Difference between revisions of "SME Server:Documentation:ProxyPass"
Revisions compared: RayMitchell (talk | contribs) (certificate expected behaviour) and Bunkobugsy (talk | contribs) (minor edit); 12 intermediate revisions by 6 users not shown.
Latest revision as of 11:53, 22 October 2024
Proxy Pass
ProxyPass a domain
This section covers ProxyPass directives in the "domains" database
- I want to pass some http requests to a server behind my SME Server or external to my site, how can I do this?
You can set a ProxyPass directive that will pass certain requests to an internal or external server that hosts the domain to be proxypassed:
db domains set proxypassdomain.com domain
db domains setprop proxypassdomain.com Nameservers internet
db domains setprop proxypassdomain.com ProxyPassTarget http://xxx.xxx.xxx.xxx/
db domains setprop proxypassdomain.com TemplatePath ProxyPassVirtualHosts
signal-event domain-create proxypassdomain.com
where proxypassdomain.com is the domain name hosted on the internal or external server and http://xxx.xxx.xxx.xxx/ is the IP address of the internal or external server, e.g. 192.168.1.20 or 122.456.12.171 (it must be the publicly accessible IP if an external server).
To delete a ProxyPass directive that you previously set up:
db domains delete proxypassdomain.com
signal-event domain-delete proxypassdomain.com
Note that with the settings above 'TemplatePath' is set to 'ProxyPassVirtualHosts', which reads the templates in:
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/ProxyPassVirtualHosts
It is perfectly possible to use your own templates for more specialised settings:
cp -R /etc/e-smith/templates/etc/httpd/conf/httpd.conf/ProxyPassVirtualHosts /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/MyProxyPassHost
Now you can edit the templates in 'MyProxyPassHost' and use your own advanced settings as you require.
db domains setprop proxypassdomain.com TemplatePath MyProxyPassHost
Note: If you have added the internal or external server's domain name as a virtual domain on the SME Server, you must remove it prior to issuing these commands. The server-manager domains panel will show the proxy pass entry but you will not be able to edit it, see bugzilla:1612.
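As an added example (not from the wiki or the SME Server project), a POSIX sh wrapper that validates the ProxyPassTarget URL (scheme, trailing slash, hostname with optional port, or a real IPv4 address with every octet in range) before printing, or with APPLY=1 running, the five db/signal-event commands above. The db and signal-event tools are assumed to exist only when APPLY=1; the checks themselves run anywhere.

```shell
#!/bin/sh
# Added example (not from the SME Server wiki): check a ProxyPassTarget before
# it is written to the domains db with the commands above. The db and
# signal-event tools from the page are assumed only when APPLY=1.

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0..255
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs     # split into octets
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# valid_target URL -> 0 if URL has the form the page uses: http:// or https://,
# an IPv4 address or hostname (optionally :port), and a trailing slash
valid_target() {
  case "$1" in
    http://*/|https://*/) ;;
    *) return 1 ;;
  esac
  host=${1#*://}; host=${host%%/*}
  [ -n "$host" ] || return 1
  case "$host" in
    *:*) port=${host##*:}; host=${host%:*}       # optional :port suffix
         printf '%s\n' "$port" | grep -Eq '^[0-9]{1,5}$' || return 1 ;;
  esac
  case "$host" in
    *[!0-9.]*)                       # has a letter or hyphen: apply hostname rules
      printf '%s\n' "$host" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$' ;;
    *) valid_ipv4 "$host" ;;         # only digits and dots: must be a real IPv4 address
  esac
}

# proxypass_domain DOMAIN URL -> print the page's five commands for DOMAIN, or
# run them when APPLY=1; returns 1 without doing anything if URL is rejected
proxypass_domain() {
  domain=$1; target=$2
  valid_target "$target" || { echo "rejected ProxyPassTarget: $target" >&2; return 1; }
  for cmd in \
    "db domains set $domain domain" \
    "db domains setprop $domain Nameservers internet" \
    "db domains setprop $domain ProxyPassTarget $target" \
    "db domains setprop $domain TemplatePath ProxyPassVirtualHosts" \
    "signal-event domain-create $domain"
  do
    if [ "${APPLY:-0}" = 1 ]; then $cmd; else printf '%s\n' "$cmd"; fi
  done
}
```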
Also refer to these links for information regarding the proxypass virtual domain feature of SME server, from this thread http://forums.contribs.org/index.php/topic,47795.0.html
http://bugs.contribs.org/show_bug.cgi?id=999
http://forums.contribs.org/index.php?topic=47160.0
http://forums.contribs.org/index.php?topic=46975.0
From this forum post by Charlie Brady http://forums.contribs.org/index.php/topic,49181.msg245408.html#msg245408 is information about https access & expected behaviour re certificates
What happens is that the browser connects to the SME server, then negotiates SSL (verifies the certificate and starts encrypting the connection), then sends the request (hostname + URL). Apache in the SME server then proxies the connection (creates the connection to the internal webserver, passes the request, passes back the response). There's no way that the internal server's certificate can be presented to the browser and used to enable encryption.
ProxyPass an alias/directory/location
This section covers the db settings in the "accounts" database that generate ProxyPass directives in httpd.conf
- I have a domain http://mydomain.com and I would like http://mydomain.com/extra to forward to the internal server. How do I do this using the db account directives?
You can do what you want by creating a custom template fragment that enables proxypass on ".../extra"; the notes from this forum discussion http://forums.contribs.org/index.php/topic,40075.0.html should help.
The following works on SME 7.5.1 and SME 8beta6 systems where the template fragment /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35ProxyPass contains the appropriate code which is automatically generated by issuing the following db commands:
db accounts set extra ProxyPass
db accounts setprop extra Target http://192.168.1.35
db accounts setprop extra Description InternalServer
db accounts setprop extra HTTP on
db accounts setprop extra HTTPS on
db accounts setprop extra ValidFrom 80.90.100.0/24,74.125.93.105
expand-template /etc/httpd/conf/httpd.conf
sv t httpd-e-smith
Note: In the above commands, set xxxx ProxyPass, setprop xxxx Target http://<target> and setprop xxxx Description <description> are required; all other lines are optional.
Note: It doesn't look like these directives are going to work for HTTPS connections by default (they end up inside a "Listen 0.0.0.0:80" section in httpd.conf). It appears that 35ProxyPass is old (mentioned in a bug from year 2006), while ProxyPass SSL support was fixed in a later bug (in year 2007), by which time the ProxyPass code had been moved to the virtual domains templates.
Note: HTTP and HTTPS are set to yes by default, so there is no need to set them. Apart from that, it is preferred to use no when you want one disabled, rather than on/off or enabled/disabled.
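The note above warns that 35ProxyPass directives can land only in the port 80 section of the expanded httpd.conf. This added POSIX sh script (not from the wiki or SME Server) reads an expanded httpd.conf, reports the VirtualHost and port each ProxyPass directive ended up in, and flags paths proxied on :80 but not on :443 for the same ServerName; the configuration it writes is a constructed sample for the demonstration, not a real server's file.

```shell
#!/bin/sh
# Added example (not from the SME Server wiki): show which <VirtualHost> and
# port every ProxyPass directive of an expanded httpd.conf landed in, so a
# path proxied only on :80 (the 35ProxyPass caveat above) is found before
# HTTPS clients are expected to reach it.

# proxypass_report FILE -> one line per ProxyPass: "PORT SERVERNAME PATH TARGET"
# (PORT is "global" for a directive outside any <VirtualHost>)
proxypass_report() {
  port=""; name=""
  while read -r key arg1 arg2 rest; do       # read strips indentation; -r keeps backslashes
    case "$key" in
      '<VirtualHost')   port=${arg1%">"}; port=${port##*:}; name="-" ;;
      ServerName)       name=$arg1 ;;
      '</VirtualHost>') port=""; name="" ;;
      ProxyPass)        printf '%s %s %s %s\n' "${port:-global}" "$name" "$arg1" "$arg2" ;;
    esac
  done < "$1"
}

# https_covered FILE -> 0 when every path proxied on :80 is also proxied on :443
# for the same ServerName; otherwise lists the HTTP-only ones and returns 1
https_covered() {
  report=$(proxypass_report "$1"); missing=0
  while read -r port name path target; do
    [ "$port" = 80 ] || continue
    printf '%s\n' "$report" | grep -q "^443 $name $path " || {
      printf 'HTTP-only ProxyPass: %s %s -> %s\n' "$name" "$path" "$target" >&2; missing=1; }
  done <<EOF
$report
EOF
  return $missing
}

# write_sample FILE -> constructed fragment resembling an expanded SME httpd.conf
# (sample data for this example only, not a real server's configuration)
write_sample() {
  cat > "$1" <<'EOF'
Listen 0.0.0.0:80
<VirtualHost 0.0.0.0:80>
    ServerName www.domainA.com
    ProxyPass /extra http://192.168.1.35
</VirtualHost>
<VirtualHost 0.0.0.0:443>
    ServerName www.domainA.com
    SSLEngine on
</VirtualHost>
<VirtualHost 0.0.0.0:80>
    ServerName remote.domainA.com
    ProxyPass / http://iis.private.local/
</VirtualHost>
<VirtualHost 0.0.0.0:443>
    ServerName remote.domainA.com
    ProxyPass / https://iis.private.local/
    ProxyPass /owa https://iis.private.local/owa
</VirtualHost>
EOF
}
```

Run it against the real /etc/httpd/conf/httpd.conf after expand-template to see where your own directives landed.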
Refer to these forum posts:
http://forums.contribs.org/index.php/topic,47741.msg236017.html#msg236017
http://forums.contribs.org/index.php/topic,40075.0.html
ProxyPass for Exchange Outlook Web Access
Users wishing to implement this setup are strongly advised to read in full this forum thread http://forums.contribs.org/index.php/topic,40075.0.html from which the following information was obtained.
- How can I configure Outlook Web Access access to an internal Exchange 2003 server?
Issue the following commands (replace "a.b.c.d" with the LAN IP of your exchange server):
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
echo '# ProxyPass Support for Internal Exchange Server
ProxyPreserveHost On
#OWA % character in email subject fix
RewriteEngine On
RewriteMap percentsubject int:escape
RewriteCond $1 ^/exchange/.*\%.*$
RewriteRule (/exchange/.*) ${percentsubject:$1} [P]
#OWA
ProxyPass /exchange https://a.b.c.d/exchange
ProxyPassReverse /exchange https://a.b.c.d/exchange
ProxyPass /Exchange https://a.b.c.d/exchange
ProxyPassReverse /Exchange https://a.b.c.d/exchange
ProxyPass /exchweb https://a.b.c.d/exchweb
ProxyPassReverse /exchweb https://a.b.c.d/exchweb
ProxyPass /public https://a.b.c.d/public
ProxyPassReverse /public https://a.b.c.d/public
ProxyPass /iisadmpwd https://a.b.c.d/iisadmpwd
ProxyPassReverse /iisadmpwd https://a.b.c.d/iisadmpwd
#OMA
ProxyPass /oma https://a.b.c.d/oma
ProxyPassReverse /oma https://a.b.c.d/oma
#ActiveSync (for WM5+ devices)
ProxyPass /Microsoft-Server-ActiveSync https://a.b.c.d/Microsoft-Server-ActiveSync
ProxyPassReverse /Microsoft-Server-ActiveSync https://a.b.c.d/Microsoft-Server-ActiveSync
#Force "RequestHeader" in order to get IE to work
# End of Exchange settings
' > 91ProxyPassOWA
expand-template /etc/httpd/conf/httpd.conf
sv restart httpd-e-smith
It is then possible to login to OWA at https://any.sme.domainname.com/exchange from Firefox (and presumably Opera or Safari), but not login using IE7.
In order to login from Internet Explorer it is necessary to disable "Integrated Windows authentication" in IIS on the Exchange Server as follows:
- start the Internet Information Services (IIS) Manager on the Exchange 2003 server
- Expand Web Sites
- Expand Default Web Site
- right-click on Exchange and select "Properties"
- click on the Directory Security tab
- click on the Edit button for "Authentication and access control"
- remove the check from "Integrated Windows authentication"
- Click OK
- Click OK again
Note: no restarts were required on the Exchange server - as soon as the above changes are made it is possible to login successfully using Internet Explorer
- References & More information:
The above information is based mostly on this post:
http://systembash.com/content/outlook-web-access-apache-proxy/
Note: The "RequestHeader" directive discussed here was unnecessary when tested on a SME 7.2 system
Here is an expanded entry that includes info on Exchange 2007:
http://www.utahsysadmin.com/2007/12/20/apache-reverseproxy-for-owa/
Here are the apache docs for mod_proxy and mod_headers:
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass
http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxypass
http://httpd.apache.org/docs/2.0/mod/mod_headers.html
- User feedback & additional information re above method:
This method works well except that it was necessary to add a line or two to support /owa, which is the directory expected for owa to run. It works with every domain hosted on the SME 7.4 server used. Limiting it to one publicly resolvable domain was resolved as follows:
This applies to a SME 7.4 with more than one virtual host that has a publicly accessible FQDN. To achieve this ISP-like setup, the SME server (and all other servers) was configured with a fictitious domain like private.local and everything in the network set up such that it is not routable from outside. In this scenario, only the SME server is publicly accessible (and behind a WAG54GP2 router with ports 80, 443 open). Using DYNDNS.ORG an account was created and two domains purchased:
domainA.com
domainB.co.nz
Use the DynDNS administrator to setup cnames like:
www.domainA.com -> domainA.com
remote.domainA.com -> domainA.com
www.domainB -> domainB.co.nz
Also note that DynDNS does not sell co.nz domains, these were purchased from domainz.com and pointed the DNS to the DynDNS DNS servers. In the end, any hosts point to the static IP address obtained from World Exchange for an extra $20. In this situation dynamic dns is not being used, but the DynDNS account existed, and it provided redundant DNS, so was easy to retain.
SME server was set up with add-ons like Wordpress etc. in each iBay as required such that www.domainA.com and www.domainB.co.nz go to different Wordpress blogs by default (refer to the FAQ on contribs.org and the instructions on wordpress.org to set up wordpress in an iBay).
On the LAN and on a 192.168.* address (non-routable) there is an Exchange server.
The requirements were to have the OWA component available from outside the LAN and a 'home office' webpage.
Making it slightly more difficult to implement, the requirement was for www.domainA.com to go to SME iBay and homeoffice.domainA.com to go to Windows server - iis.private.local and have iis.private.local/owa work correctly.
This is so that the IIS and Exchange server can be "hidden" behind Apache, and a single certificate obtained & utilised.
To achieve this, Apache must resolve everything to iBays, except the one virtual host and its /owa directories.
1. Enable SSLProxy:
create a file /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSLProxyEngine containing only the words "SSLProxyEngine on" on a single line, no quotes.
2. Using this thread's info as above, except include a VirtualHosts directive for the remote domain:
create a file /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/76ProxyPass
which looks like this:
# Forward remote.domainA.com to iis.private.local
<VirtualHost 0.0.0.0:80>
ServerName remote.domainA.com
ProxyPass / http://iis.private.local/
ProxyPassReverse / http://iis.private.local/
</VirtualHost>
<VirtualHost 0.0.0.0:443>
ServerName remote.domainA.com
ProxyPass / https://iis.private.local/
ProxyPassReverse / https://iis.private.local/
# Preserve meta info in the http line as a resolvable request
ProxyPreserveHost On
#OWA % character in email subject fix
RewriteEngine On
RewriteMap percentsubject int:escape
RewriteCond $1 ^/exchange/.*\%.*$
RewriteRule (/exchange/.*) ${percentsubject:$1} [P]
#OWA
ProxyPass /exchange https://iis.private.local/exchange
ProxyPassReverse /exchange https://iis.private.local/exchange
ProxyPass /owa https://iis.private.local/owa
ProxyPassReverse /owa https://iis.private.local/owa
ProxyPass /Exchange https://iis.private.local/exchange
ProxyPassReverse /Exchange https://iis.private.local/exchange
ProxyPass /exchweb https://iis.private.local/exchweb
ProxyPassReverse /exchweb https://iis.private.local/exchweb
ProxyPass /public https://iis.private.local/public
ProxyPassReverse /public https://iis.private.local/public
ProxyPass /iisadmpwd https://iis.private.local/iisadmpwd
ProxyPassReverse /iisadmpwd https://iis.private.local/iisadmpwd
#OMA
ProxyPass /oma https://iis.private.local/oma
ProxyPassReverse /oma https://iis.private.local/oma
#ActiveSync (for WM5+ devices)
ProxyPass /Microsoft-Server-ActiveSync https://iis.private.local/Microsoft-Server-ActiveSync
ProxyPassReverse /Microsoft-Server-ActiveSync https://iis.private.local/Microsoft-Server-ActiveSync
# End of Exchange settings
</VirtualHost>
where iis.private.local is the private instance of IIS, and remote.domainA.com is a publicly addressable domain that resolves to the public side of the SME server. To be sure this works, you must be able to resolve iis.private.local from the SME server (add a hostname record with the correct internal IP address). Ensure that Integrated Authentication is disabled for OWA (leave basic auth on).
3. Expand template & Restart the SME webserver
expand-template /etc/httpd/conf/httpd.conf
sv restart httpd-e-smith
Note: You can use IP addresses, but this is cumbersome to maintain and open to error. All FQDNs must be resolvable internally and externally respectively. If this is confusing, start small. Also, IIS will not have a default page except to say the site is under construction; it is necessary to create a basic webpage with a link to the owa page to make usage easy.
Testing:
From another external computer at another location or internet cafe, go to http://www.domainA.com, it should go to the wordpress server as has been setup.
http://www.domainB.com should go to that other wordpress server as setup. If you access any https site, it should also give a certificate and open the respective wordpress server as has been setup.
If you access http://remote.domainA.com or https://remote.domainA.com it should go to the IIS server and no other address (this for example will allow you to sell webhosting without the possibility of customers accessing the IIS server). The next step is to create a default page on IIS that has useful information for your own home office and includes links to webmail for people who cannot remember long or confusing URLs etc.
- Other useful resources:
http://bugs.contribs.org/show_bug.cgi?id=1612
The apache docs
DNS Forwarding
The dnscache service can be configured to forward all queries for a specific domain to an alternate server, or to block DNS for a domain by configuring forwarding to 'localhost', without affecting any other services or configuration files. See Bugzilla:6848
This is done using the "domain-remote" record type in the domains db:
To forward all DNS for <domainname> to the specified remote DNS server:
db domains set <domainname> domain-remote Nameservers a.b.c.d
signal-event domain-modify
To block lookups for <domainname>:
db domains set <domainname> domain-remote Nameservers localhost
signal-event domain-modify