... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
... I have understood that answers are voluntary and community-driven, and not commercial support.
... I have verified that my issue has not been already answered in the past. I also checked previous issues.
Description
After the upgrade from 2024-11b to 2025-01, the Nginx configuration was changed from
the old style to jinja2 templates, but the location of the /rspamd/auth endpoint was not migrated.
This causes a "Rspamd UI: Invalid password" message for every first login to the /rspamd location.
This triggers my fail2ban rule very fast. If I change the template to include the /rspamd/auth location
as it was before the change, everything works as before.
So I think this should be fixed, as it seems to be a regression.
In the logs of git diff below you can find my changes to fix this issue locally.
In the 2024-11b version of mailcow-dockerized/data/conf/nginx/includes/site-defaults.conf
there was a comment, "# proxy_pass is not inherited", which is the important point here.
Logs:
php-fpm-mailcow-1 | [28-Jan-2025 20:29:06] WARNING: [pool web-worker] child 68 said into stderr: "NOTICE: PHP message: Rspamd UI: Invalid password by x.x.x.x"
netfilter-mailcow-1 | x.x.x.x matched rule id 2 (Rspamd UI: Invalid password by x.x.x.x)
Steps to reproduce:
Open your mailcow's /rspamd location and watch the php-fpm-mailcow log. The error occurs without any password being sent. The second attempt will then work.
Which branch are you using?
master
Which architecture are you using?
x86
Operating System:
Rocky Linux release 9.5 (Blue Onyx)
Server/VM specifications:
8 GB / 4 cores
Is Apparmor, SELinux or similar active?
yes
Virtualization technology:
KVM
Docker version:
27.5.1
docker-compose version or docker compose version:
v2.32.4
mailcow version:
2025-01
Reverse proxy:
none
Logs of git diff:
diff --git a/data/conf/nginx/templates/sites-default.conf.j2 b/data/conf/nginx/templates/sites-default.conf.j2
index 783723bf..c32fc1a1 100644
--- a/data/conf/nginx/templates/sites-default.conf.j2
+++ b/data/conf/nginx/templates/sites-default.conf.j2
@@ -137,13 +137,20 @@ location ~ /(?:m|M)ail/(?:c|C)onfig-v1.1.xml {
{% if not SKIP_RSPAMD %}
location /rspamd/ {
- proxy_pass http://{{ RSPAMDHOST }}:11334/;
+ location /rspamd/auth {
+ proxy_pass http://{{ RSPAMDHOST }}:11334/auth;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For {% if not NGINX_USE_PROXY_PROTOCOL %}$proxy_add_x_forwarded_for{% else %}$proxy_protocol_addr{%endif%};
proxy_set_header X-Real-IP {% if not NGINX_USE_PROXY_PROTOCOL %}$remote_addr{% else %}$proxy_protocol_addr{%endif%};
proxy_redirect off;
proxy_intercept_errors on;
error_page 401 /_rspamderror.php;
+ }
+ proxy_pass http://{{ RSPAMDHOST }}:11334/;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For {% if not NGINX_USE_PROXY_PROTOCOL %}$proxy_add_x_forwarded_for{% else %}$proxy_protocol_addr{%endif%};
+ proxy_set_header X-Real-IP {% if not NGINX_USE_PROXY_PROTOCOL %}$remote_addr{% else %}$proxy_protocol_addr{%endif%};
+ proxy_redirect off;
}
{% endif %}
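Review bot: the new nested location /rspamd/auth block repeats proxy_pass without saying why. The description above notes that the 2024-11b file carried the comment "# proxy_pass is not inherited"; restoring it above proxy_pass http://{{ RSPAMDHOST }}:11334/auth; would keep a later template refactor from dropping this block again. The three proxy_set_header lines and proxy_redirect off; now appear twice, once inside the nested block and once in the lines added below it. nginx inherits proxy_set_header from the enclosing level when the inner level defines none, so they could be kept only in the outer location /rspamd/, leaving proxy_pass, proxy_intercept_errors on; and error_page 401 /_rspamderror.php; in the nested block. After this change the 401 interception applies only to /rspamd/auth and no longer to the rest of /rspamd/, so please confirm that this is the intended scope.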
Logs of iptables -L -vn:
no iptables issue
Logs of ip6tables -L -vn:
no ip6tables issue
Logs of iptables -L -vn -t nat:
no iptables issue
Logs of ip6tables -L -vn -t nat:
no ip6tables issue
DNS check:
172.64.155.249
104.18.32.7