haproxy https://tech.feedyourhead.at/ en Reverse-Proxy for Exchange 2003 https://tech.feedyourhead.at/content/reverse-proxy-exchange-2003
<span class="field field--name-title field--type-string field--label-hidden">Reverse-Proxy for Exchange 2003</span>
<div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item">
<p>I know that nobody should use Microsoft Exchange 2003 anymore, but there are still some 2003 servers out there. I wanted to put a reverse proxy on Linux in front of such an Exchange server to get at least better encryption, and ran into some problems:</p>
<h3>MS RPC over HTTP breaks the HTTP standard</h3>
<p>I first tried to build the reverse proxy with apache2. Since Microsoft's RPC over HTTP breaks the HTTP standard (supporting it would make a web server less secure), apache does not support it. Other services such as Outlook Web Access work fine, even with apache2.</p>
<h3>HAProxy</h3>
<p>HAProxy is a nice proxy that runs perfectly under Linux.</p>
<p>This is my haproxy.cfg:</p>
<pre><code>global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
	ssl-default-bind-options no-sslv3

defaults
	log	global
	mode	http
	option	httplog
	# option	dontlognull
	timeout connect 5000
	timeout client  50000
	timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

# TLS-terminating TCP proxy for RPC over HTTP (and OWA) on port 443 of the Exchange server
frontend exchange-ssl
	mode tcp
	bind 192.168.24.4:9443 ssl crt /etc/ssl/webmail/haproxy.pem
	# reqadd only takes effect in HTTP mode; in mode tcp HAProxy ignores it with a warning
	reqadd X-Forwarded-Proto:\ https
	option tcplog
	default_backend exchange_backend

backend exchange_backend
	mode tcp
	# verify none: the Exchange certificate on the internal hop is not validated
	server server1 192.168.0.6:443 maxconn 1024 check ssl verify none
	stick on src
	stick-table type ip size 10240k expire 240m
	option httpchk HEAD / HTTP/1.0
	option redispatch
	option abortonclose
	# httpclose, forwardfor and cookie are HTTP-mode options; ignored in mode tcp
	option httpclose
	option forwardfor
	cookie JSESSIONID prefix

# Raw MSRPC: endpoint mapper (135) and the statically mapped store/DSProxy ports
frontend rpc-front
	bind :135,:60200,:60201
	mode tcp
	maxconn 40000
	default_backend rpc-server

backend rpc-server
	# raw MSRPC is not HTTP; without this the backend inherits 'mode http' from defaults
	mode tcp
	stick-table type ip size 10240k expire 60m
	stick on src
	option redispatch
	option abortonclose
	balance leastconn
	# no port on the server line: HAProxy connects to the same port the client hit on the frontend
	server EXCH01 192.168.0.6 weight 1 check port 135 inter 2000 rise 2 fall 3 on-marked-down shutdown-sessions
</code></pre>
<h3>Exchange Registry</h3>
<p>Even with HAProxy it didn't work. It was pretty hard to find the cause, but in the end I found it. I just had to change the right registry key on the Exchange server:</p>
<pre><code>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
"Enabled"=dword:00000001
"ValidPorts"="mailsrv:6001-6002;mailsrv.example.local:6001-6002;mailsrv:6004;mailsrv.example.local:6004"
</code></pre>
<p>I just had to add the fully qualified domain name of the mail server's public domain here:</p>
<pre><code>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
"Enabled"=dword:00000001
"ValidPorts"="webmail.example.com:6001-6002;mailsrv:6001-6002;mailsrv.example.local:6001-6002;mailsrv:6004;mailsrv.example.local:6004;webmail.example.com:6004"
</code></pre>
</div>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span>
<span class="field field--name-created field--type-created field--label-hidden">May 26 2015</span>
<div class="field field--name-field-tagies field--type-entity-reference field--label-above">
<div class="field__label">Tags</div>
<div class='field__items'>
<div class="field__item"><a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div>
<div class="field__item"><a href="/tags/microsoft" hreflang="en">Microsoft</a></div>
<div class="field__item"><a href="/tags/proxy" hreflang="en">Proxy</a></div>
<div class="field__item"><a href="/Linux" hreflang="en">Linux</a></div>
<div class="field__item"><a href="/tags/haproxy" hreflang="en">haproxy</a></div>
</div>
</div>
Tue, 26 May 2015 14:09:17 +0000 Hoti 90 at https://tech.feedyourhead.at
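As an added example (not code from the original post), here is a small Python checker for the RpcProxy ValidPorts value the post describes: it parses the entries, reports which of the hostnames clients connect through are missing the RPC-over-HTTP ports 6001-6002 and 6004, and builds the extended value. The port numbers and sample hostnames are the post's; the checker itself is an assumed way to verify the key before editing it, not Microsoft's own validation logic.

```python
import re

# Exchange 2003 RPC-over-HTTP back-end ports, as in the post's ValidPorts value:
# 6001-6002 = store and referral service, 6004 = NSPI (directory).
REQUIRED_PORTS = {6001, 6002, 6004}

# Constructed sample: the post's "before" value, public name not yet listed.
BEFORE = ("mailsrv:6001-6002;mailsrv.example.local:6001-6002;"
          "mailsrv:6004;mailsrv.example.local:6004")

def parse_valid_ports(value):
    """Parse 'host:port;host:lo-hi;...' into {host: set_of_ports}."""
    hosts = {}
    for entry in filter(None, (e.strip() for e in value.strip('"').split(";"))):
        host, _, ports = entry.rpartition(":")
        if not host or not re.fullmatch(r"\d+(-\d+)?", ports):
            raise ValueError("malformed ValidPorts entry: %r" % entry)
        lo, _, hi = ports.partition("-")
        hosts.setdefault(host.lower(), set()).update(range(int(lo), int(hi or lo) + 1))
    return hosts

def missing_entries(value, hostnames):
    """Map each name clients connect with to the required ports it lacks."""
    have = parse_valid_ports(value)
    missing = {}
    for host in (h.lower() for h in hostnames):
        gap = REQUIRED_PORTS - have.get(host, set())
        if gap:
            missing[host] = sorted(gap)
    return missing

def _ranges(ports):
    """Collapse a sorted port list into 'lo-hi' / 'p' tokens."""
    runs = []
    for p in ports:
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    return [f"{a}-{b}" if b > a else str(a) for a, b in runs]

def with_hostnames(value, hostnames):
    """Append the missing host:port entries; existing ones are kept verbatim."""
    entries = [e.strip() for e in value.strip('"').split(";") if e.strip()]
    for host, ports in missing_entries(value, hostnames).items():
        entries += [f"{host}:{r}" for r in _ranges(ports)]
    return ";".join(entries)
```

The returned string is what goes back into ValidPorts; because the function only appends, the internal names already present are left untouched.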