Using Kolab Behind a Reverse Proxy¶
Kolab’s HTTP services work well behind a reverse proxy when properly configured. This guide offers an example Apache configuration for a reverse SSL proxy.
Configuring the Proxy¶
The following configuration examples use https://example.com
as
external URL and http://192.168.0.1
as internal URL.
A simple Apache configuration could be as follows. It only allows secure connections, except for Thunderbird’s autodiscovery.
Define myservername example.com Define mykolabip 192.168.0.1 <VirtualHost *:80> ServerName ${myservername} ServerAlias www.${myservername} ServerAlias autodiscover.${myservername} # use e.g. for ACME verification: DocumentRoot /var/www/html RewriteEngine On # Thunderbird Autodiscovery (proxy) ProxyPreserveHost On RewriteRule ^/mail/config-v1.1.xml$ http://${mykolabip}/mail/config-v1.1.xml [P] RewriteRule ^/.well-known/autoconfig/mail/config-v1.1.xml$ http://${mykolabip}/mail/config-v1.1.xml [P] # CalDAV autodiscovery (redirect) RewriteRule ^/.well-known/caldav https://%{SERVER_NAME}/iRony/ [L,R=301] RewriteRule ^/.well-known/carddav https://%{SERVER_NAME}/iRony/ [L,R=301] # Redirect to secure site RewriteRule !^/.well-known https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L] </VirtualHost> <VirtualHost *:443> ServerName ${myservername} ServerAlias www.${myservername} ServerAlias autodiscover.${myservername} DocumentRoot /var/www/html ProxyPreserveHost On RewriteEngine On # Microsoft autodiscovery RewriteCond "%{HTTP_HOST}" "=autodiscover.${myservername}" RewriteRule !^/autodiscover https://%{SERVER_NAME}/autodiscover/autodiscover.xml [L,R=301,NC] # CalDAV autodiscovery RewriteRule ^/.well-known/caldav /iRony/ [L,R=301] RewriteRule ^/.well-known/carddav /iRony/ [L,R=301] # Proxy everything to Kolab ProxyPass "/.well-known" "!" ProxyPass / http://${mykolabip}/ ProxyPassReverse / http://${mykolabip}/ # SSL configuration SSLEngine On SSLCertificateFile #PATH_TO_SSL_CERTIFICATE SSLCertificateKeyFile #PATH_TO_SSL_KEY </VirtualHost>
Within a more complicated setup, it might be required that only Kolab
services are proxied. In that case, add explicit ProxyPass
and
ProxyPassReverse
directives for URLs used by Kolab:
ProxyPass /roundcubemail http://${mykolabip}/roundcubemail
ProxyPassReverse /roundcubemail http://${mykolabip}/roundcubemail
ProxyPass /Microsoft-Server-ActiveSync http://${mykolabip}/Microsoft-Server-ActiveSync
ProxyPassReverse /Microsoft-Server-ActiveSync http://${mykolabip}/Microsoft-Server-ActiveSync
ProxyPass /freebusy http://${mykolabip}/freebusy
ProxyPassReverse /freebusy http://${mykolabip}/freebusy
ProxyPass /kolab-webadmin http://${mykolabip}/kolab-webadmin
ProxyPassReverse /kolab-webadmin http://${mykolabip}/kolab-webadmin
ProxyPass /iRony http://${mykolabip}/iRony
ProxyPassReverse /iRony http://${mykolabip}/iRony
ProxyPass /chwala http://${mykolabip}/chwala
ProxyPassReverse /chwala http://${mykolabip}/chwala
Configure the Kolab Backend¶
Chwala and the Kolab Web Administration Panel may need to be told explicitly which URLs to use for their APIs.
For Chwala and the Roundcube kolab_files plugin, add to the Roundcube configuration file (see Roundcube Settings Reference Guide):
$config['file_api_url'] = 'http://localhost/chwala/api/';
$config['kolab_files_url'] = 'https://example.com/chwala/';
For kolab-webadmin, add to /etc/kolab/kolab.conf
:
[kolab_wap]
api_url = http://localhost/kolab-webadmin/api