
Introduction

This page describes the roll-out procedure for a BlueMind Edge server acting as a Postfix relay and a reverse proxy in front of the main server.

Assumptions

  • BlueMind is installed on the main server
  • the role bm-edge-role is installed on the so-called "Edge" server
  • the Edge server's nginx web server is set up as a reverse proxy that relays client traffic to the main server

Related:

bm-edge-role-principe

Roll-out procedure

  1. Install BlueMind on the main server following the usual procedure


    The storage space for BlueMind backups must be accessible on this new server at /var/backups/bluemind

  2. Install the subscription on the secondary server as a file

    Reminder: the text file for the subscription can be installed manually on a server

    • for Ubuntu / Debian as /etc/apt/sources.list.d/bm.list
    • for RedHat / CentOS as /etc/yum.repos.d/bm.repo
  3. Install the package bm-edge-role on the edge server:

    Debian/Ubuntu:  apt-get install bm-edge-role
    RedHat/CentOS:  yum install bm-edge-role
  4. Add the smtp relay role to the edge server in the main server's admin panel:
    • log into BlueMind on the main server as admin0@global.virt
    • browse to System management > Application servers
    • click New > Host
    • fill in the information for the new server:

    • click "Create & edit" or "Create" then click the corresponding row to edit it
    • in the Server roles tab, check the Mail relay box then click Save:
    • back in the servers list, the server is shown with the mail relay tag mail/smtp-edge:
  5. Set up the domain so that the edge server is used as a mail relay:
    • still signed in as admin0@global.virt, browse to System management > Manage domains
    • click the row for the domain you want to configure
    • in the Mail system tab, select the edge server you have created as mail server and click Save:
  6. Set up the server to send outgoing messages through the relay:
    • still signed in as admin0@global.virt, browse to System Management > System Configuration
    • in the Mail tab, fill in the Relay host field with the IP address or the edge server's host name and click Save:


Nginx

Setting up web access

  1. Log in as root on the edge server
  2. Go to the folder /etc/nginx/sites-available:

    bm35-edge.bluemind.loc:~# cd /etc/nginx/sites-available
  3. Create a configuration file named bm-proxy and open it in an editor, e.g. vim:

    bm35-edge.bluemind.loc:/etc/nginx/sites-available# vim bm-proxy
  4. Add the following configuration (nginx's deprecated "ssl on;" directive is not used here; the ssl parameter is given on the listen line instead, which is the manual fix the edge node needs after BM-15324):

    server {
      listen 80;
      # <url_externe_bluemind> is the external URL users connect to
      server_name <url_externe_bluemind>;

      location / {
        return 301 https://<url_externe_bluemind>$request_uri;
      }
    }

    server {
      # "ssl on;" is deprecated: the ssl parameter on listen replaces it
      listen 443 ssl;
      server_name <url_externe_bluemind>;

      # bm_cert.pem holds both the certificate and its private key
      ssl_certificate /etc/ssl/certs/bm_cert.pem;
      ssl_certificate_key /etc/ssl/certs/bm_cert.pem;
      ssl_session_timeout 5m;
      ssl_prefer_server_ciphers on;

      # TLSv1 and TLSv1.1 are obsolete; re-add them only for legacy clients that cannot do TLSv1.2
      ssl_protocols TLSv1.2;
      ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
      add_header Strict-Transport-Security max-age=15768000; # six months

      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # nginx does not verify the main server's certificate by default (proxy_ssl_verify off).
      # If the edge reaches <srv_interne> over an untrusted network, enable proxy_ssl_verify
      # and point proxy_ssl_trusted_certificate at the CA that issued that certificate.
      location / {
        # <srv_interne> is the main BlueMind server
        proxy_pass https://<srv_interne>;
      }

      location /webmail/ {
        # 0 disables the request body size limit for webmail uploads
        client_max_body_size 0m;
        proxy_pass https://<srv_interne>/webmail/;
      }

      location /Microsoft-Server-ActiveSync {
        proxy_pass https://<srv_interne>/Microsoft-Server-ActiveSync;
        proxy_read_timeout 1200s;
        proxy_headers_hash_bucket_size 128;
        proxy_headers_hash_max_size 2048;
        client_max_body_size 10m;
        proxy_pass_header Server;
      }

      location /eventbus {
        proxy_pass https://<srv_interne>;
        proxy_http_version 1.1;
        # WebSocket upgrade; note that a location with its own proxy_set_header
        # no longer inherits the server-level X-Forwarded-For header
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
      }

      location /api/filehosting/ {
        client_max_body_size 0m;
        proxy_pass https://<srv_interne>$request_uri;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_buffering off;
      }

      location /api/attachment/ {
        client_max_body_size 0m;
        proxy_pass https://<srv_interne>$request_uri;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_buffering off;
      }

      location /fh/ {
        proxy_pass https://<srv_interne>/fh/;
        proxy_http_version 1.1;
        proxy_buffering off;
      }
    }
    
  5. Save file and exit the editor
  6. Run the following commands to set up the configuration:

    bm35-edge.bluemind.loc:/etc/nginx/sites-available# ln -s /etc/nginx/sites-available/bm-proxy /etc/nginx/sites-enabled/
    bm35-edge.bluemind.loc:/etc/nginx/sites-available# rm /etc/nginx/sites-enabled/default
  7. Check the syntax, then reload the nginx service (the service name differs between BlueMind 3.5.x and 3.0.x):

    bm35-edge.bluemind.loc:/etc/nginx/sites-available# nginx -t

Setting up the mail service

  1. On the edge server, copy the main server's mail proxy configuration file /etc/nginx/global.d/bm-mail-proxy.conf, e.g. with scp:

    bm35-edge.bluemind.loc:~# scp root@srv1.bluemind.loc:/etc/nginx/global.d/bm-mail-proxy.conf /etc/nginx/global.d/
  2. Edit /etc/nginx/global.d/bm-mail-proxy.conf on the relay server and replace the IP address on the auth_http line with the main server's IP address (nginx's mail proxy calls this HTTP endpoint to authenticate every IMAP/POP/SMTP login, so the edge must reach it on the main server)

  3. Check the syntax, then reload the nginx service (the service name differs between BlueMind 3.5.x and 3.0.x):

    bm35-edge.bluemind.loc:~# nginx -t

Setting up XMPP

For the edge server to relay XMPP traffic:

  1. create the file /etc/nginx/global.d/bm-xmpp-proxy.conf with the following contents:

    stream {
        upstream backend_xmpp {
            least_conn;
            server 1.2.3.4:5222;
            server 1.2.3.5:5222 backup;
        }

        server {
            listen 5222;
            proxy_pass backend_xmpp;
        }
    }

    replacing 1.2.3.4 with the IP address of the main server, or of the server holding the XMPP role if it is a separate one. The line marked backup is only used when the first server is unreachable: point it at a second XMPP server or remove it. The stream block requires an nginx built with the stream module (check the output of nginx -V for --with-stream).

  2. Check the syntax, then reload the nginx service (the service name differs between BlueMind 3.5.x and 3.0.x):

    bm35-edge.bluemind.loc:~# nginx -t
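The following POSIX shell helper is an added example for this page, not BlueMind's own tooling. It checks the hand-edited nginx files against the points raised in the web access, mail and XMPP sections above: the deprecated "ssl on;" directive that the setup does not fix on an edge node, obsolete TLS versions, placeholders left in bm-proxy, the auth_http rewrite in bm-mail-proxy.conf, and whether the installed nginx has the stream module the XMPP relay needs. The hostnames, IP addresses and sample files in it are constructed (the auth_http sample line in particular is only a stand-in for the real file's format). Run it as root on the edge node with --live to include the nginx -t check.

```shell
#!/bin/sh
# Added example for this page, not BlueMind's own tooling: audits hand-written
# nginx files on an edge node and, with --live, syntax-checks the installed
# nginx. The sample files written below are constructed for illustration.

# audit_nginx_site FILE: one finding per line on stderr, the count on stdout.
audit_nginx_site() {
    file="$1"
    findings=0
    # "ssl on;" is deprecated; the ssl parameter belongs on the listen line.
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$file"; then
        echo "$file: deprecated 'ssl on;', use 'listen 443 ssl;' instead" >&2
        findings=$((findings + 1))
    fi
    # once "ssl on;" is gone, "listen 443;" without ssl serves plain HTTP on 443.
    if grep -Eq '^[[:space:]]*listen[[:space:]]+443[[:space:]]*;' "$file"; then
        echo "$file: 'listen 443;' lacks the ssl parameter" >&2
        findings=$((findings + 1))
    fi
    # TLSv1 and TLSv1.1 are obsolete; keep them only for known legacy clients.
    if grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)' "$file"; then
        echo "$file: ssl_protocols still enables TLSv1 and/or TLSv1.1" >&2
        findings=$((findings + 1))
    fi
    # placeholders copied from the page and never replaced.
    if grep -Eq '<(url_externe_bluemind|srv_interne)>' "$file"; then
        echo "$file: unreplaced <url_externe_bluemind>/<srv_interne> placeholder" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# set_auth_http FILE IP: point the mail proxy's auth_http directive at the main
# server (step 2 of "Setting up the mail service"); port and path are kept.
set_auth_http() {
    sed -i -E "s/^([[:space:]]*auth_http[[:space:]]+)[0-9]{1,3}(\.[0-9]{1,3}){3}/\1$2/" "$1"
    grep -E '^[[:space:]]*auth_http' "$1"
}

# check_nginx_runtime: run as root on the edge node. Validates the live
# configuration and confirms the stream module needed by bm-xmpp-proxy.conf.
check_nginx_runtime() {
    if ! command -v nginx >/dev/null 2>&1; then
        echo "nginx is not installed on this host" >&2
        return 2
    fi
    nginx -t || return 1
    if nginx -V 2>&1 | grep -q -- '--with-stream'; then
        echo "stream module present, the XMPP relay block can be loaded"
    else
        echo "nginx was built without --with-stream; the stream {} block will not load" >&2
        return 1
    fi
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
OLD_SITE="$SAMPLE_DIR/bm-proxy.old"
FIXED_SITE="$SAMPLE_DIR/bm-proxy.fixed"
MAIL_CONF="$SAMPLE_DIR/bm-mail-proxy.conf"

# constructed: the 443 block as it appears on this page, placeholders and all
cat > "$OLD_SITE" <<'EOF'
server {
  listen 443;
  server_name <url_externe_bluemind>;
  ssl on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  location / { proxy_pass https://<srv_interne>; }
}
EOF

# constructed: the same block after filling in the names and applying the fixes
cat > "$FIXED_SITE" <<'EOF'
server {
  listen 443 ssl;
  server_name mail.example.com;
  ssl_protocols TLSv1.2;
  location / { proxy_pass https://10.0.0.10; }
}
EOF

# constructed stand-in for the copied mail proxy file; only the auth_http line matters
cat > "$MAIL_CONF" <<'EOF'
mail {
    auth_http 127.0.0.1:8080/auth;
}
EOF

for f in "$OLD_SITE" "$FIXED_SITE"; do
    echo "$f: $(audit_nginx_site "$f") finding(s)"
done
set_auth_http "$MAIL_CONF" 10.0.0.10
if [ "${1:-}" = "--live" ]; then
    check_nginx_runtime
fi
```

On a real edge node, call audit_nginx_site against /etc/nginx/sites-available/bm-proxy after every BlueMind upgrade, since the setup does not rewrite that file; the live check is kept separate so the audit also runs on a workstation holding a copy of the configuration.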

Apache

You can also use Apache as a proxy instead of Nginx. This requires Apache 2.4 or later with the following modules enabled:

  • mod_ssl
  • mod_proxy, mod_proxy_http and mod_proxy_wstunnel
  • mod_rewrite

VirtualHost example for Apache:

<VirtualHost *:80>
        Redirect / https://<url_externe_bluemind>/
</VirtualHost>

<VirtualHost *:443>
        SSLEngine On

        # bm_cert.pem holds both the certificate and its private key
        SSLCertificateFile     "/etc/ssl/certs/bm_cert.pem"
        SSLCertificateKeyFile  "/etc/ssl/certs/bm_cert.pem"

        SSLProxyEngine On
        # The main server's certificate is not verified here. On an untrusted
        # network, point SSLProxyCACertificateFile at the CA that issued it and
        # set "SSLProxyVerify require" instead of disabling these checks.
        SSLProxyCheckPeerCN Off
        SSLProxyCheckPeerName Off
        SSLProxyVerify none

        # Websocket proxy (needs mod_proxy_wstunnel)
        RewriteEngine on
        RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
        RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
        RewriteRule .* wss://<srv_interne>%{REQUEST_URI} [P]

        ProxyPreserveHost On
        <Location />
                ProxyPass https://<srv_interne>/
                ProxyPassReverse https://<srv_interne>/
        </Location>
</VirtualHost>

3 Comments

  1. For the XMPP proxy with nginx, shouldn't port 5269 also be proxied?

    1. That port is only used for server-to-server connections, but we do not officially support that mode of operation.

  2. Since 3.5.13-2: BM-15324 Fix: Nginx: deprecated ssl directive

    => it must be corrected manually on the edge node, because the nginx configs are not updated by the setup