| Line 348: |
Line 348: |
| | signal-event clamav-update | | signal-event clamav-update |
| | | | |
| − | ===Proxy Pass===
| + | {{:SME Server:Documentation:ProxyPass}} |
| − | | |
| − | ====ProxyPass a domain====
| |
| − | | |
| − | This section covers ProxyPass directives in the "domains" database
| |
| − | | |
| − | *I want to pass some http requests to a server behind my SME Server or external to my site, how can I do this?
| |
| − | | |
| − | You can set a ProxyPass directive that will pass certain requests to an internal or external server that hosts the domain to be proxypassed:
| |
| − | db domains set proxypassdomain.com domain
| |
| − | db domains setprop proxypassdomain.com Nameservers internet
| |
| − | db domains setprop proxypassdomain.com ProxyPassTarget http://xxx.xxx.xxx.xxx/
| |
| − | db domains setprop proxypassdomain.com TemplatePath ProxyPassVirtualHosts
| |
| − | signal-event domain-create proxypassdomain.com
| |
| − | where proxypassdomain.com is the domain name hosted on the internal or external server
| |
| − | and http://xxx.xxx.xxx.xxx/ is the IP address of the internal or external server eg 192.168.1.20 or 122.456.12.171 (it must be the publicly accessible IP if an external server)
| |
| − | | |
| − | To delete a ProxyPass directive that you previously set up:
| |
| − | db domains delete proxypassdomain.com
| |
| − | signal-event domain-delete proxypassdomain.com
| |
| − | | |
| − | {{Note box|msg=If you have added the internal or external server's domain name as a virtual domain on the SME Server, you must remove it prior to issuing these commands. The server-manager domains panel will show the proxy pass entry but you will not be able to edit it, see [[bugzilla:1612]]}} | |
| − | | |
| − | Also refer to these links for information regarding the proxypass virtual domain feature of SME server, from this thread http://forums.contribs.org/index.php/topic,47795.0.html
| |
| − | | |
| − | http://bugs.contribs.org/show_bug.cgi?id=999
| |
| − | | |
| − | http://forums.contribs.org/index.php?topic=47160.0
| |
| − | | |
| − | http://forums.contribs.org/index.php?topic=46975.0
| |
| − | | |
| − | ====ProxyPass a alias/directory/location====
| |
| − | | |
| − | This section covers the db settings in the "accounts" database that generate ProxyPass directives in httpd.conf
| |
| − | | |
| − | *I have a domain http://mydomain.com and I would like http://mydomain.com/extra to forward to the internal server. How do I do this using the db account directives ?
| |
| − | | |
| − | You can do what you want by creating a custom template fragment that enables proxypass on ".../extra"; the notes from this forum discussion http://forums.contribs.org/index.php/topic,40075.0.html should help.
| |
| − | | |
| − | The following works on SME 7.5.1 and SME 8beta6 systems where the template fragment /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35ProxyPass contains the appropriate code which is automatically generated by issuing the following db commands:
| |
| − | | |
| − | db accounts set extra ProxyPass
| |
| − | db accounts setprop extra Target http://192.168.1.35
| |
| − | db accounts setprop extra Description InternalServer
| |
| − | db accounts setprop extra HTTP on
| |
| − | db accounts setprop extra HTTPS on
| |
| − | db accounts setprop extra ValidFrom 80.90.100.0/24,74.125.93.105
| |
| − | expand-template /etc/httpd/conf/httpd.conf
| |
| − | sv t httpd-e-smith
| |
| − | | |
| − | Note: In the above commands set xxxx ProxyPass, setprop xxxx Target http://<target> and setprop xxxx Description <description> are required; all other lines are optional
| |
| − | | |
| − | Note: It doesn't look like these directives are going to work for HTTPS connections by default (they end up inside a "Listen 0.0.0.0:80" section in httpd.conf). It appears that 35ProxyPass is old (mentioned in a bug from year 2006), while ProxyPass SSL support was fixed in a later bug (in year 2007), by which time the ProxyPass code had been moved to the virtual domains templates.
| |
| − | | |
| − | Note: HTTP and HTTPS are set to yes by default, so there is no need to set it. Apart from that it is preferred to use no when you want it to be disabled, over on/off or enabled/disabled.
| |
| − | | |
| − | Refer to these forum posts:
| |
| − | | |
| − | http://forums.contribs.org/index.php/topic,47741.msg236017.html#msg236017
| |
| − | | |
| − | http://forums.contribs.org/index.php/topic,40075.0.html
| |
| − | | |
| − | | |
| − | ====ProxyPass for Exchange Outlook Web Access====
| |
| − | | |
| − | Users wishing to implement this setup are strongly advised to read in full this forum thread http://forums.contribs.org/index.php/topic,40075.0.html from which the following information was obtained.
| |
| − | | |
| − | *How can I configure Outlook Web Access access to an internal Exchange 2003 server ?
| |
| − | | |
| − | Issue the following commands (replace "a.b.c.d" with the LAN IP of your exchange server):
| |
| − | | |
| − | mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
| |
| − | cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
| |
| − | echo '# ProxyPass Support for Internal Exchange Server
| |
| − | ProxyPreserveHost On
| |
| − | #OWA % character in email subject fix
| |
| − | RewriteEngine On
| |
| − | RewriteMap percentsubject int:escape
| |
| − | RewriteCond $1 ^/exchange/.*\%.*$
| |
| − | RewriteRule (/exchange/.*) ${percentsubject:$1} [P]
| |
| − | #OWA
| |
| − | ProxyPass /exchange https://a.b.c.d/exchange
| |
| − | ProxyPassReverse /exchange https://a.b.c.d/exchange
| |
| − | ProxyPass /Exchange https://a.b.c.d/exchange
| |
| − | ProxyPassReverse /Exchange https://a.b.c.d/exchange
| |
| − | ProxyPass /exchweb https://a.b.c.d/exchweb
| |
| − | ProxyPassReverse /exchweb https://a.b.c.d/exchweb
| |
| − | ProxyPass /public https://a.b.c.d/public
| |
| − | ProxyPassReverse /public https://a.b.c.d/public
| |
| − | ProxyPass /iisadmpwd https://a.b.c.d/iisadmpwd
| |
| − | ProxyPassReverse /iisadmpwd https://a.b.c.d/iisadmpwd
| |
| − | #OMA
| |
| − | ProxyPass /oma https://a.b.c.d/oma
| |
| − | ProxyPassReverse /oma https://a.b.c.d/oma
| |
| − | #ActiveSync (for WM5+ devices)
| |
| − | ProxyPass /Microsoft-Server-ActiveSync https://a.b.c.d/Microsoft-Server-ActiveSync
| |
| − | ProxyPassReverse /Microsoft-Server-ActiveSync https://a.b.c.d/Microsoft-Server-ActiveSync
| |
| − | #Force 'RequestHeader' in order to get IE to work
| |
| − | # End of Exchange settings
| |
| − | ' > 91ProxyPassOWA
| |
| − | expand-template /etc/httpd/conf/httpd.conf
| |
| − | sv restart httpd-e-smith
| |
| − | | |
| − | It is then possible to login to OWA at https://any.sme.domainname.com/exchange from Firefox (and presumably Opera or Safari), but not login using IE7.
| |
| − | | |
| − | In order to login from Internet Explorer it is necessary to disable "Integrated Windows authentication" in IIS on the Exchange Server as follows:
| |
| − | *start the Internet Information Services (IIS) Manager on the Exchange 2003 server
| |
| − | *Expand Web Sites
| |
| − | *Expand Default Web Site
| |
| − | *right-click on Exchange and select "Properties"
| |
| − | *click on the Directory Security tab
| |
| − | *click on the Edit button for "Authentication and access control"
| |
| − | *remove the check from "Integrated Windows authentication"
| |
| − | *Click OK
| |
| − | *Click OK again
| |
| − | | |
| − | Note: no restarts were required on the Exchange server - as soon as the above changes are made it is possible to login successfully using Internet Explorer
| |
| − | | |
| − | *References & More information:
| |
| − | | |
| − | The above information is based mostly on this post:
| |
| − | | |
| − | http://systembash.com/content/outlook-web-access-apache-proxy/
| |
| − | | |
| − | Note: The "RequestHeader" directive discussed here was unnecessary when tested on a SME 7.2 system
| |
| − | | |
| − | Here is an expanded entry that includes info on Exchange 2007:
| |
| − | | |
| − | http://www.utahsysadmin.com/2007/12/20/apache-reverseproxy-for-owa/
| |
| − | | |
| − | Here are the apache docs for mod_proxy and mod_headers:
| |
| − | | |
| − | http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass
| |
| − | | |
| − | http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxypass
| |
| − | | |
| − | http://httpd.apache.org/docs/2.0/mod/mod_headers.html
| |
| − | | |
| − | | |
| − | *User feedback & additional information re above method:
| |
| − | | |
| − | This method works well except that it was necessary to add a line or two to support /owa which is the directory expected for owa to run. It works with every domain hosted on the SME 7.4 server used. To limit it to one publically resolvable domain, was resolved as follows:
| |
| − | | |
| − | This applies to a SME 7.4 with more than one virtual host that has publically accessible FQDN. To achieve this ISP like setup, the SME server (and all other server) was configured with a ficticious domain like private.local and everything in the network setup such that it is not routable from outside. In this scenario, only the SME server is publically accessible (and behind a WAG54GP2 router with ports 80, 443 open). Using DYNDNS.ORG an account was created and two domains purchased:
| |
| − | | |
| − | domainA.com
| |
| − | | |
| − | domainB.co.nz
| |
| − | | |
| − | Use the DynDNS administrator to setup cnames like:
| |
| − | | |
| − | www.domainA.com -> domainA.com
| |
| − | | |
| − | remote.domainA.com -> domainA.com
| |
| − | | |
| − | www.domainB -> domainB.co.nz
| |
| − | | |
| − | Also note that DynDNS does not sell co.nz domains, these were purchased from domainz.com and pointed the DNS to the DynDNS DNS servers. In the end, any hosts point to the static IP address obtained from World Exchange for an extra $20. In this situation dynamic dns is not being used, but the DynDNS account existed, and it provided redundant DNS, so was easy to retain.
| |
| − | | |
| − | SME server was setup with add-ons like Wordpress etc. in each iBay as required such that www.domainA.com and www.domainB.co.nz go to different Wordpress blogs by default (refer to the FAQ on contribs.org and the instructons on wordpress.org to setup wordpress in an iBay).
| |
| − | | |
| − | On the LAN and on a 192.168.* address (non-routable) there is an Exchange server.
| |
| − | | |
| − | The requirements were to have the OWA component available from outside the LAN and a 'home office' webpage.
| |
| − | | |
| − | Making it slightly more difficult to implement, the requirement was for www.domainA.com to go to SME iBay and homeoffice.domainA.com to go to Windows server - iis.private.local and have iis.private.local/owa work correctly.
| |
| − | | |
| − | This is so that the IIS and Exchange server can be "hidden" behind Apache, and a single certificate obtained & utilised.
| |
| − | | |
| − | To achieve this, Apache must resolve everything to iBays, except the one virtual host and it's /owa directories.
| |
| − | | |
| − | | |
| − | 1. Enable SSLProxy:
| |
| − | | |
| − | create a file /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSLProxyEngine containing only the words "SSLProxyEngine on" on a single line, no quotes.
| |
| − | | |
| − | 2. Using this threads info as above, except, include a VirtualHosts directive for the remote domain:
| |
| − | | |
| − | create a file /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/76ProxyPass
| |
| − | | |
| − | which looks like this:
| |
| − | # Forward remote.domainA.com to iis.private.local
| |
| − | <VirtualHost 0.0.0.0:80>
| |
| − | ServerName remote.domainA.com
| |
| − | ProxyPass / http://iis.private.local/
| |
| − | ProxyPassReverse / http://iis.private.local/
| |
| − | </VirtualHost>
| |
| − | <VirtualHost 0.0.0.0:443>
| |
| − | ServerName remote.domainA.com
| |
| − | ProxyPass / https://iis.private.local/
| |
| − | ProxyPassReverse / https://iis.private.local/
| |
| − | # Preserve meta info in the http line as a resolvable request
| |
| − | ProxyPreserveHost On
| |
| − | #OWA % character in email subject fix
| |
| − | RewriteEngine On
| |
| − | RewriteMap percentsubject int:escape
| |
| − | RewriteCond $1 ^/exchange/.*\%.*$
| |
| − | RewriteRule (/exchange/.*) ${percentsubject:$1} [P]
| |
| − | #OWA
| |
| − | ProxyPass /exchange https://iis.private.local/exchange
| |
| − | ProxyPassReverse /exchange https://iis.private.local/exchange
| |
| − | ProxyPass /owa https://iis.private.local/owa
| |
| − | ProxyPassReverse /owa https://iis.private.local/owa
| |
| − | ProxyPass /Exchange https://iis.private.local/exchange
| |
| − | ProxyPassReverse /Exchange https://iis.private.local/exchange
| |
| − | ProxyPass /exchweb https://iis.private.local/exchweb
| |
| − | ProxyPassReverse /exchweb https://iis.private.local/exchweb
| |
| − | ProxyPass /public https://iis.private.local/public
| |
| − | ProxyPassReverse /public https://iis.private.local/public
| |
| − | ProxyPass /iisadmpwd https://iis.private.local/iisadmpwd
| |
| − | ProxyPassReverse /iisadmpwd https://iis.private.local/iisadmpwd
| |
| − | #OMA
| |
| − | ProxyPass /oma https://iis.private.local/oma
| |
| − | ProxyPassReverse /oma https://iis.private.local/oma
| |
| − | #ActiveSync (for WM5+ devices)
| |
| − | ProxyPass /Microsoft-Server-ActiveSync https://iis.private.local/Microsoft-Server-ActiveSync
| |
| − | ProxyPassReverse /Microsoft-Server-ActiveSync https://iis.private.local/Microsoft-Server-ActiveSync
| |
| − | # End of Exchange settings
| |
| − | </VirtualHost>
| |
| − | | |
| − | | |
| − | where iis.private.local is the private instance of IIS. and remote.domainA.com is a publically addressable domain that resolves to the public side of the SME server. To be sure this works, you must be able to resolve iis.private.local from the sme server (add a hostname record with correct internal IP address). Ensure the Integrated Authentication is disabled for OWA (leave basic auth on).
| |
| − | | |
| − | 3. Expand template & Restart the SME webserver
| |
| − | expand-template /etc/httpd/conf/httpd.conf
| |
| − | sv restart httpd-e-smith
| |
| − | | |
| − | Note: You can use IPaddresses, but this is cumbersome to maintain and open to error. All FQDN's must be resolvable internally and externally respectively. If this is confusing, start small. Also, IIS will not have a default page except to say the site is under construction, it is necessary to create a basic webpage with a link to the owa page to make usage easy.
| |
| − | | |
| − | | |
| − | Testing:
| |
| − | | |
| − | From another external computer at another location or internet cafe, go to http://www.domainA.com, it should go to the wordpress server as has been setup.
| |
| − | | |
| − | http://www.domainB.com should go to that other wordpress server as setup. If you access any https site, it should also give a certificate and open the respective wordpress server as has been setup.
| |
| − | | |
| − | If you access http://remote.domainA.com or https://remote.domainA.com it should go to the IIS server and no other address (this for example will allow you to sell webhosting without the possibility of customers accessing the IIS server). Next step is to create a default page on IIS that has useful information for the own home office and includes links to webmail for people who cannot remember long or confusing URLs etc.
| |
| − | | |
| − | *Other useful resources:
| |
| − | | |
| − | http://bugs.contribs.org/show_bug.cgi?id=1612
| |
| − | | |
| − | The apache docs
| |
| − | | |
| − | Google
| |
| | | | |
| | ===Shell Access=== | | ===Shell Access=== |
