Using nginx with OpenGroupware Coils
OpenGroupware Coils running as an unprivileged user cannot open privileged ports (ports below 1024, such as 25 [smtp], 80 [http], and 443 [https]). At this time the OpenGroupware Coils HTTP component also does not support TLS/SSL. As a result, OpenGroupware is almost always run behind some kind of HTTP reverse proxy, which handles those more mechanical parts of the HTTP protocol. And today's premier reverse proxy is nginx.
But WebDAV has a few peculiarities compared with general web browsing that make running a proxy a bit more challenging. In order to compose correct PROPFIND and REPORT responses the server needs to know some details about the client's connection. The WebDAV "href" elements in those responses must correspond, for some clients, exactly to the URL scheme which the client requested. Fortunately this can be accomplished with just a bit of extra dressing in the nginx configuration. As of 0.1.49 OpenGroupware Coils will look for the headers X-Is-HTTPS, X-Real-IP, and X-Real-Port in requests and, if available, use them when composing the WebDAV "href" elements that will be sent back to the client.
Here is an example nginx.conf that proxies port 80 [http] and 443 [https] to the OpenGroupware Coils 0.1.49 (or later) HTTP component.
    user nginx;
    worker_processes 1;

    #error_log /var/log/nginx/error.log;
    #error_log /var/log/nginx/error.log notice;
    #error_log /var/log/nginx/error.log info;

    events {
        worker_connections 1024;
        use epoll;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;
        gzip on;

        # HTTP server
        server {
            listen 80;
            server_name localhost;

            location / {
                proxy_pass http://127.0.0.1:8080/;
                proxy_redirect off;
                # Headers Coils reads when composing WebDAV href values
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Real-Port 80;
                # An empty value keeps a client-supplied X-Is-HTTPS from
                # being passed through to the backend on the plain HTTP port
                proxy_set_header X-Is-HTTPS "";
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_max_temp_file_size 0;
                client_max_body_size 10m;
                client_body_buffer_size 128k;
                proxy_connect_timeout 90;
                proxy_send_timeout 90;
                proxy_read_timeout 90;
                proxy_buffer_size 4k;
                proxy_buffers 4 32k;
                proxy_busy_buffers_size 64k;
                proxy_temp_file_write_size 64k;
            }
        }

        # HTTPS server
        server {
            # "listen ... ssl" replaces the deprecated "ssl on;" directive
            listen 443 ssl;
            server_name localhost;

            ssl_certificate coils.example.net.cert;
            ssl_certificate_key coils.example.net.key;
            ssl_session_timeout 5m;
            # SSLv2, SSLv3 and TLSv1 are obsolete; offer current TLS versions only
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ssl_prefer_server_ciphers on;

            location / {
                proxy_pass http://127.0.0.1:8080/;
                proxy_redirect off;
                # Headers Coils reads when composing WebDAV href values
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Real-Port 443;
                proxy_set_header X-Is-HTTPS YES;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_max_temp_file_size 0;
                client_max_body_size 10m;
                client_body_buffer_size 128k;
                proxy_connect_timeout 90;
                proxy_send_timeout 90;
                proxy_read_timeout 90;
                proxy_buffer_size 4k;
                proxy_buffers 4 32k;
                proxy_busy_buffers_size 64k;
                proxy_temp_file_write_size 64k;
            }
        }
    }
If the user is using a client that requires absolute href values then OpenGroupware Coils will use the value of the Host header as the host name, the value of X-Real-Port as the port, and X-Is-HTTPS to determine if the URL should have an http:// or https:// protocol.
FYI: For CentOS and RHEL distributions the nginx proxy server is packaged in the EPEL repository.
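The href composition described above, written out as an added Python example (not OpenGroupware Coils source code) that honours the proxy headers only when the request arrives from the proxy itself. The function name, the trusted-proxy set, the host name pattern and the omission of default ports are assumptions made for illustration; only the header names and the 127.0.0.1:8080 backend come from this page.

```python
# Added example; not OpenGroupware Coils source. Names below are hypothetical,
# only the header names (Host, X-Real-IP, X-Real-Port, X-Is-HTTPS) are the page's.
import re

TRUSTED_PROXIES = {"127.0.0.1", "::1"}  # assumption: nginx runs on the same host
BACKEND_PORT = 8080                     # proxy_pass target in the config above
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")
DEFAULT_PORT = {"http": 80, "https": 443}


def href_base(peer_addr, headers):
    """Return (base_url, client_ip) for building absolute WebDAV hrefs.

    peer_addr is the TCP peer address of the backend socket and headers is a
    dict of request headers. Raises ValueError on a malformed Host or port.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # Host is echoed into href elements, so accept plain host names only
    # (anything else, IPv6 literals included, is rejected).
    host = h.get("host", "").partition(":")[0]
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid Host header")

    if peer_addr in TRUSTED_PROXIES:
        # Only the proxy's own connection may assert scheme, port and client IP.
        scheme = "https" if h.get("x-is-https", "") == "YES" else "http"
        raw_port = h.get("x-real-port", str(DEFAULT_PORT[scheme]))
        client_ip = h.get("x-real-ip", peer_addr)
    else:
        # Direct connection to the backend: the X-* headers are client-controlled
        # here, so describe the connection as it really is.
        scheme = "http"
        raw_port = str(BACKEND_PORT)
        client_ip = peer_addr

    if not re.fullmatch(r"[0-9]{1,5}", raw_port) or not 0 < int(raw_port) < 65536:
        raise ValueError("invalid port")
    port = int(raw_port)
    suffix = "" if port == DEFAULT_PORT[scheme] else ":%d" % port
    return "%s://%s%s" % (scheme, host.lower(), suffix), client_ip
```

Binding the backend to 127.0.0.1 only, so that nothing but nginx can reach port 8080, removes the direct-connection case at the network level as well.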