My mailcow is behind an external host HAProxy frontend which is exposed to the internet, so I need that when a user requests webmail.mydomain it is redirected to the mailcow backend /SOGo.
I'm trying, but the page loses all styles. Can somebody point me to some starter config?
All the other SMTP, IMAP, POP... traffic I will solve with NAT port forwarding to the internal mailcow.
mailcow behind haproxy frontend out of the box
Hi, here is my HAProxy config to redirect mailcow:
#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
frontend main_https_listen
    bind :443 v4v6
    mode tcp
    option tcplog
    log global
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    #---------------------------------------------------------------------
    # Common HAProxy nodes configuration
    #---------------------------------------------------------------------
    # -------------------------------
    # ACLs
    # -------------------------------
    acl acl_mailcowseeboxs req.ssl_sni -i mail.seeboxs.com www.mail.seeboxs.com
    # -------------------------------
    # Conditions
    # -------------------------------
    use_backend backend_mailcowseeboxs if acl_mailcowseeboxs

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------
# APP 1 MAILCOW SEEBOXS
backend backend_mailcowseeboxs
    description MAILCOW SEEBOXS
    mode tcp
    option ssl-hello-chk
    server server_mailcowseeboxs 192.168.1.7:443 check
Hi, here is my HAProxy config to redirect mailcow. With this config you also have the renewal of ACME certificates, which works fine:
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    daemon
    user haproxy
    group haproxy
    log /dev/log local6 notice
    log /dev/log local5 info
    maxconn 100000
    chroot /var/lib/haproxy
    pidfile /run/haproxy.pid
    stats socket /var/run/haproxy/admin.sock mode 777 level admin

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode tcp
    option tcplog
    log global
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#---------------------------------------------------------------------
# dedicated stats page
#---------------------------------------------------------------------
listen stats
    mode http
    bind :22222
    stats enable
    stats hide-version
    stats uri /stats
    stats realm HAProxy-Statistics
    stats auth loguin:password
    stats refresh 30s
    # stats admin if TRUE

#---------------------------------------------------------------------
# Front end Acme Challenge
#---------------------------------------------------------------------
frontend seeboxs.com:80
    bind :80 v4v6
    mode http
    option tcplog
    #---------------------------------------------------------------------
    # Check for Acme Challenge and validate url
    #---------------------------------------------------------------------
    acl acme_challenge path_beg /.well-known/acme-challenge/
    acl mcseeboxs_host hdr(host) -i mail.seeboxs.com
    acl mcseeboxsautoconfig_host hdr(host) -i autoconfig.seeboxs.com
    acl mcseeboxsautodiscover_host hdr(host) -i autodiscover.seeboxs.com
    acl mta-sts-seeboxs_host hdr(host) -i mta-sts.seeboxs.com

#---------------------------------------------------------------------
# Renew certificate mailcow server
#---------------------------------------------------------------------
backend le_mcseeboxs_backend
    mode http
    server letsencrypt_mcseeboxs_server 192.168.1.7:80 check

backend le_mcseeboxsautoconfig_backend
    mode http
    server letsencrypt_mcseeboxsautoconfig_server 192.168.1.7:80 check

backend le_mcseeboxsautodiscover_backend
    mode http
    server letsencrypt_mcseeboxsautodiscover_server 192.168.1.7:80 check

backend le_mta-sts-seeboxs_backend
    mode http
    server letsencrypt_mta-sts-seeboxs_server 192.168.1.7:80 check

#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
frontend main_https_listen
    bind :443 v4v6
    mode tcp
    option tcplog
    log global
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    #---------------------------------------------------------------------
    # Common HAProxy nodes configuration
    #---------------------------------------------------------------------
    # -------------------------------
    # ACLs
    # -------------------------------
    acl acl_mailcowseeboxs req.ssl_sni -i mail.seeboxs.com www.mail.seeboxs.com
    # -------------------------------
    # Conditions
    # -------------------------------
    use_backend backend_mailcowseeboxs if acl_mailcowseeboxs

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------
# APP 1 MAILCOW SEEBOXS
backend backend_mailcowseeboxs
    description MAILCOW SEEBOXS
    mode tcp
    option ssl-hello-chk
    server server_mailcowseeboxs 192.168.1.7:443 check
Be careful, I use MTA-STS; if you do not use it, please delete all the lines that refer to mta-sts for ACME renewal.
There is an error in the previous answer, but I cannot modify it.
Hi, here is my HAProxy config to redirect mailcow. With this config you also have the renewal of ACME certificates, which works fine:
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    daemon
    user haproxy
    group haproxy
    log /dev/log local6 notice
    log /dev/log local5 info
    maxconn 100000
    chroot /var/lib/haproxy
    pidfile /run/haproxy.pid
    stats socket /var/run/haproxy/admin.sock mode 777 level admin

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode tcp
    option tcplog
    log global
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#---------------------------------------------------------------------
# dedicated stats page
#---------------------------------------------------------------------
listen stats
    mode http
    bind :22222
    stats enable
    stats hide-version
    stats uri /stats
    stats realm HAProxy-Statistics
    stats auth loguin:password
    stats refresh 30s
    # stats admin if TRUE

#---------------------------------------------------------------------
# Front end Acme Challenge
#---------------------------------------------------------------------
frontend seeboxs.com:80
    bind :80 v4v6
    mode http
    option tcplog
    #---------------------------------------------------------------------
    # Check for Acme Challenge and validate url
    #---------------------------------------------------------------------
    acl acme_challenge path_beg /.well-known/acme-challenge/
    acl mcseeboxs_host hdr(host) -i mail.seeboxs.com
    acl mcseeboxsautoconfig_host hdr(host) -i autoconfig.seeboxs.com
    acl mcseeboxsautodiscover_host hdr(host) -i autodiscover.seeboxs.com
    acl mta-sts-seeboxs_host hdr(host) -i mta-sts.seeboxs.com
    #---------------------------------------------------------------------
    # If no Acme Challenge redirect HTTPS
    #---------------------------------------------------------------------
    redirect scheme https code 301 if !acme_challenge
    #---------------------------------------------------------------------
    # On Acme Challenge forward :80 to backend server
    #---------------------------------------------------------------------
    use_backend le_mcseeboxs_backend if acme_challenge mcseeboxs_host
    use_backend le_mcseeboxsautoconfig_backend if acme_challenge mcseeboxsautoconfig_host
    use_backend le_mcseeboxsautodiscover_backend if acme_challenge mcseeboxsautodiscover_host
    use_backend le_mta-sts-seeboxs_backend if acme_challenge mta-sts-seeboxs_host

#---------------------------------------------------------------------
# Renew certificate mailcow server
#---------------------------------------------------------------------
backend le_mcseeboxs_backend
    mode http
    server letsencrypt_mcseeboxs_server 192.168.1.7:80 check

backend le_mcseeboxsautoconfig_backend
    mode http
    server letsencrypt_mcseeboxsautoconfig_server 192.168.1.7:80 check

backend le_mcseeboxsautodiscover_backend
    mode http
    server letsencrypt_mcseeboxsautodiscover_server 192.168.1.7:80 check

backend le_mta-sts-seeboxs_backend
    mode http
    server letsencrypt_mta-sts-seeboxs_server 192.168.1.7:80 check

#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
frontend main_https_listen
    bind :443 v4v6
    mode tcp
    option tcplog
    log global
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    #---------------------------------------------------------------------
    # Common HAProxy nodes configuration
    #---------------------------------------------------------------------
    # -------------------------------
    # ACLs
    # -------------------------------
    acl acl_mailcowseeboxs req.ssl_sni -i mail.seeboxs.com www.mail.seeboxs.com
    # -------------------------------
    # Conditions
    # -------------------------------
    use_backend backend_mailcowseeboxs if acl_mailcowseeboxs

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------
# APP 1 MAILCOW SEEBOXS
backend backend_mailcowseeboxs
    description MAILCOW SEEBOXS
    mode tcp
    option ssl-hello-chk
    server server_mailcowseeboxs 192.168.1.7:443 check
Cisco30 thanks, I will translate it to haproxy-gui on the pfSense firewall, really, but it is a good starting point for me, thanks!
So in your config, when a request points to www.mail.seeboxs.com you use your backend, right..?
I'm not very familiar with HAProxy ACLs, but a request to webmail.mydomain.com should be redirected to mybackend/sogo.
I need something like: webmail.mydomain -> backend/SOGo and webmail.mydomain/admin -> backend
I tried, but lost the page styles…
With the previous configuration, SOGo works very well at home and from outside. I did not do any specific redirection for SOGo; in TCP mode all data is transferred (whether encrypted or not).
If you try mail.seeboxs.com/sogo from home, you will see that the web page is displayed correctly.
On the other hand, I don't know pfSense; I use HAProxy 2.8 on a dedicated server with Debian 12.
Cisco30
Yes, I have been working on this as well. Your help was useful, thanks, but I need the users to be able to access the SOGo webmail directly when they enter webmail.mydomain, avoiding the need to see the web admin UI. Additionally, it would be great if I could add another frontend, such as adminmailcow.mydomain, to allow web admin access from specific IP addresses. This is more advanced ACL rules; maybe this is a question for the HAProxy community.
Thanks
@enriluis I'm trying to do the same thing with HAProxy: redirecting an incoming frontend such as mail.mydomain.com to go directly to the /SOGo path, and admin.mydomain.com to go to the / path.
Could you post your haproxy.conf file and your webmail.conf files as examples of how you accomplished it?
Thank you!
blacksteel1288
Sorry, I have not done this config yet; by now everyone can access webmail and admin. I would like to do that.
Here's what I did. It seems to work. I'm testing it now:
In your haproxy.conf, for the backend service that is webmail only, add these lines:
    http-request redirect location /SOGo/ code 301 if { path / }
    http-request set-path /SOGo%[path] unless { path_beg /SOGo }
    http-request set-header X-Forwarded-URI /SOGo%[capture.req.uri]
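The three rules above only work in HTTP mode, because in the TCP passthrough setup posted earlier HAProxy never sees the request path. The following is an added example (not a configuration from this thread or from the mailcow project) that puts them together with the host split asked for in the thread: webmail.mydomain lands on the SOGo UI, adminmailcow.mydomain serves the admin UI only to one source network. It assumes TLS is terminated at HAProxy with a combined certificate+key PEM at /etc/haproxy/certs/mailcow.pem, that the mailcow nginx accepts plain HTTP from the proxy on 192.168.1.7:8080 (set via HTTP_PORT in mailcow.conf) without redirecting it to HTTPS itself, and that 192.168.1.0/24 is the admin network; all three values are placeholders.

```haproxy
frontend https_in
    bind :443 v4v6 ssl crt /etc/haproxy/certs/mailcow.pem   # assumed path
    mode http
    option httplog
    option forwardfor                                        # X-Forwarded-For for mailcow's logs/netfilter
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port %[dst_port]

    acl host_webmail  hdr(host) -i webmail.mydomain
    acl host_admin    hdr(host) -i adminmailcow.mydomain
    acl from_admin_net src 192.168.1.0/24                    # constructed example network

    # admin UI host: refuse everything that does not come from the admin network
    http-request deny deny_status 403 if host_admin !from_admin_net

    use_backend be_sogo    if host_webmail
    use_backend be_mailcow if host_admin
    # any other SNI/Host name gets nothing rather than the admin UI
    http-request deny deny_status 404

backend be_sogo
    mode http
    # "/" becomes "/SOGo/" in the browser, so later requests already carry the prefix
    http-request redirect location /SOGo/ code 301 if { path / }
    # anything else is prefixed; path_beg /SOGo also matches /SOGo.woa/WebServerResources/,
    # where SOGo's CSS and JS live, so static assets are not double-prefixed
    http-request set-path /SOGo%[path] unless { path_beg /SOGo }
    http-request set-header X-Forwarded-URI /SOGo%[capture.req.uri]
    server mailcow 192.168.1.7:8080 check

backend be_mailcow
    mode http
    server mailcow 192.168.1.7:8080 check
```

Run `haproxy -c -f /etc/haproxy/haproxy.cfg` after editing; a missing PEM or a typo in an ACL name is reported there rather than as a broken page. In the pfSense or OPNsense GUI, compare the generated haproxy.conf against this to see which of the rules the ACL editor actually emitted.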
blacksteel1288
Thanks. The main reason why I did not test it before is because pfsense-haproxy makes it easier and more complex at the same time:
I got the same result in the past:
it redirects me, but I lose the styles.
Yeah, understood. OPNsense is what I use, and it is similar.
You should try to review the actual haproxy.conf file that is output from the pfSense UI and compare it to my code. Usually there is some way to do that. I think your ACL may not be correct.