:8080>
        AddDefaultCharset off
        Order allow,deny
        Allow from all
    </Proxy>

    # OR, instead of the block above, you can specify each path:
    <Proxy http://localhost:8080/service>
        AddDefaultCharset off
        Order allow,deny
        Allow from all
    </Proxy>
    <Proxy http://localhost:8080/zimbra>
        AddDefaultCharset off
        Order allow,deny
        Allow from all
    </Proxy>
    <Proxy http://localhost:8080/home>
        AddDefaultCharset off
        Order allow,deny
        Allow from all
    </Proxy>

    <Location "/service">
        # Modify to your setup, but do NOT skip these lines --
        # you MUST configure access controls securely!
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Allow from 192.168.0.5
        Allow from your.domain.com
        # Replace this URL with the host/port that the
        # Zimbra user web interface is using
        ProxyPass http://localhost:8080/service
        ProxyPassReverse http://localhost:8080/service
    </Location>

    <Location "/zimbra">
        # Modify to your setup, but do NOT skip these lines --
        # you MUST configure access controls securely!
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Allow from 192.168.0.5
        Allow from your.domain.com
        # Replace this URL with the host/port that the
        # Zimbra user web interface is using
        ProxyPass http://localhost:8080/zimbra
        ProxyPassReverse http://localhost:8080/zimbra
    </Location>

    <Location "/home">
        # Modify to your setup, but do NOT skip these lines --
        # you MUST configure access controls securely!
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Allow from 192.168.0.5
        Allow from your.domain.com
        # Replace this URL with the host/port that the
        # Zimbra user web interface is using
        ProxyPass http://localhost:8080/home
        ProxyPassReverse http://localhost:8080/home
    </Location>

    # You cannot add zimbraAdmin here because the PROXY_HTTP doesn't support the Secure Socket HTTPS
    # So you don't need to add this section because it will not work
    <Location "/zimbraAdmin">
        # Modify to your setup, but do NOT skip these lines --
        # you MUST configure access controls securely!
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Allow from 192.168.0.5
        Allow from your.domain.com
        # Replace this URL with the host/port that the
        # Zimbra administrative web interface is using
        ProxyPass https://localhost:7071/zimbraAdmin
        ProxyPassReverse https://localhost:7071/zimbraAdmin
    </Location>
</IfModule>
- Enable the site. Under Ubuntu, use the command:
sudo a2ensite zimbra
(Instead of creating a site, you could also add the previous configuration block to either apache2.conf, httpd.conf, or to a new file in conf.d/, but this is not recommended.)
- Restart Apache. Under Ubuntu, use the command:
sudo /etc/init.d/apache2 force-reload
sudo /etc/init.d/apache2 restart
Using Apache JServ Protocol
The application server (Jetty for Zimbra 5.0, or Tomcat for Zimbra 4.5 and earlier) will be configured to bind to port 8009, and to serve requests on this port using the Apache JServ Protocol (AJP). (It will continue as well to bind to existing ports that are used for accessing Zimbra's web interfaces.)
An Apache site for Zimbra will then be configured; Apache will send requests to the application server through port 8009 using AJP. This will be accomplished using either mod_proxy_ajp or mod_jk.
Vote for AJP support in Zimbra: If you would prefer to not have to edit several of Zimbra's configuration files by hand to get AJP to work, but would rather be able to turn it on easily from the administrative console/UI -- and you would like AJP to be "supported" by Zimbra -- vote for bug 23269.
Configuring the application server
For Zimbra 5.0
Install the AJP library into Jetty. For Zimbra 5.0.0: download the Jetty 6.1.5 source and extract the file jetty-6.1.5/lib/ext/jetty-ajp-6.1.5.jar, saving it into /opt/zimbra/jetty/lib/ext/jetty-ajp-6.1.5.jar. (If you are using a later version of Zimbra, check first to see if it comes with a different version of Jetty -- look at the names of the other files in /opt/zimbra/jetty/lib/ext/.)
Next, edit the file /opt/zimbra/jetty/etc/jetty.xml.in:
- Search for these lines:
<!-- =========================================================== -->
<!-- Set connectors -->
<!-- =========================================================== -->
- Below them, add the following:
<Call name="addConnector">
  <Arg>
    <New id="ajp" class="org.mortbay.jetty.ajp.Ajp13SocketConnector">
      <Set name="port">8009</Set>
    </New>
  </Arg>
</Call>
Then, edit the file /opt/zimbra/jetty/etc/service.web.xml.in:
- Search for instances of the allowed.ports parameter, which will look like this:
<init-param>
  <param-name>allowed.ports</param-name>
  <param-value>%%zimbraMailPort%%, %%zimbraMailSSLPort%%, 7070, 7443, 7071</param-value>
</init-param>
- If the parameter value already contains %%zimbraMailPort%% and %%zimbraMailSSLPort%%, as above, then add port 8009 to the end of the list, like this:
...
  <param-value>%%zimbraMailPort%%, %%zimbraMailSSLPort%%, 7070, 7443, 7071, 8009</param-value>
...
- If you wish to enable access to the Zimbra administrative web interface, then also perform the above step on any instance of allowed.ports in which the value already contains 7071.
Additional steps were previously added here that are not believed to be correct/necessary. See the discussion page.
Finally, restart the application server. Under Ubuntu, type:
sudo -u zimbra /opt/zimbra/bin/zmmailboxdctl restart
For Zimbra 4.5 and earlier
Edit the file /opt/zimbra/tomcat/conf/server.xml.in:
- Search for these lines in the file, and note the value of redirectPort:
<!-- HTTPBEGIN -->
<Connector port="8080"
           acceptCount="1024"
           enableLookups="false" redirectPort="8443"
           maxThreads="100" minSpareThreads="100" maxSpareThreads="100"/>
<!-- HTTPEND -->
- Then find this line:
<Engine name="Catalina" defaultHost="localhost">
- Just before this line, add the following:
<!-- AJPBEGIN -->
<Connector port="8009"
           acceptCount="1024"
           enableLookups="false" redirectPort="8443"
           protocol="AJP/1.3" />
<!-- AJPEND -->
Set redirectPort to the same value used in the existing lines for HTTP.
Next, edit the files /opt/zimbra/tomcat/conf/service.web.xml.in and /opt/zimbra/tomcat/conf/zimbra.web.xml.in (and, if you would like to access the Zimbra administrative web interface, /opt/zimbra/tomcat/conf/zimbraAdmin.web.xml.in):
- Search for instances of the allowed.ports parameter, which will look like this:
<init-param>
  <param-name>allowed.ports</param-name>
  <param-value>8080, 8443, 7070, 7443, 7071</param-value>
</init-param>
- For each instance, add ports 80 and 443 to the end of the list, like this:
...
  <param-value>8080, 8443, 7070, 7443, 7071, 80, 443</param-value>
...
Finally, restart the application server. Under Ubuntu, type:
sudo -u zimbra /opt/zimbra/bin/tomcat restart
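The connectors added above set only a port, so the application server accepts AJP on every interface, while Apache only needs to reach it through localhost. The following check is an added example, not part of the original how-to: it reads `lsof -P -i -n` output and reports listeners on an exact port that are bound to anything other than loopback. The function name and the sample lsof lines are constructed for illustration.

```sh
# Added example. Reads `lsof -P -i -n` output on stdin and prints the bind
# address of every LISTEN socket on exactly PORT that is not loopback-only.
# Returns non-zero when at least one such listener exists.
non_loopback_listeners() {
    awk -v port="$1" '
    $NF == "(LISTEN)" {
        addr = $(NF - 1)                   # *:8009, 127.0.0.1:8009, [::1]:8009
        n = match(addr, /:[0-9]+$/)        # position of the trailing :port
        if (n == 0 || substr(addr, n + 1) != port) next
        host = substr(addr, 1, n - 1)
        if (host ~ /^127\./ || host == "[::1]") next
        print host; exposed = 1
    }
    END { exit exposed + 0 }'
}

# Constructed sample in the layout lsof prints (not captured from a real host).
sample_lsof() { cat <<'EOF'
COMMAND  PID   USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
java    4211 zimbra  92u  IPv4  18310      0t0  TCP *:8009 (LISTEN)
java    4211 zimbra  95u  IPv4  18312      0t0  TCP *:8080 (LISTEN)
java    4211 zimbra  97u  IPv4  18340      0t0  TCP 127.0.0.1:7072 (LISTEN)
EOF
}

# Port 80 is not reported even though ":80" is a substring of ":8009" and ":8080".
sample_lsof | non_loopback_listeners 80   && echo "80: nothing exposed"
sample_lsof | non_loopback_listeners 8009 || echo "8009: reachable on the addresses above"
```

On a live host, run `lsof -P -i -n | non_loopback_listeners 8009` as root; a `*` in the output means the port should be covered by a host firewall rule or a loopback bind address.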
Configuring Apache
Using mod_proxy_ajp
mod_proxy_ajp requires Apache 2.1 or later, but is installed by default.
- Enable mod_proxy_ajp. Under Ubuntu, use the command:
sudo a2enmod proxy_ajp
- Create a new Apache site for Zimbra. Under Ubuntu, add these lines to a new file named /etc/apache2/sites-available/zimbra:
<IfModule mod_proxy_ajp.c>
    # Reverse proxy only: ProxyPass does not need forward proxying, and
    # ProxyRequests On would let clients relay requests to arbitrary hosts.
    ProxyRequests Off
    ProxyVia On

    <Location /service>
        Order allow,deny
        Allow from all
        ProxyPass ajp://localhost:8009/service
        ProxyPassReverse ajp://localhost:8009/service
    </Location>

    <Location /zimbra>
        Order allow,deny
        Allow from all
        ProxyPass ajp://localhost:8009/zimbra
        ProxyPassReverse ajp://localhost:8009/zimbra
    </Location>

    # Only include this section to enable access to
    # the Zimbra administrative web interface
    <Location /zimbraAdmin>
        Order allow,deny
        Allow from all
        ProxyPass ajp://localhost:8009/zimbraAdmin
        ProxyPassReverse ajp://localhost:8009/zimbraAdmin
    </Location>
</IfModule>
- Enable the site. Under Ubuntu, use the command:
sudo a2ensite zimbra
(Instead of creating a site, you could also add the previous configuration block to either apache2.conf, httpd.conf, or to a new file in conf.d/.)
- Restart Apache. Under Ubuntu, use the command:
sudo /etc/init.d/apache2 force-reload
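A check for the site files from the HTTP proxy and mod_proxy_ajp sections, as an added example rather than part of the original how-to: it flags ProxyRequests On and any proxied Location that is open to all clients or has no Deny from all. The function name and both sample configs are constructed for illustration, and only the Apache 2.2 Order/Allow/Deny syntax used on this page is recognized.

```sh
# Added example. Reads an Apache site file on stdin, prints one finding per
# line, and returns non-zero if anything was flagged.
audit_proxy_conf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    { sub(/^[ \t]+/, ""); l = tolower($0) }
    l ~ /^proxyrequests[ \t]+on[ \t]*$/ {
        print "line " NR ": ProxyRequests On enables forward proxying"; bad = 1
    }
    l ~ /^<location[ \t]/ {                     # entering a <Location> section
        loc = $2; gsub(/[">]/, "", loc)
        in_loc = 1; has_pass = 0; allow_all = 0; deny_all = 0
    }
    in_loc && l ~ /^proxypass[ \t]/                 { has_pass = 1 }
    in_loc && l ~ /^allow[ \t]+from[ \t]+all[ \t]*$/ { allow_all = 1 }
    in_loc && l ~ /^deny[ \t]+from[ \t]+all[ \t]*$/  { deny_all = 1 }
    l ~ /^<\/location>/ {                       # leaving it: judge the section
        if (has_pass && allow_all) {
            print "line " NR ": " loc " is proxied with Allow from all"; bad = 1
        } else if (has_pass && !deny_all) {
            print "line " NR ": " loc " is proxied without Deny from all"; bad = 1
        }
        in_loc = 0
    }
    END { exit bad + 0 }'
}
# Constructed sample: forward proxy on, admin path open to every client.
sample_weak() { cat <<'EOF'
ProxyRequests On
<Location /zimbraAdmin>
    Order allow,deny
    Allow from all
    ProxyPass ajp://localhost:8009/zimbraAdmin
</Location>
EOF
}
# Constructed sample: reverse proxy only, access limited to one address.
sample_restricted() { cat <<'EOF'
ProxyRequests Off
<Location "/zimbra">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    ProxyPass http://localhost:8080/zimbra
</Location>
EOF
}
sample_weak | audit_proxy_conf || echo "weak sample: findings above"
sample_restricted | audit_proxy_conf && echo "restricted sample: clean"
```

To check the real file, run `audit_proxy_conf < /etc/apache2/sites-available/zimbra` before enabling the site.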
Using mod_jk
- Install mod_jk for Apache. Under Ubuntu, use the command:
sudo apt-get install libapache2-mod-jk
- In the Apache configuration directory (/etc/apache2 in Ubuntu), create a file named workers.properties and add the following lines to it:
worker.list=zimbra
worker.zimbra.type=ajp13
worker.zimbra.host=localhost
worker.zimbra.port=8009
worker.zimbra.lbfactor=1
- Add configuration for mod_jk to Apache. Under Ubuntu, create a file named /etc/apache2/mods-available/jk.conf and add the following lines:
# Modify the following two paths, according to your distribution's filesystem layout
JkWorkersFile /etc/apache2/workers.properties
JkLogFile /var/log/apache2/jk.log

JkShmFile /var/tmp/jk.shm
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkRequestLogFormat "%w %V %T"
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories

JkMount /zimbra zimbra
JkMount /zimbra/ zimbra
JkMount /zimbra/* zimbra
JkMount /service zimbra
JkMount /service/ zimbra
JkMount /service/* zimbra

# Add the following lines to enable access to the Zimbra administrative web interface
JkMount /zimbraAdmin zimbra
JkMount /zimbraAdmin/ zimbra
JkMount /zimbraAdmin/* zimbra
(Alternatively, you can add the previous block to either apache2.conf, httpd.conf, or a new file in conf.d/.)
- Enable mod_jk. Under Ubuntu, use the command:
sudo a2enmod jk
- Restart Apache. Under Ubuntu, use the command:
sudo /etc/init.d/apache2 force-reload
Fixing access to Documents, Briefcase etc
When using the Documents Wiki (zmwiki), the links on the wiki page use the port that Zimbra is configured for (i.e., 8080). You can change this with the following parameters:
- zimbraPublicServiceHostname
- zimbraPublicServiceProtocol
- zimbraPublicServicePort
These can be set at the global or domain level. Note that you should set all of them for them to have an effect.
Credits
Thanks to everyone at the Forums for posting about their problems and efforts in trying to run Zimbra with Apache using mod_jk. Also, thanks to the original Using_Tomcat_with_Apache_(mod_jk) entry (a lot has been borrowed from it). This how-to is a result of their efforts.
See Also
- Using_Tomcat_with_Apache_(mod_jk)
- ZimbraApache
- Provide_HTTP(s)_Integration_with_Apache
- Hosting_other_sites_with_Zimbra