Kerio connect behind reverse proxy? (Can kerio connect be configured to log IP from X-forwarded-for when behind a proxy?)
Kerio connect behind reverse proxy? [message #147601] Thu, 20 February 2020 12:04
MigSelv
Messages: 7
Registered: February 2020
Hi,

I have been searching the forum and via Google, but cannot seem to find an answer. I need to run Kerio Connect behind a reverse proxy, but still have Connect log the correct client IP in the log files. I have not been able to find any information on how to tell Connect what header (like X-Forwarded-For) to log as the IP address, so right now all connections are being logged as coming from our reverse proxy IP.

Any help is much appreciated.
Re: Kerio connect behind reverse proxy? [message #147621 is a reply to message #147601] Tue, 25 February 2020 07:51
MigSelv
Messages: 7
Registered: February 2020
Does no one know this? Are there any people from Kerio/GFI who look at this forum?
Re: Kerio connect behind reverse proxy? [message #147622 is a reply to message #147621] Tue, 25 February 2020 09:07
ian.bugeja
Messages: 666
Registered: March 2017
Location: Malta
There are, but this is a community-driven forum. For support questions, it might be easier to reach out to GFI Support.

To answer your question, what version of Kerio Connect do you have installed?


Ian Bugeja
GFI Software
Re: Kerio connect behind reverse proxy? [message #147651 is a reply to message #147622] Fri, 28 February 2020 07:11
MigSelv
Messages: 7
Registered: February 2020
Hi Ian,

I have 9.2.3 installed.

I have reached out to GFI support, but no response on my ticket yet.

Thank you.
Re: Kerio connect behind reverse proxy? [message #147659 is a reply to message #147651] Mon, 02 March 2020 09:02
simion.chis
Messages: 20
Registered: February 2014

@MigSelv,
if you receive an answer to your question, please post it here. I am interested in this subject and, if you can, what reverse proxy do you intend to use (and other details)? I have more (web) servers on the same IP and now I use port forwarding for some apps. My future plan is to go with nginx (or HAProxy?)
I hope that I'm on the right track :)

Thanks!
Re: Kerio connect behind reverse proxy? [message #147663 is a reply to message #147659] Mon, 02 March 2020 13:22
ian.bugeja
Messages: 666
Registered: March 2017
Location: Malta
Hi all

Kerio Connect 9.2.10+ should automatically detect proxy IPs and use the proper IPs. So, please upgrade.


Ian Bugeja
GFI Software
Re: Kerio connect behind reverse proxy? [message #147670 is a reply to message #147663] Mon, 02 March 2020 15:39
phl
Messages: 12
Registered: December 2012
Location: FRANCE
Hello
I use Apache ProxyPass and ProxyPassReverse

Here are my settings:
ServerName mail.domain.tld

ProxyRequests Off

SSLStrictSNIVHostCheck Off
SSLEngine on

SSLProxyEngine On
# The next three directives turn off verification of the backend's certificate
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLProxyVerify none

# My server IP address
ProxyPass / https://192.168.1.10/
ProxyPassReverse / https://192.168.1.10/
ProxyPreserveHost On

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

But be careful, it's only for an ActiveSync connection (port 443). It's not working with the other ports (993, 25, 465, 587, etc.)

In this proxy, I also have the integration of Let's Encrypt certificates
Re: Kerio connect behind reverse proxy? [message #147681 is a reply to message #147663] Tue, 03 March 2020 18:04
MigSelv
Messages: 7
Registered: February 2020
Hi,

I'm using Kerio Connect 9.2.11. Not sure where I got the 9.2.3 from.

How does Kerio Connect detect the reverse proxy IP? It must be looking for some headers; what are those, and can you customize Kerio Connect to use a specific one? I'm only interested in doing it for the webmail and ActiveSync (port 443).

I'm currently using NGINX with this setting, and Kerio Connect still reports my reverse proxy IP when using webmail and ActiveSync:
server {
	listen 443 ssl http2;
	include /etc/nginx/conf.d/ssl.conf;

	location / {
		# MyKerioConnectIP is a placeholder for the Kerio Connect backend
		proxy_pass MyKerioConnectIP;
		client_max_body_size 0;
		proxy_http_version 1.1;
		proxy_next_upstream timeout error;
		proxy_read_timeout 4000;
		proxy_set_header    Connection          "";
		proxy_set_header    X-Real-IP           $remote_addr;
		# Appends the connecting address to any X-Forwarded-For already in the request
		proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
		proxy_set_header    X-Forwarded-Proto   $scheme;
		proxy_set_header    Host                $host;
		proxy_set_header    X-Forwarded-Host    $host;
		proxy_set_header    X-Forwarded-Port    $server_port;
		proxy_set_header    X-Request-Start     $msec;
	}
}
And this is what I see in my security log in Kerio Connect (10.0.0.18 is my reverse proxy):
[03/Mar/2020 15:56:42] HTTP/ActiveSync: Invalid password for user xxxxxx. Attempt from IP address 10.0.0.18.

I have verified using tcpdump, that the headers are present in the requests coming to kerio connect from my reverse proxy.
Re: Kerio connect behind reverse proxy? [message #147694 is a reply to message #147663] Thu, 05 March 2020 21:03
MigSelv
Messages: 7
Registered: February 2020
Any inputs as to why it's not working for me using 9.2.11?

How exactly is Kerio connect detecting it's behind a proxy?
Re: Kerio connect behind reverse proxy? [message #147699 is a reply to message #147601] Fri, 06 March 2020 11:50
vmolaev
Messages: 1
Registered: August 2017
Kerio Connect is able to detect that a connection is behind a proxy (since 9.2.11) if the following HTTP headers are present:
X-Forwarded-Proto
X-Forwarded-For

Steps to enable this:
1) Create an IP address group in Configuration -> IP Address Groups and add the subnets that contain your proxy servers
2) Update mailserver.cfg
Table "Http", set "UseProxiedInfo" to 1
Table "Http", set "TrustedProxyAddressGroup" to the name of the previously created IP address group
Re: Kerio connect behind reverse proxy? [message #147704 is a reply to message #147601] Fri, 06 March 2020 13:58
brauner
Messages: 106
Registered: February 2010
If you have a few HTTP/HTTPS servers in your LAN that all use the same public IP address, you can use Kerio Control as a reverse proxy server - very easy.

Set your domain DNS entries, like mail.mycompany.com, bb.mycompany.com, backup.mycompany.com etc., to point to your public IP address.

If you use Kerio Control as your router, then set reverse proxy rules to forward the 80/443 traffic according to the host (for example, mail.mycompany.com > 192.168.1.4, bb.mycompany.com > 192.168.1.9....)

If you don't want to use Kerio Control as a router, configure your router to forward all 80,433 traffic to Kerio Control, and Control will do the rest. In that case, you must disable DHCP in Kerio Control and other services.

I use this configuration in my office.

-Roei
Re: Kerio connect behind reverse proxy? [message #147705 is a reply to message #147704] Sat, 07 March 2020 20:33
Mister-Magoo
Messages: 18
Registered: April 2005

I have tested the configuration and I can't log the real IP address, only the proxy address.
Re: Kerio connect behind reverse proxy? [message #147707 is a reply to message #147699] Mon, 09 March 2020 08:38
MigSelv
Messages: 7
Registered: February 2020
Hi,

Thx for helping out!

I have:
#1 Stopped the kerio-connect service
#2 Changed the mailserver.cfg so it now has
  <variable name="UseProxiedInfo">1</variable>
  <variable name="TrustedProxyAddressGroup">Proxy</variable>
and I have created a "Proxy" IP address group (this is a test environment, so the IPs are different than in my previous posts):
  <listitem>
    <variable name="Name">Proxy</variable>
    <variable name="Value">192.168.1.218/255.255.255.0</variable>
    <variable name="Enabled">1</variable>
    <variable name="Desc">Proxy</variable>
    <variable name="Guid">e0960fb1-7aa3-4da7-bfa9-fca6771d65dd</variable>
    <variable name="GroupGuid">267f75df-dd79-4752-8b19-96e6019fcad5</variable>
  </listitem>

#3 Started the kerio service after doing the changes

After doing these changes, I can now see the real IP address in the log files.

Why is this not documented anywhere, or mentioned in your KB article section?
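
Added example, not part of the thread and not Kerio's own logic: a sketch of how a server that honours X-Forwarded-For only from a trusted proxy group (what UseProxiedInfo and TrustedProxyAddressGroup configure) can choose the address to log. The function names, the right-to-left walk and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def parse_group_entry(value):
    """Parse an 'address/netmask' group value like the one posted above."""
    # strict=False because the posted value has host bits set (.218 with a /24 mask).
    return ipaddress.ip_network(value, strict=False)

def is_trusted(addr, trusted_nets):
    return any(addr in net for net in trusted_nets)

def address_to_log(peer, xff, trusted_nets):
    """peer: TCP source address; xff: X-Forwarded-For header value or None."""
    current = ipaddress.ip_address(peer)
    if not is_trusted(current, trusted_nets):
        return str(current)      # header sent by an untrusted peer is ignored
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # nginx's $proxy_add_x_forwarded_for appends the peer it saw, so entries
    # written by trusted proxies are on the right; the rest is client-supplied.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                # malformed entry: keep the last verified address
        current = addr
        if not is_trusted(addr, trusted_nets):
            break                # first address that is not one of our proxies
    return str(current)

# Constructed sample data; the group value is the one quoted in the post above.
POSTED_GROUP = [parse_group_entry("192.168.1.218/255.255.255.0")]
SINGLE_HOST = [ipaddress.ip_network("192.168.1.218/32")]

if __name__ == "__main__":
    cases = [
        ("192.168.1.218", "203.0.113.7", POSTED_GROUP),            # via the proxy
        ("198.51.100.9", "203.0.113.7", POSTED_GROUP),             # direct, header ignored
        ("192.168.1.218", "10.9.9.9, 203.0.113.7", POSTED_GROUP),  # client-supplied prefix
        ("192.168.1.50", "203.0.113.7", POSTED_GROUP),             # any host in the /24
        ("192.168.1.50", "203.0.113.7", SINGLE_HOST),              # only the proxy itself
    ]
    for peer, xff, nets in cases:
        print(peer, "|", xff, "->", address_to_log(peer, xff, nets))
```

Read as address/netmask, the posted group value covers all of 192.168.1.0/24, so in this sketch any host on that subnet is believed when it sends the header; a group holding only the proxy's own address narrows that trust.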
Re: Kerio connect behind reverse proxy? [message #147710 is a reply to message #147601] Mon, 09 March 2020 11:11
zva
Messages: 1
Registered: March 2020
It works for me also. Thanks. Now all my logs are OK.

Only the active connection list in web admin still shows the proxy IP.

Z
Re: Kerio connect behind reverse proxy? [message #147721 is a reply to message #147710] Mon, 09 March 2020 21:22
Mister-Magoo
Messages: 18
Registered: April 2005

Thank you, it's working for me also. Now Kerio, can you display the real IP in active connection ...