Hello,
we're migration from a Sophos UTM to opnsense-business and try to replace the Sophos WAF with os-OPNWAF.
No we have the problem that we get authentication Popups in Outlook when we try to connect externally.
After canceling the popups or entering the password 2-3 times Outlook shows online.
When we do the same with the caddy plugin we have no popups (but no WAF), with the Sophos UTM WAF we also have no Popups.
Any idea whats wrong? The Web Protection is disabled in os-OPNWAF, the Locations are configured as "Exchange Server", the Remote destionatios with https://IP of Exchange...Thanks!
The popups should not happen since this apache plugin is compiled in:
https://github.com/opnsense/ports/tree/master/opnsense/mod_proxy_msrpc
Outlook Anywhere should just work the same as in Sophos (fun fact that module was developed by Astaro - which later became Sophos).
When I tested this while writing the manual, it was still working. Is your setup exactly as described? If not, do it like in the manual.
https://docs.opnsense.org/vendor/deciso/opnwaf.html#exchange-server
Hello,
sure, I did it as described in https://docs.opnsense.org/vendor/deciso/opnwaf.html#exchange-server
I set up the mail and the autodiscover virtual server as described and I also played with the authentication settings in the exchange virtual directories, no change. The same exchnage server works with the Caddy Plugin and the Sophos UTM WAF, any ideas?
I dont have an idea right now. I also know of customers for who it works as it is right now when using Outlook.
Caddy works because there is an NTML plugin compiled in (I maintain the Caddy plugin too). Though as NTML is deprecated I wonder how long that will still work.
If it works for Sophos UTM please connect to it via SSH and extract the apache config and post it here, maybe we can spot a difference to our apache config.
Hello,
here's the UTM configuration, I replaced the domain with example.com
/var/chroot-reverseproxy/usr/apache/conf/httpd.conf
ServerRoot /usr/apache
DefaultRuntimeDir /var/run/apache2
PidFile /var/run/apache2.pid
Include conf/modules.conf
Include conf/mpm.conf
Include conf/modsecurity.conf
HostnameLookups Off
ExtendedStatus On
ServerTokens Prod
ServerSignature Off
Header unset Server
User nobody
Group nogroup
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 15
UseCanonicalName On
CoreDumpDirectory "/tmp"
SecDataDir /tmp
SecTmpDir /tmp
LogFormat "id=\"0299\" srcip=\"%a\" localip=\"%A\" size=\"%B\" user=\"%u\" host=\"%h\" method=\"%<m\" statuscode=\"%s\" reason=\"%<{block-reason}e\" extra=\"%<{block-reason-extra}e\" exceptions=\"%<{matched-exceptions}n\" time=\"%D\" url=\"%U\" server=\"%{Host}i\" port=\"%p\" query=\"%q\" referer=\"%{Referer}i\" cookie=\"%{Cookie}i\" set-cookie=\"%{Set-Cookie}o\" websocket_scheme=\"%{scheme}w\" websocket_protocol=\"%{protocol}w\" websocket_key=\"%{key}w\" websocket_version=\"%{version}w\" uid=\"%{UNIQUE_ID}e\"" astaro
ErrorLog syslog:local1
CustomLog "|/bin/logger -p local1.info -t httpd" astaro
LogLevel notice
## Uncomment these lines for extended debug logging
#LoadModule firehose_module /usr/apache/modules/mod_firehose.so
#FirehoseProxyConnectionInput /tmp/proxy-input.firehose
#FirehoseProxyConnectionOutput /tmp/proxy-output.firehose
#FirehoseConnectionInput /tmp/input.firehose
#FirehoseConnectionOutput /tmp/output.firehose
## Uncomment these lines for traffic dumping in pcap format
#LoadModule pcap_module /usr/apache/modules/mod_pcap.so
#PcapFileName /tmp/WAF.pcap
#PcapNetworkProtocol ip
SecRule ENV:block-reason "@streq cookie" "phase:5,id:99001,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq url hardening" "phase:5,id:99002,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq form hardening" "phase:5,id:99003,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq av" "phase:5,id:99004,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq dnsrbl" "phase:5,id:99005,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq geoip" "phase:5,id:99006,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-bzip2 .bz2
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gvfs/1" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLHonorCipherOrder On
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
SSLProxyCheckPeerName off
# Disable transparent compression of SSL data transfers.
# This mitigates impact of SSL "CRIME" attacks (CVE-2012-4929)
SSLCompression off
SSLSessionTickets off
# Drop the (Request-)Range header if more than 5 ranges (CVE-2011-3192)
SetEnvIf Range (,.*?){5} bad-range=1
RequestHeader unset Range env=bad-range
SetEnvIf Request-Range (,.*?){5} bad-request-range=1
RequestHeader unset Request-Range env=bad-request-range
ProxyWebsocketFallbackToProxyHttp off
# ClamavTmpdir /tmp/clamav
# ClamavSocket /var/run/clamav/clamd.ctl
# ClamavMode daemon
# ClamavPermissions 0644
# <Location /clamav>
# SetHandler clamav
# </Location>
CookieLimit 1000
Include conf/status.conf
Include conf/reverseproxy.conf
/var/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf
KeepAlive On
ServerName rzfw01.example.com
ServerAdmin support-hsg@example.com
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDH+AESGCM:ECDH+AES256:ECDH+AES128:RSA+AESGCM:RSA+AES:ECDH+3DES:RSA+3DES:!aNULL:!MD5:!DSS:!DHE
RemoteIPProxyProtocol Off
Listen 93.189.156.39:443 https
Listen 93.189.156.39:80 http
<VirtualHost 93.189.156.39:443>
ServerName mail.example.com
ServerAlias autodiscover.example.com
ServerAlias ex03.example.com
SSLProxyEngine On
SSLEngine On
SSLCertificateFile /usr/apache/conf/ssl/REF_wyZfriWfxEsZ.pem
SSLCACertificatePath /usr/apache/conf/cacerts/
SSLCertificateKeyFile /usr/apache/conf/ssl/REF_wyZfriWfxEsZ.key
RequestHeader set X-Forwarded-Proto https
DocumentRoot /var/www/REF_RevFroAutodiscov
SetEnv proxy-initial-not-pooled
<Proxy balancer://0e9f56dedc1c6a43ee0c263a6d1b336b>
BalancerMember https://10.10.10.5 status=-SE timeout=300
</Proxy>
<Proxy balancer://756724cd34319588665693abb5819b66>
BalancerMember https://10.10.10.5 status=-SE timeout=300
</Proxy>
<Location "/">
SetEnv proxy-aside-c
ProxyPass "balancer://0e9f56dedc1c6a43ee0c263a6d1b336b/" lbmethod=bybusyness
ProxyPassReverse "https://10.10.10.5:443/"
ProxyPassReverse "https://10.10.10.5/"
SetOutputFilter DEFLATE
<RequireAll>
Require all granted
</RequireAll>
</Location>
<Location "/ecp">
SetEnv proxy-aside-c
ProxyPass "balancer://756724cd34319588665693abb5819b66/ecp" lbmethod=bybusyness
ProxyPassReverse "https://10.10.10.5:443/ecp"
ProxyPassReverse "https://10.10.10.5/ecp"
SetOutputFilter DEFLATE
<RequireAll>
<RequireAny>
Require ip 10.0.0.0/16
</RequireAny>
</RequireAll>
</Location>
</VirtualHost>
<VirtualHost 93.189.156.39:80>
ServerName REF_RevFroAutodiscov_redirect_ssl
ServerAlias mail.example.com
ServerAlias autodiscover.example.com
ServerAlias ex03.example.com
<Location />
Require all granted
RedirectSSL permanent / 443
</Location>
</Virtualhost>
/var/chroot-reverseproxy/usr/apache/conf/status.conf
Listen 127.0.0.1:4080
<VirtualHost 127.0.0.1:4080>
ServerName localhost
ProxyStatus On
RemoteIPProxyProtocol Off
SecAuditEngine Off
<Location /status>
SetHandler server-status
Require local
</Location>
<Location /lb-status>
SetHandler balancer-status
Require local
</Location>
<Location /session-cleanup>
SetHandler session-cleanup-handler
Require local
SessionServerStorageDir /var/lib/apache2/sessions
SessionServerStorageMaxFiles 25000
</Location>
</VirtualHost>
Hello, thanks for these.
I want to additionally know whats loaded inside this path of the UTM:
# conf/modules.conf
Afterwards, on your OPNsense, please give us the following files:
# cat /usr/local/etc/apache24/Includes/gateway_vhosts.conf (Please PM it to me)
# cat /usr/local/etc/apache24/httpd.conf (Please PM it to me)
Hello,
thats the content of ls -lla /var/chroot-reverseproxy/usr/apache/modules/
Thanks!
-rw-r--r-- 1 root root 17381 Jun 16 2023 httpd.exp
-rwxr-xr-x 1 root root 9832 Jun 16 2023 mod_access_compat.so
-rwxr-xr-x 1 root root 18080 Jun 16 2023 mod_alias.so
-rwxr-xr-x 1 root root 5704 Jun 16 2023 mod_allowmethods.so
-rwxr-xr-x 1 root root 13956 Jun 16 2023 mod_auth_basic.so
-rwxr-xr-x 1 root root 34636 Jun 16 2023 mod_auth_digest.so
-rwxr-xr-x 1 root root 26308 Jun 16 2023 mod_auth_form.so
-rwxr-xr-x 1 root root 9860 Jun 16 2023 mod_authn_core.so
-rwxr-xr-x 1 root root 9828 Jun 16 2023 mod_authn_file.so
-rwxr-xr-x 1 root root 13992 Jun 16 2023 mod_authn_socache.so
-rw-r--r-- 1 root root 30436 Jun 16 2023 mod_authnz_aua.so
-rwxr-xr-x 1 root root 18092 Jun 16 2023 mod_authz_blacklist.so
-rwxr-xr-x 1 root root 22212 Jun 16 2023 mod_authz_core.so
-rwxr-xr-x 1 root root 13956 Jun 16 2023 mod_authz_dbd.so
-rwxr-xr-x 1 root root 9868 Jun 16 2023 mod_authz_groupfile.so
-rwxr-xr-x 1 root root 9860 Jun 16 2023 mod_authz_host.so
-rwxr-xr-x 1 root root 5700 Jun 16 2023 mod_authz_user.so
-rwxr-xr-x 1 root root 79776 Jun 16 2023 mod_avscan.so
-rw-r--r-- 1 root root 18120 Jun 16 2023 mod_backtrace.so
-rwxr-xr-x 1 root root 13920 Jun 16 2023 mod_buffer.so
-rwxr-xr-x 1 root root 34532 Jun 16 2023 mod_cache_disk.so
-rwxr-xr-x 1 root root 71696 Jun 16 2023 mod_cache.so
-rwxr-xr-x 1 root root 34572 Jun 16 2023 mod_cache_socache.so
-rwxr-xr-x 1 root root 18112 Jun 16 2023 mod_cookie.so
-rw-r--r-- 1 root root 9804 Jun 16 2023 mod_custom_blockpage.so
-rwxr-xr-x 1 root root 34532 Jun 16 2023 mod_deflate.so
-rw-r--r-- 1 root root 7460 Jun 24 2010 mod_envbyip.so
-rwxr-xr-x 1 root root 9824 Jun 16 2023 mod_env.so
-rwxr-xr-x 1 root root 13960 Jun 16 2023 mod_expires.so
-rwxr-xr-x 1 root root 22308 Jun 16 2023 mod_ext_filter.so
-rwxr-xr-x 1 root root 9892 Jun 16 2023 mod_file_cache.so
-rwxr-xr-x 1 root root 18080 Jun 16 2023 mod_filter.so
-rw-r--r-- 1 root root 13988 Jun 16 2023 mod_firehose.so
-rwxr-xr-x 1 root root 59280 Oct 27 2023 mod_form_hardening.so
-rwxr-xr-x 1 root root 18180 Jun 16 2023 mod_headers.so
-rwxr-xr-x 1 root root 51044 Jun 16 2023 mod_include.so
-rwxr-xr-x 1 root root 26276 Jun 16 2023 mod_info.so
-rwxr-xr-x 1 root root 5712 Jun 16 2023 mod_lbmethod_bybusyness.so
-rwxr-xr-x 1 root root 5712 Jun 16 2023 mod_lbmethod_byrequests.so
-rwxr-xr-x 1 root root 5712 Jun 16 2023 mod_lbmethod_bytraffic.so
-rwxr-xr-x 1 root root 14032 Jun 16 2023 mod_lbmethod_heartbeat.so
-rwxr-xr-x 1 root root 30544 Jun 16 2023 mod_log_config.so
-rwxr-xr-x 1 root root 9860 Jun 16 2023 mod_log_debug.so
-rwxr-xr-x 1 root root 18080 Jun 16 2023 mod_macro.so
-rwxr-xr-x 1 root root 18112 Jun 16 2023 mod_mime.so
-rwxr-xr-x 1 root root 30632 Jun 16 2023 mod_mpm_prefork.so
-rwxr-xr-x 1 root root 43012 Jun 16 2023 mod_mpm_worker.so
-rwxr-xr-x 1 root root 30536 Jun 16 2023 mod_negotiation.so
-rw-r--r-- 1 root root 22148 Jun 16 2023 mod_pcap.so
-rwxr-xr-x 1 root root 59340 Jun 16 2023 mod_proxy_balancer.so
-rwxr-xr-x 1 root root 13992 Jun 16 2023 mod_proxy_connect.so
-rwxr-xr-x 1 root root 9832 Jun 16 2023 mod_proxy_express.so
-rwxr-xr-x 1 root root 30564 Jun 16 2023 mod_proxy_fcgi.so
-rwxr-xr-x 1 root root 9832 Jun 16 2023 mod_proxy_fdpass.so
-rwxr-xr-x 1 root root 30568 Jun 16 2023 mod_proxy_hcheck.so
-rwxr-xr-x 1 root root 38732 Jun 16 2023 mod_proxy_html.so
-rwxr-xr-x 1 root root 38820 Jun 16 2023 mod_proxy_http.so
-rwxr-xr-x 1 root root 67496 Jun 16 2023 mod_proxy_msrpc.so
-rwxr-xr-x 1 root root 18180 Jun 16 2023 mod_proxy_scgi.so
-rwxr-xr-x 1 root root 154504 Jun 16 2023 mod_proxy.so
-rwxr-xr-x 1 root root 14036 Jun 16 2023 mod_proxy_uwsgi.so
-rwxr-xr-x 1 root root 22216 Jun 16 2023 mod_proxy_wstunnel.so
-rwxr-xr-x 1 root root 9828 Jun 16 2023 mod_ratelimit.so
-rwxr-xr-x 1 root root 26340 Jun 16 2023 mod_remoteip.so
-rwxr-xr-x 1 root root 13992 Jun 16 2023 mod_reqtimeout.so
-rwxr-xr-x 1 root root 9860 Jun 16 2023 mod_request.so
-rw-r--r-- 1 root root 13928 Jun 16 2023 mod_reverse_auth.so
-rwxr-xr-x 1 root root 71748 Jun 16 2023 mod_rewrite.so
-rw-r--r-- 1 root root 617532 Jun 16 2023 mod_security2_beta.so
-rw-r--r-- 1 root root 650424 Jun 16 2023 mod_security2.so
-rwxr-xr-x 1 root root 34496 Jun 16 2023 mod_sed.so
-rwxr-xr-x 1 root root 9832 Jun 16 2023 mod_session_cookie.so
-rwxr-xr-x 1 root root 22248 Jun 16 2023 mod_session_crypto.so
-rwxr-xr-x 1 root root 13992 Jun 16 2023 mod_session_dbd.so
-rw-r--r-- 1 root root 51084 Jun 16 2023 mod_session_server.so
-rwxr-xr-x 1 root root 18116 Jun 16 2023 mod_session.so
-rwxr-xr-x 1 root root 13956 Jun 16 2023 mod_setenvif.so
-rwxr-xr-x 1 root root 18088 Jun 16 2023 mod_slotmem_shm.so
-rwxr-xr-x 1 root root 13992 Jun 16 2023 mod_socache_dbm.so
-rwxr-xr-x 1 root root 13968 Jun 16 2023 mod_socache_memcache.so
-rwxr-xr-x 1 root root 13964 Jun 16 2023 mod_socache_redis.so
-rwxr-xr-x 1 root root 22156 Jun 16 2023 mod_socache_shmcb.so
-rwxr-xr-x 1 root root 237392 Jun 16 2023 mod_ssl.so
-rwxr-xr-x 1 root root 22212 Jun 16 2023 mod_status.so
-rwxr-xr-x 1 root root 18084 Jun 16 2023 mod_substitute.so
-rwxr-xr-x 1 root root 9748 Jun 16 2023 mod_unique_id.so
-rwxr-xr-x 1 root root 13952 Jun 16 2023 mod_unixd.so
-rwxr-xr-x 1 root root 30472 Jun 16 2023 mod_url_hardening.so
-rwxr-xr-x 1 root root 9828 Jun 16 2023 mod_version.so
-rw-r--r-- 1 root root 14088 Jun 16 2023 mod_waf_exceptions.so
-rwxr-xr-x 1 root root 18152 Jun 16 2023 mod_watchdog.so
-rw-r--r-- 1 root root 18204 Jun 16 2023 mod_whatkilledus.so
-rwxr-xr-x 1 root root 26340 Jun 16 2023 mod_xml2enc.so
Okay thank, this one is the interesting one
-rwxr-xr-x 1 root root 67496 Jun 16 2023 mod_proxy_msrpc.so
We use exactly the same (as stated in my first response)
So it must be something else, maybe we find something obvious when comparing configurations.
I have a hunch.
Could you go to:
/usr/local/etc/apache24/Includes/gateway_vhosts.conf
In there find the lines that say:
Redirect / /owa/
Delete these lines or comment them out.
Then afterwards do
service apache24 restart
This restarts apache without regenerating the configuration file. Don't press Apply in the GUI now, otherwise the configuration file will revert.
Then test if the authentication popup got better or no change.
If the above did the trick, I wonder if RedirectMatch solves it:
RedirectMatch ^/$ /owa/
We have the same problem with several customers.
Your suggestion didn't help me.
The login window still appeared intermittently.
Do you have any other ideas?
@humnab, did Monviech's (Cedrik) suggestion help you?
Thanks
Question, is it new that it happens?
Or did it work and stopped working at some point?
The last time I checked it was when I created the template for this feature, I created a full Exchange (2019) + AD (server 2022) test environment and used Outlook (Office 2019) to verify it.
If somebody could help to debug a few assumptions that would help, because a test setup will always be a test setup and not reality.
Hello,
commenting the both lines out + service apache24 restart also didn't help in our environment:
cat /usr/local/etc/apache24/Includes/gateway_vhosts.conf | grep "Redirect / /owa/"
# Redirect / /owa/
# Redirect / /owa/
The popups still appear.
For our environment the problem was from the beginning with OPNWAF, but the opnsense runs onyl sinde 2 weeks...
We can debug or give you access to the firewall, for now the opnsense runs parallel to the UTM and is not really in use from internal or external (default GW is still the UTM, the DNS Records point to the UTM public IPs, when I test the OPNWAF I edit my hosts file)
I already have the UTM files, we just have to go through the differences one by one.
How about as next step we only create a single location:
Remove all of the "Location /..." blocks until "#End ExchangeHttps" (so in autodiscover. and in mail. ...)
Just create a single one with /.
So e.g.
<Location />
ProxyPass https://10.10.10.5/ connectiontimeout=900
ProxyPassReverse https://10.10.10.5/
</Location>
Hello,
I changed it to:
ServerName mail.example.com
Listen 443
<VirtualHost *:443>
ServerName mail.example.com
Options -FollowSymLinks
Options -Indexes
Options -ExecCGI
LogLevel warn
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine On
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On
SSLEngine on
Protocols h2 http/1.1
SSLCertificateFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.pem
SSLCertificateKeyFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.key
# https://wiki.mozilla.org/Security/Server_Side_TLS
# TLS Intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling On
# Start ExchangeHttps
OutlookAnywherePassthrough On
Header always set X-Frame-Options SAMEORIGIN
Header set Server Apache
Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By
RequestHeader unset Expect early
ProxyRequests Off
ProxyPreserveHost On
ProxyVia Full
RequestHeader edit Transfer-Encoding Chunked chunked early
RequestHeader unset Accept-Encoding
TimeOut 1800
# Change Character set to allow umlaute
AddDefaultCharset ISO-8859-1
# Redirect to owa (Outlook Web Access)
# Redirect / /owa/
# Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
<Directory /Microsoft-Server-ActiveSync>
SSLRenegBufferSize 31457280
</Directory>
<Location />
ProxyPass https://10.10.10.5/ connectiontimeout=900
ProxyPassReverse https://10.10.10.5/
</Location>
# End ExchangeHttps
<Location "/__waf_errors__">
ProxyPass "!"
<RequireAny>
# error pages are allowed for all.
Require all granted
</RequireAny>
</Location>
Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
ErrorDocument 400 /__waf_errors__/400.html
ErrorDocument 401 /__waf_errors__/401.html
ErrorDocument 403 /__waf_errors__/403.html
ErrorDocument 404 /__waf_errors__/404.html
ErrorDocument 408 /__waf_errors__/408.html
ErrorDocument 500 /__waf_errors__/500.html
ErrorDocument 502 /__waf_errors__/502.html
ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
<VirtualHost *:443>
ServerName autodiscover.example.com
Options -FollowSymLinks
Options -Indexes
Options -ExecCGI
LogLevel warn
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine On
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On
SSLEngine on
Protocols h2 http/1.1
SSLCertificateFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.pem
SSLCertificateKeyFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.key
# https://wiki.mozilla.org/Security/Server_Side_TLS
# TLS Intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling On
# Start ExchangeHttps
OutlookAnywherePassthrough On
Header always set X-Frame-Options SAMEORIGIN
Header set Server Apache
Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By
RequestHeader unset Expect early
ProxyRequests Off
ProxyPreserveHost On
ProxyVia Full
RequestHeader edit Transfer-Encoding Chunked chunked early
RequestHeader unset Accept-Encoding
TimeOut 1800
# Change Character set to allow umlaute
AddDefaultCharset ISO-8859-1
# Redirect to owa (Outlook Web Access)
# Redirect / /owa/
# Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
<Directory /Microsoft-Server-ActiveSync>
SSLRenegBufferSize 31457280
</Directory>
# End ExchangeHttps
<Location "/__waf_errors__">
ProxyPass "!"
<RequireAny>
# error pages are allowed for all.
Require all granted
</RequireAny>
</Location>
Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
ErrorDocument 400 /__waf_errors__/400.html
ErrorDocument 401 /__waf_errors__/401.html
ErrorDocument 403 /__waf_errors__/403.html
ErrorDocument 404 /__waf_errors__/404.html
ErrorDocument 408 /__waf_errors__/408.html
ErrorDocument 500 /__waf_errors__/500.html
ErrorDocument 502 /__waf_errors__/502.html
ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
Unfortunately no difference, popups are still appearing.
And the log for the actual test:
<166>1 2025-12-11T10:51:22+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="1"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/nspi/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 3798 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="2"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/nspi/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="3"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/nspi/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1480 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="4"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="5"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1752 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="6"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="7"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1627 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="8"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="9"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1565 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="10"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="11"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1471 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="12"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="13"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1482 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="14"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="15"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1682 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="16"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="17"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1453 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="18"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="19"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 844 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="20"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1481 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="21"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="22"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 2149 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="23"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="24"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1472 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="25"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/nspi/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="26"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/nspi/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1479 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="27"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="28"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1484 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="29"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="30"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1482 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="31"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="32"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1488 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="33"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="34"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 2737 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="35"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="36"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1484 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="37"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="38"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1599 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="39"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="40"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1491 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="41"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="42"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1596 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="43"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="44"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1484 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="45"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="46"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1473 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="47"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="48"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1475 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="49"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="50"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1455 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
Thanks for testing.
The Sophos config has these two settings, can you add them to the location?
SetEnv proxy-initial-not-pooled
SetEnv proxy-aside-c
If that didn't change anything remove http/2 and force http/1.1
Replace:
Protocols h2 http/1.1With:
Protocols http/1.1
Please try these one by one so we can figure out which one did the trick. I imagine the http/1.1 might do something, since Caddy does the same when enabling the NTML module in it.
Hello,
no difference, I have to enter the Password 3 time after starting Outlook before I can read the body of a Mail:
ServerName mail.example.com
Listen 443
<VirtualHost *:443>
ServerName mail.example.com
Options -FollowSymLinks
Options -Indexes
Options -ExecCGI
LogLevel warn
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine On
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On
SSLEngine on
Protocols http/1.1
SSLCertificateFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.pem
SSLCertificateKeyFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.key
# https://wiki.mozilla.org/Security/Server_Side_TLS
# TLS Intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling On
# Start ExchangeHttps
OutlookAnywherePassthrough On
Header always set X-Frame-Options SAMEORIGIN
Header set Server Apache
Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By
RequestHeader unset Expect early
ProxyRequests Off
ProxyPreserveHost On
ProxyVia Full
RequestHeader edit Transfer-Encoding Chunked chunked early
RequestHeader unset Accept-Encoding
TimeOut 1800
# Change Character set to allow umlaute
AddDefaultCharset ISO-8859-1
# Redirect to owa (Outlook Web Access)
# Redirect / /owa/
# Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
<Directory /Microsoft-Server-ActiveSync>
SSLRenegBufferSize 31457280
</Directory>
<LocatioN />
SetEnv proxy-initial-not-pooled
SetEnv proxy-aside-c
ProxyPass https://10.10.10.5/ connectiontimeout=900
ProxyPassReverse https://10.10.10.5/
</Location>
# End ExchangeHttps
<Location "/__waf_errors__">
ProxyPass "!"
<RequireAny>
# error pages are allowed for all.
Require all granted
</RequireAny>
</Location>
Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
ErrorDocument 400 /__waf_errors__/400.html
ErrorDocument 401 /__waf_errors__/401.html
ErrorDocument 403 /__waf_errors__/403.html
ErrorDocument 404 /__waf_errors__/404.html
ErrorDocument 408 /__waf_errors__/408.html
ErrorDocument 500 /__waf_errors__/500.html
ErrorDocument 502 /__waf_errors__/502.html
ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
<VirtualHost *:443>
ServerName autodiscover.example.com
Options -FollowSymLinks
Options -Indexes
Options -ExecCGI
LogLevel warn
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine On
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On
SSLEngine on
Protocols http/1.1
SSLCertificateFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.pem
SSLCertificateKeyFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.key
# https://wiki.mozilla.org/Security/Server_Side_TLS
# TLS Intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling On
# Start ExchangeHttps
OutlookAnywherePassthrough On
Header always set X-Frame-Options SAMEORIGIN
Header set Server Apache
Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By
RequestHeader unset Expect early
ProxyRequests Off
ProxyPreserveHost On
ProxyVia Full
RequestHeader edit Transfer-Encoding Chunked chunked early
RequestHeader unset Accept-Encoding
TimeOut 1800
# Change Character set to allow umlaute
AddDefaultCharset ISO-8859-1
# Redirect to owa (Outlook Web Access)
# Redirect / /owa/
# Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
<Directory /Microsoft-Server-ActiveSync>
SSLRenegBufferSize 31457280
</Directory>
# End ExchangeHttps
<Location "/__waf_errors__">
ProxyPass "!"
<RequireAny>
# error pages are allowed for all.
Require all granted
</RequireAny>
</Location>
Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
ErrorDocument 400 /__waf_errors__/400.html
ErrorDocument 401 /__waf_errors__/401.html
ErrorDocument 403 /__waf_errors__/403.html
ErrorDocument 404 /__waf_errors__/404.html
ErrorDocument 408 /__waf_errors__/408.html
ErrorDocument 500 /__waf_errors__/500.html
ErrorDocument 502 /__waf_errors__/502.html
ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
Sorry to be really specific but in the first virtual host you have
"LocatioN"
and in the second virtual host you dont have any location. Can you put the same location in there?
Could you fix that and retry just to be 100% sure?
------
A tangent, I dont think the password input is relevant, I think it also work if you click the popup away without entering anything (I assume).
------
EDIT: I will test this again with my own exchange server so I can iterate faster over possible solutions and come back here if I find something.
Hello,
sorry, I'm not good with vi...
ServerName mail.example.com
Listen 443
<VirtualHost *:443>
ServerName mail.example.com
Options -FollowSymLinks
Options -Indexes
Options -ExecCGI
LogLevel warn
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine On
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On
SSLEngine on
Protocols http/1.1
SSLCertificateFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.pem
SSLCertificateKeyFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.key
# https://wiki.mozilla.org/Security/Server_Side_TLS
# TLS Intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling On
# Start ExchangeHttps
OutlookAnywherePassthrough On
Header always set X-Frame-Options SAMEORIGIN
Header set Server Apache
Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By
RequestHeader unset Expect early
ProxyRequests Off
ProxyPreserveHost On
ProxyVia Full
RequestHeader edit Transfer-Encoding Chunked chunked early
RequestHeader unset Accept-Encoding
TimeOut 1800
# Change Character set to allow umlaute
AddDefaultCharset ISO-8859-1
# Redirect to owa (Outlook Web Access)
# Redirect / /owa/
# Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
<Directory /Microsoft-Server-ActiveSync>
SSLRenegBufferSize 31457280
</Directory>
<Location />
SetEnv proxy-initial-not-pooled
SetEnv proxy-aside-c
ProxyPass https://10.10.10.5/ connectiontimeout=900
ProxyPassReverse https://10.10.10.5/
</Location>
# End ExchangeHttps
<Location "/__waf_errors__">
ProxyPass "!"
<RequireAny>
# error pages are allowed for all.
Require all granted
</RequireAny>
</Location>
Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
ErrorDocument 400 /__waf_errors__/400.html
ErrorDocument 401 /__waf_errors__/401.html
ErrorDocument 403 /__waf_errors__/403.html
ErrorDocument 404 /__waf_errors__/404.html
ErrorDocument 408 /__waf_errors__/408.html
ErrorDocument 500 /__waf_errors__/500.html
ErrorDocument 502 /__waf_errors__/502.html
ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
<VirtualHost *:443>
ServerName autodiscover.example.com
Options -FollowSymLinks
Options -Indexes
Options -ExecCGI
LogLevel warn
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine On
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On
SSLEngine on
Protocols http/1.1
SSLCertificateFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.pem
SSLCertificateKeyFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.key
# https://wiki.mozilla.org/Security/Server_Side_TLS
# TLS Intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling On
# Start ExchangeHttps
OutlookAnywherePassthrough On
Header always set X-Frame-Options SAMEORIGIN
Header set Server Apache
Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By
RequestHeader unset Expect early
ProxyRequests Off
ProxyPreserveHost On
ProxyVia Full
RequestHeader edit Transfer-Encoding Chunked chunked early
RequestHeader unset Accept-Encoding
TimeOut 1800
# Change Character set to allow umlaute
AddDefaultCharset ISO-8859-1
# Redirect to owa (Outlook Web Access)
# Redirect / /owa/
# Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
<Directory /Microsoft-Server-ActiveSync>
SSLRenegBufferSize 31457280
</Directory>
<Location />
SetEnv proxy-initial-not-pooled
SetEnv proxy-aside-c
ProxyPass https://10.10.10.5/ connectiontimeout=900
ProxyPassReverse https://10.10.10.5/
</Location>
# End ExchangeHttps
<Location "/__waf_errors__">
ProxyPass "!"
<RequireAny>
# error pages are allowed for all.
Require all granted
</RequireAny>
</Location>
Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
ErrorDocument 400 /__waf_errors__/400.html
ErrorDocument 401 /__waf_errors__/401.html
ErrorDocument 403 /__waf_errors__/403.html
ErrorDocument 404 /__waf_errors__/404.html
ErrorDocument 408 /__waf_errors__/408.html
ErrorDocument 500 /__waf_errors__/500.html
ErrorDocument 502 /__waf_errors__/502.html
ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
Now Outlook asks permanently for the password, no Email Body will we displayed even after entering the password.
Thank you so far I am in the process of creating a new AD/Exchange VM and test it myself. I'll post here when I found out what it is.
EDIT:
I used Exchange 2019 CU 15 for testing.
- There seem to be new features that make using a proxy harder: https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-extended-protection#ssl-bridging-scenarios
- NTLM was hardened too: https://www.heise.de/en/news/Microsoft-takes-measures-against-NTLM-relay-attacks-10194340.html
- NTML is also deprecated, and Kerberos cannot work through a reverse proxy: https://learn.microsoft.com/de-de/windows/whats-new/deprecated-features (check for NTLM)
- The mod_proxy_msrpc only tries to fix "Outlook Anywhere" which is the RPC/http endpoint, not the MAPI/http endpoint. But even that does not seem to work reliably anymore.
- Outlook Classic shows that Microsoft aims to use the web app more prominently
I couldn't even get Outlook Classic it to work with Caddy anymore, also authentication popups.
I have a strong feeling there is no magic solution, and the way Exchange is still sometimes able to be reverse proxied is not actively pursued by any developer anymore since everyone uses the cloud anyway.
If somebody has an idea please let me know.
Hello,
Caddy works in my Environment with Exchange 2016 CU22 (Windows Server 2016), in the same Environment the UTM also works but the OPNWAF does not.
Extended Security requires the same certificate on the Exchange IIS and the reverse Proxy, we have that in those three configurations.
I will try OPNWAF wit a Exchange 2019 and report the results.
Hello everyone,
we have the same problem and the same entries in the log file. We use Exchange 2019 CU 14.
We haven't found a solution yet.
In addition, uploading file attachments in OWA takes forever since we started using OPNsense. We also used Sophos UTM before.
Best regards,
Thomas
Hello,
I configured a Apache Reverse Proxy on Ubuntu 24 LTS:
# Tipp von Bernd Krumböck wegen Sicherheitsproblemen mit dem MPM Modul und NTLM Authentifizierung
# Clients welche EWS verwenden (z.B. AquaMail) bekommen E-Mails anderer Sitzungen synchronisiert
# ServerLimit und MaxRequestWorkers ggf. an die Anzahl der vorhandenen Clients anpassen
#ServerLimit 300
#MaxRequestWorkers 300
MaxConnectionsPerChild 1
<VirtualHost 192.168.80.221:80>
ServerName mail.example.com
ServerAlias autodiscover.example.com
ServerAdmin webmaster@znil.org
ErrorLog /var/log/apache2/error.log
# Nachfolgende Zeile loggt jeden Zugriff, alternativ den Zeile darunter verwenden, dann werden die Logs verworfen
CustomLog /var/log/apache2/access.log combined
#CustomLog /dev/null common
Header always set X-Frame-Options SAMEORIGIN
Header set Server Apache
RequestHeader unset Expect early
Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By
ProxyRequests Off
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/owa(.*) https://mail.example.com/owa$1 [R,L]
RewriteRule ^/ecp(.*) https://mail.example.com/ecp$1 [R,L]
RewriteRule ^/Microsoft-Server-ActiveSync(.*) https://mail.example.com/Microsoft-Server-ActiveSync$1 [R,L]
DocumentRoot /var/www/mail.example.com/web
<Directory />
Order deny,allow
Deny from all
</Directory>
<Directory /var/www/mail.example.com/web>
DirectoryIndex index.php index.html
Options -Indexes +FollowSymLinks
Order allow,deny
Allow from all
</Directory>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
</VirtualHost>
<VirtualHost 192.168.80.221:443>
DocumentRoot /var/www/mail.example.com/web
ServerName mail.example.com
ServerAlias autodiscover.example.com
ServerAdmin webmaster@znil.org
ErrorLog /var/log/apache2/error.log
# Nachfolgende Zeile loggt jeden Zugriff, alternativ den Zeile darunter verwenden, dann werden die Logs verworfen
CustomLog /var/log/apache2/access.log combined
#CustomLog /dev/null common
Header always set X-Frame-Options SAMEORIGIN
Header set Server Apache
Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By
RequestHeader unset Expect early
SetEnvIf User-Agent ".*MSIE.*" value BrowserMSIE
# 10.12.2020: Nachfolgende Zeilen würden eine Standardauthentifizierung erzwingen, ist nun nicht mehr Notwendig
# Tipp von Marco Maus, Fragen an marco.maus@mit-system.eu
# Header unset WWW-Authenticate
# Header add WWW-Authenticate "Basic realm=mail.example.com"
ProxyRequests Off
ProxyPreserveHost On
#abgeschaut von https://github.com/phr0gz/Apache-reverse-proxy-for-Exchange-2010-2013-2016/blob/master/webmail.conf
ProxyVia Full
RequestHeader edit Transfer-Encoding Chunked chunked early
RequestHeader unset Accept-Encoding
TimeOut 1800
# Ende abgeschaut
SSLProxyEngine On
# Problemen mit Kommunikation zwischen Apache-Proxy und Exchange-Server aus dem Wege gehen
# Alle SSL Prüfungen werden damit ausgeschaltet. So kann z.B. auch intern ein Selbstsigniertes Zertifikat verwendet werden
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
#Nachfolgende Zeile bewirkt das ein Aufruf von nur https://sub.name.suffix auf https://sub.name.suffix/owa weiter geleitet wird.
Redirect / /owa/
# owa
ProxyPass /owa https://192.168.80.112/owa
ProxyPassReverse /owa https://192.168.80.112/owa
ProxyPass /OWA https://192.168.80.112/OWA
ProxyPassReverse /OWA https://192.168.80.112/OWA
ProxyPass /Owa https://192.168.80.112/Owa
ProxyPassReverse /Owa https://192.168.80.112/Owa
# ecp = Adminoberfläche - falls Zugriff nicht gewünscht einfach auskommentieren!
ProxyPass /ecp https://192.168.80.112/ecp
ProxyPassReverse /ecp https://192.168.80.112/ecp
ProxyPass /ECP https://192.168.80.112/ECP
ProxyPassReverse /ECP https://192.168.80.112/ECP
ProxyPass /Ecp https://192.168.80.112/Ecp
ProxyPassReverse /Ecp https://192.168.80.112/Ecp
# mapi
ProxyPass /mapi https://192.168.80.112/mapi
ProxyPassReverse /mapi https://192.168.80.112/mapi
# ews -> Exchange Web Services
ProxyPass /ews https://192.168.80.112/ews
ProxyPassReverse /ews https://192.168.80.112/ews
ProxyPass /EWS https://192.168.80.112/EWS
ProxyPassReverse /EWS https://192.168.80.112/EWS
ProxyPass /Ews https://192.168.80.112/Ews
ProxyPassReverse /Ews https://192.168.80.112/Ews
ProxyPass /exchange https://192.168.80.112/exchange
ProxyPassReverse /exchange https://192.168.80.112/exchange
ProxyPass /Exchange https://192.168.80.112/Exchange
ProxyPassReverse /Exchange https://192.168.80.112/Exchange
ProxyPass /exchweb https://192.168.80.112/exchweb
ProxyPassReverse /exchweb https://192.168.80.112/exchweb
ProxyPass /public https://192.168.80.112/public
ProxyPassReverse /public https://192.168.80.112/public
# oab (Offline Address Book)
ProxyPass /oab https://192.168.80.112/oab
ProxyPassReverse /oab https://192.168.80.112/oab
ProxyPass /OAB https://192.168.80.112/OAB
ProxyPassReverse /OAB https://192.168.80.112/OAB
# RPC over http(s) / Outlook Anywhere
#OutlookAnywherePassthrough On
ProxyPass /rpc https://192.168.80.112/rpc
ProxyPassReverse /rpc https://192.168.80.112/rpc
ProxyPass /Rpc https://192.168.80.112/Rpc
ProxyPassReverse /Rpc https://192.168.80.112/Rpc
# Microsoft-Server-ActiveSync
ProxyPass /Microsoft-Server-ActiveSync https://192.168.80.112/Microsoft-Server-ActiveSync connectiontimeout=900
ProxyPassReverse /Microsoft-Server-ActiveSync https://192.168.80.112/Microsoft-Server-ActiveSync
# Problem mit dem Versenden von Dateianhängen > 128KByte per ActiceSync umgehen (neuer Wert 30MByte)
<Directory /Microsoft-Server-ActiveSync>
SSLRenegBufferSize 31457280
</Directory>
# AutoDiscover -> Autodiscover for non-AD integrated Clients (Mac, eg.)
ProxyPass /autodiscover https://192.168.80.112/autodiscover
ProxyPassReverse /autodiscover https://192.168.80.112/autodiscover
ProxyPass /Autodiscover https://192.168.80.112/Autodiscover
ProxyPassReverse /Autodiscover https://192.168.80.112/Autodiscover
ProxyPass /AutoDiscover https://192.168.80.112/AutoDiscover
ProxyPassReverse /AutoDiscover https://192.168.80.112/AutoDiscover
# Zeichensatz spezifieren fuer Umlaute
AddDefaultCharset ISO-8859-1
<Directory />
Order deny,allow
Deny from all
</Directory>
<Directory /var/www/mail.example.com/web>
DirectoryIndex index.php index.html
Options -Indexes +FollowSymLinks
Order allow,deny
Allow from all
</Directory>
<Proxy *>
# 10.12.2020: Nachfolgende 2 Zeilen sind nicht mehr Notwendig
# Tipp von Marco Maus, Fragen an marco.maus@mit-system.eu
# SetEnv proxy-nokeepalive 1
# SetEnv force-proxy-request-1.0 1
Order deny,allow
Allow from all
</Proxy>
# Nach extern ein Lets Encrypt Zertifikat nutzen:
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCertificateFile /etc/ssl/certs/wsmail03.pem
SSLCertificateKeyFile /etc/ssl/private/wsmail03.key
SSLCertificateChainFile /etc/ssl/certs/r13.pem
BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
No Popups, Outlook and ActiveSync works.
Environment:
Exchange 2019 CU15 on Windows Server 2022
I enabled Extended Protection with: ExchangeExtendedProtectionManagement.ps1
The certificate on Exchange IIS and the Apache2 is the same.
Installation:
apt-get install apache2
a2enmod headers
a2enmod rewrite
a2enmod proxy_http
a2enmod ssl
a2dismod mpm_event
a2enmod mpm_prefork
I followed this Guide:
https://znil.net/index.php?title=Apache2_als_Reverse_Proxy_f%C3%BCr_Exchange_2010_2013_2016_2019_inklusive_Outlook_Anywhere_RPC_over_http
We use almost the exact same template.
Only major difference is that mpm-event is used, and not mpm-prefork.
Yet in early tests it did not make a difference, it really did work like a year ago.
Since in my tests now, caddy has also issues, it paints an interesting picture.
Maybe the issue is found outside of apache. Since it always works on linux (ubuntu, sophos UTM), yet not on freebsd (opnsense) anymore, it could be an interaction with pf, or the TCP network stack.
Hello,
perhaps mpm-prefork / mpm-event is the point to look on:
Quotehttps://znil.net/index.php?title=Apache2_als_Reverse_Proxy_f%C3%BCr_Exchange_2010_2013_2016_2019_inklusive_Outlook_Anywhere_RPC_over_http
a2dismod mpm_event
a2enmod mpm_prefork
systemctl apache2.service restart
Dieser Hinweis stammt von Marco Maus und ist wichtig damit die Authentifizierung per NTLM funktioniert.
This information comes from Marco Maus and is important for NTLM authentication to work.
Hello,
we have disabled the mpm_event module in OPNsense on a trial basis and loaded the mpm_prefork module instead by adjusting the httpd.conf:
#LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
We then restarted the service (service apache24 restart).
Unfortunately, the behaviour is the same.
Merry Christmas and best regards
Thomas
Hello,
I tried it with FreeBSD 14.3, works the same way as with Linux (no Popups):
/usr/local/etc/apache24/httpd.conf
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
# will be interpreted as '/logs/access_log'.
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used. If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/usr/local"
#
# Mutex: Allows you to set the mutex mechanism and mutex file directory
# for individual mutexes, or change the global defaults
#
# Uncomment and change the directory if mutexes are file-based and the default
# mutex file directory is not on a local disk or is not appropriate for some
# other reason.
#
# Mutex default:/var/run
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
Listen 443
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
#LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
LoadModule authn_file_module libexec/apache24/mod_authn_file.so
#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
#LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
#LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache24/mod_authz_user.so
#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
#LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
#LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
#LoadModule auth_form_module libexec/apache24/mod_auth_form.so
#LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
#LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
#LoadModule file_cache_module libexec/apache24/mod_file_cache.so
#LoadModule cache_module libexec/apache24/mod_cache.so
#LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
#LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
#LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
#LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
#LoadModule watchdog_module libexec/apache24/mod_watchdog.so
#LoadModule macro_module libexec/apache24/mod_macro.so
#LoadModule dbd_module libexec/apache24/mod_dbd.so
#LoadModule dumpio_module libexec/apache24/mod_dumpio.so
#LoadModule buffer_module libexec/apache24/mod_buffer.so
#LoadModule data_module libexec/apache24/mod_data.so
#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
#LoadModule request_module libexec/apache24/mod_request.so
#LoadModule include_module libexec/apache24/mod_include.so
LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule reflector_module libexec/apache24/mod_reflector.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
#LoadModule deflate_module libexec/apache24/mod_deflate.so
LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule mime_module libexec/apache24/mod_mime.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
#LoadModule log_debug_module libexec/apache24/mod_log_debug.so
#LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so
#LoadModule logio_module libexec/apache24/mod_logio.so
LoadModule env_module libexec/apache24/mod_env.so
#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
#LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
#LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule version_module libexec/apache24/mod_version.so
#LoadModule remoteip_module libexec/apache24/mod_remoteip.so
LoadModule proxy_module libexec/apache24/mod_proxy.so
#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
#LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
#LoadModule proxy_uwsgi_module libexec/apache24/mod_proxy_uwsgi.so
#LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
#LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
#LoadModule session_module libexec/apache24/mod_session.so
#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule dialup_module libexec/apache24/mod_dialup.so
#LoadModule http2_module libexec/apache24/mod_http2.so
#LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so
#LoadModule md_module libexec/apache24/mod_md.so
#LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
#LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so
#LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so
#LoadModule dav_module libexec/apache24/mod_dav.so
LoadModule status_module libexec/apache24/mod_status.so
LoadModule autoindex_module libexec/apache24/mod_autoindex.so
#LoadModule asis_module libexec/apache24/mod_asis.so
#LoadModule info_module libexec/apache24/mod_info.so
<IfModule !mpm_prefork_module>
#LoadModule cgid_module libexec/apache24/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
#LoadModule cgi_module libexec/apache24/mod_cgi.so
</IfModule>
#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
#LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
#LoadModule negotiation_module libexec/apache24/mod_negotiation.so
LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule imagemap_module libexec/apache24/mod_imagemap.so
#LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule speling_module libexec/apache24/mod_speling.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
# Third party modules
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User www
Group www
</IfModule>
# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin you@example.com
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/usr/local/www/apache24/data"
<Directory "/usr/local/www/apache24/data">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# AllowOverride FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "/var/log/httpd-error.log"
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
CustomLog "/var/log/httpd-access.log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
#CustomLog "/var/log/httpd-access.log" combined
</IfModule>
<IfModule alias_module>
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar
#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/"
</IfModule>
<IfModule cgid_module>
#
# ScriptSock: On threaded servers, designate the path to the UNIX
# socket used to communicate with the CGI daemon of mod_cgid.
#
#Scriptsock cgisock
</IfModule>
#
# "/usr/local/www/apache24/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/www/apache24/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule headers_module>
#
# Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
# backend servers which have lingering "httpoxy" defects.
# 'Proxy' request header is undefined by the IETF, not listed by IANA
#
RequestHeader unset Proxy early
</IfModule>
<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig etc/apache24/mime.types
#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
</IfModule>
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile etc/apache24/magic
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited
#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
#EnableSendfile on
# Supplemental configuration
#
# The configuration files in the etc/apache24/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.
# Server-pool management (MPM specific)
#Include etc/apache24/extra/httpd-mpm.conf
# Multi-language error messages
#Include etc/apache24/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include etc/apache24/extra/httpd-autoindex.conf
# Language settings
#Include etc/apache24/extra/httpd-languages.conf
# User home directories
#Include etc/apache24/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include etc/apache24/extra/httpd-info.conf
# Virtual hosts
#Include etc/apache24/extra/httpd-vhosts.conf
Include etc/apache24/extra/wsmail03.conf
# Local access to the Apache HTTP Server Manual
#Include etc/apache24/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include etc/apache24/extra/httpd-dav.conf
# Various default settings
#Include etc/apache24/extra/httpd-default.conf
# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include etc/apache24/extra/proxy-html.conf
</IfModule>
# Secure (SSL/TLS) connections
#Include etc/apache24/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Include etc/apache24/Includes/*.conf
/usr/local/etc/apache24/extra/wsmail03.conf
# Tipp von Bernd Krumböck wegen Sicherheitsproblemen mit dem MPM Modul und NTLM Authentifizierung
# Clients welche EWS verwenden (z.B. AquaMail) bekommen E-Mails anderer Sitzungen synchronisiert
# ServerLimit und MaxRequestWorkers ggf. an die Anzahl der vorhandenen Clients anpassen
#ServerLimit 300
#MaxRequestWorkers 300
MaxConnectionsPerChild 1
<VirtualHost 192.168.80.43:80>
ServerName mail.example.com
ServerAlias autodiscover.example.com
ServerAdmin webmaster@znil.org
ErrorLog /var/log/apache2/error.log
# Nachfolgende Zeile loggt jeden Zugriff, alternativ den Zeile darunter verwenden, dann werden die Logs verworfen
CustomLog /var/log/apache2/access.log combined
#CustomLog /dev/null common
Header always set X-Frame-Options SAMEORIGIN
Header set Server Apache
RequestHeader unset Expect early
Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By
ProxyRequests Off
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/owa(.*) https://mail.example.com/owa$1 [R,L]
RewriteRule ^/ecp(.*) https://mail.example.com/ecp$1 [R,L]
RewriteRule ^/Microsoft-Server-ActiveSync(.*) https://mail.example.com/Microsoft-Server-ActiveSync$1 [R,L]
DocumentRoot /var/www/mail.example.com/web
<Directory />
Order deny,allow
Deny from all
</Directory>
<Directory /var/www/mail.example.com/web>
DirectoryIndex index.php index.html
Options -Indexes +FollowSymLinks
Order allow,deny
Allow from all
</Directory>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
</VirtualHost>
<VirtualHost 192.168.80.43:443>
DocumentRoot /var/www/mail.example.com/web
ServerName mail.example.com
ServerAlias autodiscover.example.com
ServerAdmin webmaster@znil.org
ErrorLog /var/log/apache2/error.log
# Nachfolgende Zeile loggt jeden Zugriff, alternativ den Zeile darunter verwenden, dann werden die Logs verworfen
CustomLog /var/log/apache2/access.log combined
#CustomLog /dev/null common
Header always set X-Frame-Options SAMEORIGIN
Header set Server Apache
Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By
RequestHeader unset Expect early
SetEnvIf User-Agent ".*MSIE.*" value BrowserMSIE
# 10.12.2020: Nachfolgende Zeilen würden eine Standardauthentifizierung erzwingen, ist nun nicht mehr Notwendig
# Tipp von Marco Maus, Fragen an marco.maus@mit-system.eu
# Header unset WWW-Authenticate
# Header add WWW-Authenticate "Basic realm=mail.example.com"
ProxyRequests Off
ProxyPreserveHost On
#abgeschaut von https://github.com/phr0gz/Apache-reverse-proxy-for-Exchange-2010-2013-2016/blob/master/webmail.conf
ProxyVia Full
RequestHeader edit Transfer-Encoding Chunked chunked early
RequestHeader unset Accept-Encoding
TimeOut 1800
# Ende abgeschaut
SSLProxyEngine On
# Problemen mit Kommunikation zwischen Apache-Proxy und Exchange-Server aus dem Wege gehen
# Alle SSL Prüfungen werden damit ausgeschaltet. So kann z.B. auch intern ein Selbstsigniertes Zertifikat verwendet werden
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
#Nachfolgende Zeile bewirkt das ein Aufruf von nur https://sub.name.suffix auf https://sub.name.suffix/owa weiter geleitet wird.
Redirect / /owa/
# owa
ProxyPass /owa https://192.168.80.112/owa
ProxyPassReverse /owa https://192.168.80.112/owa
ProxyPass /OWA https://192.168.80.112/OWA
ProxyPassReverse /OWA https://192.168.80.112/OWA
ProxyPass /Owa https://192.168.80.112/Owa
ProxyPassReverse /Owa https://192.168.80.112/Owa
# ecp = Adminoberfläche - falls Zugriff nicht gewünscht einfach auskommentieren!
ProxyPass /ecp https://192.168.80.112/ecp
ProxyPassReverse /ecp https://192.168.80.112/ecp
ProxyPass /ECP https://192.168.80.112/ECP
ProxyPassReverse /ECP https://192.168.80.112/ECP
ProxyPass /Ecp https://192.168.80.112/Ecp
ProxyPassReverse /Ecp https://192.168.80.112/Ecp
# mapi
ProxyPass /mapi https://192.168.80.112/mapi
ProxyPassReverse /mapi https://192.168.80.112/mapi
# ews -> Exchange Web Services
ProxyPass /ews https://192.168.80.112/ews
ProxyPassReverse /ews https://192.168.80.112/ews
ProxyPass /EWS https://192.168.80.112/EWS
ProxyPassReverse /EWS https://192.168.80.112/EWS
ProxyPass /Ews https://192.168.80.112/Ews
ProxyPassReverse /Ews https://192.168.80.112/Ews
ProxyPass /exchange https://192.168.80.112/exchange
ProxyPassReverse /exchange https://192.168.80.112/exchange
ProxyPass /Exchange https://192.168.80.112/Exchange
ProxyPassReverse /Exchange https://192.168.80.112/Exchange
ProxyPass /exchweb https://192.168.80.112/exchweb
ProxyPassReverse /exchweb https://192.168.80.112/exchweb
ProxyPass /public https://192.168.80.112/public
ProxyPassReverse /public https://192.168.80.112/public
# oab (Offline Address Book)
ProxyPass /oab https://192.168.80.112/oab
ProxyPassReverse /oab https://192.168.80.112/oab
ProxyPass /OAB https://192.168.80.112/OAB
ProxyPassReverse /OAB https://192.168.80.112/OAB
# RPC over http(s) / Outlook Anywhere
#OutlookAnywherePassthrough On
ProxyPass /rpc https://192.168.80.112/rpc
ProxyPassReverse /rpc https://192.168.80.112/rpc
ProxyPass /Rpc https://192.168.80.112/Rpc
ProxyPassReverse /Rpc https://192.168.80.112/Rpc
# Microsoft-Server-ActiveSync
ProxyPass /Microsoft-Server-ActiveSync https://192.168.80.112/Microsoft-Server-ActiveSync connectiontimeout=900
ProxyPassReverse /Microsoft-Server-ActiveSync https://192.168.80.112/Microsoft-Server-ActiveSync
# Problem mit dem Versenden von Dateianhängen > 128KByte per ActiceSync umgehen (neuer Wert 30MByte)
<Directory /Microsoft-Server-ActiveSync>
SSLRenegBufferSize 31457280
</Directory>
# AutoDiscover -> Autodiscover for non-AD integrated Clients (Mac, eg.)
ProxyPass /autodiscover https://192.168.80.112/autodiscover
ProxyPassReverse /autodiscover https://192.168.80.112/autodiscover
ProxyPass /Autodiscover https://192.168.80.112/Autodiscover
ProxyPassReverse /Autodiscover https://192.168.80.112/Autodiscover
ProxyPass /AutoDiscover https://192.168.80.112/AutoDiscover
ProxyPassReverse /AutoDiscover https://192.168.80.112/AutoDiscover
# Zeichensatz spezifieren fuer Umlaute
AddDefaultCharset ISO-8859-1
<Directory />
Order deny,allow
Deny from all
</Directory>
<Directory /var/www/mail.example.com/web>
DirectoryIndex index.php index.html
Options -Indexes +FollowSymLinks
Order allow,deny
Allow from all
</Directory>
<Proxy *>
# 10.12.2020: Nachfolgende 2 Zeilen sind nicht mehr Notwendig
# Tipp von Marco Maus, Fragen an marco.maus@mit-system.eu
# SetEnv proxy-nokeepalive 1
# SetEnv force-proxy-request-1.0 1
Order deny,allow
Allow from all
</Proxy>
# Nach extern ein Lets Encrypt Zertifikat nutzen:
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCertificateFile /etc/ssl/certs/wsmail03.pem
SSLCertificateKeyFile /etc/ssl/private/wsmail03.key
SSLCertificateChainFile /etc/ssl/certs/r13.pem
BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
Hello,
with this combination I have no popups:
Client Outlook 2021 LTSC:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeExplicitO365Endpoint"=dword:00000001
I had to set this Value also with the Sophos UTM!
Opnsense:
/usr/local/etc/apache24/httpd.conf (enable prefork)
#LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
/usr/local/etc/apache24/Includes/gateway_vhosts.conf (no manual modifications):
ServerName mail.example.com
Listen 443
<VirtualHost *:443>
ServerName mail.example.com
Options -FollowSymLinks
Options -Indexes
Options -ExecCGI
LogLevel warn
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine On
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On
SSLEngine on
Protocols h2 http/1.1
SSLCertificateFile /var/etc/apache_eac36b99-b701-45a0-a828-384d46ad7114.pem
SSLCertificateKeyFile /var/etc/apache_eac36b99-b701-45a0-a828-384d46ad7114.key
# https://wiki.mozilla.org/Security/Server_Side_TLS
# TLS Intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling On
# Start ExchangeHttps
OutlookAnywherePassthrough On
Header always set X-Frame-Options SAMEORIGIN
Header set Server Apache
Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By
RequestHeader unset Expect early
ProxyRequests Off
ProxyPreserveHost On
ProxyVia Full
RequestHeader edit Transfer-Encoding Chunked chunked early
RequestHeader unset Accept-Encoding
TimeOut 1800
# Change Character set to allow umlaute
AddDefaultCharset ISO-8859-1
# Redirect to owa (Outlook Web Access)
Redirect / /owa/
# Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
<Directory /Microsoft-Server-ActiveSync>
SSLRenegBufferSize 31457280
</Directory>
<Location /owa>
ProxyPass https://192.168.80.112/owa
ProxyPassReverse https://192.168.80.112/owa
</Location>
<Location /OWA>
ProxyPass https://192.168.80.112/OWA
ProxyPassReverse https://192.168.80.112/OWA
</Location>
<Location /Owa>
ProxyPass https://192.168.80.112/Owa
ProxyPassReverse https://192.168.80.112/Owa
</Location>
<Location /ecp>
ProxyPass https://192.168.80.112/ecp
ProxyPassReverse https://192.168.80.112/ecp
</Location>
<Location /ECP>
ProxyPass https://192.168.80.112/ECP
ProxyPassReverse https://192.168.80.112/ECP
</Location>
<Location /Ecp>
ProxyPass https://192.168.80.112/Ecp
ProxyPassReverse https://192.168.80.112/Ecp
</Location>
<Location /mapi>
ProxyPass https://192.168.80.112/mapi
ProxyPassReverse https://192.168.80.112/mapi
</Location>
<Location /ews>
ProxyPass https://192.168.80.112/ews
ProxyPassReverse https://192.168.80.112/ews
</Location>
<Location /EWS>
ProxyPass https://192.168.80.112/EWS
ProxyPassReverse https://192.168.80.112/EWS
</Location>
<Location /Ews>
ProxyPass https://192.168.80.112/Ews
ProxyPassReverse https://192.168.80.112/Ews
</Location>
<Location /exchange>
ProxyPass https://192.168.80.112/exchange
ProxyPassReverse https://192.168.80.112/exchange
</Location>
<Location /Exchange>
ProxyPass https://192.168.80.112/Exchange
ProxyPassReverse https://192.168.80.112/Exchange
</Location>
<Location /exchweb>
ProxyPass https://192.168.80.112/exchweb
ProxyPassReverse https://192.168.80.112/exchweb
</Location>
<Location /public>
ProxyPass https://192.168.80.112/public
ProxyPassReverse https://192.168.80.112/public
</Location>
<Location /oab>
ProxyPass https://192.168.80.112/oab
ProxyPassReverse https://192.168.80.112/oab
</Location>
<Location /OAB>
ProxyPass https://192.168.80.112/OAB
ProxyPassReverse https://192.168.80.112/OAB
</Location>
<Location /rpc>
ProxyPass https://192.168.80.112/rpc
ProxyPassReverse https://192.168.80.112/rpc
</Location>
<Location /Rpc>
ProxyPass https://192.168.80.112/Rpc
ProxyPassReverse https://192.168.80.112/Rpc
</Location>
<Location /Microsoft-Server-ActiveSync>
ProxyPass https://192.168.80.112/Microsoft-Server-ActiveSync connectiontimeout=900
ProxyPassReverse https://192.168.80.112/Microsoft-Server-ActiveSync
</Location>
<Location /autodiscover>
ProxyPass https://192.168.80.112/autodiscover
ProxyPassReverse https://192.168.80.112/autodiscover
</Location>
<Location /Autodiscover>
ProxyPass https://192.168.80.112/Autodiscover
ProxyPassReverse https://192.168.80.112/Autodiscover
</Location>
<Location /AutoDiscover>
ProxyPass https://192.168.80.112/AutoDiscover
ProxyPassReverse https://192.168.80.112/AutoDiscover
</Location>
# End ExchangeHttps
<Location "/__waf_errors__">
ProxyPass "!"
<RequireAny>
# error pages are allowed for all.
Require all granted
</RequireAny>
</Location>
Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
ErrorDocument 400 /__waf_errors__/400.html
ErrorDocument 401 /__waf_errors__/401.html
ErrorDocument 403 /__waf_errors__/403.html
ErrorDocument 404 /__waf_errors__/404.html
ErrorDocument 408 /__waf_errors__/408.html
ErrorDocument 500 /__waf_errors__/500.html
ErrorDocument 502 /__waf_errors__/502.html
ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
<VirtualHost *:443>
ServerName autodiscover.example.com
Options -FollowSymLinks
Options -Indexes
Options -ExecCGI
LogLevel warn
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine On
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On
SSLEngine on
Protocols h2 http/1.1
SSLCertificateFile /var/etc/apache_3a95ed6e-9594-4345-872e-f5a7570a6c03.pem
SSLCertificateKeyFile /var/etc/apache_3a95ed6e-9594-4345-872e-f5a7570a6c03.key
# https://wiki.mozilla.org/Security/Server_Side_TLS
# TLS Intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling On
# Start ExchangeHttps
OutlookAnywherePassthrough On
Header always set X-Frame-Options SAMEORIGIN
Header set Server Apache
Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By
RequestHeader unset Expect early
ProxyRequests Off
ProxyPreserveHost On
ProxyVia Full
RequestHeader edit Transfer-Encoding Chunked chunked early
RequestHeader unset Accept-Encoding
TimeOut 1800
# Change Character set to allow umlaute
AddDefaultCharset ISO-8859-1
# Redirect to owa (Outlook Web Access)
Redirect / /owa/
# Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
<Directory /Microsoft-Server-ActiveSync>
SSLRenegBufferSize 31457280
</Directory>
<Location /owa>
ProxyPass https://192.168.80.112/owa
ProxyPassReverse https://192.168.80.112/owa
</Location>
<Location /OWA>
ProxyPass https://192.168.80.112/OWA
ProxyPassReverse https://192.168.80.112/OWA
</Location>
<Location /Owa>
ProxyPass https://192.168.80.112/Owa
ProxyPassReverse https://192.168.80.112/Owa
</Location>
<Location /ecp>
ProxyPass https://192.168.80.112/ecp
ProxyPassReverse https://192.168.80.112/ecp
</Location>
<Location /ECP>
ProxyPass https://192.168.80.112/ECP
ProxyPassReverse https://192.168.80.112/ECP
</Location>
<Location /Ecp>
ProxyPass https://192.168.80.112/Ecp
ProxyPassReverse https://192.168.80.112/Ecp
</Location>
<Location /mapi>
ProxyPass https://192.168.80.112/mapi
ProxyPassReverse https://192.168.80.112/mapi
</Location>
<Location /ews>
ProxyPass https://192.168.80.112/ews
ProxyPassReverse https://192.168.80.112/ews
</Location>
<Location /EWS>
ProxyPass https://192.168.80.112/EWS
ProxyPassReverse https://192.168.80.112/EWS
</Location>
<Location /Ews>
ProxyPass https://192.168.80.112/Ews
ProxyPassReverse https://192.168.80.112/Ews
</Location>
<Location /exchange>
ProxyPass https://192.168.80.112/exchange
ProxyPassReverse https://192.168.80.112/exchange
</Location>
<Location /Exchange>
ProxyPass https://192.168.80.112/Exchange
ProxyPassReverse https://192.168.80.112/Exchange
</Location>
<Location /exchweb>
ProxyPass https://192.168.80.112/exchweb
ProxyPassReverse https://192.168.80.112/exchweb
</Location>
<Location /public>
ProxyPass https://192.168.80.112/public
ProxyPassReverse https://192.168.80.112/public
</Location>
<Location /oab>
ProxyPass https://192.168.80.112/oab
ProxyPassReverse https://192.168.80.112/oab
</Location>
<Location /OAB>
ProxyPass https://192.168.80.112/OAB
ProxyPassReverse https://192.168.80.112/OAB
</Location>
<Location /rpc>
ProxyPass https://192.168.80.112/rpc
ProxyPassReverse https://192.168.80.112/rpc
</Location>
<Location /Rpc>
ProxyPass https://192.168.80.112/Rpc
ProxyPassReverse https://192.168.80.112/Rpc
</Location>
<Location /Microsoft-Server-ActiveSync>
ProxyPass https://192.168.80.112/Microsoft-Server-ActiveSync connectiontimeout=900
ProxyPassReverse https://192.168.80.112/Microsoft-Server-ActiveSync
</Location>
<Location /autodiscover>
ProxyPass https://192.168.80.112/autodiscover
ProxyPassReverse https://192.168.80.112/autodiscover
</Location>
<Location /Autodiscover>
ProxyPass https://192.168.80.112/Autodiscover
ProxyPassReverse https://192.168.80.112/Autodiscover
</Location>
<Location /AutoDiscover>
ProxyPass https://192.168.80.112/AutoDiscover
ProxyPassReverse https://192.168.80.112/AutoDiscover
</Location>
# End ExchangeHttps
<Location "/__waf_errors__">
ProxyPass "!"
<RequireAny>
# error pages are allowed for all.
Require all granted
</RequireAny>
</Location>
Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
ErrorDocument 400 /__waf_errors__/400.html
ErrorDocument 401 /__waf_errors__/401.html
ErrorDocument 403 /__waf_errors__/403.html
ErrorDocument 404 /__waf_errors__/404.html
ErrorDocument 408 /__waf_errors__/408.html
ErrorDocument 500 /__waf_errors__/500.html
ErrorDocument 502 /__waf_errors__/502.html
ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
<Proxy balancer://43438267-8453-4c41-86c5-6f4b41d3dcac>
BalancerMember https://web02.example.com
</Proxy>
<VirtualHost *:443>
ServerName stage.kuguar.ch
Options -FollowSymLinks
Options -Indexes
Options -ExecCGI
LogLevel warn
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine On
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On
SSLEngine on
Protocols h2 http/1.1
SSLCertificateFile /var/etc/apache_29a381c7-cd21-4964-aeb7-e2ac011c6500.pem
SSLCertificateKeyFile /var/etc/apache_29a381c7-cd21-4964-aeb7-e2ac011c6500.key
# https://wiki.mozilla.org/Security/Server_Side_TLS
# TLS Intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling On
<Location "/">
ProxyPreserveHost Off
ProxyPass "balancer://43438267-8453-4c41-86c5-6f4b41d3dcac/"
ProxyPassReverse "balancer://43438267-8453-4c41-86c5-6f4b41d3dcac/"
</Location>
<Location "/__waf_errors__">
ProxyPass "!"
<RequireAny>
# error pages are allowed for all.
Require all granted
</RequireAny>
</Location>
Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
ErrorDocument 400 /__waf_errors__/400.html
ErrorDocument 401 /__waf_errors__/401.html
ErrorDocument 403 /__waf_errors__/403.html
ErrorDocument 404 /__waf_errors__/404.html
ErrorDocument 408 /__waf_errors__/408.html
ErrorDocument 500 /__waf_errors__/500.html
ErrorDocument 502 /__waf_errors__/502.html
ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
<Proxy balancer://35e073ae-4c24-45ec-b1e4-3a88e02b3f91>
BalancerMember https://web01.example.com
</Proxy>
<VirtualHost *:443>
ServerName stage.example.com
Options -FollowSymLinks
Options -Indexes
Options -ExecCGI
LogLevel warn
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine On
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On
SSLEngine on
Protocols h2 http/1.1
SSLCertificateFile /var/etc/apache_769da8bf-3d71-4cf0-ac1e-bc331edbfb1d.pem
SSLCertificateKeyFile /var/etc/apache_769da8bf-3d71-4cf0-ac1e-bc331edbfb1d.key
# https://wiki.mozilla.org/Security/Server_Side_TLS
# TLS Intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling On
<Location "/">
ProxyPreserveHost Off
ProxyPass "balancer://35e073ae-4c24-45ec-b1e4-3a88e02b3f91/"
ProxyPassReverse "balancer://35e073ae-4c24-45ec-b1e4-3a88e02b3f91/"
</Location>
# Add HSTS header
Header always merge Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
# Add security and privacy related headers
Header set Content-Security-Policy "default-src 'self'; upgrade-insecure-requests;"
Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "strict-origin"
Header set X-Frame-Options "deny"
SetEnv modHeadersAvailable true
<Location "/__waf_errors__">
ProxyPass "!"
<RequireAny>
# error pages are allowed for all.
Require all granted
</RequireAny>
</Location>
Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
ErrorDocument 400 /__waf_errors__/400.html
ErrorDocument 401 /__waf_errors__/401.html
ErrorDocument 403 /__waf_errors__/403.html
ErrorDocument 404 /__waf_errors__/404.html
ErrorDocument 408 /__waf_errors__/408.html
ErrorDocument 500 /__waf_errors__/500.html
ErrorDocument 502 /__waf_errors__/502.html
ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
<Proxy balancer://fbc2840d-4c18-414f-8992-fd55b1aa214e>
BalancerMember https://web01.example.com
</Proxy>
<VirtualHost *:443>
ServerName www.example.com
Options -FollowSymLinks
Options -Indexes
Options -ExecCGI
LogLevel warn
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine On
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On
SSLEngine on
Protocols h2 http/1.1
SSLCertificateFile /var/etc/apache_51189fe3-1283-4171-a589-96e73f7d5666.pem
SSLCertificateKeyFile /var/etc/apache_51189fe3-1283-4171-a589-96e73f7d5666.key
# https://wiki.mozilla.org/Security/Server_Side_TLS
# TLS Intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling On
<Location "/">
ProxyPreserveHost Off
ProxyPass "balancer://fbc2840d-4c18-414f-8992-fd55b1aa214e/"
ProxyPassReverse "balancer://fbc2840d-4c18-414f-8992-fd55b1aa214e/"
</Location>
<Location "/__waf_errors__">
ProxyPass "!"
<RequireAny>
# error pages are allowed for all.
Require all granted
</RequireAny>
</Location>
Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
ErrorDocument 400 /__waf_errors__/400.html
ErrorDocument 401 /__waf_errors__/401.html
ErrorDocument 403 /__waf_errors__/403.html
ErrorDocument 404 /__waf_errors__/404.html
ErrorDocument 408 /__waf_errors__/408.html
ErrorDocument 500 /__waf_errors__/500.html
ErrorDocument 502 /__waf_errors__/502.html
ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
<Proxy balancer://ff902e1b-b680-4227-827c-f60408e17474>
BalancerMember https://web01.example.com
</Proxy>
<VirtualHost *:443>
ServerName example.com
Options -FollowSymLinks
Options -Indexes
Options -ExecCGI
LogLevel warn
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine On
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On
SSLEngine on
Protocols h2 http/1.1
SSLCertificateFile /var/etc/apache_aeb2e6dd-c10e-4cd5-b4aa-bbf5cde41d88.pem
SSLCertificateKeyFile /var/etc/apache_aeb2e6dd-c10e-4cd5-b4aa-bbf5cde41d88.key
# https://wiki.mozilla.org/Security/Server_Side_TLS
# TLS Intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling On
<Location "/">
ProxyPreserveHost Off
ProxyPass "balancer://ff902e1b-b680-4227-827c-f60408e17474/"
ProxyPassReverse "balancer://ff902e1b-b680-4227-827c-f60408e17474/"
</Location>
# Add HSTS header
Header always merge Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
# Add security and privacy related headers
Header set Content-Security-Policy "default-src 'self'; upgrade-insecure-requests;"
Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "strict-origin"
Header set X-Frame-Options "deny"
SetEnv modHeadersAvailable true
<Location "/__waf_errors__">
ProxyPass "!"
<RequireAny>
# error pages are allowed for all.
Require all granted
</RequireAny>
</Location>
Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
ErrorDocument 400 /__waf_errors__/400.html
ErrorDocument 401 /__waf_errors__/401.html
ErrorDocument 403 /__waf_errors__/403.html
ErrorDocument 404 /__waf_errors__/404.html
ErrorDocument 408 /__waf_errors__/408.html
ErrorDocument 500 /__waf_errors__/500.html
ErrorDocument 502 /__waf_errors__/502.html
ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
Do you really have no popups at all? Try closing Outlook and reopen it multiple times (without rebooting the Windows host)
I have tried all modifications recently (also prefork etc) and altered a few more settings to ensure Apache reuses the least connections as possible. Even with that, it was a ~75% chance that it worked.
Most of the time, when Outlook tried to establish a OAB connection popups appeared, these happen sometimes. When only the MAPI endpoint was queried, no popups happened most of the time.
The best was doing a Windows reboot, where on the first Outlook boot was connecting without popup around 80% of the time. But closing and opening it a few times revealed popups again.
I could not get any "100% works all the time without popups" setup running. And only 80% is also not good enough, since it will not quiet the expecations that there should never be popups.
If anything is wrong during the NTML authentication, the Exchange server sends a header that invalidates cached credentials, and downgrades the NTML to require manual input.