Nginx reverse proxy to Exchange 2010/2013
# Plain-HTTP listener: serves no content, only upgrades clients to HTTPS.
server {
    server_name mail.gwtest.us autodiscover.gwtest.us;

    listen 80;
    #listen [::]:80;

    # Permanent redirect that keeps the requested host and URI.
    # NOTE(review): if this block is the default server for port 80, $host
    # echoes whatever Host header the client sent - confirm a separate
    # catch-all server exists.
    return 301 https://$host$request_uri;
}
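# TLS front end for Exchange: terminates HTTPS for mail.gwtest.us and relays
# the OWA, ActiveSync, ECP and RPC paths to the internal server.
server {
    # "ssl" belongs on the listen directive; the standalone "ssl on;" form is
    # deprecated and rejected by current nginx releases.
    listen 443 ssl;
    #listen [::]:443 ssl ipv6only=on;
    server_name mail.gwtest.us;

    ssl_certificate     /etc/ssl/nginx/mail.gwtest.us.crt;
    # NOTE(review): the ".open.key" name suggests an unencrypted private key -
    # keep the file readable by root only.
    ssl_certificate_key /etc/ssl/nginx/mail.gwtest.us.open.key;
    ssl_session_timeout 5m;
    # NOTE(review): no ssl_protocols / ssl_ciphers are set, so the build's
    # defaults apply; pin them to what your clients actually need.

    # Anything not matched by a location below lands on the OWA login page.
    location / {
        return 301 https://mail.gwtest.us/owa;
    }

    # Inherited by every proxied location below.
    proxy_read_timeout 360;
    proxy_pass_header Date;
    # NOTE(review): this relays the backend's Server header to clients,
    # exposing the backend's software banner.
    proxy_pass_header Server;
    #proxy_pass_header Authorization;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # NOTE(review): nginx does not validate the upstream certificate unless
    # proxy_ssl_verify is enabled together with proxy_ssl_trusted_certificate
    # (pointing at the CA that issued the exch1.test.local certificate).
    # The patterns are case-insensitive prefixes, so "^/owa" also matches
    # paths such as "/owaX".
    location ~* ^/owa { proxy_pass https://exch1.test.local; }
    location ~* ^/Microsoft-Server-ActiveSync { proxy_pass https://exch1.test.local; }
    # NOTE(review): /ecp is the Exchange control panel; consider limiting it
    # with allow/deny to trusted source addresses instead of publishing it.
    location ~* ^/ecp { proxy_pass https://exch1.test.local; }
    location ~* ^/rpc { proxy_pass https://exch1.test.local; }
    #location ~* ^/mailarchiver { proxy_pass https://mailarchiver.local; }

    error_log /var/log/nginx/owa-ssl-error.log;
    access_log /var/log/nginx/owa-ssl-access.log;
}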
Do not use nginx for Exchange; it does not work correctly. Better to use haproxy:
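# HTTPS front end: terminates TLS and hands requests to the Exchange backend.
frontend ft_https
    bind *:443 ssl crt /etc/haproxy/emailcert.pem
    # set-header overwrites any X-Forwarded-Proto the client sent; the older
    # "reqadd" only appended a second copy and is not accepted by HAProxy 2.1+.
    http-request set-header X-Forwarded-Proto https
    default_backend bk_exchange
    # NOTE(review): default_backend already routes everything to bk_exchange,
    # so this Host ACL does not restrict which host names are served.
    acl ft_owa hdr(host) -i email.example.com
    use_backend bk_exchange if ft_owa

# Exchange backend: only "/" and the listed Exchange paths are let through.
backend bk_exchange
    acl path_root url_len 1
    acl path_exchange path_beg -i /autodiscover /owa /oab /ews /public /microsoft-server-activesync /rpc /mapi /favicon.ico
    http-request deny unless path_exchange OR path_root
    # NOTE(review): "verify none" turns off validation of the Exchange
    # certificate, so the proxy-to-server hop is encrypted but not
    # authenticated; "verify required ca-file <PATH_TO_INTERNAL_CA>" closes that.
    server exchange 10.0.25.25:443 check ssl verify none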
Thank you, this works extremely well, Outlook connects without any issues.
I've added some default values taken from the web, but the rest is basically untouched:
# Settings inherited by the frontend and backend sections that follow.
defaults
    mode    http
    retries 3                        # up to three connection attempts on failure

    # Limits on the client side of the proxy
    timeout http-request    15s      # the client has 15 seconds to send a request
    timeout http-keep-alive 1s       # wait at most 1 second for the next request
    timeout client          30m

    # Limits on the server side of the proxy
    timeout connect         5s       # at most 5 seconds to connect or stay in queue
    timeout queue           30s      # at most 30 seconds queued on the load balancer
    timeout server          30m
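# HTTPS front end: terminates TLS and hands requests to the Exchange backend.
frontend ft_https
    bind *:443 ssl crt /etc/haproxy/server.pem
    # set-header overwrites any X-Forwarded-Proto the client sent, whereas
    # add-header would leave the client's value in place next to ours.
    http-request set-header X-Forwarded-Proto https
    default_backend bk_exchange
    # NOTE(review): default_backend already routes everything to bk_exchange,
    # so this Host ACL does not restrict which host names are served.
    acl ft_owa hdr(host) -i email.example.com
    use_backend bk_exchange if ft_owa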
# Exchange backend: requests are denied unless they target "/" or one of the
# known Exchange path prefixes.
backend bk_exchange
    # A URL of length 1 is the bare root path.
    acl path_root url_len 1

    # Repeated ACL lines with the same name are ORed together.
    acl path_exchange path_beg -i /autodiscover /owa /oab /ews
    acl path_exchange path_beg -i /public /microsoft-server-activesync
    acl path_exchange path_beg -i /rpc /mapi /favicon.ico

    http-request deny unless path_exchange || path_root

    # NOTE(review): "verify none" turns off validation of the Exchange
    # certificate, so the proxy-to-server hop is encrypted but not
    # authenticated; "verify required ca-file <PATH_TO_INTERNAL_CA>" closes that.
    server exchange 10.1.1.1:443 check ssl verify none
I'm using docker-compose, so here's the docker-compose.yml:
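# Compose file that runs HAProxy as the reverse proxy in front of Exchange.
version: "2"
services:
  haproxy-exch-reverse-proxy:
    # NOTE(review): "alpine" is a moving tag; pin a specific release
    # (haproxy:<VERSION>-alpine) so restarts do not pull a different build.
    image: haproxy:alpine
    container_name: haproxy-exch-reverse-proxy
    volumes:
      # Mounted read-only: HAProxy only reads these files, and server.pem
      # holds the TLS private key, so the container gets no write access.
      - ./outlook-haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
      - ./server.pem:/etc/haproxy/server.pem:ro
    ports:
      # Quoted so YAML always treats the mapping as a string.
      - "443:443"
    restart: unless-stopped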
@MakoWish
This is my nGinx config;



this is my current config... works great with ActiveSync and OWA but NOT with RPC/MAPI over HTTPS
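# Fragment of a server block: HSTS header plus a catch-all proxy location.
# (Stray "_" emphasis markers from the comment rendering have been removed.)

# HSTS for one year; "includeSubDomains; preload" commits every subdomain of
# this host to HTTPS as well.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

location / {
    # NOTE(review): the upstream scheme is plain http, so the two proxy_ssl_*
    # lines below have no effect and the forwarded Authorization header
    # reaches 192.168.1.4 unencrypted - confirm whether https:// was intended.
    proxy_pass http://192.168.1.4/;
    proxy_ssl_name $host;
    proxy_ssl_server_name on;

    proxy_pass_request_headers on;
    proxy_pass_header Date;
    proxy_pass_header Server;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header Host $host;

    # more_set_input_headers comes from the headers-more module, not core nginx.
    # NOTE(review): RPC/MAPI over HTTPS presumably authenticates with NTLM,
    # which is tied to one TCP connection; that may be why it fails here while
    # OWA and ActiveSync work - confirm against the backend's auth settings.
    more_set_input_headers 'Authorization: $http_authorization';

    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    proxy_read_timeout 3600;
}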