Outlook Web Access, reverse proxy and browser

Posted by M'vy on Server Fault See other posts from Server Fault or by M'vy
Published on 2011-03-18T11:58:57Z Indexed on 2011/03/18 16:12 UTC
Read the original article Hit count: 287

Hi SF'ers!

We recently moved an exchange server behind a reverse proxy due to the loss of a public IP. I've managed to configure the reverse proxy (httpd proxy_http).

But there is a problem for the SSL configuration.

When accessing the OWA interface with Firefox, all is ok and working. When accessing with MSIE or Chrome, they do not retrieve the good SSL Certificate.

I think this is due to the multiples virtual host for httpd. Is there a workaround to make sure MSIE/Chrome request the certificate for the good domain name like FF does?

Already tested with the SSL virtual host :

SetEnvIf User-Agent ".*MSIE.*" value BrowserMSIE
  Header unset WWW-Authenticate
  Header add WWW-Authenticate "Basic realm=exchange.domain.com"

A:

ProxyPreserveHost On

also:

BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

Or:

SetEnvIf User-Agent ".*MSIE.*"    \
nokeepalive ssl-unclean-shutdown  \
downgrade-1.0 force-response-1.0

And lots of ProxyPassand ProxyReversePath on /exchweb /exchange /public etc...

And it still don't seem to work. Any clue?

Thanks.

Edit 1: Precision of versions

# openssl version
OpenSSL 0.9.8k-fips 25 Mar 2009

/usr/sbin/httpd -v
Server version: Apache/2.2.11 (Unix)
Server built:   Mar 17 2009 09:15:10

Browser versions :

MSIE : 8.0.6001
Opera: Version 11.01 Revision 1190
Firefox: 3.6.15
Chrome: 10.0.648.151

Operating System:

Windows Vista 32bits.

They are all SNI compliant, I've tested them this afternoon https://sni.velox.ch/

You're right Shane Madden, I have multiple sites on the same public IP (and same port as well). The server itself is just a reverse proxy, that rewrite addresses to internal servers.

The default host is a dev site, configure with the certificate that does not match the OWA (of course... would have been to easy)

<VirtualHost *:443>
    ServerName dev2.domain.com
    ServerAdmin [email protected]


    CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/access-%y%m%d.log 86400" combined
    ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/error-%y%m%d.log 86400"

    LogLevel warn

    RewriteEngine on
    SetEnvIfNoCase X-Forwarded-For .+ proxy=yes

    SSLEngine on
    SSLProtocol -all +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL:+SSLv3
    SSLCertificateFile /etc/httpd/ssl/domain.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/domain.com.key


    RewriteCond %{HTTP_HOST} dev2\.domain\.com
    RewriteRule ^/(.*)$ http://dev2.domain.com/$1 [L,P]

</VirtualHost>

The certificate of domain is a *.domain.com

The second vHost is :

<VirtualHost *:443>
    ServerName exchange.domain2.com
    ServerAdmin [email protected]


    CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/exchange/access-%y%m%d.log 86400" combined
    ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/exchange/error-%y%m%d.log 86400"

    LogLevel warn

    SSLEngine on
    SSLProxyEngine On

    SSLProtocol -all +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL:+SSLv3
    SSLCertificateFile /etc/httpd/ssl/exchange.pem
    SSLCertificateKeyFile /etc/httpd/ssl/exchange.key
   RewriteEngine on
    SetEnvIfNoCase X-Forwarded-For .+ proxy=yes

    RewriteCond %{HTTP_HOST} exchange\.domain2\.com
    RewriteRule ^/(.*)$ https://exchange.domain2.com/$1 [L,P]

</VirtualHost>

and it's certificate is exchange.domain2.com only.

I presume the SNI is somewhere not activated on my server. The versions of openssl and apache seams to be ok for the SNI support. The only thing I do not know is if httpd has been compile with the good options. (I assume it's a fedora packet).

© Server Fault or respective owner

Related posts about ssl

Related posts about reverse-proxy