OX-Appsuite:public facing through reverse proxy | rewrite rules for caldav

Hello everybody,

this is my first forum post so I am a bit nervous :sweat_smile:

We want to have a publicly reachable OX-Appsuite instance but are unhappy about also exposing the univention management portal to the whole internet.
AFAIK there is no built-in way to separate the appsuite from the management portal (Bug 40811).

So we decided to put another reverse proxy in front of the ucs machine that would whitelist certain traffic (in essence we only allow certain paths onto the ucs apache). That should fix our concerns with the management portal. We are whitelisting the following paths:

  • /appsuite
  • /ajax
  • /documentconverterws
  • /drive
  • /infostore
  • /publications
  • /atmosphere
  • /servlet
  • /socket.io
  • /usm-json
  • /Microsoft-Server-ActiveSync
  • /services/api-facade
  • /caldav

We got these paths from looking at the following config files:

  • /etc/apache2/sites-available/ox.conf
  • /etc/apache2/conf-available/proxy_http_ox_100_appsuite.conf
  • /etc/apache2/conf-available/proxy_http_ox_130_facade.conf

Because we also want the appsuite to see the real IPs of the incoming requests, our own reverse proxy adds an X-Forwarded-For header. The apache on the ucs machine also adds this header (or rather appends another IP to that header). From our understanding the appsuite only looks at the last IP in the header and therefore only sees the IP of our reverse proxy.
To combat this issue we edited the apache templates to stop including the X-Forwarded-For header:

# diff -Naur apache2_template.backup /etc/univention/templates/files/etc/apache2
diff -Naur apache2_template.backup/conf-available/proxy_http_ox_100_appsuite.conf /etc/univention/templates/files/etc/apache2/conf-available/proxy_http_ox_100_appsuite.conf
--- apache2_template.backup/conf-available/proxy_http_ox_100_appsuite.conf      2021-09-28 16:58:25.000000000 +0200
+++ /etc/univention/templates/files/etc/apache2/conf-available/proxy_http_ox_100_appsuite.conf  2022-02-11 18:18:18.358935965 +0100
@@ -52,6 +52,7 @@
         ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=On
         SetEnv proxy-initial-not-pooled
         SetEnv proxy-sendchunked
+        ProxyAddHeaders Off
     </Proxy>

     # The standalone documentconverter(s) within your setup (if installed)
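Review bot: the front proxy must now replace, not append, X-Forwarded-For: with `ProxyAddHeaders Off` in this balancer block the UCS Apache no longer adds its own address, so the last X-Forwarded-For entry the OX backend reads comes straight from the front proxy, and if that proxy only appends to a header the client already sent, the client picks the address that gets logged. Also, this file lives under /etc/univention/templates/files, so the edit only reaches the live config after `ucr commit /etc/apache2/conf-available/proxy_http_ox_100_appsuite.conf` and can be overwritten when the template package is updated.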
@@ -88,6 +89,7 @@
         ProxySet stickysession=JSESSIONID|jsessionid scolonpathdelim=On
         SetEnv proxy-initial-not-pooled
         SetEnv proxy-sendchunked
+        ProxyAddHeaders Off
     </Proxy>

     # When specifying additional mappings via the ProxyPass directive be aware
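Review bot: `ProxyAddHeaders Off` also suppresses X-Forwarded-Host and X-Forwarded-Server for this second balancer, not only X-Forwarded-For; if anything behind it uses X-Forwarded-Host to build absolute URLs, the front proxy has to supply that header itself from now on. Setting the directive once at the virtual-host level would also avoid repeating it in every `<Proxy>` block.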
diff -Naur apache2_template.backup/conf-available/proxy_http_ox_130_facade.conf /etc/univention/templates/files/etc/apache2/conf-available/proxy_http_ox_130_facade.conf
--- apache2_template.backup/conf-available/proxy_http_ox_130_facade.conf        2021-07-12 23:00:48.000000000 +0200
+++ /etc/univention/templates/files/etc/apache2/conf-available/proxy_http_ox_130_facade.conf    2022-02-11 18:19:15.709369149 +0100
@@ -7,6 +7,7 @@
         ProxySet stickysession=JSESSIONID|jsessionidscolonpathdelim=On
         SetEnv proxy-initial-not-pooled
         SetEnv proxy-sendchunked
+        ProxyAddHeaders Off
     </Proxy>

     ProxyPass /services/api-facade balancer://oxcluster_facade/services/api-facade
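Review bot: the context line `ProxySet stickysession=JSESSIONID|jsessionidscolonpathdelim=On` is missing the space before `scolonpathdelim=On` that the appsuite template in the first file has; if the facade template really reads like this (and it is not a paste artifact), the sticky-session cookie name is wrong for the facade balancer and worth fixing in the same change.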

This works flawlessly for everything except the caldav routes. The caldav routes are redirected based on the user agent and do not allow fine-grained control of the proxying behaviour:

$ cat /etc/apache2/sites-available/ox.conf
[...]
RewriteCond %{HTTP_USER_AGENT} Calendar [OR]
RewriteCond %{HTTP_USER_AGENT} Reminders [OR]
RewriteCond %{HTTP_USER_AGENT} DataAccess [OR]
RewriteCond %{HTTP_USER_AGENT} DAVKit [OR]
RewriteCond %{HTTP_USER_AGENT} Lightning [OR]
RewriteCond %{HTTP_USER_AGENT} Adresboek [OR]
RewriteCond %{HTTP_USER_AGENT} dataaccessd [OR]
RewriteCond %{HTTP_USER_AGENT} Preferences [OR]
RewriteCond %{HTTP_USER_AGENT} Adressbuch [OR]
RewriteCond %{HTTP_USER_AGENT} AddressBook [OR]
RewriteCond %{HTTP_USER_AGENT} Address\ Book [OR]
RewriteCond %{HTTP_USER_AGENT} CalendarStore [OR]
RewriteCond %{HTTP_USER_AGENT} CalendarAgent [OR]
RewriteCond %{HTTP_USER_AGENT} accountsd [OR]
RewriteCond %{HTTP_USER_AGENT} eM\ Client [OR]
RewriteCond %{HTTP_USER_AGENT} CoreDAV [OR]
RewriteCond %{HTTP_USER_AGENT} DAVdroid
RewriteRule (.*) http://localhost:8009/servlet/dav$1 [P]
[...]

Correct me if I am wrong, but these rules allow a caldav client to simply request https://ox-appsuite.example/caldav/CALENDAR_ID instead of https://ox-appsuite.example/servlet/davcaldav/CALENDAR_ID, right?

My question is: Are there any internal appsuite components that use the simple link? If only our own clients use this link we can simply throw away these funky looking rewrites and access the caldav link directly.

Univention Version:

# univention-app info
UCS: 4.4-8 errata1158
Installed: mailserver=12.0 oxseforucs=7.10.5-ucs4
Upgradable:

Thank you all so much in advance :slight_smile:
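A front-proxy decision function for the two points raised in the post (the path allowlist and the real client IP), as an added Python example that is not from the post, Univention or OX; the proxy addresses used in the comments are constructed. It goes slightly beyond the post by normalizing the path before matching and by walking X-Forwarded-For over a list of trusted proxies instead of taking the last entry.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Allowlisted path prefixes, copied from the list in the post above.
ALLOWED_PREFIXES = (
    "/appsuite", "/ajax", "/documentconverterws", "/drive", "/infostore",
    "/publications", "/atmosphere", "/servlet", "/socket.io", "/usm-json",
    "/Microsoft-Server-ActiveSync", "/services/api-facade", "/caldav",
)


def normalize_path(request_target: str) -> str:
    """Strip the query, percent-decode and collapse '.', '..' and '//',
    so the allowlist is checked against the path the UCS Apache will see."""
    path = unquote(request_target.split("?", 1)[0])
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)  # keeps the leading '/', cannot climb above it


def is_allowed(request_target: str) -> bool:
    """True only for the listed prefixes, on a path-segment boundary:
    '/appsuite/' and '/caldav/x' pass, '/appsuite2' and '/univention/' do not."""
    path = normalize_path(request_target)
    return any(path == p or path.startswith(p + "/") for p in ALLOWED_PREFIXES)


def client_ip(xff_header, remote_addr: str, trusted_proxies) -> str:
    """Walk X-Forwarded-For from the right, skipping only hops we operate;
    the first address not in trusted_proxies is the real client. A backend
    that just takes the last entry would report the UCS Apache or the front
    proxy instead, which is the problem described in the post."""
    nets = [ipaddress.ip_network(p) for p in trusted_proxies]

    def trusted(addr: str) -> bool:
        try:
            return any(ipaddress.ip_address(addr) in n for n in nets)
        except ValueError:  # not an IP literal: never trust it
            return False

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    candidate = remote_addr
    while hops and trusted(candidate):
        candidate = hops.pop()
    try:
        ipaddress.ip_address(candidate)
    except ValueError:  # garbage in the header: fall back to the TCP peer
        return remote_addr
    return candidate
```

With constructed addresses 10.0.0.2 (front proxy) and 127.0.0.1 (UCS Apache talking to localhost:8009), the header "203.0.113.7, 10.0.0.2" resolves to 203.0.113.7 only because both hops are listed as trusted; a spoofed leading entry such as "198.51.100.9, 203.0.113.7" is ignored.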
