Accessing Exchange 2013 through an Apache reverse proxy


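Because public IP addresses are scarce and the company needed it for internal testing, I planned to set up a reverse proxy server for external access to the company's internal sites, and took the opportunity to integrate external access to Exchange as well. I ran into many pitfalls while integrating Exchange, so I am recording them here.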

I. Installing Apache

See "Compiling and installing Apache 2.4.23 on CentOS".

II. Compiling and installing mod_proxy_msrpc for Apache

1. First, visit mod_proxy_msrpc, download the latest package, mod_proxy_msrpc-0.6, and upload it to the server. (This module provides support for Outlook Anywhere.)

2. Install the required dependencies

yum install apr.x86_64 apr-devel.x86_64 apr-util.x86_64 apr-util-devel.x86_64 check.x86_64 check-devel.x86_64 libuuid-devel.x86_64

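Note: if apr and apr-util were already installed from source, the four apr packages above do not need to be installed, but the following command must be run; otherwise they will not be found.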

export PKG_CONFIG_PATH=/usr/share/pkgconfig:/usr/lib/pkgconfig:/usr/local/apr/lib/pkgconfig:/usr/local/apr-util/lib/pkgconfig

3. Start the build

tar -zxvf mod_proxy_msrpc-mod_proxy_msrpc-0.6.tar.gz
cd mod_proxy_msrpc-mod_proxy_msrpc-0.6/
./configure
make

4. Install into Apache

cp /root/soft/mod_proxy_msrpc-mod_proxy_msrpc-0.6/src/.libs/mod_proxy_msrpc.so /usr/local/apache/modules/
vim /etc/apache/http.conf  # add the following line to this file
LoadModule proxy_msrpc_module modules/mod_proxy_msrpc.so

III. Editing the Apache configuration files

1. Enable Apache's proxy modules

# Remove the leading # from these two lines
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

2. Edit the site configuration file (or create a new site configuration file to keep it separate)

# mail.xxxx.cn
<VirtualHost _default_:443>
    ServerName mail.xxxx.cn:443
    ServerAlias mail1.xxxx.cn mail2.xxxx.cn
    ServerAdmin test@xxxx.cn
    ErrorLog "/data/http/logs/mail.xxxx.cn-error_log"
    TransferLog "/data/http/logs/mail.xxxx.cn-access_log"

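    # Proxy mode
    ProxyPreserveHost On
    ProxyRequests Off
    # Proxy forwarding for wildcard paths
    ProxyPassMatch "^/(.*)$" "https://192.168.1.1/$1"
    ProxyPassMatch "^/(.*)/$" "https://192.168.1.1/$1"
    # Proxy forwarding to the backend host
    ProxyPass "/" "https://192.168.1.1/"
    ProxyPassReverse "/" "https://192.168.1.1/"
    # Renegotiation buffer size (<Location>, because this is a proxied URL path, not a filesystem directory)
    <Location /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 52428800
    </Location>
    # Enable the mod_proxy_msrpc module
    OutlookAnywherePassthrough On

    # SSL certificate verification for the proxy (communication with the backend server);
    # these settings turn off all verification of the backend certificate
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    # SSL certificate served by the proxy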
    SSLEngine on
    # Server Certificate:
    SSLCertificateFile "/etc/apache/ssl/star.xxxx.cn.crt"
    # Server Private Key:
    SSLCertificateKeyFile "/etc/apache/ssl/star.xxxx.cn.key"
    # Server Certificate Chain:
    SSLCertificateChainFile "/etc/apache/ssl/star.xxxx.cn-CA.crt"
    # Certificate Authority (CA):
    #SSLCACertificateFile "/etc/apache/ssl/ca-bundle.crt"

    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog "/data/http/logs/mail.xxxx.cn-ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

# autodiscover.xxxx.cn
<VirtualHost _default_:443>
    ServerName autodiscover.xxxx.cn:443
    ServerAdmin test@xxxx.cn
    ErrorLog "/data/http/logs/autodiscover.xxxx.cn-error_log"
    TransferLog "/data/http/logs/autodiscover.xxxx.cn-access_log"

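    # Proxy mode
    ProxyPreserveHost On
    ProxyRequests Off
    # Proxy forwarding to the backend host
    ProxyPass "/autodiscover" "https://192.168.1.1/autodiscover"
    ProxyPassReverse "/autodiscover" "https://192.168.1.1/autodiscover"

    # SSL certificate verification for the proxy (communication with the backend server);
    # these settings turn off all verification of the backend certificate
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    # SSL certificate served by the proxy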
    SSLEngine on
    # Server Certificate:
    SSLCertificateFile "/etc/apache/ssl/star.xxxx.cn.crt"
    # Server Private Key:
    SSLCertificateKeyFile "/etc/apache/ssl/star.xxxx.cn.key"
    # Server Certificate Chain:
    SSLCertificateChainFile "/etc/apache/ssl/star.xxxx.cn-CA.crt"
    # Certificate Authority (CA):
    #SSLCACertificateFile "/etc/apache/ssl/ca-bundle.crt"

    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog "/data/http/logs/autodiscover.xxxx.cn-ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

3. Open HTTPS access in the firewall

firewall-cmd --permanent --zone=public --add-service=https  # permanently allow the https service in the firewall
firewall-cmd --reload  # reload the firewall configuration
service apache start  # start Apache

4. Restart Apache

service apache restart

5. Map port 443 of this machine to the external network, and that is all.
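
The site configuration in step 2 sets SSLProxyVerify none and turns off the SSLProxyCheckPeer* checks, so Apache accepts any certificate the backend presents. The shell function below is an added example, not part of the original post: audit_ssl_proxy and sample_conf are hypothetical names, and the sample hostnames and CA file path are constructed. It lists, per virtual host, the settings that leave the proxy-to-backend TLS connection unverified.

```shell
# audit_ssl_proxy: hypothetical helper for this example, not part of Apache.
# Reads an httpd config (file argument or stdin) and, for each <VirtualHost>
# with "SSLProxyEngine On", prints the settings that leave the backend TLS
# certificate unverified. Returns 1 if anything is reported.
# Assumption: Include files and server-level directives are not followed.
audit_ssl_proxy() {
    awk '
    function report(msg) { print name ": " msg; found = 1 }
    function close_vhost(   i) {
        if (engine) {
            # SSLProxyVerify defaults to none, so an unset value is reported too
            if (verify != "require") report("SSLProxyVerify " verify)
            for (i = 1; i <= n; i++) report(weak[i])
        }
        in_vhost = 0
    }
    NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
    { d = tolower($1); v = tolower($2) }
    d == "<virtualhost" {
        in_vhost = 1; engine = 0; n = 0
        verify = "none (default)"; name = "(no ServerName)"; next
    }
    d == "</virtualhost>" { close_vhost(); next }
    !in_vhost             { next }
    d == "servername"     { name = $2 }
    d == "sslproxyengine" { engine = (v == "on") }
    d == "sslproxyverify" { verify = v }
    d ~ /^sslproxycheckpeer(cn|name|expire)$/ && v == "off" { weak[++n] = $1 " " $2 }
    END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample: first vhost mirrors the settings above, second is hardened.
sample_conf() {
    cat <<'EOF'
<VirtualHost _default_:443>
    ServerName mail.example.test:443
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
</VirtualHost>
<VirtualHost _default_:443>
    ServerName autodiscover.example.test:443
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCACertificateFile "/etc/apache/ssl/internal-ca.crt"
</VirtualHost>
EOF
}
sample_conf | audit_ssl_proxy || echo "unverified backend TLS settings found"
```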

IV. Related file downloads

Download "mod_proxy_msrpc-0.6.tar.gz": mod_proxy_msrpc-0.6.tar.gz (63 KB)

Download "httpd-proxy configuration example.zip": httpd-proxy.zip (1 KB)

 

Finally, with a few small changes to the configuration above, Exchange load balancing can also be achieved.
