Nginx
1 Preface
One problem, one article, one story.
The author recently needed to put a reverse proxy in front of the corporate Microsoft Exchange mailboxes, so this article was put together.
2 Best practice
2.1 Preparing the software environment
2.1.1 Prepare a Tengine environment built from source
2.1.2 Load the ntlm module into Tengine
2.1.3 Load the Tengine session sticky module
2.1.4 Confirm the modules are loaded
nginx -V
The output should look like the following,
Tengine version: Tengine/2.4.0
nginx version: nginx/1.22.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --add-module=./modules/nginx_cookie_flag_module-1.1.0 --add-module=./modules/nginx-ntlm-module-1.19.3 --add-module=./modules/ngx_http_upstream_session_sticky_module
The build above used the following configure arguments; refer to them if needed,
cd ~/tengine-2.4.0/
./configure \
  --prefix=/etc/nginx \
  --sbin-path=/usr/sbin/nginx \
  --modules-path=/usr/lib64/nginx/modules \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/var/run/nginx.pid \
  --lock-path=/var/run/nginx.lock \
  --http-client-body-temp-path=/var/cache/nginx/client_temp \
  --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
  --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
  --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
  --user=nginx \
  --group=nginx \
  --with-compat \
  --with-file-aio \
  --with-threads \
  --with-http_addition_module \
  --with-http_auth_request_module \
  --with-http_dav_module \
  --with-http_flv_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_mp4_module \
  --with-http_random_index_module \
  --with-http_realip_module \
  --with-http_secure_link_module \
  --with-http_slice_module \
  --with-http_ssl_module \
  --with-http_stub_status_module \
  --with-http_sub_module \
  --with-http_v2_module \
  --with-mail \
  --with-mail_ssl_module \
  --with-stream \
  --with-stream_realip_module \
  --with-stream_ssl_module \
  --with-stream_ssl_preread_module \
  --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' \
  --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' \
  --add-module=./modules/nginx_cookie_flag_module-1.1.0 \
  --add-module=./modules/nginx-ntlm-module-1.19.3 \
  --add-module=./modules/ngx_http_upstream_session_sticky_module
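Reading the configure line by eye is error-prone, and `nginx -V` prints to stderr, so a pipeline that forgets `2>&1` sees nothing. The script below is an added example (not from the original article or from Tengine) that checks the binary for the add-modules and built-in features the Exchange proxy configuration depends on. The module names are the ones from the build above; the embedded build info is a constructed, shortened copy of that output so the checks can be exercised on a machine without Tengine.

```shell
#!/bin/sh
# Added example: confirm the Tengine binary carries what the Exchange proxy
# config relies on (ntlm, session_sticky, cookie_flag, the ssl module).

# Constructed sample of `nginx -V` output, abbreviated from the build above;
# used only when no nginx binary is on PATH.
SAMPLE_BUILD_INFO='Tengine version: Tengine/2.4.0
nginx version: nginx/1.22.1
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module --add-module=./modules/nginx_cookie_flag_module-1.1.0 --add-module=./modules/nginx-ntlm-module-1.19.3 --add-module=./modules/ngx_http_upstream_session_sticky_module'

# nginx -V writes to stderr; without the redirect a pipeline sees nothing.
live_build_info() {
    nginx -V 2>&1
}

# Read build info on stdin; succeed only if every name given as an argument
# occurs inside an --add-module= entry (the same word elsewhere does not count).
check_add_modules() {
    info=$(cat)
    missing=""
    for mod in "$@"; do
        if ! printf '%s\n' "$info" | grep -q -e "--add-module=[^ ]*${mod}"; then
            missing="${missing} ${mod}"
        fi
    done
    [ -z "$missing" ] || { echo "missing add-modules:${missing}" >&2; return 1; }
}

# Same for built-in --with-* features. A space is appended to every line so
# that the match is a whole token (http_ssl must not match http_ssl_module).
check_with_features() {
    info=$(cat)
    for feat in "$@"; do
        printf '%s\n' "$info" | sed 's/$/ /' | grep -q -e "--with-${feat} " \
            || { echo "missing built-in feature: ${feat}" >&2; return 1; }
    done
}

# Print the OpenSSL version the binary was linked against. OpenSSL 1.0.2 has
# no TLS 1.3, which is why the server block later offers only TLSv1.2.
openssl_version() {
    sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p'
}

main() {
    if command -v nginx >/dev/null 2>&1; then
        info=$(live_build_info)
    else
        info=$SAMPLE_BUILD_INFO
    fi
    printf '%s\n' "$info" | check_add_modules nginx-ntlm-module ngx_http_upstream_session_sticky_module nginx_cookie_flag_module
    printf '%s\n' "$info" | check_with_features http_ssl_module http_v2_module
    echo "linked OpenSSL: $(printf '%s\n' "$info" | openssl_version)"
}

# Run the checks with: sh check_tengine_build.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Run it on the proxy host after the build; a non-zero exit from either check means the configuration in the next section will fail at `nginx -t` with an "unknown directive" error for `ntlm` or `session_sticky`.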
2.2 Configuring the Exchange proxy
2.2.1 Create the Exchange proxy configuration
cat > /etc/nginx/conf.d/mail.cmdschool.org_443_exchange.conf << 'EOF'
# NTLM authenticates a TCP connection rather than each request, so the ntlm
# directive binds every client to its own upstream connection instead of
# sharing keepalive connections between clients. One pool per Exchange
# virtual directory keeps those pools independent.
upstream exchange {
    zone exchange-general 64k;
    ntlm;
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
upstream exchange-activesync {
    zone exchange-activesync 64k;
    ntlm;
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
upstream exchange-ecp {
    zone exchange-ecp 64k;
    ntlm;
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
upstream exchange-mapi {
    zone exchange-mapi 64k;
    ntlm;
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
upstream exchange-owa {
    zone exchange-owa 64k;
    ntlm;
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
upstream exchange-rpc {
    zone exchange-rpc 64k;
    # Outlook Anywhere pairs an RPC_IN_DATA and an RPC_OUT_DATA request that
    # must reach the same backend, hence session stickiness on this pool only.
    session_sticky;
    ntlm;
    server exchange01.cmdschool.org:443;
    server exchange02.cmdschool.org:443;
}
server {
    listen 443 ssl;
    server_name mail.cmdschool.org;
    ssl_certificate wildcard.cmdschool.org.pem;
    ssl_certificate_key wildcard.cmdschool.org.key;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated, and the OpenSSL 1.0.2 this build links
    # against has no TLS 1.3, so TLS 1.2 is the only version to offer.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    # nginx limits request bodies to 1m by default, which rejects most
    # attachment uploads with 413. 50m is a placeholder; set it to the
    # Exchange message size limit.
    client_max_body_size 50m;
    # nginx does not verify the backend certificate by default. If the internal
    # CA that issued the Exchange certificates is available, enable
    # verification (the CA path is an assumption):
    # proxy_ssl_server_name on;
    # proxy_ssl_verify on;
    # proxy_ssl_trusted_certificate /etc/nginx/internal-ca.pem;
    #
    # proxy_set_header is not inherited into a location that sets any header
    # of its own, so Host is repeated in every location below. Exchange builds
    # its redirect and logon URLs from Host; without it nginx sends the
    # upstream group name.
    location / {
        proxy_pass https://exchange;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
    }
    location /ecp {
        proxy_pass https://exchange-ecp;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
    }
    location /mapi {
        proxy_pass https://exchange-mapi;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
    }
    location /Microsoft-Server-ActiveSync {
        proxy_pass https://exchange-activesync;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
    }
    location /owa {
        proxy_pass https://exchange-owa;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
    }
    location /rpc/rpcproxy.dll {
        proxy_pass https://exchange-rpc;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_set_header Connection "Keep-Alive";
        proxy_set_header Host $host;
        # RPC_IN_DATA announces a 1 GiB Content-Length up front; the body size
        # check runs even with request buffering off, so lift the limit here.
        client_max_body_size 0;
    }
}
server {
    listen 80;
    server_name mail.cmdschool.org;
    # The heredoc delimiter is quoted ('EOF') so that $request_uri and $host
    # reach the file literally instead of being expanded to nothing by the
    # shell.
    return 301 https://mail.cmdschool.org$request_uri;
}
EOF
2.2.2 Check the configuration for syntax errors
nginx -t
If you see the following, the configuration has no problems,
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
2.2.3 Reload the configuration so the Exchange proxy takes effect
systemctl reload nginx.service
2.2.4 Test the Exchange proxy
https://mail.cmdschool.org/owa/
If you can log in through the link above and fetch mail, the proxy is working; a sample of the result is shown below,
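A browser login only exercises the forms-based OWA path. The script below is an added example (not from the original article or from Tengine) that checks the published proxy from the outside the way a client would: that plain HTTP redirects to HTTPS with the request path kept, that a TLS 1.0 handshake is refused, and that the NTLM/Negotiate challenge from the RPC and MAPI virtual directories still reaches the client through the ntlm upstreams, without which Outlook logins fail. The host name is the article's mail.cmdschool.org; the two response captures embedded in it are constructed, not recorded from a real server, and which authentication schemes a real Exchange offers depends on its virtual-directory settings.

```shell
#!/bin/sh
# Added example: external smoke test of the Exchange reverse proxy.
HOST="${EXCHANGE_HOST:-mail.cmdschool.org}"

# Constructed responses in the shape `curl -s -D - -o /dev/null` prints,
# so the parsing functions can be exercised offline.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Server: Tengine/2.4.0
Location: https://mail.cmdschool.org/owa/
Content-Length: 0'

SAMPLE_RPC_401='HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="mail.cmdschool.org"
Content-Length: 0'

# HTTP status code from the first line of a response read on stdin.
status_code() {
    sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# Space-separated WWW-Authenticate schemes offered, in order. No NTLM or
# Negotiate here on /rpc or /mapi means the challenge is being lost between
# Exchange and the client.
auth_schemes() {
    tr -d '\r' | sed -n 's/^[Ww][Ww][Ww]-[Aa]uthenticate: *\([A-Za-z]*\).*/\1/p' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Succeed only if the response is a redirect to https://host/path, i.e. the
# port-80 server block kept $request_uri rather than redirecting to the root.
redirects_to_https() {
    host=$1
    path=$2
    resp=$(cat)
    code=$(printf '%s\n' "$resp" | status_code)
    loc=$(printf '%s\n' "$resp" | tr -d '\r' | sed -n 's/^[Ll]ocation: *//p')
    case "$code" in 301|302|307|308) ;; *) return 1 ;; esac
    [ "$loc" = "https://${host}${path}" ]
}

# Live checks: need curl, openssl and network access to the proxy.
live_checks() {
    echo "== http://${HOST}/owa/ must redirect to https with the path kept"
    curl -s -D - -o /dev/null "http://${HOST}/owa/" \
        | redirects_to_https "$HOST" /owa/ && echo ok || echo "FAIL: no https redirect to /owa/"

    # ssl_protocols TLSv1.2 must make this handshake fail. An openssl built
    # without TLS 1.0 support also fails here, so confirm with -tls1_2 too.
    echo "== TLS 1.0 must be refused"
    if openssl s_client -connect "${HOST}:443" -servername "$HOST" -tls1 </dev/null >/dev/null 2>&1; then
        echo "FAIL: TLS 1.0 handshake accepted"
    else
        echo ok
    fi

    # Expected shape: /rpc and /mapi answer 401 with Negotiate/NTLM in the
    # list; /owa/ answers with a redirect to the forms logon page.
    for path in /rpc/rpcproxy.dll /mapi/emsmdb /Microsoft-Server-ActiveSync /owa/; do
        resp=$(curl -s -D - -o /dev/null "https://${HOST}${path}")
        echo "== ${path}: $(printf '%s\n' "$resp" | status_code) [$(printf '%s\n' "$resp" | auth_schemes)]"
    done
}

# Run against the live proxy with: EXCHANGE_HOST=mail.example.org sh check_exchange_proxy.sh run
if [ "${1:-}" = "run" ]; then live_checks; fi
```

The redirect check is the one that catches an unquoted heredoc delimiter when the configuration file is created: if the shell expanded `$request_uri` to nothing, the Location header points at the site root and the check fails.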
