Proxying Zimbra Web and Desktop via Apache 2.2

It’s possible to proxy Zimbra for both the traditional Web client and the newer Zimbra Desktop client. There are some mostly working configurations outlined on the Zimbra wiki, with some mistakes. (I had the same experience with the DAViCal wiki, but Zimbra is a far larger effort.)

Before you attempt to reverse proxy anything, please read the definitive guide on reverse proxying at Apache Tutor. Thereafter, the following configuration ought to work correctly.

Ensure you hack your zcs installation to enable AJP support before continuing, which involves adding AJP support back into Jetty and modifying the jetty.xml.in configuration file.

<VirtualHost *:443>
 
# Your SSL stuff here
 
# Disallow forward proxying
ProxyRequests Off
ProxyVia On
 
# Prevents larger requests from failing with 503
ProxyIOBufferSize 65536
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
 
ProxyPass /home http://zimbra.mboxmaninsurance.com/home nocanon
ProxyPass /service ajp://zimbra.mboxmaninsurance.com:8009/service
ProxyPass /zimbra ajp://zimbra.mboxmaninsurance.com:8009/zimbra
 
<Location /home>
Order allow,deny
# or your domain or subnet(s)
Allow from all
ProxyPassReverse /
</Location>
 
<Location /service>
Order allow,deny
Allow from all
ProxyPassReverse /
</Location>
 
<Location /zimbra>
Order allow,deny
Allow from all
ProxyPassReverse /
</Location>
 
</VirtualHost>

First, we disable ProxyRequests. On Debian GNU/Linux, it’s off by default anyway.

The ProxyIOBufferSize is important. The default of 8K is not large enough, causing some POSTs to the Zimbra server by zdesktop to fail with a 503 error. (While the mod_proxy docs aren’t clear, you can actually set a max size of 64k when dealing with AJP requests.)

The Proxy block is necessary to allow reverse proxying to function.

Finally, we configure each proxy directive. Please note the use of nocanon, which was not introduced until at least Apache 2.2.4 (possibly later). It prevents mod_proxy from mangling the occurrence of ~ in the URL Zimbra Desktop uses to GET tar.gz files of email when syncing. Without nocanon, Zimbra Desktop will not work properly. (The Web client is unaffected.)

For each Location directive, you may wish to restrict access to your domain or subnet. If you have roaming Internet users, that may not be possible. (You could always set up a VPN, but then why bother with the above at all?)

The above configuration works with Apache 2.2.9 proxying to zcs v5.0.16. Zimbra Desktop 1.0 works, too.
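
A small check for the points made above, as an added example that is not part of the original post: it scans a vhost for ProxyRequests left on, a ProxyIOBufferSize under 65536, a /home ProxyPass without nocanon, and text after a # on a directive line. The sample configuration and the hostname zimbra.example.com are constructed for illustration.

```python
import re

# Constructed sample (not from the post): a vhost with four deliberate deviations.
SAMPLE = """\
ProxyRequests On
ProxyIOBufferSize 8192
ProxyPass /home http://zimbra.example.com/home
ProxyPass /service ajp://zimbra.example.com:8009/service
<Location /home>
Order allow,deny
Allow from all # or your subnet
</Location>
"""


def audit(conf):
    """Return (line_number, message) findings for a reverse-proxy vhost."""
    findings = []
    buffer_seen = False
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or a whole-line comment
        # httpd does not allow a comment on the same line as a directive.
        if re.search(r"\s#", line):
            findings.append((n, "text after '#' is parsed as arguments"))
        words = line.split()
        name, args = words[0].lower(), words[1:]
        if name == "proxyrequests" and [a.lower() for a in args[:1]] != ["off"]:
            findings.append((n, "ProxyRequests is not Off (forward proxying)"))
        elif name == "proxyiobuffersize":
            buffer_seen = True
            if not (args and args[0].isdigit() and int(args[0]) >= 65536):
                findings.append((n, "ProxyIOBufferSize is below 65536"))
        elif name == "proxypass" and args[:1] == ["/home"] and "nocanon" not in args:
            findings.append((n, "ProxyPass /home lacks nocanon"))
    if not buffer_seen:
        # Line 0 marks a finding about the file as a whole.
        findings.append((0, "ProxyIOBufferSize not set, the 8K default applies"))
    return findings


if __name__ == "__main__":
    for number, message in audit(SAMPLE):
        print(number, message)
```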
