Nginx
1 Preface
One question, one article, one story.
I recently needed to put a reverse proxy in front of our corporate Microsoft Exchange mail system, so I wrote this article up.
2 Best practice
2.1 Preparing the software environment
2.1.1 Preparing a source-built Nginx environment
2.1.2 Loading the nginx ntlm module
2.1.3 Loading the nginx sticky module
2.1.4 Confirming the modules are loaded
nginx -V
You should see output like the following; the three --add-module entries at the end of the configure arguments confirm that the sticky, cookie-flag and NTLM modules were compiled in:
nginx version: nginx/1.22.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --add-module=./modules/nginx-sticky-module-ng-master --add-module=./modules/nginx_cookie_flag_module-1.1.0 --add-module=./modules/nginx-ntlm-module-1.19.3
Note that this build links OpenSSL 1.0.2k, which is end-of-life and has no TLS 1.3 support; if you can, build against a current OpenSSL before exposing the proxy to the internet.
For reference, the build above used the following configure parameters:
cd ~/nginx-1.22.1/
./configure \
  --prefix=/etc/nginx \
  --sbin-path=/usr/sbin/nginx \
  --modules-path=/usr/lib64/nginx/modules \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/var/run/nginx.pid \
  --lock-path=/var/run/nginx.lock \
  --http-client-body-temp-path=/var/cache/nginx/client_temp \
  --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
  --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
  --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
  --user=nginx \
  --group=nginx \
  --with-compat \
  --with-file-aio \
  --with-threads \
  --with-http_addition_module \
  --with-http_auth_request_module \
  --with-http_dav_module \
  --with-http_flv_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_mp4_module \
  --with-http_random_index_module \
  --with-http_realip_module \
  --with-http_secure_link_module \
  --with-http_slice_module \
  --with-http_ssl_module \
  --with-http_stub_status_module \
  --with-http_sub_module \
  --with-http_v2_module \
  --with-mail \
  --with-mail_ssl_module \
  --with-stream \
  --with-stream_realip_module \
  --with-stream_ssl_module \
  --with-stream_ssl_preread_module \
  --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' \
  --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' \
  --add-module=./modules/nginx-sticky-module-ng-master \
  --add-module=./modules/nginx_cookie_flag_module-1.1.0 \
  --add-module=./modules/nginx-ntlm-module-1.19.3
2.2 Configuring the Exchange proxy
2.2.1 Creating the Exchange proxy configuration
Each upstream group carries the ntlm directive (from the third-party nginx-ntlm-module) so that an NTLM-authenticated upstream connection stays bound to the client connection that authenticated it; that is also why every location sets proxy_http_version 1.1 and a Connection header. The RPC group additionally uses sticky so Outlook Anywhere sessions stay on one backend. The heredoc delimiter must be quoted ('EOF'): with a bare EOF the shell expands $request_uri to an empty string before nginx ever sees the file, and the HTTP-to-HTTPS redirect silently drops the request path.
cat > /etc/nginx/conf.d/mail.cmdschool.org_443_exchange.conf << 'EOF'
upstream exchange {
    zone exchange-general 64k;
    ntlm;
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
upstream exchange-activesync {
    zone exchange-activesync 64k;
    ntlm;
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
upstream exchange-ecp {
    zone exchange-ecp 64k;
    ntlm;
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
upstream exchange-mapi {
    zone exchange-mapi 64k;
    ntlm;
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
upstream exchange-owa {
    zone exchange-owa 64k;
    ntlm;
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
upstream exchange-rpc {
    zone exchange-rpc 64k;
    sticky;
    ntlm;
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
server {
    listen 443 ssl;
    server_name mail.cmdschool.org;
    ssl_certificate wildcard.cmdschool.org.pem;
    ssl_certificate_key wildcard.cmdschool.org.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass https://exchange;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
    location /ecp {
        proxy_pass https://exchange-ecp;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
    location /mapi {
        proxy_pass https://exchange-mapi;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
    location /Microsoft-Server-ActiveSync {
        proxy_pass https://exchange-activesync;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
    location /owa {
        proxy_pass https://exchange-owa;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
    location /rpc/rpcproxy.dll {
        proxy_pass https://exchange-rpc;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_set_header Connection "Keep-Alive";
    }
}
server {
    listen 80;
    server_name mail.cmdschool.org;
    return 301 https://mail.cmdschool.org$request_uri;
}
EOF
Two things to be aware of in this configuration: ssl_protocols still enables TLS 1.0 and 1.1, which are deprecated and should be dropped unless you must support legacy clients, and no Host or X-Forwarded-For header is forwarded, so the backend sees the upstream group name rather than the public host name and the client address is lost from the Exchange logs.
2.2.2 Checking the configuration for syntax errors
nginx -t
If you see the following output, the configuration is fine:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
2.2.3 Reloading the configuration to activate the Exchange proxy
systemctl reload nginx.service
2.2.4 Testing the Exchange proxy
https://mail.cmdschool.org/owa/
If you can log in at the URL above and retrieve mail, the proxy is working. A sample is shown below.
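The following is an added example and not code from the original post. It writes a hardened variant of the configuration from 2.2.1 using a quoted heredoc, checks that the nginx variables survived the shell verbatim and that no legacy TLS version is enabled, and isolates the unquoted-heredoc bug so you can see the redirect lose its path. The host names and certificate paths are the post's own; the 2G body limit (Outlook Anywhere RPC_IN_DATA requests declare very large bodies), the 10.0.0.0/8 range for the Exchange admin center, HSTS, the forwarded Host and X-Forwarded-For headers and the RPC read timeout are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example, not code from the original post: write a hardened variant of
# the Exchange proxy config with a QUOTED heredoc, then check the result.
# Host names and cert paths come from the post; the 2G body limit, the
# 10.0.0.0/8 admin range, HSTS and the forwarded headers are assumptions.

# write_exchange_conf FILE: the delimiter is quoted ('EOF') so the shell
# leaves $host, $request_uri and $proxy_add_x_forwarded_for for nginx.
write_exchange_conf() {
    cat > "$1" << 'EOF'
upstream exchange {
    zone exchange-general 64k;
    ntlm;                       # third-party nginx-ntlm-module directive
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
upstream exchange-rpc {
    zone exchange-rpc 64k;
    sticky;                     # nginx-sticky-module-ng: pin Outlook Anywhere
    ntlm;
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
server {
    listen 443 ssl;
    server_name mail.cmdschool.org;
    ssl_certificate wildcard.cmdschool.org.pem;
    ssl_certificate_key wildcard.cmdschool.org.key;
    # TLS 1.0/1.1 removed; TLSv1.3 needs OpenSSL 1.1.1+ (a 1.0.2k build
    # such as the post's will only negotiate TLS 1.2).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;
    client_max_body_size 2G;    # Outlook Anywhere RPC_IN_DATA bodies (assumed)
    proxy_http_version 1.1;     # NTLM pass-through needs persistent HTTP/1.1
    location / {
        proxy_pass https://exchange;
        # proxy_set_header is NOT inherited once a location sets any, so
        # the Host/X-Forwarded-For headers are repeated in every location.
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /ecp {             # admin center: assumed internal-only
        allow 10.0.0.0/8;
        deny all;
        proxy_pass https://exchange;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /rpc/rpcproxy.dll {
        proxy_pass https://exchange-rpc;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_read_timeout 3600s;   # long-lived RPC_OUT_DATA streams (assumed)
        proxy_set_header Connection "Keep-Alive";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
server {
    listen 80;
    server_name mail.cmdschool.org;
    return 301 https://$host$request_uri;
}
EOF
}

# check_exchange_conf FILE: 0 if every required directive survived the heredoc
# verbatim and no legacy TLS version is enabled; otherwise print why, return 1.
check_exchange_conf() {
    for needle in \
        'return 301 https://$host$request_uri;' \
        'proxy_set_header Host $host;' \
        'ssl_protocols TLSv1.2 TLSv1.3;' \
        'client_max_body_size 2G;'; do
        grep -qF -- "$needle" "$1" || { echo "missing: $needle"; return 1; }
    done
    if grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?[ ;]' "$1"; then
        echo "legacy TLS 1.0/1.1 still enabled"; return 1
    fi
    return 0
}

# The post's bug, isolated: with an unquoted delimiter the shell expands
# $request_uri (unset) to nothing, so the written redirect drops the path.
redirect_line_unquoted() {
    unset request_uri
    cat << EOF
return 301 https://mail.cmdschool.org$request_uri;
EOF
}
redirect_line_quoted() {
    cat << 'EOF'
return 301 https://mail.cmdschool.org$request_uri;
EOF
}
```

Run it as `. ./exchange_conf.sh; write_exchange_conf /etc/nginx/conf.d/mail.cmdschool.org_443_exchange.conf && check_exchange_conf /etc/nginx/conf.d/mail.cmdschool.org_443_exchange.conf && nginx -t`. The check is deliberately literal (grep -F) because the whole point is that `$host` and `$request_uri` must reach nginx as text; comparing the two redirect_line_* functions shows why the original heredoc needed its delimiter quoted.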