Apache Reverse Proxy for Exchange Web Services

You certainly do not want to expose your Exchange server to the Internet unfiltered just to offer ActiveSync, the Outlook Web client or EWS to mobile staff. One way to make this somewhat safer and to get decent crypto in place is to run an Apache reverse proxy in front of it. Here is an example configuration:

First, a few Apache modules have to be enabled and Apache restarted (proxy_http and ssl are needed as well, because the backend is reached via HTTPS; on Debian/Ubuntu the service is called apache2):

sudo a2enmod proxy proxy_http ssl rewrite headers
sudo service apache2 restart

 

<VirtualHost *:443>
 
ServerName <your FQDN>
ServerAlias <your FQDN>
 
ServerAdmin admin@yourdomain.tld

# Security headers for the client; version-disclosing backend headers are stripped
Header set X-Frame-Options SAMEORIGIN
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header set X-Content-Type-Options nosniff
Header set Server Apache

Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By

RequestHeader unset Expect early

# Flag MSIE clients (the variable is set but not referenced below)
SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
# Replace the backend's challenge with Basic auth: NTLM/Negotiate need a
# persistent connection, which the proxy deliberately does not keep (see <Proxy *>)
Header unset WWW-Authenticate
Header add WWW-Authenticate "Basic realm=\"<your_exchange_server_fqdn>\""

ProxyRequests Off
ProxyPreserveHost On
SSLProxyEngine On

# owa
ProxyPass /owa https://<your_exchange_server_fqdn>/owa
ProxyPassReverse /owa https://<your_exchange_server_fqdn>/owa
ProxyPass /OWA https://<your_exchange_server_fqdn>/OWA
ProxyPassReverse /OWA https://<your_exchange_server_fqdn>/OWA
ProxyPass /Owa https://<your_exchange_server_fqdn>/Owa
ProxyPassReverse /Owa https://<your_exchange_server_fqdn>/Owa
 
# Settings needed to change the password via OWA
ProxyPass /iisadmpwd https://<your_exchange_server_fqdn>/iisadmpwd
ProxyPassReverse /iisadmpwd https://<your_exchange_server_fqdn>/iisadmpwd
 
# ecp
ProxyPass /ecp https://<your_exchange_server_fqdn>/ecp
ProxyPassReverse /ecp https://<your_exchange_server_fqdn>/ecp
ProxyPass /ECP https://<your_exchange_server_fqdn>/ECP
ProxyPassReverse /ECP https://<your_exchange_server_fqdn>/ECP
ProxyPass /Ecp https://<your_exchange_server_fqdn>/Ecp
ProxyPassReverse /Ecp https://<your_exchange_server_fqdn>/Ecp
 
# ews -> Exchange Web Services
ProxyPass /ews https://<your_exchange_server_fqdn>/ews
ProxyPassReverse /ews https://<your_exchange_server_fqdn>/ews
ProxyPass /EWS https://<your_exchange_server_fqdn>/EWS
ProxyPassReverse /EWS https://<your_exchange_server_fqdn>/EWS
ProxyPass /Ews https://<your_exchange_server_fqdn>/Ews
ProxyPassReverse /Ews https://<your_exchange_server_fqdn>/Ews
ProxyPass /exchange https://<your_exchange_server_fqdn>/exchange
ProxyPassReverse /exchange https://<your_exchange_server_fqdn>/exchange
ProxyPass /Exchange https://<your_exchange_server_fqdn>/Exchange
ProxyPassReverse /Exchange https://<your_exchange_server_fqdn>/Exchange
ProxyPass /exchweb https://<your_exchange_server_fqdn>/exchweb
ProxyPassReverse /exchweb https://<your_exchange_server_fqdn>/exchweb
ProxyPass /public https://<your_exchange_server_fqdn>/public
ProxyPassReverse /public https://<your_exchange_server_fqdn>/public
 
# Microsoft-Server-ActiveSync
ProxyPass /Microsoft-Server-ActiveSync https://<your_exchange_server_fqdn>/Microsoft-Server-ActiveSync connectiontimeout=600
ProxyPassReverse /Microsoft-Server-ActiveSync https://<your_exchange_server_fqdn>/Microsoft-Server-ActiveSync
 
# Autodiscover for clients that are not AD-integrated (e.g. Mac)
ProxyPass /autodiscover https://<your_exchange_server_fqdn>/autodiscover
ProxyPassReverse /autodiscover https://<your_exchange_server_fqdn>/autodiscover
ProxyPass /Autodiscover https://<your_exchange_server_fqdn>/Autodiscover
ProxyPassReverse /Autodiscover https://<your_exchange_server_fqdn>/Autodiscover
ProxyPass /AutoDiscover https://<your_exchange_server_fqdn>/AutoDiscover
ProxyPassReverse /AutoDiscover https://<your_exchange_server_fqdn>/AutoDiscover

DocumentRoot /var/www/html/

# Note: this grants access below the filesystem root; a tighter choice is to
# apply it to the DocumentRoot only. Apache 2.2 syntax; on 2.4 use
# "Require all granted" (or enable mod_access_compat).
<Directory />
    Order deny,allow
    Allow from all
</Directory>

# No keepalive and HTTP/1.0 towards the backend, so backend connections
# are not reused across requests
<Proxy *>
    SetEnv proxy-nokeepalive 1
    SetEnv force-proxy-request-1.0 1
    Order deny,allow
    Allow from all
</Proxy>

SSLEngine On
SSLCompression off
SSLInsecureRenegotiation off
# TLS 1.2 only; everything older stays disabled
SSLProtocol -all +TLSv1.2
SSLCertificateFile /etc/apache2/SSLCert.pem
SSLCACertificateFile /etc/apache2/ca.pem
SSLCertificateChainFile /etc/apache2/sub.class1.server.sha2.ca.pem

# The backend certificate is not verified here (usual with a self-signed
# Exchange certificate). To verify it, import the issuing CA via
# SSLProxyCACertificateFile and set SSLProxyVerify require.
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

SSLHonorCipherOrder on
SSLCipherSuite AES256+EECDH:AES256+EDH
SSLUseStapling on

BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>

# Must sit outside the VirtualHost (server-wide setting)
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

The whole setup has two further very nice side effects:

First, it is very easy to disable broken crypto standards (inside Windows that is a real pain, IMHO).
Second, web applications running on different web servers behind NAT can be made reachable the same way. And, if required, you get SSL offloading at the same time.
Example:

...
ProxyPass /Webapp http://<your_other_webserver.fqdn>/Webapp
ProxyPassReverse /Webapp http://<your_other_webserver.fqdn>/Webapp
...

A test with the Qualys SSL Labs tool then produces the following result.

[Image: Qualys SSL Labs result for the reverse proxy (ssllabsrevproxy)]
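The SSL Labs scan covers the TLS side; the Header rules in the VirtualHost above are just as easy to get wrong silently. The following shell script is an added example (not part of the original post) that audits a raw HTTP response the way the config intends: the version-disclosing IIS/OWA headers are gone, the Server banner carries no version, HSTS is present with a max-age of at least one year, X-Frame-Options and X-Content-Type-Options are set, and any WWW-Authenticate challenge has been rewritten to Basic. The two responses it runs on are constructed samples, not captured traffic, and the hostname in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the response headers a
# client sees through the reverse proxy. For a live check, pipe a real response
# into it, e.g.:  curl -sD - -o /dev/null https://<your FQDN>/owa/ | audit_headers

# Reads a raw HTTP response on stdin; prints one line per failed check and
# returns 0 when every check passes, 1 otherwise.
audit_headers() {
    # keep only the header section, with CRLF line endings normalised
    hdrs=$(tr -d '\r' | sed '/^$/q')
    rc=0

    # 1. Version-disclosing headers that Exchange/IIS add by default must be gone
    for h in X-AspNet-Version X-OWA-Version X-Powered-By; do
        if printf '%s\n' "$hdrs" | grep -qi "^$h:"; then
            echo "FAIL: $h still present"; rc=1
        fi
    done

    # 2. The Server banner must not carry a product/version string ("Microsoft-IIS/8.5")
    if printf '%s\n' "$hdrs" | grep -i '^Server:' | grep -q '/'; then
        echo "FAIL: Server header reveals a version"; rc=1
    fi

    # 3. HSTS must be present with a max-age of at least one year (31536000 s)
    age=$(printf '%s\n' "$hdrs" | grep -i '^Strict-Transport-Security:' \
          | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$age" ] || [ "$age" -lt 31536000 ]; then
        echo "FAIL: Strict-Transport-Security missing or max-age below one year"; rc=1
    fi

    # 4. Clickjacking and MIME-sniffing protections
    printf '%s\n' "$hdrs" | grep -Eqi '^X-Frame-Options: *(SAMEORIGIN|DENY)' \
        || { echo "FAIL: X-Frame-Options missing"; rc=1; }
    printf '%s\n' "$hdrs" | grep -qi '^X-Content-Type-Options: *nosniff' \
        || { echo "FAIL: X-Content-Type-Options nosniff missing"; rc=1; }

    # 5. If the response is a challenge it must be Basic: NTLM/Negotiate need a
    #    persistent connection, which the proxy deliberately does not provide
    if printf '%s\n' "$hdrs" | grep -i '^WWW-Authenticate:' \
            | grep -Eqvi '^WWW-Authenticate: *Basic'; then
        echo "FAIL: non-Basic WWW-Authenticate challenge passed through"; rc=1
    fi

    return $rc
}

# Constructed sample: what the Exchange server answers when reached directly
DIRECT_RESPONSE='HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/8.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
X-OWA-Version: 15.0.0.0
Content-Type: text/html

<html>...</html>'

# Constructed sample: the same answer after the proxy applied its Header rules
PROXIED_RESPONSE='HTTP/1.1 401 Unauthorized
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
WWW-Authenticate: Basic realm="mail.example.org"
Content-Type: text/html

<html>...</html>'

# Return the audit result for each sample (direct: 1 = fails, proxied: 0 = passes)
check_direct()  { printf '%s\n' "$DIRECT_RESPONSE"  | audit_headers; }
check_proxied() { printf '%s\n' "$PROXIED_RESPONSE" | audit_headers; }

echo "== direct to Exchange (expected to fail) =="
check_direct || true
echo "== through the reverse proxy =="
check_proxied && echo "OK: all checks passed"
```

Running the script prints a FAIL line for each hygiene rule the direct response breaks (all eight) and "OK: all checks passed" for the proxied one. The checks are deliberately greppable rather than exact-match so the same function works on a live `curl -sD -` dump, where header order and casing vary between Exchange versions.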