Kerio connect behind reverse proxy? [message #147601]
Thu, 20 February 2020 12:04
MigSelv
Messages: 7 Registered: February 2020
Hi,
I have been searching the forum and via Google, but cannot seem to find an answer. I need to run Kerio Connect behind a reverse proxy, but still have Connect log the correct client IP in the log files. I have not been able to find any information on how to tell Connect what header (like X-Forwarded-For) to log as the IP address, so right now all connections are being logged as coming from our reverse proxy IP.
Any help is much appreciated.

Re: Kerio connect behind reverse proxy? [message #147659 is a reply to message #147651]
Mon, 02 March 2020 09:02
simion.chis
Messages: 20 Registered: February 2014
@MigSelv,
if you receive an answer to your question, please post it here. I am interested in this subject and, if you can, what reverse proxy do you intend to use (and other details)? I have more (web) servers on the same IP and now I use port forwarding for some apps. My future plan is to go with nginx (or HAProxy?).
I hope that I'm on the right track 
Thanks!

Re: Kerio connect behind reverse proxy? [message #147670 is a reply to message #147663]
Mon, 02 March 2020 15:39
phl
Messages: 14 Registered: December 2012 Location: FRANCE
Hello
I use Apache ProxyPass and ProxyPassReverse
Here are my settings:
ServerName mail.domain.tld
ProxyRequests Off
SSLStrictSNIVHostCheck Off
SSLEngine on
SSLProxyEngine On
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLProxyVerify none
# My server IP address
ProxyPass / https://192.168.1.10/
ProxyPassReverse / https://192.168.1.10/
ProxyPreserveHost On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
But be careful, it's only for an ActiveSync connection (port 443). It's not working with the other ports (993, 25, 465, 587, etc.).
In this proxy, I also have the integration of Let's Encrypt certificates.

Re: Kerio connect behind reverse proxy? [message #147681 is a reply to message #147663]
Tue, 03 March 2020 18:04
MigSelv
Messages: 7 Registered: February 2020
Hi,
I'm using Kerio Connect 9.2.11. Not sure where I got the 9.2.3 from.
How does Kerio Connect detect the reverse proxy IP? It must be looking for some headers. What are those, and can you customize Kerio Connect to use a specific one? I'm only interested in doing it for the Webmail and ActiveSync (port 443).
I'm currently using NGINX and this setting, and Kerio Connect still reports my reverse proxy IP when using Webmail and ActiveSync:
server {
    listen 443 ssl http2;
    include /etc/nginx/conf.d/ssl.conf;
    location / {
        proxy_pass MyKerioConnectIP;
        client_max_body_size 0;
        proxy_http_version 1.1;
        proxy_next_upstream timeout error;
        proxy_read_timeout 4000;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Request-Start $msec;
    }
}
And this is what I see in my security log in Kerio Connect (10.0.0.18 is my reverse proxy):
[03/Mar/2020 15:56:42] HTTP/ActiveSync: Invalid password for user xxxxxx. Attempt from IP address 10.0.0.18.
I have verified using tcpdump, that the headers are present in the requests coming to kerio connect from my reverse proxy.

Re: Kerio connect behind reverse proxy? [message #147699 is a reply to message #147601]
Fri, 06 March 2020 11:50
vmolaev
Messages: 1 Registered: August 2017
Kerio Connect is able to detect that a connection is behind a proxy (since 9.2.11) if the following HTTP headers are present:
X-Forwarded-Proto
X-Forwarded-For
Steps to enable this:
1) Create an IP address group in Configuration -> IP Address Groups and add the subnets that contain your proxy servers
2) Update mailserver.cfg
   Table "Http", set "UseProxiedInfo" to 1
   Table "Http", set "TrustedProxyAddressGroup" to the previously created IP address group name

Re: Kerio connect behind reverse proxy? [message #147704 is a reply to message #147601]
Fri, 06 March 2020 13:58
brauner
Messages: 114 Registered: February 2010
If you have a few HTTP/HTTPS servers in your LAN that all use the same public IP address, you can use Kerio Control as a reverse proxy server - very easy.
Set your domain DNS entries, like mail.mycompany.com, bb.mycompany.com, backup.mycompany.com etc., to point to your public IP address.
If you use Kerio Control as your router, then set reverse proxy rules to forward the 80/443 traffic according to the host (for example, mail.mycompany.com > 192.168.1.4, bb.mycompany.com > 192.168.1.9....)
If you don't want to use Kerio Control as a router, configure your router to forward all 80,433 traffic to Kerio Control, and Control will do the rest. In that case, you must disable DHCP in Kerio Control and other services.
I use this configuration in my office.
-Roei

Re: Kerio connect behind reverse proxy? [message #147707 is a reply to message #147699]
Mon, 09 March 2020 08:38
MigSelv
Messages: 7 Registered: February 2020
Hi,
Thx for helping out!
I have:
#1 Stopped the kerio-connect service
#2 changed the mailserver.cfg so it now has
<variable name="UseProxiedInfo">1</variable>
<variable name="TrustedProxyAddressGroup">Proxy</variable>
and I have created a "Proxy" IP address group (this is a test environment, so the IPs are different than in my previous posts):
<listitem>
    <variable name="Name">Proxy</variable>
    <variable name="Value">192.168.1.218/255.255.255.0</variable>
    <variable name="Enabled">1</variable>
    <variable name="Desc">Proxy</variable>
    <variable name="Guid">e0960fb1-7aa3-4da7-bfa9-fca6771d65dd</variable>
    <variable name="GroupGuid">267f75df-dd79-4752-8b19-96e6019fcad5</variable>
</listitem>
#3 Started the kerio service after doing the changes
After doing these changes, I can now see the real IP address in the log files.
Why is this not documented anywhere, or mentioned in your KB article section?
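
Added example, not part of the thread and not Kerio's code: a sketch of the usual trusted-proxy rule that a setting like TrustedProxyAddressGroup implies, where X-Forwarded-For is honored only when the TCP peer is in the trusted group. It assumes the address/mask value from the post above is applied as a subnet, in which case every host in 192.168.1.0/24 counts as a proxy; the function names and sample requests are constructed for illustration.

```python
import ipaddress

def parse_group(entries):
    """Parse 'address/mask' entries (the format in the post) into networks."""
    # strict=False tolerates host bits: 192.168.1.218/255.255.255.0 -> 192.168.1.0/24
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_trusted(addr, trusted):
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
    return any(ip in net for net in trusted)

def client_ip(peer, xff, trusted):
    """Address to log: peer is the TCP source, xff the raw header or None."""
    if not xff or not is_trusted(peer, trusted):
        return peer  # header from a non-proxy peer is never believed
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Proxies append on the right, so walk right to left and stop at the
    # first address that is not one of our own proxies.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, trusted):
                return hop
        except ValueError:
            return peer  # malformed entry: fall back to the socket address
    return hops[0] if hops else peer

if __name__ == "__main__":
    wide = parse_group(["192.168.1.218/255.255.255.0"])      # value from the post
    narrow = parse_group(["192.168.1.218/255.255.255.255"])  # proxy host only (constructed)
    # Constructed requests: (TCP peer, X-Forwarded-For header)
    samples = [
        ("192.168.1.218", "203.0.113.7"),
        ("192.168.1.218", "10.9.9.9, 203.0.113.7"),
        ("192.168.1.50", "10.9.9.9"),
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->",
              client_ip(peer, xff, wide), "/", client_ip(peer, xff, narrow))
```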