mailu + nginx reverse proxy: 502 error (tls invalid response) #2720
Comments
|
certbot uses port 80 in standalone mode to get the certificate; your reverse-proxy configuration is breaking it by redirecting to the HTTPS handler. Reverse-proxy both to Mailu and it will work. It is arguable whether Mailu/core/nginx/conf/nginx.conf Line 156 in 1b7de12 |
2 tasks
bors bot
added a commit
that referenced
this issue
Apr 12, 2023
2767: Fix #2720: make letsencrypt work when reverse proxies are misconfigured r=mergify[bot] a=nextgens ## What type of PR? bug-fix ## What does this PR do? Letsencrypt only works if port 80 is reachable. Users behind reverse-proxies don't read instructions... this makes the common misconfiguration work too. ### Related issue(s) - closes #2720 - closes #2766 ## Prerequisites Before we can consider review and merge, please make sure the following list is done and checked. If an entry in not applicable, you can check it or remove it from the list. - [ ] In case of feature or enhancement: documentation updated accordingly - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file. Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
|
Update to 2.0.5, that will fix it without any configuration change. |
bors bot
added a commit
that referenced
this issue
Apr 12, 2023
2768: Fix #2720: make letsencrypt work when reverse proxies are misconfigured (backport #2767) r=mergify[bot] a=mergify[bot] This is an automatic backport of pull request #2767 done by [Mergify](https://mergify.com). --- <details> <summary>Mergify commands and options</summary> <br /> More conditions and actions can be found in the [documentation](https://docs.mergify.com/). You can also trigger Mergify actions by commenting on this pull request: - ``@Mergifyio` refresh` will re-evaluate the rules - ``@Mergifyio` rebase` will rebase this PR on its base branch - ``@Mergifyio` update` will merge the base branch into this PR - ``@Mergifyio` backport <destination>` will backport this PR on `<destination>` branch Additionally, on Mergify [dashboard](https://dashboard.mergify.com) you can: - look at your merge queues - generate the Mergify configuration with the config editor. Finally, you can contact us on https://mergify.com </details> Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
AliKhadivi
added a commit
to AliKhadivi/Mailu
that referenced
this issue
Aug 2, 2023
* Update tests/compose/test.py Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com> * Update docs/cli.rst Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com> * Update tests/compose/test.py Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com> * Update docs/cli.rst Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com> * Update docs/cli.rst Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com> * Czech translation Czech translation * Update messages.po * Apply DEFAULT_QUOTA to user creation admin ui page * Fix UserForm of Admin UI * Fix updating the default quota_bytes in the form * Fix user create form * Change rspamd override system to use include with lowest priority. All override files are used as if they were placed in the rspamd local.d folder. From the newsfragment: New override system for Rspamd. In the old system, all files were placed in the Rspamd overrides folder. These overrides would override everything, including the Mailu Rspamd config. Now overrides are placed in /overrides. If you use your own map files, change the location to /override/myMapFile.map in the corresponding conf file. It works as following. * If the override file overrides a Mailu defined config file, it will be included in the Mailu config file with lowest priority. It will merge with existing sections. * If the override file does not override a Mailu defined config file, then the file will be placed in the rspamd local.d folder. It will merge with existing sections. For more information, see the description of the local.d folder on the rspamd website: https://www.rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories * Fix some small errors * bring back removed blank lines * fix Mailu#2693 * fixes suggested by diman0 * Maybe fix the tests * the space may or may not exist * Renumber and clarify * Add changelog entry for PR2676 * Introduce AUTH_PROXY_LOGOUT_URL * Make the login page guess where to redirect * Fix 2692: make the external auth proxy usable * doh * Make it work for /admin/antispam too * Handle WEBROOT_REDIRECT better * Set snappymail autologout time according to PERMANENT_SESSION_LIFETIME closes Mailu#2680 * Upgrade snappymail to v2.26.4 * Fix broken link. Add extra clarification for login targets. * Paranoia: drop the headers we don't use * Check https://attackshipsonfi.re/p/exploiting-cors-misconfigurations out * Switch the container registry used for deploying images from docker to ghcr.io (github). Images are now first build with '-build' appended to the tag. E.g. ghcr.io/mailu/admin:master-build. This is to prevent the image being available before automatic testing has completed. In the deploy job, the final image is pushed (this still works the same). Update setup & documentation for switch to ghcr.io * Add changelog entry. * Add missing () * Extend roundcube's session lifetime * Fix typo and wording in faq.rst * Update changelog with extra info. * Fix build.hcl / CI.yml regarding labels The version label and versions passed to docs image were based on the tag. Now we first build the images with -build appended to the tag, we cannot use the tag as version label. A new env var is introduced to pass the version to the build.hcl file. This will be used to set the VERSION label in the image, and pass as build arguments to the docs image. * Proxy endpoint was checking real client ip instead of proxy ip for validating PROXY_AUTH_WHITELIST * Add fallback just in case X-Forwarded-By is empty. * Add fix for wrong redirect in proxy scenario and accessing WEBROOT_REDIRECT * Fix a typo. * Fix error in check for proxy scenario * Don't use the header when we don't need it. * Provide a changelog for minor releases. The github release will now: * Provide the changelog message from the newsfragment of the PR that triggered the backport. * Provide a github link to the PR/issue of the PR that was backported. Switch to building multi-arch images. The images build for pull requests, master and production are now multi-arch images for the architectures: * linux/amd64 * linux/arm64/v8 * linux/arm/v7 Enhance CI/CD workflow with retry functionality. All steps for building images are now automatically retried. If a build temporarily fails due to a network error, the retried step will still succeed. * Forgot to change the target. * Also forgot the --push argument. * Prevent creation of unknown/unknown arch. Set more forgiving timeouts for scenario where image is build without cache. Set better readable tags. * Update docs/compose/requirements.rst * Update docs/compose/requirements.rst * Update docs/setup.rst * Update docs/setup.rst * Update setup.rst * Introduce connection string (database url) for roundcube. Remove database choice from setup. Remove the old *DB_* database env variables from the documentation. The env vars are deprecated now. They will be removed after the upcoming Mailu release. * Sigh. Forgot to actually save the modified requirements-dev.txt file. Remove the pinned version for requirements for dev. The blocking issue is resolved, so no need to pin the old version. * Rephrase the doc * Make sure that the arm build also uses build-cache. Remove the step of building the base image. This is not required. when it is build for the first time for an image, it will be part of the build cache of that image. * Fix a later/latter typo * nginx: Allow http and/or mail servers to accept the PROXY protocol See Mailu#2300 for the initial proposal * nginx: fix proxy settings when PROXY protocol is used Tested-By: Didier Raboud <odyx@raksha.ch> * nginx with PROXY protocol; much stronger wording * nginx behind proxy: attackers are not only men * nginx with PROXY protocol for mail; only set_real_ip_from in 'all' and 'mail' alternatives * l10n fr: fix Relayed domains' plural * l10n fr: add DNS TLS and autoconfig translations * l10n fr: uppercase accented 'status' * nginx behind proxy: provide a healthcheck for localhost over port 10204 * nginx with proxy protocol: clarify documentation * Mirror alpine image to ghcr.io/mailu docker org to prevent docker pull rate limit. Use mirrored ghcr.io/mailu/alpine image as base image. * Adapt mirror.yml that it can only be run manually When starting it manually, you can provide the tag that must be synchronised * Update instructions for syncing alpine image * Fix access to radicale * Remove not needed mailu.env file. * Only account for distinct attempts in rate limits * should never happen but heh * Ensure we always ask for the existing password before allowing a change * resets don't need the current password * This won't work * LOG_DRIVER just doesn't work * Update core/admin/mailu/limiter.py Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com> * s/docker-/mailu-/g * No need for that * Initial changes for Mailu 2.0 release * Update releases.rst * Update releases.rst * Make the journald container tag changes consistent * Fix doc * Process latest towncrier entries into changelog.md * doh * fix bug * Clarify * Clarify * Don't rate-limit port 25, ever. * Update dependencies with CVEs * Fix unmet dependency * Further improve releases.rst * Newsfragment for releasing Mailu 2.0 * Fix tag-release step in workflow which prevented github releases from being created automatically. Cause was that a specific method is required for assigning multi-line strings in github workflow files: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings * Improve releases.rst. Add extra links to relevant sections in documentation. Add example of using the new override location for rspamd. Add clarification in rspamd section for rspamd override change and new autoconfig.* endpoint * Update releases.rst * Add reminder to configure mta-sts * Use intermediate images for CI workflow First the base and assets images are build and pushed to ghcr.io. After that all main images are build. These images use the previously build base/assets image by pulling it from ghcr.io. * Forgot to update the hcl file to the new build-ci.hcl file * Add release note for PR 2748 * Fix config-import. Config with dkim key could not be imported. * Add test to show it's broken * Fix it * maybe fix eval * fix 2757 * review * Unique exit codes * Fix Mailu#2720 * Fix Mailu#2766 * Sanitize logs as appropriate * fix Mailu#2764 * Always exempt app-tokens from rate limits * doh * ratelimit: ensure we hit the ip-ratelimit on unsuccesful attempts against a valid account * Make it happen post-deduplication * Whitelist all mailso* stream types in snuffleupagus for snappymail For attachment download in snappymail to work, at least mailsoliteral is needed. The additionally used stream types (from looking at the snappymail source) have also been added, to ensure compatability with whatever feature might rely on them …. * adapted to v2 release and a docker change - v2 changed the path - docker deprecated/removed the scale command, you have to do it like this now * Update antispam.rst shorter variant (scale isn't needed as there's only 1 at a time anyway) * Implement managesieve support * add tests * LD_PRELOAD may not be in ENV * Try to do the same for ARM64, log a message if we do * warning is enough * Remove another useless message * Add health-check * tweak-logs * Make it generic. Should we implement TARPIT? * maybe fix healthcheck * Ensure we log rport * Send rport too * Fix logs in the SMTP container * dovecot is creating zombies * Simplify the health-check * fix Mailu#2139 * COMPRESSION_LEVEL too * as requested in review * noticket * Deal with certwatcher too * Fix roundcube's spellchecker * Document in the FAQ * typo * Another typo * doh * grmll. * Fix typo * Fix2805 * Improve auth-related logging * change healtcheck again * Add this endpoint back too * Make webmails use a different port without proxy protocol * Need this too * Update version to 2.+ in release template * Rename as requested by reviewer * review * add token.comment too * Update nginx.py Doh * Update nginx.py Fix typo * quote the comments * Don't send ooo messages to noreply@ * update docs * Note ports that need to be open in the firewall The primary purpose of this change is to include the keyword "firwall" because when I went to open up ports in my network security group I expected a search for "firewall" in the docs to instantly bring this information up, but it didn't. * Authentication failed for email clients when the password contained a non latin-1 character. * Also url encode the password when authentication fails * Get the password from the source. Remove password from response (not needed) * Retrieve raw password on the correct location * Update 05_connectivity test to use UTF8 password. * Update core/admin/mailu/internal/views/auth.py * Ensure we log which account is invalid * Fix the bug @ghost has reported * Use dovecot-proxy where appropriate * Add doc for DEFAULT_QUOTA * Allow multiple IP addresses/networks to be set for tokens * add migration * bugfix for dovecot-proxy * bugfix for dovecot-proxy * newsfragment * increase the number of postfix workers * Document that the default config for netplan is broken * Add a clue * Fix issue Mailu#2811. Clamav Healthcheck created zombie processes --------- Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com> Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com> Co-authored-by: bors[bot] <26634292+bors[bot]@users.noreply.github.com> Co-authored-by: score <seejay.11@gmail.com> Co-authored-by: Florent Daigniere <nextgens@freenetproject.org> Co-authored-by: S474N <S474N@users.noreply.github.com> Co-authored-by: PM Extra <pm@jubeat.net> Co-authored-by: Dimitri Huisman <diman@huisman.xyz> Co-authored-by: Dario Ernst <dario@kanojo.de> Co-authored-by: Dimitri Huisman <52963853+Diman0@users.noreply.github.com> Co-authored-by: Didier 'OdyX' Raboud <odyx@raksha.ch> Co-authored-by: Didier Raboud <odyx@debian.org> Co-authored-by: Dario Ernst <dario.ernst@rommelag.com> Co-authored-by: elandorr <56206745+elandorr@users.noreply.github.com> Co-authored-by: AJ Jordan <alex@strugee.net>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Environment & Version
Environment
Version
1.9Description
i set up mailu using the mailu setup utility and configured nginx to act as a reverse proxy with an ssl certificate provided by certbot. however, attempting to access webmail gives me a 502 error
Replication Steps
docker-compose.yml:mailu.env:/etc/nginx/sites-enabled/mailu:Observed behaviour
i am unable to access the webmail ui via mail.my.domain/webmail; it returns a 502 error
Expected behaviour
i should be able to access the webmail ui
Logs
The text was updated successfully, but these errors were encountered: