Overview
If you have or want to deploy Kerio Connect behind an nginx proxy, you may encounter an issue where the application does not recognize the real IP addresses of users. Instead, it displays the IP address of the nginx proxy server.
Solution
Starting from Kerio Connect 9.2.11, you can show the real client IP on a Kerio Connect server sitting behind an nginx proxy through the use of the X-Forwarded-Proto and X-Forwarded-For HTTP headers.
- Create an IP address group that will contain the IP address(es) of the proxy server.
- Modify mailserver.cfg and set the two variables below:
  <variable name="UseProxiedInfo">1</variable>
  <variable name="TrustedProxyAddressGroup">[Name_of_Proxy_IP_Address_Group]</variable>
- Replace [Name_of_Proxy_IP_Address_Group] with the name of the IP address group you configured for the proxy in step 1.
- Start the Kerio Connect service.
After the above is done, Kerio Connect is configured to allow and process the above HTTP headers. Below you can find a sample nginx proxy configuration for HTTP traffic, which is provided as-is, in order to give you an idea of how to configure your nginx .conf file:
server {
    listen 80;
    # Redirect plain HTTP to HTTPS
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name mail.home.lc;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+ with OpenSSL 1.1.1+
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/connect.access.log;
    location / {
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to any X-Forwarded-For value the client sent;
        # if this nginx is the only proxy in front of Kerio Connect, $remote_addr alone drops client-supplied entries
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Request-Start $msec;
        # 10.10.10.10 is the Kerio Connect server
        proxy_pass https://10.10.10.10;
        proxy_read_timeout 600;
        # Rewrite backend redirects to the public hostname (use the same name as server_name)
        proxy_redirect https://10.10.10.10 https://mail.example.com;
    }
}
Once the above nginx configuration is in place, you will be able to check the real IP addresses of the end-users under Status > Active Connections > Active Web Sessions, as well as the Audit logs.
One important thing to take into account is that the above only takes care of HTTP/S traffic; the rest of the traffic will not be handled. You will need to define additional blocks if you also want to proxy the rest of the traffic (SMTP, IMAP, etc.).
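The trust decision that UseProxiedInfo and TrustedProxyAddressGroup enable can be sketched as follows. This is an added example, not Kerio Connect's code and not part of the original article; it shows the general trusted-proxy model, and the proxy address 10.10.10.5, the function names and the right-to-left parsing rule are assumptions.

```python
import ipaddress

# Constructed sample: stands in for the proxy IP address group from step 1.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.10.5/32")]


def is_trusted(addr):
    """True if addr parses as an IP address inside the trusted proxy group."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip, x_forwarded_for):
    """Return the address a server should log for this connection.

    peer_ip is the TCP peer; x_forwarded_for is the raw header value or None.
    """
    # A header sent by a peer outside the trusted group is ignored entirely.
    if not is_trusted(peer_ip) or not x_forwarded_for:
        return peer_ip
    # Walk right to left: the right-most entries were appended by our proxies,
    # anything further left was supplied by the client and may be forged.
    for hop in reversed(x_forwarded_for.split(",")):
        hop = hop.strip()
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed entry: fall back to the TCP peer
        if not is_trusted(hop):
            return hop
    return peer_ip  # the chain contained only trusted proxies


if __name__ == "__main__":
    cases = [  # constructed (peer, header) pairs
        ("10.10.10.5", "203.0.113.7"),           # normal proxied request
        ("10.10.10.5", "1.2.3.4, 203.0.113.7"),  # client pre-set the header
        ("198.51.100.9", "127.0.0.1"),           # direct connection, forged header
    ]
    for peer, xff in cases:
        print(peer, repr(xff), "->", effective_client_ip(peer, xff))
```

The second case is what nginx forwards when a client sends its own X-Forwarded-For and the proxy uses $proxy_add_x_forwarded_for: the forged entry stays on the left and only the right-most untrusted address is taken as the client.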
Summary
By following these steps, you should be able to configure the Kerio Connect application to correctly recognize the real IP addresses of users when used behind an nginx web proxy.
FAQ
- What is the purpose of the 'UseProxiedInfo' variable?
The 'UseProxiedInfo' variable is used to tell the Kerio Connect application to use the information provided by the proxy server.
- What is the 'TrustedProxyAddressGroup' variable used for?
The 'TrustedProxyAddressGroup' variable is used to specify the IP address group of the trusted proxy server.
- Where can I check the real IP addresses of the end-users?
The real IP addresses of the end-users can be checked under Status > Active Connections > Active Web Sessions and in the Audit log.
Priyanka Bhotika