
I cannot make a connection from my dockerized Apache2.4 to the mailcow-dockerized web front-end. The particular Apache error is:

Connection refused: AH00957: HTTPS: attempt to connect to 127.0.0.1:8443 (127.0.0.1) failed

We have two docker-compose files: 1. Mailcow (mailcow-dockerized), 2. apache-letsencrypt (enoniccloud/apache2-letsencrypt image)

We want: to use Apache 2.4 as a reverse proxy for the mailcow-dockerized web front-end, and also as the web server for a website.

Additional info: the Mailcow front-end can be reached when Apache 2.4 is not up and the bindings in its config are set to the defaults.

Docker-Compose apache-letsencrypt container:

version: '2.1'
services:
  apache2:
    build: apache2
    hostname: root.yyy.com
    restart: always
    volumes_from:
      - letsencryptstore
    volumes:
      - /var/www/html:/var/www/html
    ports:
      - "80:80"
      - "443:443"
    expose:
      - "8080"
      - "8443"
    environment:
      LETS_ENCRYPT_EMAIL: "xyz@yahoo.de"
      LETS_ENCRYPT_DOMAINS: "root.yyy.com,mail2.yyy.com"
    labels:
      io.enonic.backup.data: "/etc/letsencrypt,/var/lib/letsencrypt"
    networks:
      - mailcowdockerized_mailcow-network
  letsencryptstore:
    image: busybox
    volumes:
      - "/etc/letsencrypt"
      - "/var/lib/letsencrypt"

networks:
  mailcowdockerized_mailcow-network:
    external: true

Apache config:

<VirtualHost *:80>
    ServerName root.yyy.com
    DocumentRoot /var/www/html/

    RewriteEngine on
    RewriteRule ^/(.*) https://root.yyy.com/$1 [L,R=301]

</VirtualHost>

<VirtualHost *:80>
    ServerName mail2.yyy.com
    RewriteEngine on
    RewriteRule ^/(.*) https://mail2.yyy.com/$1 [L,R=301]
</VirtualHost>

<VirtualHost *:443>
    ServerName mail2.yyy.com
    ServerAlias autodiscover.mail2.yyy.com
    ServerAlias autoconfig.mail2.yyy.com

    # You should proxy to a plain HTTP session to offload SSL processing
    ProxyPass / https://127.0.0.1:8443/
    ProxyPassReverse / https://127.0.0.1:8443/

    ProxyPreserveHost On
    ProxyAddHeaders On

    # This header does not need to be set when using http
    RequestHeader set X-Forwarded-Proto "https"

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/certs/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/certs/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/certs/chain.pem

    RequestHeader set X-Forwarded-Proto "https"
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

<VirtualHost *:443>
    ServerName root.yyy.com
    DocumentRoot /var/www/html/
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/certs/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/certs/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/certs/chain.pem

    RequestHeader set X-Forwarded-Proto "https"
    Header always set Strict-Transport-Security "max-age=15768000"

</VirtualHost>

SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

Mailcow-Config:

# ------------------------------
# mailcow web ui configuration
# ------------------------------
# example.org is _not_ a valid hostname, use a fqdn here.
# Default admin user is "admin"
# Default password is "moohoo"
MAILCOW_HOSTNAME=mail2.yyy.com

# ------------------------------
# SQL database configuration
# ------------------------------
DBNAME=mailcow
DBUSER=mailcow

# Please use long, random alphanumeric strings (A-Za-z0-9)
DBPASS=RdnvlN1CXSAHA98CVz4sYUgfrMuF
DBROOT=Ve91gtedyLa8xGJf6sXNmMcNzFUp

# ------------------------------
# HTTP/S Bindings
# ------------------------------

# You should use HTTPS, but in case of SSL offloaded reverse proxies:
HTTP_PORT=8080
HTTP_BIND=127.0.0.1

HTTPS_PORT=8443
HTTPS_BIND=127.0.0.1

Rest of the config is default.

Apache mods proxy, proxy_balancer and proxy_http are enabled.

Help would be much appreciated :)

Eiden

1 Answer


I have Mailcow Nginx dockerized installed on my Ubuntu 16 web server.

The only difference I have from your setup is the HTTP_BIND IPs. Mine look like:

HTTP_PORT=8080
HTTP_BIND=0.0.0.0

HTTPS_PORT=8443
HTTPS_BIND=0.0.0.0

I have only set the binds to 0.0.0.0 so I can access my mail server through port 8080 or 8443 from any IP in case my Apache web server is down.

mail.domain.com-le-ssl.conf [generated by Let's Encrypt]

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName mail.example.com

    ProxyPass / http://example.com:8080/

    ProxyPreserveHost On

    SSLCertificateFile /etc/letsencrypt/live/mail.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mail.example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

My apache2 virtual host config for the reverse proxy: mail.example.com.conf

<VirtualHost *:80>
    ServerName mail.example.com

    ProxyPass / http://example.com:8080/

    ProxyPreserveHost On

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =mail.example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Please note that my original apache2 config file is:

<VirtualHost *:80>
    ServerName mail.example.com

    ProxyPass / http://example.com:8080/

    ProxyPreserveHost On

</VirtualHost>

because I don't really need SSL encryption between Apache and Nginx; the rewrite rule was added when I installed the Let's Encrypt certificate for mail.example.com on the Apache mail server.

I like and only use the SOGo web client, so I don't need a mail SSL certificate. If you are going to use an external mail client, then you may want to consider pointing your Mailcow SSL certificate files to the files created by Let's Encrypt for apache2.

In other words: [me]---ssl:443--->[mail.example.com]--local-->http://example.com:8080/

Maybe I could achieve the same result if I set my BIND address like yours, and it should be more secure.

Maybe http://localhost.com:8080/ will also work.

I'm sure my setup is vulnerable; this is my first try.

Please let me know if you need any info about my setup.

These are the tutorials and documentation I followed to get this running.

https://www.digitalocean.com/community/tutorials/how-to-use-apache-as-a-reverse-proxy-with-mod_proxy-on-ubuntu-16-04

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-16-04

https://mailcow.github.io/mailcow-dockerized-docs/firststeps-rp/

https://www.youtube.com/watch?v=VsiYowuiT6A&t=389s

https://www.youtube.com/watch?v=A3Prx_2YEm8&t=62s

Sef Eiba
  • Hey, I am trying something very similar. My box is running Debian 9 with apache2 (also using Let's Encrypt, which auto-redirects from http to https), serving a couple of services like owncloud (`mydomain.com/owncloud`) and some static content (`mydomain.com/files`). What I want to achieve is to reverse proxy mailcow (including SSL) from `mydomain.com:8080` -> `mydomain.com/mail`. Can you please advise? Another thing that comes to mind is that I would need to disable Let's Encrypt for mailcow; then it should work. – Michal Aron Jul 15 '18 at 22:09
  • If you already set Mailcow to use port 8080, and can access it through that port, then the rest should be straightforward. You create a new virtual host, and since you need mydomain.com/mail to redirect you to your webmail, you should use an Alias, as listed here: https://stackoverflow.com/questions/5552081/using-a-directory-in-virtualhost-servername Combine this with `ProxyPass / http://example.com:8080/` and `ProxyPreserveHost On` in your virtual host, and make sure you enable the reverse proxy. I know this explanation is mature, so just let me know if you have any questions. – Sef Eiba Jul 17 '18 at 09:44
  • Thanks, you pointed me in the right direction; it all works. I created subdomains for my domain and added ProxyPass with ProxyPassReverse for each subdomain. When I was just rewriting on the same domain I had issues with loading JS and CSS; I would have had to map everything and it would work just for a single context. The only workable way of reverse proxying multiple apps is subdomains. Note: the newest certbot from Let's Encrypt automates the other domains for you too, so it's all covered :) – Michal Aron Jul 17 '18 at 22:57
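A check for the two things this thread turns on, added here as an example and not code from either poster or from the mailcow project: an Apache that runs in its own container and proxies to 127.0.0.1 is connecting to its own loopback, not the host's, which is why the question's `ProxyPass / https://127.0.0.1:8443/` gets "Connection refused" while mailcow is published on the host's 127.0.0.1:8443; and a mailcow bound to 0.0.0.0 as in the answer is reachable around the proxy on :8080/:8443, skipping the proxy's HSTS and cipher policy. The script lints a vhost and the binding block of a mailcow.conf for those and two related mod_proxy pitfalls (an `https://` backend without `SSLProxyEngine on`, and a TLS-terminating proxy that sends neither `ProxyPassReverse` nor `X-Forwarded-Proto`). The corrected vhost it carries assumes the mailcow nginx service is named `nginx-mailcow` and listens on port 80 inside the shared `mailcowdockerized_mailcow-network`; check the service name in your mailcow docker-compose.yml. All inputs are constructed inline.

```shell
#!/bin/sh
# Added example, not code from either poster or from mailcow. Lints an Apache
# reverse-proxy vhost and the HTTP/S bindings of a mailcow.conf for the
# pitfalls in this thread. Pure string processing: touches no Docker/Apache.

# Constructed sample: the question's vhost, reduced to the proxy lines.
# Apache runs in its own container, so 127.0.0.1 here is the Apache container's
# loopback; a port published on the *host's* 127.0.0.1 is unreachable from it.
BROKEN_VHOST='<VirtualHost *:443>
    ServerName mail2.yyy.com
    ProxyPass / https://127.0.0.1:8443/
    ProxyPassReverse / https://127.0.0.1:8443/
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    SSLEngine on
</VirtualHost>'

# Constructed sample: a corrected vhost for a containerised Apache.
# ASSUMPTION: the mailcow nginx service is named nginx-mailcow and listens on
# port 80 inside the shared Docker network. TLS ends at Apache; the header
# tells the backend the client connected over https.
FIXED_VHOST='<VirtualHost *:443>
    ServerName mail2.yyy.com
    ProxyPass / http://nginx-mailcow:80/
    ProxyPassReverse / http://nginx-mailcow:80/
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    SSLEngine on
</VirtualHost>'

# Constructed sample: the answer's bindings. Publishing on every interface
# lets clients bypass the proxy (and its HSTS/cipher policy) via :8080/:8443.
OPEN_BIND='HTTP_PORT=8080
HTTP_BIND=0.0.0.0
HTTPS_PORT=8443
HTTPS_BIND=0.0.0.0'

# has_directive CONF NAME VALUE_REGEX: true if CONF contains "NAME VALUE..."
has_directive() {
    printf '%s\n' "$1" | grep -Eqi "^[[:space:]]*$2[[:space:]]+$3"
}

# lint_vhost CONF APACHE_IN_CONTAINER(0|1): prints one finding per line.
lint_vhost() {
    conf=$1
    in_container=$2
    # ProxyPass <path> <upstream-url> [key=value ...]
    for url in $(printf '%s\n' "$conf" | awk '$1 == "ProxyPass" { print $3 }'); do
        scheme=${url%%://*}
        hostport=${url#*://}
        hostport=${hostport%%/*}
        host=${hostport%%:*}
        # Inside a container, loopback is the container itself, never the host.
        if [ "$in_container" = 1 ]; then
            case "$host" in
                127.0.0.1|localhost|::1) echo "LOOPBACK_UPSTREAM_IN_CONTAINER $url" ;;
            esac
        fi
        # mod_proxy refuses an https:// backend unless SSLProxyEngine is on.
        if [ "$scheme" = https ] && ! has_directive "$conf" SSLProxyEngine on; then
            echo "HTTPS_UPSTREAM_WITHOUT_SSLPROXYENGINE $url"
        fi
    done
    # Without ProxyPassReverse, backend redirects leak the internal host:port.
    if has_directive "$conf" ProxyPass '' && ! has_directive "$conf" ProxyPassReverse ''; then
        echo "MISSING_PROXYPASSREVERSE"
    fi
    # TLS terminated here but not signalled: the backend sees plain http and
    # may emit http:// links or redirect to https in a loop.
    if has_directive "$conf" SSLEngine on && has_directive "$conf" ProxyPass '' \
        && ! has_directive "$conf" RequestHeader 'set[[:space:]]+X-Forwarded-Proto'; then
        echo "MISSING_X_FORWARDED_PROTO"
    fi
    return 0
}

# lint_mailcow_bind CONF: flags HTTP_BIND/HTTPS_BIND not pinned to one address
# (empty, unset, 0.0.0.0 or :: all mean "every interface" to Docker).
lint_mailcow_bind() {
    conf=$1
    for key in HTTP_BIND HTTPS_BIND; do
        val=$(printf '%s\n' "$conf" | sed -n "s/^$key=//p" | head -n 1)
        case "$val" in
            ''|0.0.0.0|'::'|'[::]') echo "${key}_PUBLISHED_ON_ALL_INTERFACES (${val:-unset})" ;;
        esac
    done
    return 0
}

# Counts for scripting; "0" means clean.
vhost_finding_count() { lint_vhost "$1" "$2" | grep -c . || true; }
bind_finding_count() { lint_mailcow_bind "$1" | grep -c . || true; }

echo "== question's vhost, Apache in a container =="; lint_vhost "$BROKEN_VHOST" 1
echo "== corrected vhost =="; lint_vhost "$FIXED_VHOST" 1
echo "== answer's mailcow.conf bindings =="; lint_mailcow_bind "$OPEN_BIND"
```

Run it with `sh lint.sh`. For an Apache installed on the host rather than in a container, pass `0` as the second argument: there, `127.0.0.1:8080` together with `HTTP_BIND=127.0.0.1` is the right pairing, and the loopback finding does not apply. The bind check is conservative and treats an empty or absent `HTTP_BIND` like `0.0.0.0`.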