Reverse Proxying MailCow 403 errors

1. My Caddy version (caddy -version):

Caddy 0.11.2

2. How I run Caddy:

Docker


I have docker on 192.168.10.41.
MailCow on 192.168.10.47

I am trying to set up external access on mail.mydomain.com to redirect to my mailcow instance. For information, I already have home.mydomain.com going to another machine. From what I can tell the two domains are working as they should, with caddy redirecting to the correct machine depending on the url the user enters.

But I don’t want to expose the mail mailcow admin page to the internet, preferring to only allow the SOGo web mail instance.

Here is my caddy entry:

#take portforwarded router:443 to caddy instance:8443
https://mail.mydomain.com:8443 {
    tls letsencrypt@mydomain.com {
        dns cloudflare
    }

    log stdout
    errors stdout
    #Port 443 from USG to 443 to 8443 on 192.168.10.7
    proxy / http://192.168.10.47:80/SOGo/ {
        without SOGo/
        transparent
        #websocket
        #insecure_skip_verify
    }
}

But what I get from this is a bunch of 403 errors:

198.41.238.79 - - [03/Feb/2020:05:35:30 +0000] "GET /SOGo.woa/WebServerResources/js/vendor/lodash.min.js HTTP/1.1" 403 251
198.41.238.117 - - [03/Feb/2020:05:35:30 +0000] "GET /SOGo.woa/WebServerResources/js/vendor/angular-messages.min.js HTTP/1.1" 403 251
198.41.238.117 - - [03/Feb/2020:05:35:30 +0000] "GET /SOGo.woa/WebServerResources/js/vendor/angular-sanitize.min.js HTTP/1.1" 403 251
198.41.238.97 - - [03/Feb/2020:05:35:30 +0000] "GET /SOGo.woa/WebServerResources/img/sogo-full.svg HTTP/1.1" 403 251
198.41.238.115 - - [03/Feb/2020:05:35:30 +0000] "GET /SOGo.woa/WebServerResources/js/vendor/angular-animate.min.js HTTP/1.1" 403 251
198.41.238.113 - - [03/Feb/2020:05:35:30 +0000] "GET /SOGo.woa/WebServerResources/js/vendor/angular.min.js HTTP/1.1" 403 251
198.41.238.113 - - [03/Feb/2020:05:35:30 +0000] "GET /SOGo.woa/WebServerResources/js/Main.js?lm=1579862807 HTTP/1.1" 403 251
198.41.238.79 - - [03/Feb/2020:05:35:30 +0000] "GET /SOGo.woa/WebServerResources/js/vendor/angular-aria.min.js HTTP/1.1" 403 251
198.41.238.85 - - [03/Feb/2020:05:35:30 +0000] "GET /SOGo.woa/WebServerResources/css/theme-default.css HTTP/1.1" 403 251
198.41.238.91 - - [03/Feb/2020:05:35:30 +0000] "GET /SOGo.woa/WebServerResources/css/styles.css HTTP/1.1" 403 251
198.41.238.111 - - [03/Feb/2020:05:35:30 +0000] "GET /SOGo.woa/WebServerResources/js/vendor/angular-cookies.min.js HTTP/1.1" 403 251
198.41.238.129 - - [03/Feb/2020:05:35:30 +0000] "GET /SOGo.woa/WebServerResources/js/Common.js?lm=1579862807 HTTP/1.1" 403 251
198.41.238.121 - - [03/Feb/2020:05:35:30 +0000] "GET /SOGo.woa/WebServerResources/js/custom-sogo.js?lm=1580426093 HTTP/1.1" 403 251
198.41.238.97 - - [03/Feb/2020:05:35:30 +0000] "GET /SOGo.woa/WebServerResources/js/vendor/angular-ui-router.min.js HTTP/1.1" 403 251
198.41.238.111 - - [03/Feb/2020:05:35:30 +0000] "GET /SOGo.woa/WebServerResources/js/vendor/angular-material.min.js HTTP/1.1" 403 251
198.41.238.97 - - [03/Feb/2020:05:35:30 +0000] "GET /SOGo.woa/WebServerResources/img/sogo-full.svg HTTP/1.1" 403 251
198.41.238.79 - - [03/Feb/2020:05:35:30 +0000] "GET /SOGo.woa/WebServerResources/js/vendor/lodash.min.js HTTP/1.1" 403 251

If I remove the SOGo part of the proxy address, then I successfully get the main mailcow admin page…and then I can manually redirect to https://mail.mydomain.com/SOGo

https://mail.mydomain.com/SOGo/SOGo/so/user@mydomain.com/Mail/view
I can see it’s trying to use SOGo/SOGo - which the without SOGo/ should be removing.

Any tips?

I’d rather not butcher their nginx config, as that will break upgrades etc.

Try without /SOGo (move slash to front) and see what happens?

I thought I’d tried that. I’ve got around it now, and deny all access to those sites from external.

And just implemented a subdomain reverse proxy to the whole site (which is only accessible via a vpn). So the problem is “solved”

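Added example, not part of the original thread: a small Python audit of the proxy's access log against the goal stated in the question, that only SOGo webmail is reachable from outside. It assumes the log layout shown in the post and that webmail needs only the `/SOGo` and `/SOGo.woa` trees; the sample lines, their IPs and the `admin-placeholder` path are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Layout of the access-log lines in the post: ip - - [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-)$'
)
# Assumption: webmail needs only the two path trees seen in the post.
WEBMAIL_TREES = ("/SOGo/", "/SOGo.woa/")

def is_webmail_path(target):
    """True if the request target, once normalised, stays inside a webmail tree."""
    path = unquote(target.split("?", 1)[0])
    path = "/" + posixpath.normpath(path).lstrip("/")  # resolve ./, ../ and //
    return path == "/SOGo" or path.startswith(WEBMAIL_TREES)

def audit(lines):
    """Sort access-log lines into the two failure modes discussed in the thread."""
    findings = {"exposed": [], "blocked_webmail": [], "unparsed": []}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            findings["unparsed"].append(line)
            continue
        target, status = m["target"], int(m["status"])
        if is_webmail_path(target):
            if status == 403:  # webmail asset refused, as in the post's log
                findings["blocked_webmail"].append((target, status))
        elif 200 <= status < 300:  # non-webmail content was served to the client
            findings["exposed"].append((target, status))
    return findings

# Constructed sample lines (documentation IPs, placeholder path), not from a real log.
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Feb/2020:05:35:30 +0000] "GET /SOGo.woa/WebServerResources/js/vendor/lodash.min.js HTTP/1.1" 403 251',
    '203.0.113.10 - - [03/Feb/2020:05:35:31 +0000] "GET /SOGo/so/user@mydomain.com/Mail/view HTTP/1.1" 200 5120',
    '203.0.113.11 - - [03/Feb/2020:05:36:02 +0000] "GET / HTTP/1.1" 200 9042',
    '203.0.113.11 - - [03/Feb/2020:05:36:05 +0000] "GET /SOGo/../admin-placeholder HTTP/1.1" 200 7311',
]

if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_LOG).items():
        print(kind, hits)
```

Any entry under `exposed` means something other than webmail answered through the proxy; entries under `blocked_webmail` match the 403 symptom in the question.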