Admin page unreachable, 404 error

buhbbl

Hello, I made some small customizations to the default docker compose file. I have basically setup a reverse proxy in front of mailcow and an additional domain for SOGo. But currently, when I try to browse mailcow’s configuration page, I get a 404 error.

I have confirmed that admin.php file still exists and I have not made any changes to that url in the nginx config. I also am able to visit other pages such as queue manager and such.

Here is a snipped of nginx error log,

watchdog-mailcow | Sat Mar 30 16:11:41 CET 2024 Fail2ban health level: 100% (1/1), health trend: 0 watchdog-mailcow | Sat Mar 30 16:11:41 CET 2024 Dovecot replication health level: 100% (20/20), health trend: 0 watchdog-mailcow | Sat Mar 30 16:11:41 CET 2024 Rspamd health level: 100% (5/5), health trend: 0 nginx-mailcow | 162.158.102.70 - - [30/Mar/2024:16:11:54 +0100] "GET /admin/ HTTP/1.1" 404 146 "https://mail.DOMAIN.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0" watchdog-mailcow | Sat Mar 30 16:11:59 CET 2024 Olefy health level: 100% (5/5), health trend: 0 watchdog-mailcow | Sat Mar 30 16:12:01 CET 2024 Redis health level: 100% (5/5), health trend: 0

DocFraggle

Did you check the docs for setting up a reverse proxy?

https://docs.mailcow.email/post_installation/reverse-proxy/r_p/

buhbbl

Hey! Yes I followed the guide and have setup the reverse proxy using that. I have added the additional server name to the config and setup up the HTTP/HTTPS bind for the nginx on a different port.

I am able to access the site, the only page that i get a 404 error from the mailcow’s nginx is for the admin page.

DocFraggle

Hmm, /debug is working? Login as admin to the mailcow UI too?

buhbbl

Yes, I am logged in as admin

DocFraggle

What do you use as reverse proxy? Nginx?

buhbbl

Yea, I am using nginx proxy manager specifically.

Here is my config if that helps

# ------------------------------------------------------------
# autoconfig.mail.domain.com, autodiscover.mail.domain.com, mail.domain.com
# ------------------------------------------------------------

map $scheme $hsts_header {
    https   "max-age=63072000; preload";
}

server {
  set $forward_scheme http;
  set $server         "nginx-mailcow";
  set $port           80;

  listen 80;
  listen [::]:80;

  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name autoconfig.mail.domain.com autodiscover.mail.domain.com mail.domain.com;

  # Custom SSL
  ssl_certificate /data/custom_ssl/npm-1/fullchain.pem;
  ssl_certificate_key /data/custom_ssl/npm-1/privkey.pem;

  # Block Exploits
  include conf.d/include/block-exploits.conf;

  # Force SSL
  include conf.d/include/force-ssl.conf;

  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $http_connection;
  proxy_http_version 1.1;


  access_log /data/logs/proxy-host-23_access.log proxy;
  error_log /data/logs/proxy-host-23_error.log warn;

  location /Microsoft-Server-ActiveSync {
    proxy_set_header Host               $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_set_header Upgrade            $http_upgrade;
    proxy_set_header Connection         $http_connection;
    proxy_set_header Host               $http_host;
    proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
    proxy_pass       http://nginx-mailcow:80;

    # Block Exploits
    include conf.d/include/block-exploits.conf;

    # Force SSL
    include conf.d/include/force-ssl.conf;
    
    proxy_http_version 1.1;
    proxy_connect_timeout 75;
    proxy_send_timeout 3650;
    proxy_read_timeout 3650;
    proxy_buffers 64 512k; # Needed since the 2022-04 Update for SOGo
    client_body_buffer_size 512k;
    client_max_body_size 0;
  }


  location / {
    proxy_set_header Host               $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_set_header Upgrade            $http_upgrade;
    proxy_set_header Connection         $http_connection;
    proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
    proxy_pass       http://nginx-mailcow:80;

    # Block Exploits
    include conf.d/include/block-exploits.conf;

    # Force SSL
    include conf.d/include/force-ssl.conf;

    proxy_http_version 1.1;
    client_max_body_size 0;
    proxy_buffer_size 128k;
    proxy_buffers 64 512k;
    proxy_busy_buffers_size 512k;
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

nginx-mailcow is the mailcow’s nginx container thats in the same docker network as my reverse proxy

DocFraggle

Hmm, maybe there is something specific about /admin with Nginx proxy manager?

buhbbl

You think so? I get the 404 error from the mailcow nginx container, and not the reverse proxy

buhbbl

Ok based on what you mentioned, I did connected to mailcow’s nginx using ip over vpn. And it worked. I think you might be right that its due to the reverse proxy.

DocFraggle

What happens if you curl /admin directly from inside the nginx-mailcow container? In my case I get a 302 redirect:

docker compose exec nginx-mailcow /bin/sh
/ # curl -kv https://127.0.0.1/admin
*   Trying 127.0.0.1:443...
* Connected to 127.0.0.1 (127.0.0.1) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=mail.domain.tld
*  start date: Feb 17 13:35:26 2024 GMT
*  expire date: May 17 13:35:25 2024 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
*   Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://127.0.0.1/admin
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: 127.0.0.1]
* [HTTP/2] [1] [:path: /admin]
* [HTTP/2] [1] [user-agent: curl/8.5.0]
* [HTTP/2] [1] [accept: */*]
> GET /admin HTTP/2
> Host: 127.0.0.1
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/2 302 
< server: nginx
< date: Sat, 30 Mar 2024 22:37:58 GMT
< content-type: text/html
< set-cookie: PHPSESSID=0f4679cc11b095248b4cd7435afe21e6; path=/; secure; HttpOnly
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< cache-control: no-store, no-cache, must-revalidate
< pragma: no-cache
< location: /
< strict-transport-security: max-age=15768000;
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< x-robots-tag: none
< x-download-options: noopen
< x-frame-options: SAMEORIGIN
< x-permitted-cross-domain-policies: none
< referrer-policy: strict-origin
< 
* Connection #0 to host 127.0.0.1 left intact

This way you can check if the nginx-mailcow container has a problem, but if you get the 302 too the problem may be within the proxy manager.

EDIT: Ah OK, you posted while I was writing this 😃