如何Nginx代理Microsoft Exchange?

Nginx

1 前言

一个问题,一篇文章,一出故事。
笔者最近需要代理企业邮箱Microsoft Exchange,于是整理此文。

2 最佳实践

2.1 准备软件环境

2.1.1 准备编译安装的Nginx环境

如何编译安装nginx?

2.1.2 加载nginx ntlm模块

如何编译加载nginx ntlm模块?

2.1.3 加载nginx sticky模块

如何编译加载nginx sticky模块?

2.1.4 确定模块已加载

nginx -V

可见如下显示,

nginx version: nginx/1.22.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --add-module=./modules/nginx-sticky-module-ng-master --add-module=./modules/nginx_cookie_flag_module-1.1.0 --add-module=./modules/nginx-ntlm-module-1.19.3

另外,以上使用如下编译参数编译,如有需要请参考,

cd ~/nginx-1.22.1/
./configure \
--prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--modules-path=/usr/lib64/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--user=nginx \
--group=nginx \
--with-compat \
--with-file-aio \
--with-threads \
--with-http_addition_module \
--with-http_auth_request_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_mp4_module \
--with-http_random_index_module \
--with-http_realip_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_sub_module \
--with-http_v2_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_realip_module \
--with-stream_ssl_module \
--with-stream_ssl_preread_module \
--with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' \
--with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' \
--add-module=./modules/nginx-sticky-module-ng-master \
--add-module=./modules/nginx_cookie_flag_module-1.1.0 \
--add-module=./modules/nginx-ntlm-module-1.19.3

2.2 配置Exchange代理

2.2.1 创建代理Exchange的配置

cat > /etc/nginx/conf.d/mail.cmdschool.org_443_exchange.conf << EOF
upstream exchange {
    zone exchange-general 64k;
    ntlm;       
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
upstream exchange-activesync {
    zone exchange-activesync 64k;
    ntlm;       
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
upstream exchange-ecp {
    zone exchange-ecp 64k;
    ntlm;       
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
upstream exchange-mapi {
    zone exchange-mapi 64k;
    ntlm;       
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
upstream exchange-owa {
    zone exchange-owa 64k;
    ntlm;       
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
upstream exchange-rpc {
    zone exchange-rpc 64k;
    sticky;
    ntlm;       
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}

server {
    listen 443 ssl;
    server_name mail.cmdschool.org;
    ssl_certificate wildcard.cmdschool.org.pem;
    ssl_certificate_key wildcard.cmdschool.org.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass https://exchange;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }

    location /ecp {
        proxy_pass https://exchange-ecp;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
    location /mapi {
        proxy_pass https://exchange-mapi;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
    location /Microsoft-Server-ActiveSync {
        proxy_pass https://exchange-activesync;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
    location /owa {
        proxy_pass https://exchange-owa;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
    location /rpc/rpcproxy.dll {
        proxy_pass https://exchange-rpc;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_set_header Connection "Keep-Alive";
    }

}

server {
    listen 80;
    server_name mail.cmdschool.org;

    return 301 https://mail.cmdschool.org$request_uri;
}
EOF

2.2.2 检查配置是否有语法错误

nginx -t

如果见到如下提示则配置无问题,

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

2.2.3 重载配置使Exchange代理生效

systemctl reload nginx.service

2.2.4 测试Exchange代理

https://mail.cmdschool.org/owa/
以上连接登录后并能获取邮件则代理正常,范例显示如下,

没有评论

发表回复

Nginx
如何使用Nginx发布维护公告?

1 前言 一个问题,一篇文章,一出故事。 最近由于需要发布维护公告,想着这种东西以后用得着,于是总结 …

Nginx
如何实现Nginx第一次访问跳转?

1 前言 一个问题,一篇文章,一出故事。 笔者在NextCloud生产环境中需要实现首次登录显示公告 …

Nginx
如何实现Nginx首次访问跳转?

1 前言 一个问题,一篇文章,一出故事。 笔者在NextCloud生产环境中需要实现首次登录显示公告 …