Zarafa multiserver reverse proxy
Steve Hardy
Cluster node proxy
•   General idea
    – Parts of the system
        • HTTP(s) proxy
        • Zarafa server
    – Some details
        • Session IP locking
        • Internal vs external connections
•   Network layouts
    – SSL offload
    – Loadbalancer
•   Configuration
    – Configuring
    – Testing (stats)
Goal
•   Single exposed ‘host’ to clients for cloud solutions
•   Host may be:
     – Single hostname, single IP
     – Single hostname, round-robin IP


•   Advantages:
     – Easier firewalling
     – Use off-the-shelf proxy / loadbalance hardware
Old situation
New situation
Why it doesn’t work
Client                        Server (Node 1)                    Server (Node 2)
What a nice day, let’s
connect to my fav server
revproxy.zarafa.com

“Hi, please give me john’s
store”
                              “Uh, sorry, I don’t have that,
                              you have to ask Node2, he’s at
                              http://node2.internal.local:237/zarafa”
Dagnabbit, ok, I’ll connect
to node2.internal.local
and retry

CONNECTION
REFUSED


                                                                 *snore*
Why it does work with reverse proxy support
Client                        Server (Node 1)                      Server (Node 2)
What a nice day, let’s
connect to my fav server
revproxy.zarafa.com

“Hi, please give me john’s
store”
                              “Uh, sorry, I don’t have that, you
                              have to ask Node2, he’s at
                              http://node2.internal.local, but I see
                              you connected through a proxy,
                              in that case you should use
                              http://revproxy.zarafa.com/node2”
Dagnabbit, ok, I’ll connect
to
revproxy.zarafa.com/node2
and retry
                                                                   Here’s john’s store for you.
                                                                   Have fun.
Configuration of nodes
•   Node1
    –   ipHost: node1.local
    –   zarafaPort: 236
    –   zarafaHttpsPort: 237
    –   zarafaProxy: http://proxy.domain.com/node1

•   Node2
    –   ipHost: node2.local
    –   zarafaPort: 236
    –   zarafaHttpsPort: 237
    –   zarafaProxy: http://proxy.domain.com/node2
To revproxy or not to revproxy
•   In some cases using the proxy is unnecessary
     – Local connects between nodes
     – Not very frequent
     – One case:
         • Spooler uses ‘copy to delegated sent-items after send’ feature
         • After sending the message, the spooler must copy the item to the sent items
           folder, which is possibly on another host
         • Spooler connects to other host
         • Proxy not needed
•   Strategy is:
     – Only return node’s proxy address if the originating request was itself
       proxied
     – Detected by looking at header, uses setting ‘proxy_header’
Proxy headers
•   X-Forwarded-For header
    – Used as originating IP address
    – Used for session <-> IP locking
    – Used in zarafa-stats (including --top)
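
Added example (not from the slides and not Zarafa's own code): a Python model of the node-side decision from the last two slides, using the node settings from "Configuration of nodes". `TRUSTED_PROXIES`, the address `10.0.0.5` and all function names are assumptions; checking the TCP peer before believing the header is a hardening step added here, since a client that can reach a node directly can send any X-Forwarded-For value it likes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    ip_host: str      # ipHost
    https_port: int   # zarafaHttpsPort
    proxy_url: str    # zarafaProxy

NODES = {
    "node1": Node("node1.local", 237, "http://proxy.domain.com/node1"),
    "node2": Node("node2.local", 237, "http://proxy.domain.com/node2"),
}
PROXY_HEADER = "X-Forwarded-For"   # value of the 'proxy_header' setting
TRUSTED_PROXIES = {"10.0.0.5"}     # assumption: constructed reverse proxy address

def _header(headers, name):
    """Case-insensitive header lookup; None when absent or empty."""
    for key, value in headers.items():
        if key.lower() == name.lower() and value.strip():
            return value.strip()
    return None

def was_proxied(peer_ip, headers):
    """Proxied only if the header is present AND the TCP peer is our proxy."""
    return peer_ip in TRUSTED_PROXIES and _header(headers, PROXY_HEADER) is not None

def redirect_url(target, peer_ip, headers):
    """Address a node hands out when the requested store lives on `target`."""
    node = NODES[target]
    if was_proxied(peer_ip, headers):
        return node.proxy_url
    # Direct form as shown on the "Why it doesn't work" slide.
    return f"http://{node.ip_host}:{node.https_port}/zarafa"

def session_ip(peer_ip, headers):
    """IP used for session <-> IP locking and for the stats output."""
    if not was_proxied(peer_ip, headers):
        return peer_ip   # ignore a header that our proxy did not set
    # The rightmost entry is the one appended by our own proxy; anything
    # to its left was supplied by the client and is not trustworthy.
    return _header(headers, PROXY_HEADER).split(",")[-1].strip()
```

On the proxy itself, the header should be overwritten or appended to, never passed through unchanged, so that the rightmost entry is always the address the proxy saw.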

Zarafa SummerCamp 2012 - Zarafa Cluster using a reverse proxy
