We recently moved an exchange server behind a reverse proxy due to the loss of a public IP.
I've managed to configure the reverse proxy (httpd proxy_http
).
But there is a problem for the SSL configuration.
When accessing the OWA interface with Firefox, all is ok and working. When accessing with MSIE or Chrome, they do not retrieve the good SSL Certificate.
I think this is due to the multiples virtual host for httpd. Is there a workaround to make sure MSIE/Chrome request the certificate for the good domain name like FF does?
Already tested with the SSL virtual host :
SetEnvIf User-Agent ".*MSIE.*" value BrowserMSIE
Header unset WWW-Authenticate
Header add WWW-Authenticate "Basic realm=exchange.domain.com"
A:
ProxyPreserveHost On
also:
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
Or:
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
And lots of ProxyPass
and ProxyReversePath
on /exchweb /exchange /public
etc...
And it still don't seem to work. Any clue?
Thanks.
Edit 1: Precision of versions
# openssl version
OpenSSL 0.9.8k-fips 25 Mar 2009
/usr/sbin/httpd -v
Server version: Apache/2.2.11 (Unix)
Server built: Mar 17 2009 09:15:10
Browser versions :
MSIE : 8.0.6001
Opera: Version 11.01 Revision 1190
Firefox: 3.6.15
Chrome: 10.0.648.151
Operating System:
Windows Vista 32bits.
They are all SNI compliant, I've tested them this afternoon https://sni.velox.ch/
You're right Shane Madden, I have multiple sites on the same public IP (and same port as well). The server itself is just a reverse proxy, that rewrite addresses to internal servers.
The default host is a dev site, configure with the certificate that does not match the OWA (of course... would have been to easy)
<VirtualHost *:443>
ServerName dev2.domain.com
ServerAdmin tech_support@domain.com
CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/access-%y%m%d.log 86400" combined
ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/error-%y%m%d.log 86400"
LogLevel warn
RewriteEngine on
SetEnvIfNoCase X-Forwarded-For .+ proxy=yes
SSLEngine on
SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL:+SSLv3
SSLCertificateFile /etc/httpd/ssl/domain.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/domain.com.key
RewriteCond %{HTTP_HOST} dev2\.domain\.com
RewriteRule ^/(.*)$ http://dev2.domain.com/$1 [L,P]
</VirtualHost>
The certificate of domain is a *.domain.com
The second vHost is :
<VirtualHost *:443>
ServerName exchange.domain2.com
ServerAdmin tech_support@domain.com
CustomLog "| /usr/sbin/rotatelogs /var/log/httpd/exchange/access-%y%m%d.log 86400" combined
ErrorLog "| /usr/sbin/rotatelogs /var/log/httpd/exchange/error-%y%m%d.log 86400"
LogLevel warn
SSLEngine on
SSLProxyEngine On
SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL:+SSLv3
SSLCertificateFile /etc/httpd/ssl/exchange.pem
SSLCertificateKeyFile /etc/httpd/ssl/exchange.key
RewriteEngine on
SetEnvIfNoCase X-Forwarded-For .+ proxy=yes
RewriteCond %{HTTP_HOST} exchange\.domain2\.com
RewriteRule ^/(.*)$ https://exchange.domain2.com/$1 [L,P]
</VirtualHost>
and it's certificate is exchange.domain2.com only.
I presume the SNI is somewhere not activated on my server. The versions of openssl and apache seams to be ok for the SNI support. The only thing I do not know is if httpd has been compile with the good options. (I assume it's a fedora packet).