My mailcow is behind an external HAProxy frontend host which is exposed to the internet, so I need a request for webmail.mydomain to be redirected to the mailcow backend /SOGo.
I'm trying, but the page loses all styles. Can somebody point me to a starter config?
All the other SMTP, IMAP, POP… traffic I will solve with NAT port forwarding to the internal mailcow.

Hi, here is my HAProxy config to redirect mailcow:

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------

frontend main_https_listen
    bind :443 v4v6
    mode                tcp
    option              tcplog
    log                 global
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

#---------------------------------------------------------------------
# Common HAProxy nodes configuration
#---------------------------------------------------------------------

# -------------------------------
# ACLs
# -------------------------------

acl acl_mailcowseeboxs          req.ssl_sni -i mail.seeboxs.com			www.mail.seeboxs.com

# -------------------------------
# Conditions
# -------------------------------

use_backend backend_mailcowseeboxs 		if acl_mailcowseeboxs

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------

# APP 1 MAILCOW SEEBOXS
backend backend_mailcowseeboxs
    description MAILCOW SEEBOXS
    mode tcp
    option ssl-hello-chk
    server server_mailcowseeboxs 192.168.1.7:443 check

Hi, here is my HAProxy config to redirect mailcow. With this config the renewal of the ACME certificates also works OK.

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------

global
    daemon
    user                haproxy
    group               haproxy
    log                 /dev/log local6 notice
    log                 /dev/log local5 info
    maxconn             100000
    chroot              /var/lib/haproxy
    pidfile             /run/haproxy.pid
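    # Admin-level runtime socket: keep it owner/group only (mode 777 lets any local user send admin commands)
    stats socket        /var/run/haproxy/admin.sock mode 660 level admin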

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------

defaults
    mode                 tcp
    option               tcplog
    log                  global
    option               dontlognull
    timeout connect      5000
    timeout client       50000
    timeout server       50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#---------------------------------------------------------------------
# dedicated stats page
#---------------------------------------------------------------------

listen stats
    mode http
    bind :22222
    stats enable
    stats hide-version
    stats uri            /stats
    stats realm          HAProxy-Statistics
    stats auth           loguin:password
    stats refresh        30s
#    stats admin if TRUE

#---------------------------------------------------------------------
# Front end Acme Challenge
#---------------------------------------------------------------------

frontend seeboxs.com:80
    bind :80 v4v6
    mode http
    option tcplog

#---------------------------------------------------------------------
# Check for Acme Challenge and validate url
#---------------------------------------------------------------------

    acl acme_challenge                                 path_beg /.well-known/acme-challenge/
    acl mcseeboxs_host hdr(host)                       -i mail.seeboxs.com
    acl mcseeboxsautoconfig_host hdr(host)             -i autoconfig.seeboxs.com
    acl mcseeboxsautodiscover_host hdr(host)           -i autodiscover.seeboxs.com
    acl mta-sts-seeboxs_host hdr(host)                 -i mta-sts.seeboxs.com

#---------------------------------------------------------------------
# Renew certificate mailcow server
#---------------------------------------------------------------------
backend le_mcseeboxs_backend
    mode http
    server letsencrypt_mcseeboxs_server 192.168.1.7:80 check

backend le_mcseeboxsautoconfig_backend
    mode http
    server letsencrypt_mcseeboxsautoconfig_server 192.168.1.7:80 check

backend le_mcseeboxsautodiscover_backend
    mode http
    server letsencrypt_mcseeboxsautodiscover_server 192.168.1.7:80 check

backend le_mta-sts-seeboxs_backend
    mode http
    server letsencrypt_mta-sta-seeboxs_server 192.168.1.7:80 check

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------

frontend main_https_listen
    bind :443 v4v6
    mode                tcp
    option              tcplog
    log                 global
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

#---------------------------------------------------------------------
# Common HAProxy nodes configuration
#---------------------------------------------------------------------

# -------------------------------
# ACLs
# -------------------------------

acl acl_mailcowseeboxs          req.ssl_sni -i mail.seeboxs.com			www.mail.seeboxs.com

# -------------------------------
# Conditions
# -------------------------------

use_backend backend_mailcowseeboxs 		if acl_mailcowseeboxs

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------

# APP 1 MAILCOW SEEBOXS
backend backend_mailcowseeboxs
    description MAILCOW SEEBOXS
    mode tcp
    option ssl-hello-chk
    server server_mailcowseeboxs 192.168.1.7:443 check

Be careful: I use mta-sts. If you do not use it, please delete all the lines that refer to mta-sts for ACME renewal.

There is an error in the previous answer, but I cannot modify it.
Hi, here is my HAProxy config to redirect mailcow. With this config the renewal of the ACME certificates also works OK.

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------

global
    daemon
    user                haproxy
    group               haproxy
    log                 /dev/log local6 notice
    log                 /dev/log local5 info
    maxconn             100000
    chroot              /var/lib/haproxy
    pidfile             /run/haproxy.pid
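    # Admin-level runtime socket: keep it owner/group only (mode 777 lets any local user send admin commands)
    stats socket        /var/run/haproxy/admin.sock mode 660 level admin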

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------

defaults
    mode                 tcp
    option               tcplog
    log                  global
    option               dontlognull
    timeout connect      5000
    timeout client       50000
    timeout server       50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#---------------------------------------------------------------------
# dedicated stats page
#---------------------------------------------------------------------

listen stats
    mode http
    bind :22222
    stats enable
    stats hide-version
    stats uri            /stats
    stats realm          HAProxy-Statistics
    stats auth           loguin:password
    stats refresh        30s
#    stats admin if TRUE

#---------------------------------------------------------------------
# Front end Acme Challenge
#---------------------------------------------------------------------

frontend seeboxs.com:80
    bind :80 v4v6
    mode http
    option tcplog

#---------------------------------------------------------------------
# Check for Acme Challenge and validate url
#---------------------------------------------------------------------

    acl acme_challenge                                 path_beg /.well-known/acme-challenge/
    acl mcseeboxs_host hdr(host)                       -i mail.seeboxs.com
    acl mcseeboxsautoconfig_host hdr(host)             -i autoconfig.seeboxs.com
    acl mcseeboxsautodiscover_host hdr(host)           -i autodiscover.seeboxs.com
    acl mta-sts-seeboxs_host hdr(host)                 -i mta-sts.seeboxs.com

#---------------------------------------------------------------------
# If no Acme Challenge redirect HTTPS 
#---------------------------------------------------------------------

    redirect scheme https code 301 if !acme_challenge

#---------------------------------------------------------------------
# On Acme Challenge forward :80 to backend server
#---------------------------------------------------------------------
use_backend le_mcseeboxs_backend                   if acme_challenge mcseeboxs_host
use_backend le_mcseeboxsautoconfig_backend         if acme_challenge mcseeboxsautoconfig_host
use_backend le_mcseeboxsautodiscover_backend       if acme_challenge mcseeboxsautodiscover_host
use_backend le_mta-sts-seeboxs_backend             if acme_challenge mta-sts-seeboxs_host

#---------------------------------------------------------------------
# Renew certificate mailcow server
#---------------------------------------------------------------------
backend le_mcseeboxs_backend
    mode http
    server letsencrypt_mcseeboxs_server 192.168.1.7:80 check

backend le_mcseeboxsautoconfig_backend
    mode http
    server letsencrypt_mcseeboxsautoconfig_server 192.168.1.7:80 check

backend le_mcseeboxsautodiscover_backend
    mode http
    server letsencrypt_mcseeboxsautodiscover_server 192.168.1.7:80 check

backend le_mta-sts-seeboxs_backend
    mode http
    server letsencrypt_mta-sta-seeboxs_server 192.168.1.7:80 check

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------

frontend main_https_listen
    bind :443 v4v6
    mode                tcp
    option              tcplog
    log                 global
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

#---------------------------------------------------------------------
# Common HAProxy nodes configuration
#---------------------------------------------------------------------

# -------------------------------
# ACLs
# -------------------------------

acl acl_mailcowseeboxs          req.ssl_sni -i mail.seeboxs.com			www.mail.seeboxs.com

# -------------------------------
# Conditions
# -------------------------------

use_backend backend_mailcowseeboxs 		if acl_mailcowseeboxs

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------

# APP 1 MAILCOW SEEBOXS
backend backend_mailcowseeboxs
    description MAILCOW SEEBOXS
    mode tcp
    option ssl-hello-chk
    server server_mailcowseeboxs 192.168.1.7:443 check

    Cisco30 thanks, I will really have to translate this to the haproxy GUI on the pfSense firewall, but it is a good starting point for me, thanks!
    So in your config, when a request points to www.mail.seeboxs.com you use your backend, right?
    I'm not very familiar with HAProxy ACLs, but a request to webmail.mydomain.com should be redirected to mybackend/sogo.

    I need something like: webmail.mydomain->backend/SOGo and webmail.mydomain/admin->backend
    I tried but lost the page styles…

    With the previous configuration, SOGo works very well at home and from outside. I did not do any specific redirection for SOGo; in TCP mode all data is transferred (whether encrypted or not).
    If you try mail.seeboxs.com/sogo from home, you will see that the web page is displayed correctly.

    On the other hand, I don't know pfSense; I use HAProxy 2.8 on a dedicated server with Debian 12.

      Cisco30
      Yes, I have been working on this as well. Your help was useful, thanks, but I need the users to be able to access the SOGo webmail directly when they enter webmail.mydomain, avoiding the need to see the web admin UI. Additionally, it would be great if I could add another frontend, such as adminmailcow.mydomain, to allow web admin access from specific IP addresses. These are more advanced ACL rules; maybe this is a question for the HAProxy community.
      thanks

      6 months later

      @enriluis I’m trying to do the same thing with haproxy redirecting an incoming frontend such as mail.mydomain.com to go directly to the /SOGo path, and admin.mydomain.com to go to the / path.

      Could you post your haproxy.conf file and your webmail.conf files as examples of how you accomplished it?

      Thank you!

        blacksteel1288
        Sorry, I have not done this config yet; for now everyone can access webmail and admin. I would like to do that.

        Here’s what I did. It seems to work. I’m testing it now –

        In your haproxy.conf, for the backend service that is webmail only, add these lines:

        http-request redirect location /SOGo/ code 301 if { path / }
        http-request set-path /SOGo%[path] unless { path_beg /SOGo }
        http-request set-header X-Forwarded-URI /SOGo%[capture.req.uri]
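
Added example, not part of any post in this thread: the SNI passthrough configs earlier run in `mode tcp`, where HAProxy forwards the encrypted stream and cannot see or rewrite the Host header or path, so the three `http-request` lines above only take effect when HAProxy terminates TLS in `mode http`. The configuration below combines them with per-host routing and a source-IP allowlist for the admin UI; the hostnames, certificate and CA paths, backend names and the 203.0.113.0/24 range are placeholders, and 192.168.1.7 and mail.seeboxs.com are taken from the configs posted earlier.

```haproxy
# Added example. Placeholders: webmail.example.com, admin.example.com,
# /etc/haproxy/certs/example.pem, 203.0.113.0/24, backend names.
frontend https_terminated
    bind :443 v4v6 ssl crt /etc/haproxy/certs/example.pem
    mode http
    option httplog

    acl host_webmail hdr(host) -i webmail.example.com
    acl host_admin   hdr(host) -i admin.example.com
    acl admin_src    src 203.0.113.0/24

    # Refuse the admin UI to any client outside the allowlist (HTTP 403)
    http-request deny if host_admin !admin_src

    use_backend be_mailcow_webmail if host_webmail
    use_backend be_mailcow_admin   if host_admin
    # No default_backend: requests for any other Host get HAProxy's 503

backend be_mailcow_webmail
    mode http
    # The three lines from the post above: send "/" to SOGo and keep
    # every other request under the /SOGo prefix
    http-request redirect location /SOGo/ code 301 if { path / }
    http-request set-path /SOGo%[path] unless { path_beg /SOGo }
    http-request set-header X-Forwarded-URI /SOGo%[capture.req.uri]
    # Re-encrypt to mailcow and verify its certificate; assumes the
    # certificate covers mail.seeboxs.com and chains to the system CA bundle
    server mailcow 192.168.1.7:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost mail.seeboxs.com check

backend be_mailcow_admin
    mode http
    server mailcow 192.168.1.7:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost mail.seeboxs.com check
```

Because the webmail backend prefixes every path that does not start with /SOGo, the admin UI is not reachable through the webmail hostname, and the `src` allowlist is the only route to it.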

          blacksteel1288
          Thanks. The main reason I had not tested it before is that pfsense-haproxy makes it easier and more complex for me at the same time:

          I got the same result in the past:

          it redirects me, but I lose the styles.

          yeah, understood. opnsense is what i use, and similar.

          you should try to review the actual haproxy.conf file that is output from the pfsense UI and compare to my code. usually there is some way to do that. i think your ACL may not be correct.

            16 days later

            blacksteel1288

            Yes, it worked, I added your code under advanced.

            thanks!