Hello everybody,
This is my first forum post, so I am a bit nervous.
We want to have a publicly reachable OX-Appsuite instance but are unhappy about also exposing the Univention management portal to the whole internet.
AFAIK there is no built-in way to separate the appsuite from the management portal (Bug 40811).
So we decided to put another reverse proxy in front of the UCS machine that would whitelist certain traffic (in essence we only allow certain paths onto the UCS Apache). That should fix our concerns with the management portal. We are whitelisting the following paths:
/appsuite
/ajax
/documentconverterws
/drive
/infostore
/publications
/atmosphere
/servlet
/socket.io
/usm-json
/Microsoft-Server-ActiveSync
/services/api-facade
/caldav
We got these paths from looking at the following config files:
/etc/apache2/sites-available/ox.conf
/etc/apache2/conf-available/proxy_http_ox_100_appsuite.conf
/etc/apache2/conf-available/proxy_http_ox_130_facade.conf
Because we also want the appsuite to see the real IPs of the incoming requests, our own reverse proxy adds an X-Forwarded-For header. The Apache on the UCS machine also adds this header (or rather appends another IP to that header). From our understanding the appsuite only looks at the last IP in the header and therefore only sees the IP of our reverse proxy.
To combat this issue we edited the Apache templates to stop including the X-Forwarded-For header:
# diff -Naur apache2_template.backup /etc/univention/templates/files/etc/apache2
diff -Naur apache2_template.backup/conf-available/proxy_http_ox_100_appsuite.conf /etc/univention/templates/files/etc/apache2/conf-available/proxy_http_ox_100_appsuite.conf
--- apache2_template.backup/conf-available/proxy_http_ox_100_appsuite.conf 2021-09-28 16:58:25.000000000 +0200
+++ /etc/univention/templates/files/etc/apache2/conf-available/proxy_http_ox_100_appsuite.conf 2022-02-11 18:18:18.358935965 +0100
@@ -52,6 +52,7 @@
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=On
SetEnv proxy-initial-not-pooled
SetEnv proxy-sendchunked
+ ProxyAddHeaders Off
</Proxy>
# The standalone documentconverter(s) within your setup (if installed)
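Review bot: `ProxyAddHeaders Off` suppresses all three headers mod_proxy would otherwise add (X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server), not only X-Forwarded-For, so check that nothing behind this balancer relies on the other two. Once Apache stops appending its own hop, the backend sees exactly the X-Forwarded-For your front proxy sent and has no trusted entry left to tell a genuine chain from a forged header; this only holds up if the UCS Apache accepts connections solely from your reverse proxy (firewall or `Require ip`) and the reverse proxy overwrites, rather than appends to, any X-Forwarded-For a client supplies.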
@@ -88,6 +89,7 @@
ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=On
SetEnv proxy-initial-not-pooled
SetEnv proxy-sendchunked
+ ProxyAddHeaders Off
</Proxy>
# When specifying additional mappings via the ProxyPass directive be aware
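Review bot: this repeats the same one-line change per balancer block, so every proxied path needs its own copy; the caldav rules further down go through `RewriteRule ... [P]` to `http://localhost:8009` and appear never to enter these `<Proxy>` sections, which matches caldav being the one route still carrying the appended IP. `ProxyAddHeaders` is also valid in virtual-host scope, so a single `ProxyAddHeaders Off` in the ox.conf vhost would cover the rewrite-proxied requests too; after committing the templates, confirm with a caldav request that the header arrives with exactly one entry.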
diff -Naur apache2_template.backup/conf-available/proxy_http_ox_130_facade.conf /etc/univention/templates/files/etc/apache2/conf-available/proxy_http_ox_130_facade.conf
--- apache2_template.backup/conf-available/proxy_http_ox_130_facade.conf 2021-07-12 23:00:48.000000000 +0200
+++ /etc/univention/templates/files/etc/apache2/conf-available/proxy_http_ox_130_facade.conf 2022-02-11 18:19:15.709369149 +0100
@@ -7,6 +7,7 @@
ProxySet stickysession=JSESSIONID|jsessionidscolonpathdelim=On
SetEnv proxy-initial-not-pooled
SetEnv proxy-sendchunked
+ ProxyAddHeaders Off
</Proxy>
ProxyPass /services/api-facade balancer://oxcluster_facade/services/api-facade
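Review bot: the context line `ProxySet stickysession=JSESSIONID|jsessionidscolonpathdelim=On` lacks the space before `scolonpathdelim=On` that the two other hunks have. If that is really what the facade template contains and not a paste artefact, `ProxySet` takes the whole string as the `stickysession` value and `scolonpathdelim` is never set; worth checking the file on disk while you are editing that block anyway.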
This works flawlessly for everything except the caldav routes. The caldav routes are redirected based on the user agent and do not allow fine-grained control of the proxying behaviour:
$ cat /etc/apache2/sites-available/ox.conf
[...]
RewriteCond %{HTTP_USER_AGENT} Calendar [OR]
RewriteCond %{HTTP_USER_AGENT} Reminders [OR]
RewriteCond %{HTTP_USER_AGENT} DataAccess [OR]
RewriteCond %{HTTP_USER_AGENT} DAVKit [OR]
RewriteCond %{HTTP_USER_AGENT} Lightning [OR]
RewriteCond %{HTTP_USER_AGENT} Adresboek [OR]
RewriteCond %{HTTP_USER_AGENT} dataaccessd [OR]
RewriteCond %{HTTP_USER_AGENT} Preferences [OR]
RewriteCond %{HTTP_USER_AGENT} Adressbuch [OR]
RewriteCond %{HTTP_USER_AGENT} AddressBook [OR]
RewriteCond %{HTTP_USER_AGENT} Address\ Book [OR]
RewriteCond %{HTTP_USER_AGENT} CalendarStore [OR]
RewriteCond %{HTTP_USER_AGENT} CalendarAgent [OR]
RewriteCond %{HTTP_USER_AGENT} accountsd [OR]
RewriteCond %{HTTP_USER_AGENT} eM\ Client [OR]
RewriteCond %{HTTP_USER_AGENT} CoreDAV [OR]
RewriteCond %{HTTP_USER_AGENT} DAVdroid
RewriteRule (.*) http://localhost:8009/servlet/dav$1 [P]
[...]
Correct me if I am wrong, but these rules allow a caldav client to simply request https://ox-appsuite.example/caldav/CALENDAR_ID instead of https://ox-appsuite.example/servlet/davcaldav/CALENDAR_ID, right?
My question is: are there any internal appsuite components that use the simple link? If only our own clients use this link, we can simply throw away these funky-looking rewrites and access the caldav link directly.
Univention Version:
# univention-app info
UCS: 4.4-8 errata1158
Installed: mailserver=12.0 oxseforucs=7.10.5-ucs4
Upgradable:
Thank you all so much in advance
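As an added illustration of the two checks the post's setup relies on (not code from the post, OX or Univention): a segment-aware match against the post's allowlist, and the difference between "take the last X-Forwarded-For entry" and walking the chain from the right past known proxies. The proxy networks and client addresses are constructed for the example.

```python
import ipaddress
import posixpath
from typing import Optional
from urllib.parse import urlsplit

# The allowlist from the post; proxy addresses below are constructed for this example.
ALLOWED_PREFIXES = (
    "/appsuite", "/ajax", "/documentconverterws", "/drive", "/infostore",
    "/publications", "/atmosphere", "/servlet", "/socket.io", "/usm-json",
    "/Microsoft-Server-ActiveSync", "/services/api-facade", "/caldav",
)
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24"),    # assumed: our own reverse proxy
                   ipaddress.ip_network("127.0.0.1/32")]   # assumed: UCS Apache -> OX on localhost


def path_allowed(raw_path: str) -> bool:
    """Segment-aware prefix match on the normalised path, so that '/drivex' and
    '/appsuite/../univention' do not slip past a naive startswith().
    (A real proxy must percent-decode before normalising.)"""
    path = posixpath.normpath(urlsplit(raw_path).path)
    return any(path == p or path.startswith(p + "/") for p in ALLOWED_PREFIXES)


def _is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_last(xff: Optional[str], remote_addr: str) -> str:
    """The behaviour the post describes: the backend takes the LAST entry.
    With Apache appending its own hop, that entry is the reverse proxy."""
    if not xff:
        return remote_addr
    return xff.split(",")[-1].strip()


def client_ip_trusted(xff: Optional[str], remote_addr: str) -> str:
    """Walk the chain right to left, skipping addresses we know are our proxies.
    A direct connection from an untrusted peer ignores the header entirely,
    so a client bypassing the reverse proxy cannot forge its address."""
    if not _is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            return hop
    return remote_addr
```

With the UCS Apache still appending (`"203.0.113.7, 10.0.0.5"` seen from 127.0.0.1), `client_ip_last` yields the reverse proxy while `client_ip_trusted` yields the real client; after `ProxyAddHeaders Off` both agree, which is why the backend then has to be reachable only via the trusted proxy.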