[RCU] RC 1.4 direct login+2FA works; RC behind nginx reverse-proxy loops @ login ?

PGNet Dev pgnet.dev at gmail.com
Fri Sep 18 20:03:57 CEST 2020


I've installed

	cd roundcubemail
	git log -n1
		commit e00cd99d65863da5f4e953e1cfbdc49dbbe7c5df (HEAD -> release-1.4, origin/release-1.4)
		Author: Aleksander Machniak <alec at alec.pl>
		Date:   Wed Aug 26 19:38:35 2020 +0200

		    Update changelog

on

	nginx -v
		nginx version: nginx/1.19.2 (PGNd Custom Build)

	php -v
		PHP 7.4.10 (cli) (built: Sep  1 2020 13:58:08) ( NTS )
		Copyright (c) The PHP Group
		Zend Engine v3.4.0, Copyright (c) Zend Technologies
			with Zend OPcache v7.4.10, Copyright (c), by Zend Technologies

I've also installed/enabled 2FA support,

	https://github.com/alexandregz/twofactor_gauthenticator

on direct login to a standalone instance of RC

	https://roundcube.example.com

all works as expected.

RC logs, through initial & 2FA login, return

	==> /var/log/nginx/roundcubemail/sql.log <==
	[18-Sep-2020 10:16:21]: <2375b1ce> [1] SELECT "vars", "ip", "changed", datetime('now') AS ts FROM "session" WHERE "sess_id" = 'aaa...111';
	[18-Sep-2020 10:16:21]: <2375b1ce> [2] SELECT * FROM "users" WHERE "user_id" = '2';
	[18-Sep-2020 10:16:21]: <2375b1ce> [3] PRAGMA FOREIGN_KEYS=ON;
	[18-Sep-2020 10:16:21]: <2375b1ce> [4] SELECT * FROM carddav_addressbooks WHERE "user_id" = '2';
	[18-Sep-2020 10:16:21]: <2375b1ce> [5] UPDATE "session" SET "changed" = datetime('now'), "vars" = 'abc...de1' WHERE "sess_id" = 'aaa...111';
	[18-Sep-2020 10:16:21]: <2375b1ce> [1] SELECT "vars", "ip", "changed", datetime('now') AS ts FROM "session" WHERE "sess_id" = 'aaa...111';
	[18-Sep-2020 10:16:21]: <2375b1ce> [2] SELECT * FROM "users" WHERE "user_id" = '2';
	[18-Sep-2020 10:16:21]: <2375b1ce> [3] DELETE FROM "session" WHERE "sess_id" = 'aaa...111';
	[18-Sep-2020 10:16:21]: <2375b1ce> [4] INSERT INTO "session" ("sess_id", "vars", "ip", "changed") VALUES ('aaa...111', 'bGF...CI7', 'fd80:10:10::10', datetime('now'));
	[18-Sep-2020 10:16:40]: <2375b1ce> [1] SELECT "vars", "ip", "changed", datetime('now') AS ts FROM "session" WHERE "sess_id" = 'aaa...111';
	[18-Sep-2020 10:16:40]: <2375b1ce> [2] DELETE FROM "session" WHERE "sess_id" = 'aaa...111';
	[18-Sep-2020 10:16:40]: <2375b1ce> [3] SELECT * FROM "users" WHERE "mail_host" = 'back.example.com' AND "username" = 'user at example.com';
	[18-Sep-2020 10:16:41]: <2375b1ce> [4] UPDATE "users" SET "last_login" = datetime('now') WHERE "user_id" = '2';
	[18-Sep-2020 10:16:41]: <eb5b5c61> [5] SELECT "vars", "ip", "changed", datetime('now') AS ts FROM "session" WHERE "sess_id" = 'aaa...222';

	==> /var/log/nginx/roundcubemail/userlogins.log <==
	[18-Sep-2020 10:16:41]: <eb5b5c61> Successful login for user at example.com (ID: 2) from fd80:10:10::10 in session eb5b5c61d11447e8

	==> /var/log/nginx/roundcubemail/sql.log <==
	[18-Sep-2020 10:16:41]: <eb5b5c61> [6] INSERT INTO "session" ("sess_id", "vars", "ip", "changed") VALUES ('aaa...222', 'abc...de2==', 'fd80:10:10::10', datetime('now'));
	[18-Sep-2020 10:16:53]: <eb5b5c61> [1] SELECT "vars", "ip", "changed", datetime('now') AS ts FROM "session" WHERE "sess_id" = 'aaa...222';
	[18-Sep-2020 10:16:53]: <eb5b5c61> [2] SELECT * FROM "users" WHERE "user_id" = '2';
	[18-Sep-2020 10:16:53]: <eb5b5c61> [3] PRAGMA FOREIGN_KEYS=ON;
	[18-Sep-2020 10:16:53]: <eb5b5c61> [4] SELECT * FROM carddav_addressbooks WHERE "user_id" = '2';
	[18-Sep-2020 10:16:53]: <eb5b5c61> [5] UPDATE "session" SET "changed" = datetime('now'), "vars" = 'abc...de3' WHERE "sess_id" = 'aaa...222';
	[18-Sep-2020 10:16:53]: <eb5b5c61> [1] SELECT "vars", "ip", "changed", datetime('now') AS ts FROM "session" WHERE "sess_id" = 'aaa...222';
	[18-Sep-2020 10:16:53]: <eb5b5c61> [2] SELECT * FROM "users" WHERE "user_id" = '2';
	[18-Sep-2020 10:16:53]: <eb5b5c61> [3] PRAGMA FOREIGN_KEYS=ON;
	[18-Sep-2020 10:16:53]: <eb5b5c61> [4] SELECT * FROM carddav_addressbooks WHERE "user_id" = '2';
	[18-Sep-2020 10:16:54]: <eb5b5c61> [1] SELECT "vars", "ip", "changed", datetime('now') AS ts FROM "session" WHERE "sess_id" = 'aaa...222';
	[18-Sep-2020 10:16:54]: <eb5b5c61> [2] SELECT * FROM "users" WHERE "user_id" = '2';
	[18-Sep-2020 10:16:54]: <eb5b5c61> [1] SELECT "vars", "ip", "changed", datetime('now') AS ts FROM "session" WHERE "sess_id" = 'aaa...222';
	[18-Sep-2020 10:16:54]: <eb5b5c61> [3] PRAGMA FOREIGN_KEYS=ON;
	[18-Sep-2020 10:16:54]: <eb5b5c61> [4] SELECT * FROM carddav_addressbooks WHERE "user_id" = '2';
	[18-Sep-2020 10:16:54]: <eb5b5c61> [2] SELECT * FROM "users" WHERE "user_id" = '2';
	[18-Sep-2020 10:16:54]: <eb5b5c61> [3] PRAGMA FOREIGN_KEYS=ON;
	[18-Sep-2020 10:16:54]: <eb5b5c61> [4] SELECT * FROM carddav_addressbooks WHERE "user_id" = '2';
	[18-Sep-2020 10:16:54]: <eb5b5c61> [5] UPDATE "session" SET "changed" = datetime('now'), "vars" = 'abc...de4==' WHERE "sess_id" = 'aaa...222';
	[18-Sep-2020 10:16:54]: <eb5b5c61> [5] UPDATE "session" SET "changed" = datetime('now'), "vars" = 'abc...de3';

after which I'm 'in' the RC UI; fully functional.

If, however, I access RC through nginx set up as a reverse proxy, with front-end nginx config,

	server {
		listen [fd80:10:10::10]:443    ssl http2;

		server_tokens off;
		server_name frontend.example.com;
		root /dev/null;
		autoindex off;

		rewrite_log on;
		access_log  /var/log/nginx/frontend.access.log main;
		error_log   /var/log/nginx/frontend.error.log notice;

		ssl_verify_client optional;
		ssl_verify_depth 2;
		ssl_client_certificate "/srv/ssl/ca_chain.crt.pem";
		ssl_certificate        "/srv/ssl/frontend.server.crt";
		ssl_certificate_key    "/srv/ssl/frontend.server.key";

		location / {
			root /srv/nulldir;
			try_files $uri $uri/ =404;
		}

		location /rcmail/ {

			proxy_pass https://roundcube.example.com:443/;
			proxy_ssl_name roundcube.example.com;
			proxy_set_header  X-Script-Name /rcmail;

			proxy_ssl_verify off;
			proxy_ssl_certificate         "/srv/ssl/roundcube.client.crt";
			proxy_ssl_certificate_key     "/srv/ssl/roundcube.client.key";
			proxy_ssl_trusted_certificate "/srv/ssl/ca_chain.crt.pem";

			access_log  /var/log/nginx/frontend.rc.access.log upstreamlog;
			error_log   /var/log/nginx/frontend.rc.error.log notice;

			include includes/proxy.inc;
		}

}


on nav to

	https://frontend.example.com/rcmail

I _do_ see the RC login, as before, at the frontend URI ...

but, when I enter 1st-factor credentials & submit, I simply loop back to the same RC login; no accepted login, and no pass to the 2FA.

RC logs for this ONLY show

	==> /var/log/nginx/roundcubemail/sql.log <==
	[18-Sep-2020 10:34:58]: <68003b3d> [1] SELECT "vars", "ip", "changed", datetime('now') AS ts FROM "session" WHERE "sess_id" = '680...fc5';
	[18-Sep-2020 10:35:06]: <68003b3d> [1] SELECT "vars", "ip", "changed", datetime('now') AS ts FROM "session" WHERE "sess_id" = '680...fc5';

I've not figured out which of these logs are more useful/informative. Yet.

Any hints as to either a correct/functional proxy setup/config, &/or which specific logging to dig around in?
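A quick offline check, added here as an example and not part of the original post or of Roundcube's or nginx's own code: given the response headers the browser receives from the front-end for the login POST (captured with the browser's developer tools or `curl -i`), it flags the proxy-induced mismatches that typically produce a login loop behind a sub-path proxy: a session cookie whose Path or Domain does not cover the public /rcmail prefix, a redirect that points the browser back at the upstream host, or an absolute redirect that drops the prefix. The hostnames and the /rcmail prefix are the ones from the post; the two sample header sets are constructed, and whether any of these is the actual cause here is something the captured headers, not this script, will tell you.

```python
"""Diagnose a reverse-proxied login that loops back to the login page.

Added example for this thread; not code from the post, Roundcube or nginx.
It inspects the headers the *browser* gets from the front-end and reports
Set-Cookie / Location values that do not fit the public URL the app is
served under.  Sample responses below are constructed, not real captures.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


@dataclass
class Finding:
    header: str   # which response header triggered the finding
    detail: str   # what is wrong with it, relative to the public URL


def _parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie header into (cookie name, {attr-lowercase: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def diagnose(headers: List[Tuple[str, str]], public_origin: str,
             public_prefix: str, upstream_host: str) -> List[Finding]:
    """Check response headers against the public origin and path prefix.

    public_origin  - scheme://host the browser actually talks to
    public_prefix  - path under which the app is exposed there ("/rcmail")
    upstream_host  - hostname of the proxied backend
    """
    pub = urlsplit(public_origin)
    pub_host = (pub.hostname or "").lower()
    prefix = "/" + public_prefix.strip("/")          # "/rcmail" or "/"
    findings: List[Finding] = []

    for hname, hvalue in headers:
        key = hname.lower()
        if key == "set-cookie":
            cname, attrs = _parse_set_cookie(hvalue)
            # RFC 6265 path-match: the cookie is only sent back for request
            # paths that start with its Path, so it must cover the prefix.
            cpath = "/" + attrs.get("path", "/").strip("/")
            if not (prefix + "/").startswith(cpath.rstrip("/") + "/"):
                findings.append(Finding("Set-Cookie",
                    f"{cname}: Path={cpath} does not cover {prefix}/; "
                    "the browser will not send it back"))
            domain = attrs.get("domain", "").lstrip(".").lower()
            if domain and domain != pub_host and not pub_host.endswith("." + domain):
                findings.append(Finding("Set-Cookie",
                    f"{cname}: Domain={domain} does not match public host {pub_host}"))
            if pub.scheme == "https" and "secure" not in attrs:
                findings.append(Finding("Set-Cookie",
                    f"{cname}: Secure flag missing on an https deployment (hardening)"))
        elif key == "location":
            loc = urlsplit(hvalue)
            host = (loc.hostname or "").lower()
            if host and host != pub_host:
                which = "upstream" if host == upstream_host.lower() else "foreign"
                findings.append(Finding("Location",
                    f"redirect to {which} host {host}; the browser leaves the proxy"))
            # Only absolute URLs / absolute paths can drop the prefix; a
            # relative redirect resolves against the page the browser is on.
            if prefix != "/" and (loc.netloc or hvalue.startswith("/")):
                if not (loc.path + "/").startswith(prefix + "/"):
                    findings.append(Finding("Location",
                        f"redirect path {loc.path!r} drops public prefix {prefix}"))
    return findings


# Constructed sample responses (assumed shapes, not captures from the thread).
DIRECT_RESPONSE = [
    ("Set-Cookie", "roundcube_sessid=aaa111; Path=/; Secure; HttpOnly"),
    ("Location", "./?_task=mail"),
]
PROXIED_RESPONSE = [
    ("Set-Cookie", "roundcube_sessid=aaa111; Path=/; HttpOnly"),
    ("Location", "https://roundcube.example.com/?_task=mail"),
]

if __name__ == "__main__":
    for label, resp, origin, prefix in (
        ("direct", DIRECT_RESPONSE, "https://roundcube.example.com", "/"),
        ("proxied", PROXIED_RESPONSE, "https://frontend.example.com", "/rcmail"),
    ):
        print(f"== {label}")
        for f in diagnose(resp, origin, prefix, "roundcube.example.com") or [Finding("-", "no issues")]:
            print(f"  {f.header}: {f.detail}")
```

Feed it the headers of the login POST response as seen through the front-end and, for comparison, the same request made directly to roundcube.example.com. A redirect or cookie that is fine directly but not through /rcmail/ points at the proxy layer (the `includes/proxy.inc` contents, which the post does not show, and nginx's `proxy_redirect`, whose default only rewrites a `Location` that literally matches the `proxy_pass` URL) rather than at Roundcube or the 2FA plugin.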

