Using Kolab Behind a Reverse Proxy

Kolab’s HTTP services work well behind a reverse proxy when properly configured. This guide offers an example Apache configuration for a reverse SSL proxy.

Configuring the Proxy

The following configuration examples use https://example.com as external URL and http://192.168.0.1 as internal URL.

A simple Apache configuration could be as follows. It only allows secure connections, except for Thunderbird’s autodiscovery.

Define myservername example.com
Define mykolabip 192.168.0.1

<VirtualHost *:80>
    ServerName ${myservername}
    ServerAlias www.${myservername}
    ServerAlias autodiscover.${myservername}
    # use e.g. for ACME verification:
    DocumentRoot /var/www/html

    RewriteEngine On

    # Thunderbird Autodiscovery (proxy)
    ProxyPreserveHost On
    RewriteRule ^/mail/config-v1.1.xml$ http://${mykolabip}/mail/config-v1.1.xml [P]
    RewriteRule ^/.well-known/autoconfig/mail/config-v1.1.xml$ http://${mykolabip}/mail/config-v1.1.xml [P]

    # CalDAV autodiscovery (redirect)
    RewriteRule ^/.well-known/caldav   https://%{SERVER_NAME}/iRony/ [L,R=301]
    RewriteRule ^/.well-known/carddav  https://%{SERVER_NAME}/iRony/ [L,R=301]

    # Redirect to secure site
    RewriteRule !^/.well-known https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName ${myservername}
    ServerAlias www.${myservername}
    ServerAlias autodiscover.${myservername}
    DocumentRoot /var/www/html

    ProxyPreserveHost On
    RewriteEngine On

    # Microsoft autodiscovery
    RewriteCond "%{HTTP_HOST}" "=autodiscover.${myservername}"
    RewriteRule !^/autodiscover https://%{SERVER_NAME}/autodiscover/autodiscover.xml [L,R=301,NC]

    # CalDAV autodiscovery
    RewriteRule ^/.well-known/caldav   /iRony/ [L,R=301]
    RewriteRule ^/.well-known/carddav   /iRony/ [L,R=301]

    # Proxy everything to Kolab
    ProxyPass "/.well-known" "!"
    ProxyPass / http://${mykolabip}/
    ProxyPassReverse / http://${mykolabip}/

    # SSL configuration
    SSLEngine On
    SSLCertificateFile #PATH_TO_SSL_CERTIFICATE
    SSLCertificateKeyFile #PATH_TO_SSL_KEY
</VirtualHost>

Within a more complicated setup, it might be required that only Kolab services are proxied. In that case, add explicit ProxyPass and ProxyPassReverse directives for URLs used by Kolab:

ProxyPass /roundcubemail http://${mykolabip}/roundcubemail
ProxyPassReverse /roundcubemail http://${mykolabip}/roundcubemail
ProxyPass /Microsoft-Server-ActiveSync http://${mykolabip}/Microsoft-Server-ActiveSync
ProxyPassReverse /Microsoft-Server-ActiveSync http://${mykolabip}/Microsoft-Server-ActiveSync
ProxyPass /freebusy http://${mykolabip}/freebusy
ProxyPassReverse /freebusy http://${mykolabip}/freebusy
ProxyPass /kolab-webadmin http://${mykolabip}/kolab-webadmin
ProxyPassReverse /kolab-webadmin http://${mykolabip}/kolab-webadmin
ProxyPass /iRony http://${mykolabip}/iRony
ProxyPassReverse /iRony http://${mykolabip}/iRony
ProxyPass /chwala http://${mykolabip}/chwala
ProxyPassReverse /chwala http://${mykolabip}/chwala

Configure the Kolab Backend

Chwala and the Kolab Web Administration Panel may need to be told explicitly which URLs to use for their APIs.

For Chwala and the Roundcube kolab_files plugin, add to the Roundcube configuration file (see Roundcube Settings Reference Guide):

$config['file_api_url'] = 'http://localhost/chwala/api/';
$config['kolab_files_url'] = 'https://example.com/chwala/';

For kolab-webadmin, add to /etc/kolab/kolab.conf:

[kolab_wap]
api_url = http://localhost/kolab-webadmin/api