Hi Rob,

 

Yeah, that makes sense. Not too familiar with reverse proxy setups myself, but 
this page struck me as helpful:

 

https://serverfault.com/questions/1105912/apache-2-4-reverse-proxy-forward-credentials-basic-auth

 

 

 

Von: users-requ...@sogo.nu <users-requ...@sogo.nu> Im Auftrag von "Robert 
Himics"
Gesendet: Montag, 5. Februar 2024 03:39
An: users@sogo.nu
Cc: r...@himicsfamily.com
Betreff: RE: [SOGo] Activesync Error

 

Thanks for the Help So Far - I believe I'm getting very close to having 
ActiveSync working. I have validated the apache sogo.conf File on My internal 
SOGo Groupware Server against what Raoul Schroeder Provided.

As a Recap -- This is what I have 

An Internet Facing Apache 2.4 Server which Proxies to a separate SOGo groupware 
server. (I intend to have a few Different Domains Connecting to the Internal 
SOGo Groupware.)

This is what I see in the Apache Log File

101.11.11.179 - - [04/Feb/2024:21:05:31 -0500] "OPTIONS 
/Microsoft-Server-ActiveSync/ HTTP/1.1" 401 381
[Sun Feb 04 21:05:31.249762 2024] [authn_file:error] [pid 8073:tid 8242] 
[client 101.11.11.179:48450] AH01619: AuthUserFile not specified in the 
configuration
101.11.11.179 - u...@domain.com [04/Feb/2024:21:05:31 -0500] "OPTIONS /Microsoft-Server-ActiveSync/ HTTP/1.1" 500 533

I believe I'm having an issue with the validation of the user credentials: the 
Internal Apache Server is Blocking the access, and the request is not getting 
to the Internal SOGo Groupware Server.

Green Highlighted Section may be the issue 

Below are the Two Apache Server's configuration files for SOGo

======================================================================================================

Internet Facing Apache 2.4 Server has the Following:

======================================================================================================

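# Values handed to SOGo so it can build absolute URLs for the public site.
RequestHeader set "x-webobjects-server-port" "443"

RequestHeader set "x-webobjects-server-name" "katherineangela.com"
# NOTE(review): the port above is 443 but this URL uses the http scheme, while
# the <Location> block below sets an https URL - confirm which one is intended.
RequestHeader set "x-webobjects-server-url" "http://katherineangela.com"

## Proxy Additions to enable access to Internal Mail Svr Web Client (SOGo)

Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"

SetEnv proxy-nokeepalive 1
#SetEnv proxy-initial-not-pooled 1

SSLProxyEngine On
# Reverse proxy only: with ProxyRequests Off this host does not act as a
# forward proxy; only the ProxyPass mappings are served.
ProxyRequests Off
ProxyPreserveHost On
ProxyTimeout 720
# "Full" adds the httpd version to the Via header; "On" would omit the version.
ProxyVia Full

# These four settings switch off every check of the backend's TLS certificate
# (chain, CN, name, expiry), so the hop to the internal server is encrypted
# but the backend is not authenticated. The client's Authorization header is
# forwarded over this hop. To authenticate the backend, use
# "SSLProxyVerify require" with SSLProxyCACertificateFile pointing at the CA
# that issued the internal certificate, and turn the peer checks back on.
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

CheckSpelling on

# Normalise the Transfer-Encoding value's casing before other processing, and
# ask the backend for uncompressed responses.
RequestHeader edit Transfer-Encoding Chunked chunked early
RequestHeader unset Accept-Encoding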

 

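    # Public ActiveSync endpoint; requests are relayed over TLS to the internal server.
    <Location /Microsoft-Server-ActiveSync>
       ProxyPass https://vmailsvrint.domain.net/Microsoft-Server-ActiveSync acquire=3000 retry=60 connectiontimeout=600 timeout=4000
       ProxyPassReverse https://vmailsvrint.domain.net/Microsoft-Server-ActiveSync
       # Refuse plain-HTTP requests on this path, where clients authenticate.
       SSLRequireSSL
       AllowMethods GET POST OPTIONS

       #Require all granted  ## May Not be needed
       Header setifempty MS-Server-ActiveSync "2.5,12.0,12.1,14.0,14.1"
       Header setifempty MS-ASProtocolVersions "2.5,12.0,12.1,14.0,14.1"

       <IfModule headers_module>
         RequestHeader set "x-webobjects-server-port" "443"
         # Server name and URL are derived from the client's Host header.
         SetEnvIf Host (.*) HTTP_HOST=$1
         RequestHeader set "x-webobjects-server-name" "%{HTTP_HOST}e" env=HTTP_HOST
         RequestHeader set "x-webobjects-server-url" "https://%{HTTP_HOST}e" env=HTTP_HOST

         # Drop any x-webobjects-remote-user sent by the client so it cannot
         # reach SOGo from the Internet; per the SOGo sample comments this
         # header is what proxy-side authentication (SOGoTrustProxyAuthentication)
         # relies on.
         RequestHeader unset "x-webobjects-remote-user"

         RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
       </IfModule>

    </Location>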

======================================================================================================

Internal Apache 2.4 Server has the Following:

======================================================================================================

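# Static SOGo web resources are served from disk by this Apache, not proxied.
Alias /SOGo.woa/WebServerResources/ \
      /usr/lib64/GNUstep/SOGo/WebServerResources/
Alias /SOGo/WebServerResources/ \
      /usr/lib64/GNUstep/SOGo/WebServerResources/

<Directory /usr/lib64/GNUstep/SOGo/>
    # .htaccess files under this tree are ignored.
    AllowOverride None

    # Open access, written in whichever syntax the running httpd version uses.
    <IfVersion < 2.4>
        Order deny,allow
        Allow from all
    </IfVersion>
    <IfVersion >= 2.4>
        Require all granted
    </IfVersion>

    # Explicitly allow caching of static content to avoid browser specific behavior.
    # A resource's URL MUST change in order to have the client load the new version.
    <IfModule expires_module>
      ExpiresActive On
      ExpiresDefault "access plus 1 year"
    </IfModule>
</Directory>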

# Don't send the Referer header for cross-origin requests, so SOGo URLs are
# not disclosed to other sites through links. "always" also covers error responses.
Header always set Referrer-Policy "same-origin"

<Location /SOGo>
  # Don't cache dynamic content: no-store asks browsers and intermediaries not
  # to keep a copy of responses served under /SOGo.
  Header set Cache-Control "max-age=0, no-cache, no-store"
</Location>

## Uncomment the following to enable proxy-side authentication, you will then
## need to set the "SOGoTrustProxyAuthentication" SOGo user default to YES and
## adjust the "x-webobjects-remote-user" proxy header in the "Proxy" section
## below.
#
## For full proxy-side authentication:
#<Location /SOGo>
#  AuthName "SOGo"
#  AuthType Basic
#  Require valid-user
#  SetEnv proxy-nokeepalive 1
#  Allow from all
#</Location>
#

## For proxy-side authentication only for CardDAV and GroupDAV from external
## clients:
#<Location /SOGo/dav>
#  AuthType XXX
#  Require valid-user
#  SetEnv proxy-nokeepalive 1
#  Allow from all
#</Location>

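# Reverse proxy only: no forward proxying, and the client's Host header is
# passed to the backend unchanged.
ProxyRequests Off
ProxyPreserveHost On
SetEnv proxy-nokeepalive 1

# Uncomment the following lines if you experience "Bad gateway" errors with mod_proxy
SetEnv proxy-initial-not-pooled 1
SetEnv force-proxy-request-1.0 1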

# When using CAS, you should uncomment this and install cas-proxy-validate.py
# in /usr/lib64/cgi-bin to reduce server overloading
#
# ProxyPass /SOGo/casProxy http://localhost/cgi-bin/cas-proxy-validate.py
# <Proxy http://localhost/app/cas-proxy-validate.py>
#   Order deny,allow
#   Allow from your-cas-host-addr
# </Proxy>

# Redirect / to /SOGo
#RedirectMatch ^/$ https://vmailsvrint.familyhome.net/SOGo

# Enable to use Microsoft ActiveSync support
# Note that you MUST have many sogod workers to use ActiveSync.
# See the SOGo Installation and Configuration guide for more details.
#

<Location /Microsoft-Server-ActiveSync>
  #Require all granted ## May not be needed
  AllowMethods GET POST OPTIONS

  # AuthType Basic + Require valid-user make this Apache check the credentials
  # itself, but no AuthUserFile or AuthBasicProvider is set in this block.
  # That matches the AH01619 "AuthUserFile not specified" error and the 500 in
  # the log excerpt above; the request apparently fails here before it is
  # proxied to sogod.
  # NOTE(review): either configure a provider for proxy-side authentication
  # (together with SOGoTrustProxyAuthentication and the
  # x-webobjects-remote-user header, as the sample comments describe), or
  # remove these three directives so SOGo validates the forwarded
  # Authorization header itself - confirm which model is intended.
  AuthName "SOGo"
  AuthType Basic
  Require valid-user
  SetEnv proxy-nokeepalive 1
  # "Allow from all" is the pre-2.4 access syntax (needs mod_access_compat).
  # NOTE(review): it is mixed with Require in the same block - confirm it is needed.
  Allow from all

</Location>

 

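# Hand ActiveSync and web requests to the sogod listener on the loopback
# interface. The long timeout on the ActiveSync mapping leaves room for
# requests that stay open for a long time.
ProxyPass /Microsoft-Server-ActiveSync \
  http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \
  retry=60 connectiontimeout=5 timeout=3600 Keepalive=On

# nocanon passes the request path to the backend without canonicalising it.
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0 nocanon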

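<Proxy http://127.0.0.1:20000/SOGo>
## Adjust the following to your configuration
## and make sure to enable the headers module
  <IfModule headers_module>
    RequestHeader set "x-webobjects-server-port" "443"
    # Server name and URL are taken from the request's Host header.
    # NOTE(review): SOGo builds URLs from these values - confirm that only the
    # intended host names can reach this virtual host.
    SetEnvIf Host (.*) HTTP_HOST=$1
    RequestHeader set "x-webobjects-server-name" "%{HTTP_HOST}e" env=HTTP_HOST
    RequestHeader set "x-webobjects-server-url" "https://%{HTTP_HOST}e" env=HTTP_HOST

## When using proxy-side authentication, you need to uncomment and
## adjust the following line:
    # Keep the unset in place: it removes any x-webobjects-remote-user value
    # supplied by the client before the request reaches sogod. With proxy-side
    # authentication the header should only ever be set from REMOTE_USER, as
    # in the commented line below.
    RequestHeader unset "x-webobjects-remote-user"
#    RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e" env=REMOTE_USER

    RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
  </IfModule>

  AddDefaultCharset UTF-8

  # Pre-2.4 access syntax (needs mod_access_compat on Apache 2.4).
  Order allow,deny
  Allow from all
</Proxy>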

# For Apple autoconfiguration: send the well-known CalDAV/CardDAV discovery
# paths to /SOGo/dav with a permanent (301) redirect.
<IfModule rewrite_module>
  RewriteEngine On
  RewriteRule ^/.well-known/caldav/?$ /SOGo/dav [R=301]
  RewriteRule ^/.well-known/carddav/?$ /SOGo/dav [R=301]
</IfModule>

 

Rob Himics

r...@himicsfamily.com <mailto:r...@himicsfamily.com> 
