2014
09.27

This is more to remind myself than anything else… but also if it helps anyone then that’s a nice bonus.

Originally I had Zimbra and Z-push on totally different domains, using 2 public IPs, but I recently moved them, and in the new location public IPv4 addresses are less readily available than they were before… That, and using 2 IPs was a bit wasteful anyway.

Obviously with IPv6 that wouldn’t be an issue… but we all know how widely supported that isn’t at the moment 🙁

Reverse Proxy config for ZCS FOSS and Zpush to run behind the same public IP

Needs Nginx 1.7.x or newer if you want the proxy to validate the SSL cert of the backend server…

You will probably need to use the same certificate in your default config, as it seems most ActiveSync devices don’t support SNI.

Taken from various forum posts; sadly I don’t recall exactly where, otherwise I’d be happy to link back to them.

In my case it’s passing the ActiveSync traffic back to Apache/PHP. I believe it’s possible to run Z-Push using a PHP fCGI instance and then pass it directly to PHP from Nginx, but I’m more comfortable passing it to Apache for now.

server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/Mycert.bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/Mykey.key;
    server_name mail.mydomain.net;
    tcp_nopush off;
    keepalive_timeout 65;
    tcp_nodelay on;

    # Everything except ActiveSync goes to Zimbra over HTTPS
    location / {
        proxy_pass https://MyZimbraURL/;
        # Validate the backend's certificate against the trusted bundle
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/mycert.bundle.crt;
        proxy_ssl_verify_depth 2;
        proxy_set_header Host $host:$proxy_port;
        # Note: the :$proxy_port suffix makes these two values IP:port rather than a bare IP
        proxy_set_header X-Real-IP $remote_addr:$proxy_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for:$proxy_port;
    }

    # ActiveSync traffic goes to Z-Push on the local Apache/PHP instance
    location /Microsoft-Server-ActiveSync {
        access_log /var/log/nginx/activesync.log;
        # An empty value means Accept-Encoding is not passed to the backend
        proxy_set_header Accept-Encoding "";
        proxy_pass http://127.0.0.1:8099/Microsoft-Server-ActiveSync/;
    }
}

I think the real key here is the proxy_set_header Accept-Encoding line, as after adding that things started working. I may look into this configuration further and see if I can optimize it, as I suspect it’s not the best.

One of the tweaks I may make is to revise the logging locations. As I’m sure eagle-eyed readers might have spotted, I specify a separate access log for the ActiveSync traffic, but not for the general traffic to Zimbra (which is still logged btw, just not to its own file).

I’ve also edited /etc/hosts on the Nginx machine so my Zimbra domain resolves to the internal IP of the Zimbra server (it’s behind some NAT, sadly).
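
Nginx only validates the backend certificate where proxy_ssl_verify is on (it is off by default), so a location added later that proxies over HTTPS can quietly lose that check. The Python sketch below is an added example, not part of the original config: it scans a server block for such locations. The sample text and its /legacy/ location are constructed for illustration, and the parser assumes a single server block with no nested braces inside locations.

```python
import re

# Constructed sample: the post's layout plus one hypothetical location (/legacy/)
# that proxies over HTTPS without enabling verification.
SAMPLE = '''
server {
    listen 443 ssl;
    location / {
        proxy_pass https://MyZimbraURL/;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/mycert.bundle.crt;
    }
    location /Microsoft-Server-ActiveSync {
        proxy_pass http://127.0.0.1:8099/Microsoft-Server-ActiveSync/;
    }
    location /legacy/ {
        proxy_pass https://MyZimbraURL/;
    }
}
'''

LOCATION = re.compile(r'location\s+([^{]+?)\s*\{([^{}]*)\}')
DIRECTIVE = re.compile(r'\b(\w+)\s+([^;{}]*);')

def directives(text):
    """Map directive name -> value (last occurrence wins) for a flat block."""
    return {name: value.strip() for name, value in DIRECTIVE.findall(text)}

def audit(conf):
    """Return [(location, problem)] for HTTPS upstreams nginx would not verify."""
    findings = []
    # Directives outside any location block are inherited by every location.
    inherited = directives(LOCATION.sub('', conf))
    for path, body in LOCATION.findall(conf):
        eff = {**inherited, **directives(body)}
        if not eff.get('proxy_pass', '').startswith('https://'):
            continue  # plain-HTTP upstream: the proxy_ssl_* directives do not apply
        if eff.get('proxy_ssl_verify', 'off') != 'on':  # nginx default is off
            findings.append((path, 'proxy_ssl_verify is not on'))
        elif 'proxy_ssl_trusted_certificate' not in eff:
            findings.append((path, 'no proxy_ssl_trusted_certificate'))
    return findings

if __name__ == '__main__':
    for path, problem in audit(SAMPLE):
        print(f'{path}: {problem}')
```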