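I am running roundcube webmail on an nginx web server that serves http only.
This is proxied by another nginx that serves https.
Both are separate FreeBSD jails on the same machine.
I can basically access the roundcube web page through the proxy's address, but some features do not work. For example:
- Selecting an item in the mail list does not show its content in the preview iframe
- Selecting an item in the message list and clicking the buttons at the top: the delete button does not delete the item. But the reply button and the mark-as-read button work.
- Mails cannot be dragged and dropped into folders. All the highlighting and animation is shown while dragging, but the mail is not moved on drop
- But double-clicking a message to open it in full-screen view works.
Does anyone know what the problem could be here? The same proxy with the same settings works fine for my owncloud instance.
When I select a message while logged in through the proxy, the error logs of both nginx instances show no entries.
However, when selecting a message without the proxy in between, I see the following in access.log: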
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview HTTP/1.1" 200 11236 "http://10.0.0.211/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /skins/larry/styles.min.css?s=1448290416 HTTP/1.1" 304 0 "http://10.0.0.211/?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /skins/larry/mail.min.css?s=1448290416 HTTP/1.1" 304 0 "http://10.0.0.211/?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /plugins/jqueryui/themes/larry/jquery-ui-1.10.4.custom.css?s=1448290415 HTTP/1.1" 304 0 "http://10.0.0.211/?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /skins/larry/ui.min.js?s=1448290416 HTTP/1.1" 304 0 "http://10.0.0.211/?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /program/js/jquery.min.js?s=1448290416 HTTP/1.1" 304 0 "http://10.0.0.211/?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /program/js/common.min.js?s=1448290416 HTTP/1.1" 304 0 "http://10.0.0.211/?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /program/js/app.min.js?s=1448290416 HTTP/1.1" 304 0 "http://10.0.0.211/?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /plugins/jqueryui/js/jquery-ui-1.10.4.custom.min.js?s=1448290415 HTTP/1.1" 304 0 "http://10.0.0.211/?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
10.0.0.25 - - [05/Jan/2016:14:03:22 +0100] "GET /plugins/jqueryui/js/i18n/jquery.ui.datepicker-de.js?s=1448290415 HTTP/1.1" 304 0 "http://10.0.0.211/?_task=mail&_caps=pdf%3D1%2Cflash%3D1%2Ctif%3D0&_uid=44613&_mbox=INBOX&_framed=1&_action=preview" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
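When I click a message with the proxy in between, the access logs of both nginx instances show no new entries.
Does this hint that something might be wrong with my configuration?
Here are my nginx configurations:
nginx in the roundcube jail: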
worker_processes 2;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        #listen 80;
        root /usr/local/www/roundcubemail;
        # Logs
        access_log /usr/home/webmail/roundcube-access.log;
        error_log /usr/home/webmail/roundcube-error.log;
        # Default location settings
        location / {
            index index.php;
            try_files $uri $uri/ /index.php?$args;
        }
        # Redirect server error pages to the static page /50x.html
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
        # Pass the PHP scripts to FastCGI server (locally with unix: param to avoid network overhead)
        location ~ \.php$ {
            # Prevent Zero-day exploit
            try_files $uri =404;
            fastcgi_keep_conn on;
            fastcgi_split_path_info ^(.+\.php)(.*)$;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/var/run/php-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
        }
        # Deny access to .htaccess files, if Apache's document root
        location ~ /\.ht {
            deny all;
        }
        # Exclude favicon from the logs to avoid bloating when it's not available
        location /favicon.ico {
            log_not_found off;
            access_log off;
        }
    }
}
nginx in the proxy jail:
worker_processes 2;
error_log /usr/local/etc/nginx/proxy.error.log;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        return 301 https://$host$request_uri;
    }
    server {
        listen 443;
        server_name mydomain.tld;
        ssl_certificate /usr/local/etc/nginx/server.crt;
        ssl_certificate_key /usr/local/etc/nginx/server.key;
        ssl on;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        resolver_timeout 5s;
        access_log /usr/local/etc/nginx/proxy.access.log;
        location ^~ /owncloud {
            proxy_set_header X-Forwarded-Host mydomain.tld;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_pass http://10.0.0.202:80/owncloud;
            proxy_redirect http:// https://;
            client_max_body_size 2G;
        }
        location ^~ /mail {
            proxy_set_header X-Forwarded-Host mydomain.tld;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_pass http://10.0.0.211:80/;
            proxy_redirect http:// https://;
        }
    }
}
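Answer 1
I found the solution!
In the proxy configuration, the line
add_header X-Frame-Options DENY;
caused the trouble.
If I comment it out, everything works.
Contrary to what I found in other sources, the option $config['x_frame_options'] = 'sameorigin'; in roundcube's defaults.inc.php can stay at its default value and does not need to be changed to false.
Maybe this helps someone with a similar problem in the future.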
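An alternative to removing the header outright, added here as an example and not part of the original answer: the proxy keeps clickjacking protection but permits same-origin framing, which the Roundcube preview iframe (the `_framed=1&_action=preview` request in the access log above) depends on. The `proxy_hide_header` line and the `listen 443 ssl` form are assumptions layered on the poster's configuration; the remaining TLS directives stay as posted.

```nginx
# Added example, not the poster's configuration.
server {
    listen 443 ssl;
    server_name mydomain.tld;
    ssl_certificate     /usr/local/etc/nginx/server.crt;
    ssl_certificate_key /usr/local/etc/nginx/server.key;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Content-Type-Options nosniff;

    # Before: add_header X-Frame-Options DENY;
    # DENY forbids every frame, including the application's own preview
    # iframe. SAMEORIGIN still refuses framing by any other site.
    add_header X-Frame-Options SAMEORIGIN;

    location ^~ /mail {
        # Assumption: Roundcube also emits X-Frame-Options (its
        # x_frame_options default is 'sameorigin'). Hide the upstream copy
        # so the browser receives exactly one value, the one set above.
        proxy_hide_header X-Frame-Options;

        proxy_set_header X-Forwarded-Host mydomain.tld;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://10.0.0.211:80/;
        proxy_redirect http:// https://;
    }
}
```

The server-level `add_header` lines apply inside `location ^~ /mail` only while that location declares no `add_header` of its own; adding one there drops all inherited headers for that location, so they would have to be repeated.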
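Answer 2
Your proxy is not transparent; it is translating URIs like /mail/xxx to /xxx on the server.
Looking at your access.log, the web page contains embedded resources under /skins, /plugins and /program. When these resources are accessed through the proxy, there is no rule that sends the requests to the mail server. So your web page is incomplete.
The simplest solution may be to make your proxy transparent to the mail server, since you state that the owncloud proxy is working. Try: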
location /owncloud {
    # owncloud proxy
}
location / {
    # mail proxy
}
This way all URIs, except those specifically for the owncloud service, are passed transparently to the mail server.