
Help with reverse-proxy Apache OWA setup

verance asked on
Linux, Apache Web Server, Exchange
All,

I am working on hiding an Exchange server within the internal network and using a Linux system within the DMZ to process incoming webmail requests in a reverse-proxy setup.

Currently the Exchange server (2003) is set up with a Verisign certificate to provide https:// access to OWA.  The firewall only allows 443 (https) and 25 (smtp) access to this system.

I have been looking over the following two links as a guide to this process.
http://3cx.org/nucleus/plugins/print/print.php?itemid=46
http://blog.scottlowe.org/2005/12/03/protecting-owa-with-apache/

My reverse-proxy setup is a Linux server / Apache 2, with the webserver's configuration handled within a Virtual Hosts file (instead of in the main body of the conf file).

As I am going through this, I am faced with the following questions.
1.)  Currently, to access OWA one would type in https:// followed by the external address of the OWA server.  In the case of the ProxyPass and ReverseProxyPass statements in the articles, why http:// instead of https://?  Is it the RequestHeader directive to set Front-End-Https "On" that takes care of this?

2.)  Currently the Exchange server has its Verisign certificate running on the IIS server to provide secure web traffic.  It appears in these articles that the proxy server now controls the Verisign certificate and the internal OWA server is returned to http://  - no certificate -  Is this correct?  Am I having the current web certificate regenerated to work under an Apache server instead of IIS?

3.)  Could you please check my Virtual Hosts config vs. ones you've seen work and let me know if any changes need to be made?


This is a very important project that I need to have up soon!!!


Below is the current configuration of my Virtual Hosts file on the Exchange server (with actual names disguised):

#
# Virtual Hosts
#
# Using name-based virtual hosting.
#
#######################################################################
#
NameVirtualHost *:80
NameVirtualHost *:443
#
# Using mod_rewrite to fix a problem when percent symbols are in
# the subject line of the OWA email (the email subject is used
# in the web query). The entire URI is passed to a small
# bash script that replaces all occurrences of the % symbol
# with the URI escape sequence (%25). That seems to make everything
# happy.
#
SSLProxyEngine on
ProxyPreserveHost on
RewriteEngine On
RewriteMap damnpercent prg:/usr/local/bin/percent_rewrite
RewriteCond $1 ^/exchange/.*\%.*$
RewriteRule (/exchange/.*) ${damnpercent:$1} [P]
ProxyRequests Off
#
<VirtualHost *:443>
    DocumentRoot /usr/local/apache2/htdocs/webmail_proxy/
    RequestHeader set Front-End-Https "On"
    ProxyRequests Off
    ProxyPreserveHost On
    ErrorLog logs/interceptor.mydomain.com-error_log
    CustomLog logs/interceptor.mydomain.com-access_log common

    SSLEngine On
    SSLCertificateFile /usr/local/apache2/webmail-proxy/proxy-cert.pem

    <Location /exchange>
        ProxyPass http://mail.mydomain.com/exchange
        ProxyPassReverse http://mail.mydomain.com/exchange
        SSLRequireSSL
    </Location>

    <Location /exchweb>
        ProxyPass http://mail.mydomain.com/exchweb
        ProxyPassReverse http://mail.mydomain.com/exchweb
        SSLRequireSSL
    </Location>

    <Location /public>
        ProxyPass http://mail.mydomain.com/public
        ProxyPassReverse http://mail.mydomain.com/public
        SSLRequireSSL
    </Location>

    <Location /iisadmpwd>
        ProxyPass http://mail.mydomain.com/iisadmpwd
        ProxyPassReverse http://mail.mydomain.com/iisadmpwd
        SSLRequireSSL
    </Location>

    CacheDisable *

</VirtualHost>

###############################################################################
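An added example, not part of the original post or of the linked articles: the two ways the proxy in the configuration above can reach the back end, shown for /exchange only. mail.mydomain.com is the post's placeholder; the private key and CA bundle paths are assumptions.

```apache
# Added example. mail.mydomain.com is the post's placeholder; the key file
# and CA bundle paths are assumptions.
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile    /usr/local/apache2/webmail-proxy/proxy-cert.pem
    # Assumed path: the private key matching the certificate above.
    SSLCertificateKeyFile /usr/local/apache2/webmail-proxy/proxy-key.pem

    ProxyRequests Off
    ProxyPreserveHost On

    # --- Option A: TLS ends at the proxy, plain HTTP to Exchange ---
    # Front-End-Https tells OWA the client side was HTTPS, so it keeps
    # generating https:// links although IIS receives plain HTTP.
    # The DMZ-to-Exchange hop is unencrypted in this variant.
    #
    # RequestHeader set Front-End-Https "On"
    # <Location /exchange>
    #     ProxyPass        http://mail.mydomain.com/exchange
    #     ProxyPassReverse http://mail.mydomain.com/exchange
    #     SSLRequireSSL
    # </Location>

    # --- Option B: re-encrypt to Exchange, IIS keeps a certificate ---
    # SSLProxyEngine lets mod_proxy open https:// connections to the back end.
    SSLProxyEngine On
    # Reject the back end unless its certificate chains to this CA.
    SSLProxyVerify require
    SSLProxyCACertificateFile /usr/local/apache2/webmail-proxy/backend-ca.pem
    <Location /exchange>
        ProxyPass        https://mail.mydomain.com/exchange
        ProxyPassReverse https://mail.mydomain.com/exchange
        SSLRequireSSL
    </Location>
</VirtualHost>
```

Only one of the two options is active at a time; /exchweb, /public and /iisadmpwd follow the same pattern as /exchange.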
ASKER CERTIFIED SOLUTION
msklizmantas
