Tuesday, August 3, 2010

Exchange 2010 CAS + Apache 2 Reverse Proxy

As I mentioned in a previous post, I implemented an Apache 2 reverse proxy to forward Exchange 2010 CAS traffic to my cluster node CAS servers to make failovers easy. It took a little bit of tweaking to make it all work properly with ActiveSync, OWA, and EWS, but here it is!

Hopefully this will make your reverse proxy implementation a bit easier.
# Modules this reverse proxy relies on: mod_proxy / mod_proxy_http forward the
# requests, mod_headers edits request headers, and mod_ssl both terminates TLS
# from clients and originates TLS towards the CAS backend.
# NOTE(review): no ProxyHTML* or deflate directives are visible below, so
# mod_proxy_html, libxml2 and mod_deflate may be loaded without being used.
# Unused modules are extra attack surface -- confirm before removing them.
LoadModule  proxy_module         modules/mod_proxy.so
LoadModule  proxy_http_module    modules/mod_proxy_http.so
LoadModule  headers_module       modules/mod_headers.so
LoadModule  deflate_module       modules/mod_deflate.so
LoadFile    /usr/lib/libxml2.so
LoadModule  ssl_module           modules/mod_ssl.so
LoadModule  proxy_html_module    modules/mod_proxy_html.so




# NOTE(review): the empty lines around the indented directives below look like
# places where angle-bracket container lines were lost when this page was
# rendered (presumably VirtualHost, Proxy, Directory and similar wrappers).
# The directives are scope-sensitive: restore the containers from the original
# configuration before using this listing.
# *.DOMAIN.NET



  
        # Forward proxying stays disabled, so only the ProxyPass mapping below
        # is served and the host cannot be used as an open proxy.
        ProxyRequests Off
    # proxy-sendcl makes mod_proxy_http send request bodies to the backend with
    # a Content-Length header instead of chunked transfer encoding.
    SetEnv proxy-sendcl 1  
  
        # NOTE(review): ServerName expects one concrete hostname; wildcards are
        # only meaningful in ServerAlias. Verify that virtual-host matching
        # behaves as intended with these values.
        ServerName *.domain.net:443
        ServerAlias *.domain.net:443

       
                # Access rule of the enclosing (stripped) container: every
                # client address is admitted, so the proxy adds no network-level
                # restriction in front of Exchange.
                Order deny,allow
                Allow from all
       


    # CAS Server
        # The whole URL space is forwarded to the CAS node over HTTPS, which
        # publishes everything that node serves. NOTE(review): consider mapping
        # only the paths clients need (the post names ActiveSync, OWA and EWS).
        ProxyPass / https://10.176.0.100/
        ProxyPassReverse / https://10.176.0.100/

    # Pass the client's original Host header to the backend instead of the
    # backend address used in ProxyPass.
    ProxyPreserveHost On
    # NOTE(review): "Full" adds the Apache version to the Via header of every
    # proxied message; "On" gives the Via header without the version string.
    ProxyVia Full
    # Rewrites a Transfer-Encoding value of "Chunked" to lower case before other
    # request processing (presumably a client compatibility fix -- confirm).
    RequestHeader edit Transfer-Encoding Chunked chunked early

    ErrorLog /var/log/apache2/error.log

    LogLevel info

    # The combined format records the full request line, referer and user agent;
    # keep this file readable by administrators only and rotate it.
    CustomLog /var/log/apache2/ssl_access.log combined

    # Local documentation alias, unrelated to the proxying. The access rules
    # that follow limit it to loopback addresses; NOTE(review): it looks like a
    # distribution default and can probably be dropped on a dedicated proxy.
    Alias /doc/ "/usr/share/doc/"
    
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    


    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on
    # TLS is also used on the proxy-to-backend leg.
    # NOTE(review): no SSLProxyVerify or SSLProxyCACertificateFile is visible,
    # and SSLProxyVerify defaults to "none", so as shown the proxy does not
    # validate the CAS server's certificate chain. Add backend verification
    # against the CA that issued the CAS certificate.
    # NOTE(review): no SSLProtocol or SSLCipherSuite is set in the visible
    # configuration either, so server-wide or built-in defaults apply; pin both.
    SSLProxyEngine on
    # The same file is given as certificate and as chain file; its name suggests
    # it holds the server certificate plus the CA bundle -- confirm.
    SSLCertificateFile    /etc/ssl/mail2.domain.net+gd_bundle.crt
    # Private key of the public certificate: restrict file permissions to root.
    SSLCertificateKeyFile /etc/ssl/mail2.domain.net.key
    SSLCertificateChainFile /etc/ssl/mail2.domain.net+gd_bundle.crt


  
    
    # Removes Accept-Encoding from requests, so the backend is asked for
    # uncompressed responses.
    RequestHeader unset Accept-Encoding
    # The SSLRequire expression below is commented out and therefore inactive;
    # it looks like the stock mod_ssl example rather than site policy.
    #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    


    
        # Exports the standard SSL environment variables within the enclosing
        # (stripped) container; the scope cannot be told from this listing.
        SSLOptions +StdEnvVars
    

    
        # Same option for a second stripped container.
        SSLOptions +StdEnvVars
    


    # Legacy workaround applied to every user agent containing "MSIE": no
    # keep-alive, tolerate unclean TLS shutdown, and HTTP/1.0 request handling
    # and responses. NOTE(review): confirm it is still needed for the clients
    # in use.
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0