Nginx reverse proxy to Exchange 2010/2013

nginx.conf

server {
        listen 80;
        #listen [::]:80;
        server_name mail.gwtest.us autodiscover.gwtest.us;
        return 301 https://$host$request_uri;
}

server {
        listen 443;
        #listen [::]:443 ipv6only=on;
        ssl                     on;
        ssl_certificate         /etc/ssl/nginx/mail.gwtest.us.crt;
        ssl_certificate_key     /etc/ssl/nginx/mail.gwtest.us.open.key;
        ssl_session_timeout     5m;

        server_name mail.gwtest.us;

        location / {
                return 301 https://mail.gwtest.us/owa;
        }

        proxy_read_timeout      360;
        proxy_pass_header       Date;
        proxy_pass_header       Server;
        #proxy_pass_header      Authorization;

        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

        location ~* ^/owa { proxy_pass https://exch1.test.local; }
        location ~* ^/Microsoft-Server-ActiveSync { proxy_pass https://exch1.test.local; }
        location ~* ^/ecp { proxy_pass https://exch1.test.local; }
        location ~* ^/rpc { proxy_pass https://exch1.test.local; }
        #location ~* ^/mailarchiver { proxy_pass https://mailarchiver.local; }

        error_log /var/log/nginx/owa-ssl-error.log;
        access_log /var/log/nginx/owa-ssl-access.log;
}
    

Hi Brian,

Business Objective
Outside users (users travelling) should be able to access their email through NGINX and it should redirect the connection to my Internal Exchange server for authentication and access:

1. OWA
2. Outlook Anyway
3. ActiveSync

My environment info:
Client email access through External Proxy server is mail.example.com, IP 223.153.119.18.
External DNS A record for mail.example.com point to IP 223.153.119.18

Internal Exchange server is EX-01.example.com with internal IP 10.10.10.11
Internal DNS A record for mail.example.com point to 10.10.10.11

So, if you noticed, all the outside user's email client will look for mail.example.com with external IP 223.153.119.18.

Problem:
From outside my office, i used my laptop to test.

1. Open browser, https://mail.example.com/owa
   Authentication is pop up and i entered my credentials but it keep failing and again repeating pop-up.

2. Outlook Anywhere got the pop up for authentication but it still keep failing too.

Let me give you more info. During my testing, when i type https://mail.example.com/owa, i saw this error "4027#0: *51 client x.x.x.x closed keepalive connection". FYI, ip x.x.x.x is my laptop ip address.

I also saw this error "[error] 4027#0: *43 upstream prematurely closed connection while reading upstream, client: x.x.x.x, server: mail.example.com, request: "RPC_OUT_DATA /rpc/rpcproxy.dll?EX-01.example.com:6004 HTTP/1.1", upstream: "https://10.10.10.11:443/rpc/rpcproxy.dll?EX-01.example.com:6004";, host: "mail.example.com"

Remark: Remember mail.example.com i entered in my browse will point to my external ip 223.153.119.18

Hope by looking at my below nginx config file, the NGINX or the Exchange expert can spot my mistake

Below is my NGINX config:
worker_processes 1;

events {
worker_connections 1024;
}

http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

#access_log logs/access.log main;

sendfile       on;
#tcp_nopush   on;

#keepalive_timeout 0;
keepalive_timeout 65;

#gzip on;

server {
    listen     80;
    server_name www.example.com;

    location / {
        root html;
        index index.html index.htm;
    }

    #error_page 404             /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    access_log logs/www.access.log main;
    error_log logs/www.error.log;
}


# HTTPS server
#
#server {
#   listen     443 ssl;
#   server_name localhost;

#   ssl_certificate     cert.pem;
#   ssl_certificate_key cert.key;

#   ssl_session_cache   shared:SSL:1m;
#   ssl_session_timeout 5m;

#   ssl_ciphers HIGH:!aNULL:!MD5;
#   ssl_prefer_server_ciphers on;

#   location / {
#       root html;
#       index index.html index.htm;
#   }
#}

server {
    listen 443 ssl;
    server_name   mail.example.com     autodiscover.example.com;

    ssl_certificate /etc/ssl/certs/mail.example.com.crt;
    ssl_certificate_key   /etc/ssl/private/mail.example.com.rsa;
    ssl_session_timeout   5m;

    client_max_body_size   3G;
    tcp_nodelay   on;

    proxy_request_buffering off;
    proxy_http_version     1.1;
    proxy_read_timeout     360;
    proxy_pass_header     Date;
    proxy_pass_header     Server;
    proxy_pass_header     Authorization;
    proxy_set_header       Host $host;
    proxy_set_header       X-Real-IP $remote_addr;
    proxy_set_header       X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_request_headers     on;
    proxy_set_header       Accept-Encoding "";
    proxy_buffering off;
    proxy_set_header       Connection "Keep-Alive";

    location / {
            #return 301 https://$host$request_uri;
            #return 301 https://ex-01.esuria.local/owa;
            #return 301 https://10.10.11.11/owa;
            return 301 https://mail.example.com/owa;
    }

    location ~* ^/owa {
            proxy_pass     https://EX-01.example.com;
    }

    location ~* ^/Microsoft-Server-ActiveSync {
            proxy_pass     https://EX-01.example.com;
    }

    location ~* ^/rpc {
            proxy_pass     https://EX-01.example.com;
    }

    location ~* ^/ews {
            proxy_pass     https://EX-01.example.com;
    }

    location ~* ^/autodiscover {
            proxy_pass     https://EX-01.example.com;
    }

    access_log     /usr/local/nginx/logs/mail.access.log main;
    error_log     /usr/local/nginx/logs/mail.error.log;
}

}