Rspamd web ui behind Apache Reverse Proxy #4269
Hi,
and my docker compose config:

```yaml
services:
  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:latest
    container_name: mailserver
    # Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
    hostname: <mail-domain>
    env_file: mailserver.env
    # More information about the mail-server ports:
    # https://docker-mailserver.github.io/docker-mailserver/latest/config/security/understanding-the-ports/
    # To avoid conflicts with yaml base-60 float, DO NOT remove the quotation marks.
    ports:
      - "25:25"     # SMTP  (explicit TLS => STARTTLS, Authentication is DISABLED => use port 465/587 instead)
      - "143:143"   # IMAP4 (explicit TLS => STARTTLS)
      - "465:465"   # ESMTP (implicit TLS)
      - "587:587"   # ESMTP (explicit TLS => STARTTLS)
      - "993:993"   # IMAP4 (implicit TLS)
      - "4190:4190" # Managesieve
      - "127.0.0.1:9989:11334" # Rspamd web ui
    volumes:
      - ./docker-data/dms/mail-data/:/var/mail/
      - ./docker-data/dms/mail-state/:/var/mail-state/
      - ./docker-data/dms/mail-logs/:/var/log/mail/
      - ./docker-data/dms/config/:/tmp/docker-mailserver/
      - /etc/localtime:/etc/localtime:ro
    restart: always
    stop_grace_period: 1m
    # Uncomment if using `ENABLE_FAIL2BAN=1`:
    cap_add:
      - NET_ADMIN
    healthcheck:
      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
      timeout: 3s
      retries: 0
```

I couldn't find anything in the

PS: I know Apache isn't the best reverse proxy, but I haven't gotten around to migrating to a different reverse proxy.
Independently of Apache, does access from the host work?
This was intended as a working example of proxying the web UI, but it seems you've already tracked down the actual cause 👍

References:

I'm not sure where one can set what IP to bind to for the rspamd web-ui, but I can see it's already

```
$ ss -tlpn | grep rspamd
LISTEN 0 4096 127.0.0.1:11332 0.0.0.0:* users:(("rspamd",pid=597,fd=8))
LISTEN 0 4096 0.0.0.0:11334 0.0.0.0:* users:(("rspamd",pid=597,fd=12))
```

Here is a working example you can copy/paste and

```yaml
services:
  reverse-proxy:
    image: lucaslorentz/caddy-docker-proxy:2.9
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  dms:
    image: mailserver/docker-mailserver:14
    hostname: mail.example.localhost
    # Caddy-Docker-Proxy container will read these labels to proxy the service:
    # - Provide the FQDN to use with HTTPS and a certificate will be provisioned and managed for you.
    # - The `reverse_proxy` line configures the port in the container to proxy requests for that FQDN to.
    labels:
      caddy: rspamd.example.localhost
      caddy.reverse_proxy: "{{ upstreams 11334 }}"
    # Enable rspamd:
    environment:
      ENABLE_RSPAMD: 1
      # Enabling rspamd replaces these services, disable them:
      ENABLE_AMAVIS: 0
      ENABLE_OPENDKIM: 0
      ENABLE_OPENDMARC: 0
      ENABLE_POLICYD_SPF: 0
    # These files would normally be provided via `volumes`,
    # The `configs` feature allows to embed these configs in `compose.yaml` for this example.
    configs:
      - source: dms-accounts
        target: /tmp/docker-mailserver/postfix-accounts.cf
      - source: rspamd-custom-commands
        target: /tmp/docker-mailserver/rspamd/custom-commands.conf

# This uses the Docker Compose `configs` feature to simplify running this quick example with copy/paste
# - The feature is compatible with any Compose release since 2024.
# - The character `$` below is changed to `$$` to opt-out of accidental variable interpolation (Compose feature).
# Both passwords hashed below are `secret`.
configs:
  # Account provisioned already:
  dms-accounts:
    content: |
      john.doe@example.test|{SHA512-CRYPT}$$6$$sbgFRCmQ.KWS5ryb$$EsWrlYosiadgdUOxCBHY0DQ3qFbeudDhNMqHs6jZt.8gmxUwiLVy738knqkHD4zj4amkb296HFqQ3yDq4UXt8.
  # Get the bcrypt password hash from `docker compose run --rm -it dms rspamadm pw`:
  rspamd-custom-commands:
    content: |
      set-option-for-controller password "$$2$$bp33ciwq5g5x7gw6sxfngrjuqfrqo3hc$$dwjz8osmrj3m8q34e93myugg3x8s95kui76mk6trqkf5mozz9sxy"
```

Caddy recognizes

This example uses Caddy Docker Proxy with the Docker socket to monitor containers running on the same container network that the caddy service has, then checks the labels and manages the config and certs for you. You could use a separate

Likewise you can use Caddy directly and manually manage its config. Caddy is nicer to work with than nginx and apache in my experience 😅
Turns out fail2ban banned the docker container gateway...
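Since the thread never got as far as an actual Apache configuration, here is an added example (written for this page, not taken from the thread or from the docker-mailserver project) of an Apache 2.4 virtual host proxying the Rspamd web UI that the compose file in the opening post publishes on the host loopback (`127.0.0.1:9989` on the host to port `11334` in the container). The hostname `rspamd.example.test`, the certificate paths and the admin network `203.0.113.0/24` are placeholders; the example assumes `mod_ssl`, `mod_proxy`, `mod_proxy_http` and `mod_alias` are enabled.

```apache
# Added example: Apache 2.4 reverse proxy in front of the Rspamd web UI.
# Assumptions (placeholders, not from the thread): hostname rspamd.example.test,
# the certificate paths, the admin network 203.0.113.0/24, and the modules
# ssl, proxy, proxy_http and alias being enabled (a2enmod ssl proxy proxy_http alias).
#
# Upstream is the port the opening post publishes on the host loopback:
#   "127.0.0.1:9989:11334"
# Verify it answers from the host before blaming Apache (the first reply's question):
#   curl -sS -o /dev/null -w '%{http_code}\n' http://127.0.0.1:9989/

<VirtualHost *:80>
    ServerName rspamd.example.test
    # Plain HTTP only redirects; the controller password must never travel in clear.
    Redirect permanent "/" "https://rspamd.example.test/"
</VirtualHost>

<VirtualHost *:443>
    ServerName rspamd.example.test

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/rspamd.example.test/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/rspamd.example.test/privkey.pem

    # Reverse proxy only: ProxyRequests Off keeps this from becoming an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        "/" "http://127.0.0.1:9989/"
    ProxyPassReverse "/" "http://127.0.0.1:9989/"

    # Extra gate in front of Rspamd's own controller password:
    # only the admin network may reach the UI at all.
    <Location "/">
        Require ip 203.0.113.0/24
    </Location>

    ErrorLog  ${APACHE_LOG_DIR}/rspamd-proxy-error.log
    CustomLog ${APACHE_LOG_DIR}/rspamd-proxy-access.log combined
</VirtualHost>
```

Two things worth keeping in mind with this layout. The published port stays bound to `127.0.0.1`, so only processes on the host (here Apache) can reach port 9989, and the Rspamd controller password set via `custom-commands.conf` in the reply above remains the real authentication; the `Require ip` block is only an additional gate. Secondly, requests forwarded by Apache arrive inside the container from the Docker bridge gateway address rather than from the browser's address, so if fail2ban inside the container bans that gateway, which is the cause reported at the end of this thread, every proxied request stops working at once while direct access from the host appears unaffected only until the same address is hit.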