Documentation is vague on how to access the web interface #12

Open
YosuCadilla opened this issue Jan 2, 2019 · 12 comments

@YosuCadilla
Contributor

YosuCadilla commented Jan 2, 2019

It reads:
If you want to access the administration page from outside current server then either modify configuration options or serve the page through Nginx or Apache.

Some guidelines on how to "modify configuration": which file(s) need editing?
and/or
Some guidelines on how to "serve the page through Nginx or Apache." Which page exactly??

@andris9
Member

andris9 commented Jan 2, 2019

I usually do not expose webadmin directly, instead I use Nginx to serve HTTP and to proxy requests to webadmin. The config file for Nginx would look like this:

# /etc/nginx/sites-enabled/webadmin.conf
server {
    listen 80;
    listen [::]:80;

    server_name webadmin.example.com;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header HOST $http_host;
        proxy_set_header X-NginX-Proxy true;

        proxy_pass http://127.0.0.1:8082;
        proxy_redirect off;
    }
}

@andris9
Member

andris9 commented Jan 2, 2019

BTW, the example configuration uses HTTP to be more simplistic; in reality I always use HTTPS. Adding HTTPS is not Zmta-Webadmin specific, it is standard Nginx configuration.

@YosuCadilla
Contributor Author

Would enabling a NAT bridge work?
As you already have a working http server, it seems redundant to add another one, especially because this interface will be used by just a person or two and very sporadically.

@andris9
Member

andris9 commented Jan 2, 2019

If you want to use the built-in HTTP server publicly then you would have to change this config and use "0.0.0.0" as the bind address instead of "127.0.0.1". I do not use it like this because Nginx allows me to use easy HTTPS and hostname-based routing instead of using port numbers (I might have other web interfaces also running on the same server, e.g. Rspamd).

@YosuCadilla
Contributor Author

Understood, thank you.
Can you please clarify on step 1?
1 - Copy these files to the same server where ZoneMTA runs
Where on the same server? Any directory in particular?

@andris9
Member

andris9 commented Jan 2, 2019

zmta-webadmin is a separate Node.js application. What I have done is that Zone-MTA itself runs from /opt/zone-mta and the webadmin from /opt/zmta-webadmin, but the actual folders do not matter.

@YosuCadilla
Contributor Author

YosuCadilla commented Jan 2, 2019

I finally got it working, thank you very much.

My /opt directory is empty but once I understood what was going on I was able to work around it.
If I understood correctly, the files ARE (or include) the http server itself.
As I followed the basic installation steps provided for ZoneMTA, my APP is in the /zone-mta-template directory...
Also, as I downloaded the files as a zip with wget, my final folder was /root/zone-mta-template/web-admin/zmta-webadmin-master

I will now test the MTA itself...

@YosuCadilla
Contributor Author

By the way, when running:
root@email-test-success:~/zone-mta-template/web-admin/zmta-webadmin-master# npm install --production

I get:
audited 420 packages in 2.382s
found 2 vulnerabilities (1 moderate, 1 high)

@rhclayto

rhclayto commented Jan 3, 2019

Any clues for how to do this proxying with a URL reached at a subfolder? For example, https://www.example.org/subfolder . With the following backend configuration in haproxy I can get the login page & the main page, but when it gets to the main page, all requests to javascript & css files are made relative to the root URL, not relative to the subfolder URL, e.g., https://www.example.org, as are any clickable links.

backend example
  http-request add-header Host "www.example.com/subfolder/"
  http-request add-header X-Real-IP %[src]
  http-request add-header X-NginX-Proxy true
  # Strip /subfolder/ from URL before sending to backend.
  reqrep ^([^\ :]*)\ /subfolder/(.*) \1\ /\2
  balance roundrobin
  server server:00 localhost:8089 weight 1 maxconn 10000 check

It seems the app & the template files are hardcoded for being served from the root URL. If I add /subfolder/ to the beginning of all href & src elements in the HTML templates, it works properly.

Edit: Hardcoding the subdirectory to the relative URLs in the href & src elements fixes the layout & links created by the templates, but it seems URL redirections created by the Express app's routes still don't work with the subfolder URL; links such as logout, the redirection upon logging in, adding things to the suppression list (form submission), etc.

Edit2: I just switched to using a subdomain, & all works fine. I would still prefer to use the subfolder way if possible, so if you know how, I would be grateful for a hint.
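
The rewrites a proxy has to perform for the subfolder setup described in the comment above, as an added example that is not part of the original thread or of zmta-webadmin: the prefix is stripped on the way in and put back on redirects, cookie paths and root-relative links on the way out. The `/subfolder` prefix is taken from the question; all function names are assumptions for illustration.

```javascript
// Added example (not zmta-webadmin code). PREFIX and all function names are assumptions.
const PREFIX = '/subfolder';

// Request side: map /subfolder/login to /login before forwarding to the backend.
// Returns null for URLs outside the mount point so the caller can refuse them.
function stripPrefix(url, prefix = PREFIX) {
  if (url === prefix) return '/';
  if (url.startsWith(prefix + '/')) return url.slice(prefix.length);
  if (url.startsWith(prefix + '?')) return '/' + url.slice(prefix.length);
  return null;
}

// True only for same-origin, root-relative paths: "/x" but not "//host/x" or "/\host/x".
function isRootRelative(value) {
  return /^\/(?![\/\\])/.test(value);
}

// Response side: redirects issued by the app ("Location: /login") need the prefix back.
// Absolute and scheme-relative targets are passed through unchanged.
function rewriteLocation(location, prefix = PREFIX) {
  return isRootRelative(location) ? prefix + location : location;
}

// Scope the session cookie to the mount point; Path=/ would send it to every
// other application served from the same host name.
function rewriteCookiePath(setCookie, prefix = PREFIX) {
  return setCookie.replace(/(;\s*path=)(\/[^;]*)/i,
    (match, key, path) => key + prefix + path);
}

// Root-relative href/src/action attributes in the HTML templates.
function rewriteHtml(html, prefix = PREFIX) {
  return html.replace(/\b(href|src|action)=(["'])\/(?![\/\\])/gi,
    (match, attr, quote) => `${attr}=${quote}${prefix}/`);
}

// Apply the header rewrites to a Node-style response header object.
function rewriteResponseHeaders(headers, prefix = PREFIX) {
  const out = { ...headers };
  if (out.location) out.location = rewriteLocation(out.location, prefix);
  if (out['set-cookie']) {
    out['set-cookie'] = [].concat(out['set-cookie']).map(c => rewriteCookiePath(c, prefix));
  }
  return out;
}
```

Rewriting only root-relative values keeps the proxy from altering redirects that point at another host, and moving the cookie path matters precisely because a subfolder deployment shares its host name with other applications.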

@YosuCadilla
Contributor Author

@rhclayto Glad to hear you got it working on a sub-domain.
Would you please be so kind as to share the required steps here? I am trying to help with documentation but I'm more of an Apache guy myself. Thank you!

@rhclayto

rhclayto commented Jan 3, 2019

@YosuCadilla I enabled a subdomain in DNS to point to my server subdomain.example.org. Then in haproxy config:

frontend public
  mode http
  # SSL Termination: Bind to port 443 with SSL.
  bind *:443 ssl crt /etc/haproxy/haproxy.pem alpn h2,http/1.1
  # Add X-Forwarded-* headers.
  http-request add-header X-Forwarded-Host %[req.hdr(host)]
  http-request add-header X-Forwarded-Server %[req.hdr(host)]
  http-request add-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  # Add X-Forwarded-For headers.
  option forwardfor
  # Extra options.
  option http-server-close
  option http-pretend-keepalive

  # Test whether the request is for the subdomain.
  acl path:subdomain hdr_dom(host) -i subdomain.example.org
  # If it is, then send it to the designated backend.
  use_backend example if path:subdomain

# The backend for requests to subdomain.example.org.
backend example
  balance roundrobin
  # Proxy requests to the zmta-webadmin server running internally on port 8089.
  server server:00 localhost:8089 weight 1 maxconn 10000 check

So I'm binding to port 443 as an SSL termination point. I'm checking if the host header of any request is from the subdomain subdomain.example.org. If it is, I'm directing those requests to the backend example. The option forwardfor option tells haproxy to add X-Forwarded-For headers to the requests it proxies to the backend. I'm also manually adding some X-Forwarded-* headers. In the backend, I'm not doing anything special, just proxying the requests to the zmta-webadmin server I have running on port 8089.

It's been so long since I've used Apache for proxying that I don't quite recall the configuration that would be needed. Probably something like:

<VirtualHost *:443>
    ServerName subdomain.example.org
    SSLCertificateFile    "/etc/letsencrypt/live/example.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8089/
    ProxyPassReverse / http://127.0.0.1:8089/
</VirtualHost>

In essence, you set up DNS to send traffic requests for your subdomain to your physical or VPS server, you have Apache on that server listening for requests on port 80 or 443 (depending on if you're using SSL), in Apache you detect if the request is for the subdomain host, & then you send those requests internally to whatever port zmta-webadmin is running on. You probably want to make sure Apache adds X-Forwarded-For & maybe the other X-Forwarded-* headers.

I hope this is of some small help to you. ¡Saludos!

@YosuCadilla
Contributor Author

It is, thank you!
I will try your method soon, and add it to documentation...
