```nginx
server {
    listen 80;
    #listen [::]:80;
    server_name mail.gwtest.us autodiscover.gwtest.us;
    return 301 https://$host$request_uri;
}
server {
    listen 443;
    #listen [::]:443 ipv6only=on;
    ssl on;   # obsolete since nginx 1.15.0; current syntax is "listen 443 ssl;"
    ssl_certificate /etc/ssl/nginx/mail.gwtest.us.crt;
    ssl_certificate_key /etc/ssl/nginx/mail.gwtest.us.open.key;
    ssl_session_timeout 5m;
    server_name mail.gwtest.us;
    location / {
        return 301 https://mail.gwtest.us/owa;
    }
    proxy_read_timeout 360;
    proxy_pass_header Date;
    proxy_pass_header Server;
    #proxy_pass_header Authorization;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location ~* ^/owa { proxy_pass https://exch1.test.local; }
    location ~* ^/Microsoft-Server-ActiveSync { proxy_pass https://exch1.test.local; }
    location ~* ^/ecp { proxy_pass https://exch1.test.local; }
    location ~* ^/rpc { proxy_pass https://exch1.test.local; }
    #location ~* ^/mailarchiver { proxy_pass https://mailarchiver.local; }
    error_log /var/log/nginx/owa-ssl-error.log;
    access_log /var/log/nginx/owa-ssl-access.log;
}
```
That is a certificate/key pair that you'll need to generate yourself. They don't need to be named that; you should probably review SSL certificates in Nginx if you're asking that question.
I encountered a problem while proxying RPC. In the logs it looks as follows:
```
"RPC_IN_DATA /rpc/rpcproxy.dll?srv5.domain.loc:6004 HTTP/1.1" 408 0 "-" "MSRPC"
"RPC_OUT_DATA /rpc/rpcproxy.dll?srv5.domain.loc:6001 HTTP/1.1" 200 0 "-" "MSRPC"
```
As alluded to by @de1phi48, unfortunately this configuration, and Nginx in general, will not work with Exchange's RPC over HTTP (Outlook Anywhere). Consider something like Squid or HAProxy if you need this; otherwise, if you don't need Outlook Anywhere, this configuration is solid.
I have found a solution for Outlook Anywhere -- it will work on nginx starting from 1.7.11.
All you need is to add `proxy_pass_request_headers on;` to the server section.
In this configuration, notifications in OWA don't work either.
Final config:
```nginx
server {
    server_name mail.contoso.com;
    server_name autodiscover.contoso.com;
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    server_name mail.contoso.com;
    server_name autodiscover.contoso.com;
    keepalive_timeout 3h;
    proxy_read_timeout 3h;
    #reset_timedout_connection on;
    tcp_nodelay on;
    listen 443 ssl;
    client_max_body_size 3G;
    #proxy_pass_header Authorization;
    proxy_pass_header Date;
    proxy_pass_header Server;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Accept-Encoding "";
    proxy_pass_request_headers on;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_request_buffering off;
    proxy_buffering off;
    proxy_set_header Connection "Keep-Alive";
    location / {
        proxy_pass https://exchange.internal/;
        proxy_next_upstream error timeout invalid_header http_500 http_503;
    }
}
```
For sure it would be better to add restrictions so that only the needed locations are reachable, etc., but it's nice that all functionality works fine =)
Does this configuration work for Outlook Anywhere?
Hello,
Thank you for your script, but ActiveSync doesn't work ...
Any solution ?
Regards,
Currently using Tigunov's config, did anyone get ActiveSync to work (I'd be happy with Basic Authentication, NTLM seems to be impossible right now)?
When using the Exchange Connectivity test (Microsoft's online version), I now get up to the point where ActiveSync is tested (which is a lot further). "OPTIONS" tests fine, but "FolderSync" fails.
@jbostoen did you make sure it works without nginx in front? I spent a lot of time on this and it turned out to be an exchange issue that needed fixing.
I finally got this working and posted the detailed instructions on my blog. http://blog.adamjoshuasmith.com/deploying-exchange-2016-behind-nginx-free/
@jbostoen I believe your issue is that you are using an admin user account, which will not work with ActiveSync. Try creating a new user who is only in the Domain Users group and test ActiveSync with that mailbox. If it works, you know where your problem is.
Just stumbling back on this. Desktop Outlook is what I need to get working...
Thanks for the great write-up!
I have tried the configs from tigunov and from adamjs83, but neither works with Outlook Anywhere on Exchange 2013 with RPC over HTTP. Nginx logging shows 401 for RPC_IN_DATA and Outlook keeps asking for login credentials. Does somebody know what I am doing wrong here?
This worked for me: https://gist.github.com/enoch85/573dac9005f0c8f1b826cc22e520e0ae
> I have tried the configs from tigunov and from adamjs83, but neither works with Outlook Anywhere on Exchange 2013 with RPC over HTTP. Nginx logging shows 401 for RPC_IN_DATA and Outlook keeps asking for login credentials. Does somebody know what I am doing wrong here?
RPC doesn't work with the free version... the last time I tried to go down this hole it led me to that answer.
> Just stumbling back on this. Desktop Outlook is what I need to get working...
> Thanks for the great write-up!
Did you ever find out what was causing your FolderSync issues? I get a 502 bad gateway.
> RPC doesn't work with the free version...
I'm running Exchange 2010 with RPC over HTTP. All is working well including RPC and no 401 is generated.
The config is similar to https://gist.github.com/enoch85/573dac9005f0c8f1b826cc22e520e0ae with the only difference that I also pass 2 more headers:
```nginx
proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization;
```
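Added example, not from the gist or from any commenter: a small POSIX shell triage of the nginx access log for the symptoms reported in this thread (408 on RPC_IN_DATA in the log excerpt above, 401 on RPC_IN_DATA with Outlook re-prompting for credentials, 502 on FolderSync). The log lines inside are constructed in nginx's default "combined" format; the function names and the temp-file path are my own.

```shell
#!/bin/sh
# Added example (not from the gist): triage an nginx access log for the
# Exchange proxy symptoms discussed in the thread. Log lines are constructed.
set -eu

# write_sample_log: writes a few constructed access-log lines in nginx's
# default "combined" format and prints the file path.
write_sample_log() {
  f="${TMPDIR:-/tmp}/owa-ssl-access.sample.$$"
  cat > "$f" <<'EOF'
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "RPC_IN_DATA /rpc/rpcproxy.dll?srv5.domain.loc:6004 HTTP/1.1" 408 0 "-" "MSRPC"
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "RPC_OUT_DATA /rpc/rpcproxy.dll?srv5.domain.loc:6001 HTTP/1.1" 200 0 "-" "MSRPC"
10.0.0.6 - - [01/Jan/2020:10:00:05 +0000] "RPC_IN_DATA /rpc/rpcproxy.dll?srv5.domain.loc:6004 HTTP/1.1" 401 0 "-" "MSRPC"
10.0.0.6 - - [01/Jan/2020:10:00:05 +0000] "RPC_OUT_DATA /rpc/rpcproxy.dll?srv5.domain.loc:6001 HTTP/1.1" 200 0 "-" "MSRPC"
10.0.0.7 - - [01/Jan/2020:10:00:09 +0000] "GET /owa/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.8 - - [01/Jan/2020:10:00:12 +0000] "POST /Microsoft-Server-ActiveSync?Cmd=FolderSync HTTP/1.1" 502 0 "-" "Android"
10.0.0.8 - - [01/Jan/2020:10:00:11 +0000] "OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1" 200 0 "-" "Android"
EOF
  printf '%s\n' "$f"
}

# request_status LOG: prints "METHOD PATH STATUS" per line. The request line is
# the second double-quoted field of the combined format; the status follows it.
request_status() {
  awk -F'"' '{ split($2, r, " "); print r[1], r[2], $3 + 0 }' "$1"
}

# rpc_failures LOG: number of Outlook Anywhere (RPC over HTTP) requests that did
# not succeed. 401 = the proxy is not passing authentication through, 408 = the
# long-lived RPC_IN_DATA channel hit a read timeout, 5xx = upstream problem.
rpc_failures() {
  request_status "$1" | awk '$1 ~ /^RPC_(IN|OUT)_DATA$/ && $3 >= 400 { n++ } END { print n + 0 }'
}

# activesync_failures LOG: same count for the ActiveSync endpoint (FolderSync etc.).
activesync_failures() {
  request_status "$1" | awk '$2 ~ /^\/Microsoft-Server-ActiveSync/ && $3 >= 400 { n++ } END { print n + 0 }'
}

# failure_summary LOG: per method/status counts of failed requests, sorted.
failure_summary() {
  request_status "$1" | awk '$3 >= 400 { c[$1 " " $3]++ } END { for (k in c) print k, c[k] }' | sort
}

# Run stand-alone: summarise the constructed sample.
LOG=$(write_sample_log)
echo "RPC failures:        $(rpc_failures "$LOG")"
echo "ActiveSync failures: $(activesync_failures "$LOG")"
failure_summary "$LOG"
```

Point the functions at the real `access_log` path from the config (for example `/var/log/nginx/owa-ssl-access.log`) instead of the sample file; the parsing only assumes the default combined format, so a custom `log_format` needs the awk field positions adjusted.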
Thanks @Alex-JTI, it's now updated!
Hello! I want to make a reverse proxy for MS Exchange using nginx with the spnego-http-auth-nginx-module module. How can I make nginx check clients using certificates and, if they pass, authorize them on MS Exchange using Kerberos? Clients must connect to MS Exchange via ActiveSync. Configuration example:
```nginx
server {
    server_name rp.blablabla.com;
    listen 443 ssl;
    ssl_certificate /etc/ssl/nginx/cert.pem;
    ssl_certificate_key /etc/ssl/nginx/cert.pem;
    ssl_session_timeout 5m;
    client_max_body_size 2G;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # SSLv3 and TLS 1.0/1.1 are obsolete; prefer "TLSv1.2 TLSv1.3"
    ssl_verify_client on;
    ssl_verify_depth 5;
    ssl_client_certificate /etc/ssl/nginx/cert.pem;   # clients are accepted only if their certificate chains to a CA in this file
    proxy_set_header Host $proxy_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #keepalive is only supported in HTTP/1.1; the default is 1.0.
    proxy_http_version 1.1;
    location ~* ^/Microsoft-Server-ActiveSync {
        proxy_pass https://exchange.blablabla.local;
        auth_gss on;
        auth_gss_realm BLABLABLA.LOCAL;
        auth_gss_keytab /etc/nginx/spnego.keytab;
        auth_gss_service_name HTTP/rp-mail;
        auth_gss_allow_basic_fallback off;
    }
}
```
Maybe there is another way to implement the connection of remote clients via ActiveSync with certificate verification, as it is implemented on Microsoft Forefront Threat Management Gateway?
@Alex-JTI Thank you! Your solution worked for me. I made some slight modifications, because I am using it for Microsoft RemoteApp instead of Exchange, but same RPC over HTTP situation.
Just a fast question: where do I get mail.gwtest.us.open.key and mail.gwtest.us.crt?
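Added example, not from the gist or any commenter: since the answer to this question earlier in the thread is "generate the pair yourself", this POSIX shell script builds a private CA, issues a server certificate/key pair of the kind `ssl_certificate` / `ssl_certificate_key` point at, issues client certificates, and then runs the two checks that matter for nginx: that the key really belongs to the certificate, and (what `ssl_verify_client on` does against `ssl_client_certificate` in the ActiveSync/spnego config above) that a client certificate chains to the configured CA while one from a different CA does not. The names internal-ca, mail.example.test, client1 and outsider are made up; it needs the `openssl` command-line tool (1.1.1 or newer) and writes into a temporary directory.

```shell
#!/bin/sh
# Added example, not from the gist: build the certificate/key files the configs
# above refer to, and check them the way nginx will. All names are made up.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_ca NAME: self-signed CA certificate plus private key (NAME.crt / NAME.key).
# NAME.crt is what ssl_client_certificate points at when ssl_verify_client is on.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# issue_cert CA NAME EXT: key + CSR for NAME, signed by CA, with extensions EXT.
issue_cert() {
  ca=$1; name=$2; ext=$3
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
  printf '%s\n' "$ext" > "$WORKDIR/$name.ext"
  openssl x509 -req -days 365 -in "$WORKDIR/$name.csr" \
    -CA "$WORKDIR/$ca.crt" -CAkey "$WORKDIR/$ca.key" -CAcreateserial \
    -extfile "$WORKDIR/$name.ext" -out "$WORKDIR/$name.crt" 2>/dev/null
}

# server_cert CA HOST: server certificate with a SAN (clients ignore the CN).
server_cert() {
  issue_cert "$1" "$2" "subjectAltName=DNS:$2"
}

# client_cert CA NAME: certificate marked for client authentication.
client_cert() {
  issue_cert "$1" "$2" "extendedKeyUsage=clientAuth"
}

# key_matches_cert NAME: true if NAME.key is the private key for NAME.crt.
# Compares the RSA modulus of both; this is the check to run when nginx
# refuses to start complaining about the certificate/key pair.
key_matches_cert() {
  c=$(openssl x509 -noout -modulus -in "$WORKDIR/$1.crt")
  k=$(openssl rsa -noout -modulus -in "$WORKDIR/$1.key" 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# verify_client CA NAME: true if NAME.crt chains to CA.crt. This is the same
# decision nginx makes for a presented client certificate.
verify_client() {
  openssl verify -CAfile "$WORKDIR/$1.crt" "$WORKDIR/$2.crt" >/dev/null 2>&1
}

# Run stand-alone: one CA issuing a server cert and a client cert, plus a
# second CA whose client must be rejected.
make_ca internal-ca
server_cert internal-ca mail.example.test
client_cert internal-ca client1
make_ca other-ca
client_cert other-ca outsider
key_matches_cert mail.example.test && echo "server key/cert pair: OK"
verify_client internal-ca client1 && echo "client1: accepted"
verify_client internal-ca outsider || echo "outsider: rejected"
echo "files written to $WORKDIR"
```

For the config at the top of the thread, `mail.example.test.crt` and `mail.example.test.key` play the role of `mail.gwtest.us.crt` and `mail.gwtest.us.open.key`; a certificate from this private CA is only trusted by clients that have `internal-ca.crt` installed, so a public Exchange front end normally uses a certificate from a public CA instead, while the private CA remains the right tool for the client certificates that `ssl_verify_client` checks.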