NGINX als Reverse Proxy für Exchange 2010/2013/2016


Als Linux Distribution habe ich ein Ubuntu 16.04.02 LTS verwendet.
Als Zertifikatsanbieter habe ich hierbei Let’s Encrypt verwendet.

Die externe Domäne ist: mail.external.eval
Der interne Exchange ist: exchange.mhdom.eval

Installation von NGINX und notwendigen Komponenten

# apt install nginx nginx-extras

Installation der Let’s Encrypt Komponenten, Erstellen und Einbinden des Zertifikats

# add-apt-repository ppa:certbot/certbot
# apt-get update
# apt-get install certbot

Ausstellen des Zertifikats

# service nginx stop
# certbot certonly --standalone -d [mail.external.eval]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for mail.external.eval
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/mail.external.eval/fullchain.pem. Your cert
   will expire on ####-##-##. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Bearbeiten der NGINX-Konfiguration

# vi /etc/nginx/conf.d/exchange.conf
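# /etc/nginx/conf.d/exchange.conf
# Public reverse proxy in front of the internal Exchange server: plain HTTP is
# redirected to HTTPS, "/" is sent to OWA, and only the Exchange virtual
# directories listed below are proxied. Validate with `nginx -t` before reloading.

# Plain-HTTP listener: nothing is served here, every request is redirected.
server {
    listen 80;
    server_name mail.external.eval;
    return 301 https://$host$request_uri;
}

server {
    tcp_nodelay on;
    # "listen ... ssl" replaces the deprecated "ssl on;" directive.
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/mail.external.eval/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.external.eval/privkey.pem;

    # Without this line nginx also accepts TLS 1.0/1.1 on an Internet-facing
    # listener. Current Outlook/OWA/ActiveSync clients negotiate TLS 1.2; add
    # TLSv1.1 back here only if a specific legacy client really needs it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    server_name mail.external.eval;

    # The HTTP listener already forces HTTPS; HSTS makes browsers remember that.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Everything that is not an explicitly proxied Exchange path ends up here.
    location / {
            return 301 https://mail.external.eval/owa;
    }

    proxy_http_version      1.1;
    # Outlook Anywhere / MAPI keep long-lived requests open; do not cut them early.
    proxy_read_timeout      360;
    proxy_pass_header       Date;
    proxy_pass_header       Server;
    proxy_pass_header       Authorization;
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_pass_request_headers on;
    # headers-more (nginx-extras): re-inject the client's Authorization header.
    more_set_input_headers 'Authorization: $http_authorization';
    # Ask Exchange for uncompressed responses so nginx can pass the body through.
    proxy_set_header Accept-Encoding "";
    # Rewrites Exchange's 401 challenge to Basic. Clients then send their
    # credentials base64-encoded, so this server block must only ever be
    # reachable over TLS (the port-80 block above guarantees the redirect).
    more_set_headers -s 401 'WWW-Authenticate: Basic realm="exchange.mhdom.eval"';
    proxy_buffering off;
    proxy_set_header Connection "Keep-Alive";

    # NOTE: nginx does not verify the upstream certificate by default, so the
    # hop to Exchange is encrypted but not authenticated. To pin it to the
    # internal CA, enable:
    #   proxy_ssl_verify on;
    #   proxy_ssl_trusted_certificate /path/to/internal-ca.pem;   # placeholder path
    #   proxy_ssl_server_name on;

    # Allow-list of Exchange virtual directories. All of them point at the
    # internal server from the intro (the original ews/autodiscover entries
    # pointed at a different host). "^/owa" also matches e.g. "/owa-anything";
    # use "^/owa(/|$)" if a stricter match is wanted. /oab (offline address
    # book for Outlook Anywhere) is not proxied here - add it if needed.
    location ~* ^/owa { proxy_pass https://exchange.mhdom.eval; }
    location ~* ^/Microsoft-Server-ActiveSync { proxy_pass https://exchange.mhdom.eval; }
    location ~* ^/ecp { proxy_pass https://exchange.mhdom.eval; }
    location ~* ^/rpc { proxy_pass https://exchange.mhdom.eval; }
    location ~* ^/mapi { proxy_pass https://exchange.mhdom.eval; }
    location ~* ^/ews { proxy_pass https://exchange.mhdom.eval; }
    location ~* ^/autodiscover { proxy_pass https://exchange.mhdom.eval; }

    error_log /var/log/nginx/owa-ssl-error.log;
    access_log /var/log/nginx/owa-ssl-access.log;
}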
# vi /etc/nginx/nginx.conf
    ...
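    http {
        ##
        # Basic Settings
        ##
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # Hide the nginx version in the Server header of nginx's own responses
        # (redirects, error pages). Proxied responses keep Exchange's Server
        # header because exchange.conf uses "proxy_pass_header Server".
        server_tokens off;
        # Mail attachments and ActiveSync uploads can be large; raising the
        # default (1m) avoids HTTP 413 for those requests.
        client_max_body_size 2000M;
        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;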
    ....

Nun noch den NGINX starten (service nginx start) oder am besten den ganzen Server einmal neu starten (reboot).