OWA (Outlook Web Access) is the webmail interface of Exchange Server. It runs on IIS, and for this and other reasons (several worm and exploit warnings have been published for it) it is not a good idea to expose the webmail interface, and consequently the mail server itself, directly to the Internet. Microsoft sells ISA Server (Internet Security and Acceleration Server), a firewall and proxy product, for exactly this purpose.
But there is a cheap solution using Apache 2.0 with mod_ssl plus mod_proxy, and this article explains step by step how to put a protective reverse proxy in front of OWA. We also need a self-signed or CA-issued certificate in PEM format for the SSL encryption. Because SSL is terminated at the proxy, OWA itself does not need HTTPS.
Some fixed information for the examples: 192.168.0.100 is the Exchange Server, called exchange.lan.
192.168.0.50 is the Apache proxy, reachable from the Internet at the public IP a.b.c.d, which external DNS resolves as webmail.mydomain.com.
Let's start by configuring mod_ssl and mod_proxy on the Apache web server. First check whether these modules are already enabled.
From the command line run: a2enmod -l
The result will be similar to
actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 proxy headers proxy_http proxy_ftp proxy_connect
The goal is to see the following modules in the list: ssl, proxy, proxy_http and headers. (proxy_connect only adds support for the CONNECT method used by forward proxies; with ProxyRequests Off, as configured below, it is never used and can be left out.)
With a2enmod ssl, a2enmod proxy, a2enmod proxy_http and a2enmod headers you enable the modules (they are usually shipped with the Apache package) so that they are loaded when the Apache web server starts; a2enmod -q MODULE only checks whether a module is enabled, it does not add it.
On SUSE Linux Enterprise we also changed the APACHE_SERVER_FLAGS variable to "SSL": the virtual host below is wrapped in <IfDefine SSL> and <IfDefine !NOSSL>, so Apache must be started with -DSSL (and not with -DNOSSL) for it to be loaded. The variable can be changed within YaST -> System -> /etc/sysconfig Editor, Network/WWW, or directly in the /etc/sysconfig/apache2 file.
The second step is to make the appropriate changes in the Apache configuration, with a virtual host:

```apache
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost *:443>
    DocumentRoot "/srv/www/htdocs"
    ServerName webmail.mydomain.com
    ServerAdmin support@mydomain.com

    # Tell OWA (Exchange 2003) that the client side of the connection is HTTPS,
    # so the links it generates use https:// although the proxy speaks plain HTTP to it.
    RequestHeader set Front-End-Https "On"

    # Reverse proxy only: never act as a forward (open) proxy for arbitrary hosts.
    ProxyRequests Off
    # Pass the client's Host: header through unchanged to Exchange.
    ProxyPreserveHost On

    ErrorLog /var/log/apache2/webmailssl_error_log
    TransferLog /var/log/apache2/webmailssl_access_log
    CustomLog /var/log/apache2/ssl_request_log ssl_combined

    SSLEngine on
    # The distribution default (ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL)
    # still allows export, LOW, NULL and SSLv2 ciphers. Since the whole point of the
    # proxy is to protect the credentials, restrict to strong suites and disable SSLv2/SSLv3.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/apache2/ssl.crt/owaserver.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/owaserver.key

    # Workarounds for old Internet Explorer SSL bugs.
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    <Location /exchange>
        ProxyPass http://webmail.mydomain.com/exchange
        ProxyPassReverse http://webmail.mydomain.com/exchange
        SetEnv force-proxy-request-1.0 1
        SetEnv proxy-nokeepalive 1
        SSLRequireSSL
    </Location>

    <Location /exchweb>
        ProxyPass http://webmail.mydomain.com/exchweb
        ProxyPassReverse http://webmail.mydomain.com/exchweb
        SetEnv force-proxy-request-1.0 1
        SetEnv proxy-nokeepalive 1
        SSLRequireSSL
    </Location>

    <Location /public>
        ProxyPass http://webmail.mydomain.com/public
        ProxyPassReverse http://webmail.mydomain.com/public
        SetEnv force-proxy-request-1.0 1
        SetEnv proxy-nokeepalive 1
        SSLRequireSSL
    </Location>
</VirtualHost>
</IfDefine>
</IfDefine>
```
ProxyPreserveHost On passes the original Host header supplied by the client through to the back-end server (Exchange), so OWA sees webmail.mydomain.com rather than whatever name the proxy would otherwise put in the request.
RequestHeader set Front-End-Https "On" tells OWA that the client reached it over HTTPS, so the links it generates use https:// instead of http://. This is required because the SSL tunnel is terminated at the reverse proxy and plain, unencrypted HTTP is used between the proxy and OWA.
SSLCertificateFile and SSLCertificateKeyFile point to the certificate and key (.crt and .key, PEM format), either self-signed or bought from a certificate authority. OWA uses Basic authentication, so the user's credentials travel in clear text between the proxy and OWA; encrypting the client-to-proxy leg with SSL is therefore the minimum best practice, and the proxy-to-Exchange leg must stay on a trusted internal network.
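To produce the certificate and key files that the SSLCertificateFile and SSLCertificateKeyFile directives reference, here is an added shell script (it is not code from the original article) that generates a self-signed RSA key pair with OpenSSL and verifies that the private key really belongs to the certificate before you install it. The output directory, the 365-day default lifetime and the hostname are assumptions; -addext requires OpenSSL 1.1.1 or later, so older versions get a CN-only certificate.

```shell
#!/bin/sh
# Added example, not code from the original article: create the self-signed
# certificate/key pair that the SSLCertificateFile / SSLCertificateKeyFile
# directives expect, and check that the two files belong together.
# Assumptions: OpenSSL is installed; the output directory and the lifetime
# (default 365 days) are arbitrary choices you can change.

set -eu

# make_owa_cert DIR HOSTNAME [DAYS]
# Writes DIR/owaserver.key (2048-bit RSA, unencrypted so Apache can start
# without a passphrase prompt) and DIR/owaserver.crt, both PEM, self-signed,
# with CN and subjectAltName set to HOSTNAME.
make_owa_cert() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir"
    # -addext (subjectAltName) exists in OpenSSL 1.1.1+; browsers match the
    # SAN, not the CN. Older OpenSSL falls back to a CN-only certificate.
    if ! openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
            -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
            -keyout "$dir/owaserver.key" -out "$dir/owaserver.crt" 2>/dev/null; then
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
            -subj "/CN=$host" \
            -keyout "$dir/owaserver.key" -out "$dir/owaserver.crt" 2>/dev/null
    fi
    chmod 600 "$dir/owaserver.key"   # private key: readable by root only
}

# cert_matches_key DIR: exit 0 when the certificate's public-key modulus
# equals the private key's modulus, i.e. Apache will accept the pair.
cert_matches_key() {
    dir=$1
    c=$(openssl x509 -in "$dir/owaserver.crt" -noout -modulus)
    k=$(openssl rsa  -in "$dir/owaserver.key" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_info DIR: print subject and expiry, handy before copying the files
# into /etc/apache2/ssl.crt and /etc/apache2/ssl.key.
cert_info() {
    openssl x509 -in "$1/owaserver.crt" -noout -subject -enddate
}

# Usage: sh make_owa_cert.sh /tmp/owa-ssl webmail.mydomain.com [365]
if [ $# -ge 2 ]; then
    make_owa_cert "$1" "$2" "${3:-365}"
    cert_matches_key "$1" && echo "key and certificate match"
    cert_info "$1"
fi
```

Copy owaserver.crt to /etc/apache2/ssl.crt/ and owaserver.key to /etc/apache2/ssl.key/ (the paths used in the virtual host) and keep the key mode 600. A self-signed certificate makes browsers warn on every visit, which trains users to click through warnings; a certificate from a CA avoids that and is the better choice for anything facing the Internet.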
Now the most interesting directive:

```apache
<Location /exchange>
    ProxyPass http://webmail.mydomain.com/exchange
    ProxyPassReverse http://webmail.mydomain.com/exchange
    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1
    SSLRequireSSL
</Location>
```

For OWA we need to proxy /exchange, /exchweb and /public; nothing else from the Exchange server is forwarded, and SSLRequireSSL refuses any request for these paths that did not arrive over SSL.
With SetEnv force-proxy-request-1.0 1 and SetEnv proxy-nokeepalive 1 you can avoid some trouble, as described in the Apache documentation under "Protocol Adjustments" (http://httpd.apache.org/docs/2.2/mod/mod_proxy.html):
"For circumstances where you have a application server which doesn't implement keepalives or HTTP/1.1 properly, there are 2 environment variables which when set send a HTTP/1.0 with no keepalive. These are set via the SetEnv directive."
Now we only have to tell the proxy server where webmail.mydomain.com is. The ProxyPass targets use the public name, and without a local override the proxy would resolve that name to its own public address a.b.c.d and proxy to itself. Open /etc/hosts and append at the end of the file:
192.168.0.100 webmail.mydomain.com
Everything is done: start your Apache web server and connect (from outside) to https://webmail.mydomain.com/exchange. If all is OK, you should see a popup requesting credentials, which is OWA's authentication challenge passed through the proxy.
Finally, a little trick: if you want to redirect users who type http://webmail.mydomain.com (plain HTTP) to https://webmail.mydomain.com/exchange, you can add this port-80 virtual host. Simply change the RedirectMatch directives to your needs.

```apache
<VirtualHost *:80>
    ServerAdmin support@mydomain.com
    ServerName webmail.mydomain.com
    ErrorLog /var/log/apache2/webmail.error_log
    CustomLog /var/log/apache2/webmail.access_log combined
    # Do not advertise the server version on error pages.
    ServerSignature Off
    # "/" goes straight to OWA; anything else keeps its path but switches to HTTPS.
    # Both patterns are anchored: an unanchored "/$" would also send
    # /public/ or /exchweb/ to /exchange.
    RedirectMatch permanent ^/$ https://webmail.mydomain.com/exchange
    RedirectMatch permanent ^(/.*) https://webmail.mydomain.com$1
</VirtualHost>
```
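Once both virtual hosts are in place, the two things worth checking from outside are that plain HTTP never reaches OWA (it is redirected to HTTPS) and that https://webmail.mydomain.com/exchange really answers with a 401 and a WWW-Authenticate challenge, i.e. the credential popup described above. The following shell script is an added example, not part of the original article: it parses response header blocks and applies those two checks. The sample header blocks are constructed so the checks can be run offline; the probe function fetches the real headers with curl, and the hostname follows the article's setup.

```shell
#!/bin/sh
# Added example, not part of the original article: an external smoke test of
# the finished proxy. It checks the two behaviours the article promises:
#   1. plain http://webmail.mydomain.com/... is redirected to https://
#   2. https://webmail.mydomain.com/exchange answers 401 with a
#      WWW-Authenticate header (the credential popup), i.e. OWA is reached
#      through the proxy and only over SSL.
# The header blocks below are constructed samples so the checks can be
# exercised offline; "probe" runs them against the live host with curl.

set -u

OWA_HOST=webmail.mydomain.com   # name from the article; change for your setup

# status_of HEADERS -> the three-digit status code of the first response line
status_of() {
    printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# header_value HEADERS NAME -> value of header NAME (case-insensitive), empty if absent
header_value() {
    printf '%s\n' "$1" | tr -d '\r' |
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        index($0, ":") {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) {
                val = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", val)
                print val
                exit
            }
        }'
}

# check_https_redirect HEADERS: a 301/302 whose Location is on the HTTPS site
check_https_redirect() {
    case "$(status_of "$1")" in 301|302) ;; *) return 1 ;; esac
    case "$(header_value "$1" Location)" in
        "https://$OWA_HOST/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_owa_auth HEADERS: a 401 plus a WWW-Authenticate challenge
check_owa_auth() {
    [ "$(status_of "$1")" = 401 ] && [ -n "$(header_value "$1" WWW-Authenticate)" ]
}

# Constructed sample responses (not captured from a real server).
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://webmail.mydomain.com/exchange
Content-Type: text/html; charset=iso-8859-1
'
SAMPLE_AUTH='HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/6.0
WWW-Authenticate: Basic realm="webmail.mydomain.com"
Content-Type: text/html
'

# probe: fetch the real headers with curl and run both checks.
probe() {
    h=$(curl -sS -D - -o /dev/null "http://$OWA_HOST/exchange")
    if check_https_redirect "$h"; then echo "OK   port 80 redirects to HTTPS"
    else echo "FAIL plain HTTP /exchange was not redirected to HTTPS"; fi
    # -k only because the article allows a self-signed certificate; drop it
    # once a CA-issued certificate is installed.
    h=$(curl -sS -k -D - -o /dev/null "https://$OWA_HOST/exchange")
    if check_owa_auth "$h"; then echo "OK   OWA challenges for credentials over SSL"
    else echo "FAIL no 401/WWW-Authenticate from https://$OWA_HOST/exchange"; fi
}

# Usage: sh check_owa_proxy.sh probe
if [ "${1:-}" = probe ]; then probe; fi
```

Run it from a machine outside your network (sh check_owa_proxy.sh probe). A 200 instead of a redirect on port 80 means credentials could be typed into a clear-text page; anything other than a 401 on the HTTPS /exchange path usually means the /etc/hosts entry or the ProxyPass target is wrong and the proxy is not reaching Exchange.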