Issue 502 Bad Gateway on webmail.domain.com

[sahinler]

Hi to all,

After Plesk upgrade from 12.5 to Plesk Onyx, all webmail sub domains don't work.

When try to connect to webmail.domain.com (Roundcube), I have following error page:

502 Bad Gateway
nginx

I tried plesk repair but with no result for webmail subdomains.

Could say me please how to correct this error ?

Latest server informations:
‪CentOS 6.8 (Final)‬ - Plesk Onyx - Version 17.0.17 - Update n° 10

 

[Bitpalast]

Tools & Settings > E-Mail > Webmail: Do you see two webmail packages (Horde and Roundcube) there?

If no, install the webmail feature by component installation through GUI or autoinstaller.

If webmail is present, please check the content of
"/etc/httpd/conf.d/zz010_psa_httpd.conf"
Does this file include this line?
"IncludeOptional '/etc/httpd/conf/plesk.conf.d/webmails/*.conf'"

If the line is missing, reconfigure all configuration files:
# /usr/local/psa/admin/sbin/httpdmng --reconfigure-all

If this does not help or if the "IncludeOptiona..." line is present, try an auto-repair:
# plesk repair web -y

 

[sahinler]

/etc/httpd/conf.d$ /usr/local/psa/admin/sbin/httpdmng --reconfigure-all
/etc/httpd/conf.d$ plesk repair web -y

Checking Plesk version .............................................. [OK]

Checking for custom configuration templates ......................... [OK]

Checking for the JkWorkersFile directive in the Apache configuration  [OK]

Checking associations between domains and IP addresses .............. [OK]

Checking for corrupted reference between IP collections and IP      
addresses ........................................................... [OK]

Checking for links between APS applications and subscriptions ....... [OK]

Checking for the Zend extension declaraion in php.ini ............... [OK]

Check symbolic links for latest virtual host config files ........... [OK]

Checking for system users home directories consistency .............. [OK]

Checking for records with empty name field in the Configurations table[OK]

Checking for nginx ULIMIT value ..................................... [OK]

Checking for extra configurations in database not owned by any object

  There are some unnecessary configurations in the database. Please  
  check http://kb.plesk.com/116412 for solution ..................... [WARNING]

Repairing web server configuration
    Reinstalling SSL/TLS certificates ............................... [OK]
    Applying the default SSL/TLS certificate to all IP addresses .... [OK]
    Repairing server-wide configuration parameters for web servers .. [OK]
    Updating the file of sharing passwords and permissions of users  
    according to actual information ................................. [OK]
    Repairing web server configuration for all domains. This aspect  
    can be used with individual domains ("plesk repair web          
    example.com"), and on the server level ("plesk repair web") ..... [OK]

Checking the usage of PHP handlers .................................. [OK]

Error messages: 0; Warnings: 1; Errors resolved: 0

Any change

 

[Bitpalast]

Does "/etc/httpd/conf.d/zz010_psa_httpd.conf" include this line?
"IncludeOptional '/etc/httpd/conf/plesk.conf.d/webmails/*.conf'"

Are the webmail configuration files present in "/etc/httpd/conf/plesk.conf.d/webmails"?

The moment (timecode) you open webmail.domain.tld, what is logged in
/var/log/httpd/error_log
/var/log/nginx/error.log
/var/log/messages
?

 

[sahinler]

Peter, I thank you for your help but in these log files no information to solve this problem:

zz010_psa_httpd.conf has following lines:

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
Include '/etc/httpd/conf/plesk.conf.d/server.conf'
Include '/etc/httpd/conf/plesk.conf.d/webmails/*.conf'
Include '/etc/httpd/conf/plesk.conf.d/vhosts/*.conf'
Include '/etc/httpd/conf/plesk.conf.d/forwarding/*.conf'
Include '/etc/httpd/conf/plesk.conf.d/wildcards/*.conf'

Which is correct commande: Include or IncludeOptional ?

httpd/error_log has any information about "webmail" :

[Mon Dec 12 19:00:06 2016]
....
[Mon Dec 12 19:00:06 2016] [warn] RSA server certificate CommonName (CN) `Parallels Panel' does NOT match server name!?
[Mon Dec 12 19:00:06 2016] [warn] RSA server certificate CommonName (CN) `Parallels Panel' does NOT match server name!?
[Mon Dec 12 19:00:06 2016] [warn] RSA server certificate CommonName (CN) `Parallels Panel' does NOT match server name!?
[Mon Dec 12 19:00:06 2016] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Dec 12 19:00:06 2016] [notice] Apache/2.2.15 (Unix) DAV/2 mod_fcgid/2.3.9 mod_python/3.3.1 Python/2.6.6 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations

nginx/error.log

2016/12/12 16:35:25 [error] 22957#0: *176 connect() failed (111: Connection refused) while connecting to upstream, client: 88.MypersonalIP.IP.IP, server: webmail.domain.com, request: "GET / HTTP/1.1", upstream: "http://62.MyserverIP.IP.IP:7080/", host: "webmail.domain.com"
2016/12/12 16:35:26 [error] 22957#0: *176 connect() failed (111: Connection refused) while connecting to upstream, client: 88.MypersonalIP.IP.IP, server: webmail.domain.com, request: "GET / HTTP/1.1", upstream: "http://62.MyserverIP.IP.IP:7080/", host: "webmail.domain.com"
2016/12/12 16:37:30 [error] 22957#0: *537 connect() failed (111: Connection refused) while connecting to upstream, client: 88.MypersonalIP.IP.IP, server: webmail.domain.com, request: "GET / HTTP/1.1", upstream: "http://62.MyserverIP.IP.IP:7080/", host: "webmail.domain.com"
2016/12/12 19:27:40 [error] 35339#0: *2640 connect() failed (111: Connection refused) while connecting to upstream, client: 88.MypersonalIP.IP.IP, server: webmail.domain.com, request: "GET / HTTP/1.1", upstream: "http://62.MyserverIP.IP.IP:7080/", host: "webmail.domain.com"
2016/12/12 19:27:40 [error] 35339#0: *2640 connect() failed (111: Connection refused) while connecting to upstream, client: 88.MypersonalIP.IP.IP, server: webmail.domain.com, request: "GET /favicon.ico HTTP/1.1", upstream: "http://62.MyserverIP.IP.IP:7080/favicon.ico", host: "webmail.domain.com"

messages

Dec 12 19:29:40 sd-68682 xinetd[4458]: START: smtp pid=37326 from=::ffff:155.133.82.152
Dec 12 19:29:41 sd-68682 xinetd[4458]: EXIT: smtp status=0 pid=37326 duration=1(sec)
Dec 12 19:30:01 sd-68682 xinetd[4458]: START: smtp pid=37345 from=::ffff:185.52.148.155
Dec 12 19:30:01 sd-68682 xinetd[4458]: EXIT: smtp status=0 pid=37345 duration=0(sec)
Dec 12 19:30:33 sd-68682 xinetd[4458]: START: smtp pid=37374 from=::ffff:89.33.161.12
Dec 12 19:30:33 sd-68682 xinetd[4458]: EXIT: smtp status=0 pid=37374 duration=0(sec)
Dec 12 19:31:10 sd-68682 xinetd[4458]: START: submission pid=37415 from=::ffff:94.102.49.190
Dec 12 19:31:16 sd-68682 xinetd[4458]: EXIT: submission status=1 pid=37415 duration=6(sec)
Dec 12 19:32:37 sd-68682 xinetd[4458]: START: smtp pid=37479 from=::ffff:181.228.15.164
Dec 12 19:33:09 sd-68682 xinetd[4458]: EXIT: smtp status=0 pid=37479 duration=32(sec)

 

[Bitpalast]

Include vs. IncludeOptional: In my reference system, it ought to be IncludeOptional for webmails, vhosts, forwarding, wildcards. As long as all paths exist that are mentioned in these commands I think it can also be Include, because in that case it does not make a difference. IncludeOptional silently ignores the directive if the path defined in it does not exists or is inaccessible. Include does not ignore the directive, but throws and error if a referenced path is missing. I assume that you made sure that the /webmails path exists and that it does contain webmail configuration files.

I have a really dumb question: Are you sure that the issue only affects webmail? If the above entries are all present and the log error messages are what they are, you should not only have this problem with the webmail subdomain, but with all websites served by Apache as a backend to Nginx. I cannot think of a reason why specifically the webmail-subdomains cannot be served for a "connection refused" error while other domains can be served through Nginx.

Just to make sure, could you please verify that in your Fail2Ban whitelist you have included
a) the public IPv4 of your host
b) 127.0.0.1
and that neither one is blocked by Fail2Ban? I am confused that there are no significant errors but the "connection refused".

If nothing works, as a last resort, you can temporarily disable Nginx until a real solution is found and see if things work for your system when Apache serves the webmail subdomains directly instead of going through Nginx as a reverse proxy.
To disable Nginx:
/usr/local/psa/admin/sbin/nginxmng -d
To enable it again:
/usr/local/psa/admin/sbin/nginxmng -e

 

[sahinler]

I had this problem with upgrade to NGINX, because recently I was on mod_php served by Apache use, but with correcting all Domains ".htaccess" directives these are fixed. But problem not resolve only on webmail subdomains.

 

[Bitpalast]

For some reason Nginx does not receive a response from the backend Apache server. There are a few reasons why that can be the case, for example:
- Apache is not running
- Configuration files are missing or inaccessible
- A 3rd-pty software like SELinux is blocking something or keeping Apache from reading the webmails-config files
- A firewall or security software is blocking something, e.g. port 7080
- Everything else is fine, but PHP is disabled on the host's Apache configuration

Can you please verify that Apache is running?
# service httpd status

Are you using AppArmor?
# apparmor_status
If so, could you disable it temporarily and test webmail again?

Can you please check, if you have SELinux enabled?
# sestatus
If so, could you disable it temporarily and test webmail again?

Did you make any changes to the host's php.ini file, e.g. disable functions?

When you place an index.php-file into your /var/www/vhosts/default/htdocs directory and then enter the URL of your host into a browser: Do you see what the php-file ought to display? This test shall verify that vendor PHP is activated on the host and the Apache php module is active.

If I was you I'd probably disable Nginx, then open a webmail subdomain and then look at the httpd-log (Apache log) to get more information on what's going on.

 

[sahinler]

Apache runinng

/var/www/vhosts/groupeimmobilis.fr/httpdocs$ service httpd status
httpd (pid 25730) is running...

There is no apparmor

/var/www/vhosts/groupeimmobilis.fr/httpdocs$ apparmor_status
-bash: line 12: apparmor_status: command not found

SELinux disabled

/var/www/vhosts/groupeimmobilis.fr/httpdocs$ sestatus
SELinux status: disabled

I Check with disabling NGINX

/var/www/vhosts/groupeimmobilis.fr/httpdocs$ service nginx stop
Stopping nginx: [ OK ]

PHP is active but PHP apache module has error if I activate php_mod served by Apache domain don't respond.
Actually no result

 

[Bitpalast]

Webmail is using the PHP version provided by your OS vendor. Obviously that package has been damaged or the integration with Apache has been damaged, else mod_php would work with Apache. As PHP is unavailable for Apache, Apache cannot serve webmail contents, resulting in empty or no content delivered to Nginx, resulting in the 502 error for all your webmail subdomains.

I suggest that you reinstall PHP that comes with your operating system. The process of doing that depends on your operating system and version. On Redhat or CentOS you could try
# yum remove php
followed by
# yum install php

What I am unsure about due to lack of experience is whether after that procedure the Plesk Apache module must be reinstalled, too. I do not know whether PHP installation will automatically integrate with Apache in this case or whether Apache will look for PHP when installing. This might need additional input from other forum users.

 

[sahinler]

Peter, I had removed and reinstalled php with SSH like as your codes. I had removed also Rouncube, Horde and reinstalled after a reboot.

Unfortunately any change is made. I have always same bugs.

 

[Bitpalast]

The issue cannot be fixed by "reinstalling" OS vendor PHP through the Plesk GUI installer, because that is actually not really "installing" it. Did you reinstall PHP on the OS level?

Really sorry for your situation, but before you look at anything inside Plesk, first you need to make sure that your OS vendor PHP is fully operational. From your description above it is clear that something is misconfigured there. The webmail issue is most likely caused by that. You can normally test OS vendor PHP by placing a file into /var/www/vhosts/default/htdocs, e.g. "phpinfo.php" with a simple content like "<?php phpinfo(); ?>". Then try to open that file from the host's domain, e.g. http://my-host-domain.com/phpinfo.php. "my-host-domain.com" is the domain that you normally use to login to Plesk, e.g. https://my-host-domain.com:8443, it is not any subscription domain.