NginX reverse proxy with iRedMail Apache2

Posted on April 15, 2014

On an empty VPS hosting (Ubuntu 13.10 x64), I managed to run the base iRedMail installation with Apache2 and LDAP and my roundcubemail was accessible at:
https://www.mydomain.com/mail

Then I installed NginX, shut down Apache2, reconfigured iRedMail (without adding any extra A record in the DNS entry) and managed to run it on NginX base installation as well with roundcubemail accessible at:
https://mail.mydomain.com

Now, I want to run NginX reverse proxy with the base iRedMail Apache2 installation with roundcubemail accessible at:
https://mail.mydomain.com
and I’m kinda stuck with the following Apache2 config files:
/etc/apache2/ports.conf

```
Listen 8080
```

/etc/apache2/sites-available/my-iredmail.conf

```
<VirtualHost *:8080>
    DocumentRoot /var/www/
    ServerName mail.mydomain.com

    Alias / "/usr/share/apache2/roundcubemail/"
    <Directory "/usr/share/apache2/roundcubemail">
        Options Indexes FollowSymlinks MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

and following NginX config file:

/etc/nginx/sites-available/default

```
server {
    listen 80 default_server;
    listen [::]:80;

    root /usr/share/nginx/html;
    index index.html index.htm index.php;
    server_name mydomain.com www.mydomain.com mail.mydomain.com;
    location / {
            try_files $uri $uri/ /index.html;
    }
    location ~ \.php$ {
            proxy_set_header X-Real-IP  $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header Host $host;
            proxy_pass http://127.0.0.1:8080/;
    }
    location ~ /\.ht {
            deny all;
    }

}

server {
    listen 443 ssl;

    root /var/www;
    index index.html index.htm index.php;
    server_name mydomain.com www.mydomain.com mail.mydomain.com;
    ssl                  on;
    ssl_certificate      /etc/ssl/certs/iRedMail_CA.pem;
    ssl_certificate_key  /etc/ssl/private/iRedMail.key;
    ssl_session_timeout  5m;
    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;
    location / {
            # Apache is listening here
            proxy_pass http://127.0.0.1:8080/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

}
```

Hitting in browser:
https://mail.mydomain.com gives the usual SSL Connection Error.
Kindly advise.




Check nginx’s error logs, it usually says what the error with the certificate is:

```
tail -15 /var/log/nginx/error.log
```

Make sure these paths are correct:

```
ssl_certificate /etc/ssl/certs/iRedMail_CA.pem;
ssl_certificate_key /etc/ssl/private/iRedMail.key;
```

I’m not sure if iRedMail_CA.pem is the proper file – what other files are in `/etc/ssl/certs`?

Could you post any error messages that you are seeing in /var/log/nginx/error.log or /var/log/apache/error.log?

The paths to ssl_certificate and ssl_certificate_key are correct but this path wasn’t accessible from my current_user.
Since I installed iRedMail from root user and NginX from my current_user, I made current_user chown /etc/ssl.
Do I need to make any modifications to permissions of www-data web server user as well?

/etc/ssl/certs has tons of Verisign, StartCom etc. symlinks to /usr/share/ca-certificates/mozilla/xxxx-yyyy.crt files

/var/log/nginx/error.log is:

```
2014/04/15 20:43:31 [emerg] 26997#0: "proxy_pass" cannot have URI part in location given by regular expression, or inside named location, or inside "if" statement, or inside "limit_except" block in /etc/nginx/sites-enabled/default:37
```

/var/log/apache2/error.log is:

```
[Tue Apr 15 20:43:40.712133 2014] [mpm_prefork:notice] [pid 20325] AH00169: caught SIGTERM, shutting down
[Tue Apr 15 20:43:42.030066 2014] [mpm_prefork:notice] [pid 27041] AH00163: Apache/2.4.6 (Ubuntu) OpenSSL/1.0.1e mod_wsgi/3.4 Python/2.7.5+ configured – resuming normal operations
[Tue Apr 15 20:43:42.030265 2014] [core:notice] [pid 27041] AH00094: Command line: '/usr/sbin/apache2'
```
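
Added example, not part of the thread and not iRedMail's own configuration: the two server blocks from the question with the URI part removed from `proxy_pass` in the regex location, which is what the `[emerg]` log line reports, and with the SSLv2/SSLv3 protocols and export/low-grade ciphers replaced. It keeps the host names, backend port and certificate paths from the question and assumes the installed nginx/OpenSSL build supports TLS 1.2.

```nginx
# Added example: corrected form of the server blocks posted in the question.
# Host names, backend port and certificate paths are copied from the question.
server {
    listen 80 default_server;
    listen [::]:80;
    server_name mydomain.com www.mydomain.com mail.mydomain.com;
    root  /usr/share/nginx/html;
    index index.html index.htm index.php;

    location / {
        try_files $uri $uri/ /index.html;
    }

    location ~ \.php$ {
        # was: proxy_pass http://127.0.0.1:8080/;
        # A regex location cannot take a URI part (the trailing "/");
        # that is the [emerg] error in the log above.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location ~ /\.ht {
        deny all;
    }
}

server {
    listen 443 ssl;          # makes the separate "ssl on;" line unnecessary
    server_name mydomain.com www.mydomain.com mail.mydomain.com;
    ssl_certificate     /etc/ssl/certs/iRedMail_CA.pem;
    ssl_certificate_key /etc/ssl/private/iRedMail.key;
    ssl_session_timeout 5m;

    # was: ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_protocols TLSv1.2;   # assumption: this nginx/OpenSSL build supports TLS 1.2
    # was: ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        # Apache is listening here; a URI part is allowed in a prefix location
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Run `nginx -t` after editing to confirm the file parses before reloading. When nginx is started as root, the master process reads the key before the workers drop privileges, so the key file does not need to be owned by a login user.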
