Messages

Hello,

with this combination I have no popups:

Client Outlook 2021 LTSC:

Code Select Expand

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeExplicitO365Endpoint"=dword:00000001
I had to set this Value also with the Sophos UTM!

Opnsense:

/usr/local/etc/apache24/httpd.conf (enable prefork)

Code Select Expand

#LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so

/usr/local/etc/apache24/Includes/gateway_vhosts.conf (no manual modifications):

Code Select Expand

ServerName mail.example.com
Listen 443




<VirtualHost *:443>
    ServerName mail.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols h2 http/1.1
    SSLCertificateFile    /var/etc/apache_eac36b99-b701-45a0-a828-384d46ad7114.pem
    SSLCertificateKeyFile /var/etc/apache_eac36b99-b701-45a0-a828-384d46ad7114.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>



    <Location /owa>

        ProxyPass https://192.168.80.112/owa
        ProxyPassReverse https://192.168.80.112/owa
    </Location>
    <Location /OWA>

        ProxyPass https://192.168.80.112/OWA
        ProxyPassReverse https://192.168.80.112/OWA
    </Location>
    <Location /Owa>

        ProxyPass https://192.168.80.112/Owa
        ProxyPassReverse https://192.168.80.112/Owa
    </Location>
    <Location /ecp>

        ProxyPass https://192.168.80.112/ecp
        ProxyPassReverse https://192.168.80.112/ecp
    </Location>
    <Location /ECP>

        ProxyPass https://192.168.80.112/ECP
        ProxyPassReverse https://192.168.80.112/ECP
    </Location>
    <Location /Ecp>

        ProxyPass https://192.168.80.112/Ecp
        ProxyPassReverse https://192.168.80.112/Ecp
    </Location>
    <Location /mapi>

        ProxyPass https://192.168.80.112/mapi
        ProxyPassReverse https://192.168.80.112/mapi
    </Location>
    <Location /ews>

        ProxyPass https://192.168.80.112/ews
        ProxyPassReverse https://192.168.80.112/ews
    </Location>
    <Location /EWS>

        ProxyPass https://192.168.80.112/EWS
        ProxyPassReverse https://192.168.80.112/EWS
    </Location>
    <Location /Ews>

        ProxyPass https://192.168.80.112/Ews
        ProxyPassReverse https://192.168.80.112/Ews
    </Location>
    <Location /exchange>

        ProxyPass https://192.168.80.112/exchange
        ProxyPassReverse https://192.168.80.112/exchange
    </Location>
    <Location /Exchange>

        ProxyPass https://192.168.80.112/Exchange
        ProxyPassReverse https://192.168.80.112/Exchange
    </Location>
    <Location /exchweb>

        ProxyPass https://192.168.80.112/exchweb
        ProxyPassReverse https://192.168.80.112/exchweb
    </Location>
    <Location /public>

        ProxyPass https://192.168.80.112/public
        ProxyPassReverse https://192.168.80.112/public
    </Location>
    <Location /oab>

        ProxyPass https://192.168.80.112/oab
        ProxyPassReverse https://192.168.80.112/oab
    </Location>
    <Location /OAB>

        ProxyPass https://192.168.80.112/OAB
        ProxyPassReverse https://192.168.80.112/OAB
    </Location>
    <Location /rpc>

        ProxyPass https://192.168.80.112/rpc
        ProxyPassReverse https://192.168.80.112/rpc
    </Location>
    <Location /Rpc>

        ProxyPass https://192.168.80.112/Rpc
        ProxyPassReverse https://192.168.80.112/Rpc
    </Location>
    <Location /Microsoft-Server-ActiveSync>

        ProxyPass https://192.168.80.112/Microsoft-Server-ActiveSync connectiontimeout=900
        ProxyPassReverse https://192.168.80.112/Microsoft-Server-ActiveSync
    </Location>
    <Location /autodiscover>

        ProxyPass https://192.168.80.112/autodiscover
        ProxyPassReverse https://192.168.80.112/autodiscover
    </Location>
    <Location /Autodiscover>

        ProxyPass https://192.168.80.112/Autodiscover
        ProxyPassReverse https://192.168.80.112/Autodiscover
    </Location>
    <Location /AutoDiscover>

        ProxyPass https://192.168.80.112/AutoDiscover
        ProxyPassReverse https://192.168.80.112/AutoDiscover
    </Location>
    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>



<VirtualHost *:443>
    ServerName autodiscover.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols h2 http/1.1
    SSLCertificateFile    /var/etc/apache_3a95ed6e-9594-4345-872e-f5a7570a6c03.pem
    SSLCertificateKeyFile /var/etc/apache_3a95ed6e-9594-4345-872e-f5a7570a6c03.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>



    <Location /owa>

        ProxyPass https://192.168.80.112/owa
        ProxyPassReverse https://192.168.80.112/owa
    </Location>
    <Location /OWA>

        ProxyPass https://192.168.80.112/OWA
        ProxyPassReverse https://192.168.80.112/OWA
    </Location>
    <Location /Owa>

        ProxyPass https://192.168.80.112/Owa
        ProxyPassReverse https://192.168.80.112/Owa
    </Location>
    <Location /ecp>

        ProxyPass https://192.168.80.112/ecp
        ProxyPassReverse https://192.168.80.112/ecp
    </Location>
    <Location /ECP>

        ProxyPass https://192.168.80.112/ECP
        ProxyPassReverse https://192.168.80.112/ECP
    </Location>
    <Location /Ecp>

        ProxyPass https://192.168.80.112/Ecp
        ProxyPassReverse https://192.168.80.112/Ecp
    </Location>
    <Location /mapi>

        ProxyPass https://192.168.80.112/mapi
        ProxyPassReverse https://192.168.80.112/mapi
    </Location>
    <Location /ews>

        ProxyPass https://192.168.80.112/ews
        ProxyPassReverse https://192.168.80.112/ews
    </Location>
    <Location /EWS>

        ProxyPass https://192.168.80.112/EWS
        ProxyPassReverse https://192.168.80.112/EWS
    </Location>
    <Location /Ews>

        ProxyPass https://192.168.80.112/Ews
        ProxyPassReverse https://192.168.80.112/Ews
    </Location>
    <Location /exchange>

        ProxyPass https://192.168.80.112/exchange
        ProxyPassReverse https://192.168.80.112/exchange
    </Location>
    <Location /Exchange>

        ProxyPass https://192.168.80.112/Exchange
        ProxyPassReverse https://192.168.80.112/Exchange
    </Location>
    <Location /exchweb>

        ProxyPass https://192.168.80.112/exchweb
        ProxyPassReverse https://192.168.80.112/exchweb
    </Location>
    <Location /public>

        ProxyPass https://192.168.80.112/public
        ProxyPassReverse https://192.168.80.112/public
    </Location>
    <Location /oab>

        ProxyPass https://192.168.80.112/oab
        ProxyPassReverse https://192.168.80.112/oab
    </Location>
    <Location /OAB>

        ProxyPass https://192.168.80.112/OAB
        ProxyPassReverse https://192.168.80.112/OAB
    </Location>
    <Location /rpc>

        ProxyPass https://192.168.80.112/rpc
        ProxyPassReverse https://192.168.80.112/rpc
    </Location>
    <Location /Rpc>

        ProxyPass https://192.168.80.112/Rpc
        ProxyPassReverse https://192.168.80.112/Rpc
    </Location>
    <Location /Microsoft-Server-ActiveSync>

        ProxyPass https://192.168.80.112/Microsoft-Server-ActiveSync connectiontimeout=900
        ProxyPassReverse https://192.168.80.112/Microsoft-Server-ActiveSync
    </Location>
    <Location /autodiscover>

        ProxyPass https://192.168.80.112/autodiscover
        ProxyPassReverse https://192.168.80.112/autodiscover
    </Location>
    <Location /Autodiscover>

        ProxyPass https://192.168.80.112/Autodiscover
        ProxyPassReverse https://192.168.80.112/Autodiscover
    </Location>
    <Location /AutoDiscover>

        ProxyPass https://192.168.80.112/AutoDiscover
        ProxyPassReverse https://192.168.80.112/AutoDiscover
    </Location>
    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
<Proxy balancer://43438267-8453-4c41-86c5-6f4b41d3dcac>
BalancerMember https://web02.example.com
</Proxy>



<VirtualHost *:443>
    ServerName stage.kuguar.ch
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols h2 http/1.1
    SSLCertificateFile    /var/etc/apache_29a381c7-cd21-4964-aeb7-e2ac011c6500.pem
    SSLCertificateKeyFile /var/etc/apache_29a381c7-cd21-4964-aeb7-e2ac011c6500.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    <Location "/">


        ProxyPreserveHost  Off
        ProxyPass "balancer://43438267-8453-4c41-86c5-6f4b41d3dcac/"
        ProxyPassReverse "balancer://43438267-8453-4c41-86c5-6f4b41d3dcac/"
    </Location>

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
<Proxy balancer://35e073ae-4c24-45ec-b1e4-3a88e02b3f91>
BalancerMember https://web01.example.com
</Proxy>



<VirtualHost *:443>
    ServerName stage.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols h2 http/1.1
    SSLCertificateFile    /var/etc/apache_769da8bf-3d71-4cf0-ac1e-bc331edbfb1d.pem
    SSLCertificateKeyFile /var/etc/apache_769da8bf-3d71-4cf0-ac1e-bc331edbfb1d.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    <Location "/">


        ProxyPreserveHost  Off
        ProxyPass "balancer://35e073ae-4c24-45ec-b1e4-3a88e02b3f91/"
        ProxyPassReverse "balancer://35e073ae-4c24-45ec-b1e4-3a88e02b3f91/"
    </Location>

    # Add HSTS header
    Header always merge Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    # Add security and privacy related headers
    Header set Content-Security-Policy "default-src 'self'; upgrade-insecure-requests;"
    Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "strict-origin"
    Header set X-Frame-Options "deny"
    SetEnv modHeadersAvailable true
    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
<Proxy balancer://fbc2840d-4c18-414f-8992-fd55b1aa214e>
BalancerMember https://web01.example.com
</Proxy>



<VirtualHost *:443>
    ServerName www.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols h2 http/1.1
    SSLCertificateFile    /var/etc/apache_51189fe3-1283-4171-a589-96e73f7d5666.pem
    SSLCertificateKeyFile /var/etc/apache_51189fe3-1283-4171-a589-96e73f7d5666.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    <Location "/">


        ProxyPreserveHost  Off
        ProxyPass "balancer://fbc2840d-4c18-414f-8992-fd55b1aa214e/"
        ProxyPassReverse "balancer://fbc2840d-4c18-414f-8992-fd55b1aa214e/"
    </Location>

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
<Proxy balancer://ff902e1b-b680-4227-827c-f60408e17474>
BalancerMember https://web01.example.com
</Proxy>



<VirtualHost *:443>
    ServerName example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols h2 http/1.1
    SSLCertificateFile    /var/etc/apache_aeb2e6dd-c10e-4cd5-b4aa-bbf5cde41d88.pem
    SSLCertificateKeyFile /var/etc/apache_aeb2e6dd-c10e-4cd5-b4aa-bbf5cde41d88.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    <Location "/">


        ProxyPreserveHost  Off
        ProxyPass "balancer://ff902e1b-b680-4227-827c-f60408e17474/"
        ProxyPassReverse "balancer://ff902e1b-b680-4227-827c-f60408e17474/"
    </Location>

    # Add HSTS header
    Header always merge Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    # Add security and privacy related headers
    Header set Content-Security-Policy "default-src 'self'; upgrade-insecure-requests;"
    Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "strict-origin"
    Header set X-Frame-Options "deny"
    SetEnv modHeadersAvailable true
    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>


/usr/local/etc/apache24/extra/wsmail03.conf

Code Select Expand

# Tipp von Bernd Krumböck wegen Sicherheitsproblemen mit dem MPM Modul und NTLM Authentifizierung
# Clients welche EWS verwenden (z.B. AquaMail) bekommen E-Mails anderer Sitzungen synchronisiert
# ServerLimit und MaxRequestWorkers ggf. an die Anzahl der vorhandenen Clients anpassen
#ServerLimit 300
#MaxRequestWorkers 300
MaxConnectionsPerChild 1

<VirtualHost 192.168.80.43:80>
        ServerName mail.example.com
        ServerAlias autodiscover.example.com
        ServerAdmin webmaster@znil.org

        ErrorLog /var/log/apache2/error.log
        # Nachfolgende Zeile loggt jeden Zugriff, alternativ den Zeile darunter verwenden, dann werden die Logs verworfen
        CustomLog /var/log/apache2/access.log combined
        #CustomLog /dev/null common

        Header always set X-Frame-Options SAMEORIGIN
        Header set Server Apache
        RequestHeader unset Expect early
        Header unset X-AspNet-Version
        Header unset X-OWA-Version
        Header unset X-Powered-By

        ProxyRequests Off
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/owa(.*) https://mail.example.com/owa$1 [R,L]
        RewriteRule ^/ecp(.*) https://mail.example.com/ecp$1 [R,L]
        RewriteRule ^/Microsoft-Server-ActiveSync(.*) https://mail.example.com/Microsoft-Server-ActiveSync$1 [R,L]

        DocumentRoot /var/www/mail.example.com/web

        <Directory />
            Order deny,allow
            Deny from all
        </Directory>

        <Directory /var/www/mail.example.com/web>
            DirectoryIndex index.php index.html
            Options -Indexes +FollowSymLinks
            Order allow,deny
            Allow from all
        </Directory>

        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
</VirtualHost>

<VirtualHost 192.168.80.43:443>
        DocumentRoot /var/www/mail.example.com/web

        ServerName mail.example.com
        ServerAlias autodiscover.example.com
        ServerAdmin webmaster@znil.org

        ErrorLog /var/log/apache2/error.log
        # Nachfolgende Zeile loggt jeden Zugriff, alternativ den Zeile darunter verwenden, dann werden die Logs verworfen
        CustomLog /var/log/apache2/access.log combined
        #CustomLog /dev/null common

        Header always set X-Frame-Options SAMEORIGIN
        Header set Server Apache
        Header unset X-AspNet-Version
        Header unset X-OWA-Version
        Header unset X-Powered-By

        RequestHeader unset Expect early

        SetEnvIf User-Agent ".*MSIE.*" value BrowserMSIE
        # 10.12.2020: Nachfolgende Zeilen würden eine Standardauthentifizierung erzwingen, ist nun nicht mehr Notwendig
        # Tipp von Marco Maus, Fragen an marco.maus@mit-system.eu
        # Header unset WWW-Authenticate
        # Header add WWW-Authenticate "Basic realm=mail.example.com"
        ProxyRequests Off
        ProxyPreserveHost On

        #abgeschaut von https://github.com/phr0gz/Apache-reverse-proxy-for-Exchange-2010-2013-2016/blob/master/webmail.conf
        ProxyVia Full
        RequestHeader edit Transfer-Encoding Chunked chunked early
        RequestHeader unset Accept-Encoding
        TimeOut 1800
        # Ende abgeschaut

        SSLProxyEngine On
        # Problemen mit Kommunikation zwischen Apache-Proxy und Exchange-Server aus dem Wege gehen
        # Alle SSL Prüfungen werden damit ausgeschaltet. So kann z.B. auch intern ein Selbstsigniertes Zertifikat verwendet werden
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        #Nachfolgende Zeile bewirkt das ein Aufruf von nur https://sub.name.suffix auf https://sub.name.suffix/owa weiter geleitet wird.
        Redirect / /owa/

        # owa
        ProxyPass /owa https://192.168.80.112/owa
        ProxyPassReverse /owa https://192.168.80.112/owa
        ProxyPass /OWA https://192.168.80.112/OWA
        ProxyPassReverse /OWA https://192.168.80.112/OWA
        ProxyPass /Owa https://192.168.80.112/Owa
        ProxyPassReverse /Owa https://192.168.80.112/Owa

        # ecp = Adminoberfläche - falls Zugriff nicht gewünscht einfach auskommentieren!
        ProxyPass /ecp https://192.168.80.112/ecp
        ProxyPassReverse /ecp https://192.168.80.112/ecp
        ProxyPass /ECP https://192.168.80.112/ECP
        ProxyPassReverse /ECP https://192.168.80.112/ECP
        ProxyPass /Ecp https://192.168.80.112/Ecp
        ProxyPassReverse /Ecp https://192.168.80.112/Ecp

        # mapi
        ProxyPass /mapi https://192.168.80.112/mapi
        ProxyPassReverse /mapi https://192.168.80.112/mapi

        # ews -> Exchange Web Services
        ProxyPass /ews https://192.168.80.112/ews
        ProxyPassReverse /ews https://192.168.80.112/ews
        ProxyPass /EWS https://192.168.80.112/EWS
        ProxyPassReverse /EWS https://192.168.80.112/EWS
        ProxyPass /Ews https://192.168.80.112/Ews
        ProxyPassReverse /Ews https://192.168.80.112/Ews
        ProxyPass /exchange https://192.168.80.112/exchange
        ProxyPassReverse /exchange https://192.168.80.112/exchange
        ProxyPass /Exchange https://192.168.80.112/Exchange
        ProxyPassReverse /Exchange https://192.168.80.112/Exchange
        ProxyPass /exchweb https://192.168.80.112/exchweb
        ProxyPassReverse /exchweb https://192.168.80.112/exchweb
        ProxyPass /public https://192.168.80.112/public
        ProxyPassReverse /public https://192.168.80.112/public

        # oab (Offline Address Book)
        ProxyPass /oab https://192.168.80.112/oab
        ProxyPassReverse /oab https://192.168.80.112/oab
        ProxyPass /OAB https://192.168.80.112/OAB
        ProxyPassReverse /OAB https://192.168.80.112/OAB

        # RPC over http(s) / Outlook Anywhere
        #OutlookAnywherePassthrough On
        ProxyPass /rpc https://192.168.80.112/rpc
        ProxyPassReverse /rpc https://192.168.80.112/rpc
        ProxyPass /Rpc https://192.168.80.112/Rpc
        ProxyPassReverse /Rpc https://192.168.80.112/Rpc

        # Microsoft-Server-ActiveSync
        ProxyPass /Microsoft-Server-ActiveSync https://192.168.80.112/Microsoft-Server-ActiveSync connectiontimeout=900
        ProxyPassReverse /Microsoft-Server-ActiveSync https://192.168.80.112/Microsoft-Server-ActiveSync

        # Problem mit dem Versenden von Dateianhängen > 128KByte per ActiceSync umgehen (neuer Wert 30MByte)
        <Directory /Microsoft-Server-ActiveSync>
                SSLRenegBufferSize 31457280
        </Directory>

        # AutoDiscover  -> Autodiscover for non-AD integrated Clients (Mac, eg.)
        ProxyPass /autodiscover https://192.168.80.112/autodiscover
        ProxyPassReverse /autodiscover https://192.168.80.112/autodiscover
        ProxyPass /Autodiscover https://192.168.80.112/Autodiscover
        ProxyPassReverse /Autodiscover https://192.168.80.112/Autodiscover
        ProxyPass /AutoDiscover https://192.168.80.112/AutoDiscover
        ProxyPassReverse /AutoDiscover https://192.168.80.112/AutoDiscover

        # Zeichensatz spezifieren fuer Umlaute
        AddDefaultCharset ISO-8859-1

        <Directory />
                Order deny,allow
                Deny from all
        </Directory>

        <Directory /var/www/mail.example.com/web>
                DirectoryIndex index.php index.html
                 Options -Indexes +FollowSymLinks
                Order allow,deny
                Allow from all
        </Directory>

        <Proxy *>
                # 10.12.2020: Nachfolgende 2 Zeilen sind nicht mehr Notwendig
                # Tipp von Marco Maus, Fragen an marco.maus@mit-system.eu
                # SetEnv proxy-nokeepalive 1
                # SetEnv force-proxy-request-1.0 1
                Order deny,allow
                Allow from all
        </Proxy>

        # Nach extern ein Lets Encrypt Zertifikat nutzen:
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder     on
        SSLCertificateFile /etc/ssl/certs/wsmail03.pem
        SSLCertificateKeyFile /etc/ssl/private/wsmail03.key
        SSLCertificateChainFile /etc/ssl/certs/r13.pem

        BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>


Hello,

I tried it with FreeBSD 14.3, works the same way as with Linux (no Popups):

/usr/local/etc/apache24/httpd.conf

Code Select Expand

#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
# will be interpreted as '/logs/access_log'.

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used.  If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/usr/local"

#
# Mutex: Allows you to set the mutex mechanism and mutex file directory
# for individual mutexes, or change the global defaults
#
# Uncomment and change the directory if mutexes are file-based and the default
# mutex file directory is not on a local disk or is not appropriate for some
# other reason.
#
# Mutex default:/var/run

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
Listen 443

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
#LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
LoadModule authn_file_module libexec/apache24/mod_authn_file.so
#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
#LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
#LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache24/mod_authz_user.so
#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
#LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
#LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
#LoadModule auth_form_module libexec/apache24/mod_auth_form.so
#LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
#LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
#LoadModule file_cache_module libexec/apache24/mod_file_cache.so
#LoadModule cache_module libexec/apache24/mod_cache.so
#LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
#LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
#LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
#LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
#LoadModule watchdog_module libexec/apache24/mod_watchdog.so
#LoadModule macro_module libexec/apache24/mod_macro.so
#LoadModule dbd_module libexec/apache24/mod_dbd.so
#LoadModule dumpio_module libexec/apache24/mod_dumpio.so
#LoadModule buffer_module libexec/apache24/mod_buffer.so
#LoadModule data_module libexec/apache24/mod_data.so
#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
#LoadModule request_module libexec/apache24/mod_request.so
#LoadModule include_module libexec/apache24/mod_include.so
LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule reflector_module libexec/apache24/mod_reflector.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
#LoadModule deflate_module libexec/apache24/mod_deflate.so
LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule mime_module libexec/apache24/mod_mime.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
#LoadModule log_debug_module libexec/apache24/mod_log_debug.so
#LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so
#LoadModule logio_module libexec/apache24/mod_logio.so
LoadModule env_module libexec/apache24/mod_env.so
#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
#LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
#LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule version_module libexec/apache24/mod_version.so
#LoadModule remoteip_module libexec/apache24/mod_remoteip.so
LoadModule proxy_module libexec/apache24/mod_proxy.so
#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
#LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
#LoadModule proxy_uwsgi_module libexec/apache24/mod_proxy_uwsgi.so
#LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
#LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
#LoadModule session_module libexec/apache24/mod_session.so
#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule dialup_module libexec/apache24/mod_dialup.so
#LoadModule http2_module libexec/apache24/mod_http2.so
#LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so
#LoadModule md_module libexec/apache24/mod_md.so
#LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
#LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so
#LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so
#LoadModule dav_module libexec/apache24/mod_dav.so
LoadModule status_module libexec/apache24/mod_status.so
LoadModule autoindex_module libexec/apache24/mod_autoindex.so
#LoadModule asis_module libexec/apache24/mod_asis.so
#LoadModule info_module libexec/apache24/mod_info.so
<IfModule !mpm_prefork_module>
        #LoadModule cgid_module libexec/apache24/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
        #LoadModule cgi_module libexec/apache24/mod_cgi.so
</IfModule>
#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
#LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
#LoadModule negotiation_module libexec/apache24/mod_negotiation.so
LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule imagemap_module libexec/apache24/mod_imagemap.so
#LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule speling_module libexec/apache24/mod_speling.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so

# Third party modules
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf

<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User www
Group www

</IfModule>

# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. admin@your-domain.com
#
ServerAdmin you@example.com

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80

#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
    AllowOverride none
    Require all denied
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/usr/local/www/apache24/data"
<Directory "/usr/local/www/apache24/data">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
    Require all denied
</Files>

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "/var/log/httpd-error.log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    CustomLog "/var/log/httpd-access.log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    #CustomLog "/var/log/httpd-access.log" combined
</IfModule>

<IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to
    # exist in your server's namespace, but do not anymore. The client
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar

    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.

    #
    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/"

</IfModule>

<IfModule cgid_module>
    #
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    #
    #Scriptsock cgisock
</IfModule>

#
# "/usr/local/www/apache24/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/www/apache24/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule headers_module>
    #
    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
    # backend servers which have lingering "httpoxy" defects.
    # 'Proxy' request header is undefined by the IETF, not listed by IANA
    #
    RequestHeader unset Proxy early
</IfModule>

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig etc/apache24/mime.types

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
</IfModule>

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile etc/apache24/magic

#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited

#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
#EnableSendfile on

# Supplemental configuration
#
# The configuration files in the etc/apache24/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.

# Server-pool management (MPM specific)
#Include etc/apache24/extra/httpd-mpm.conf

# Multi-language error messages
#Include etc/apache24/extra/httpd-multilang-errordoc.conf

# Fancy directory listings
#Include etc/apache24/extra/httpd-autoindex.conf

# Language settings
#Include etc/apache24/extra/httpd-languages.conf

# User home directories
#Include etc/apache24/extra/httpd-userdir.conf

# Real-time info on requests and configuration
#Include etc/apache24/extra/httpd-info.conf

# Virtual hosts
#Include etc/apache24/extra/httpd-vhosts.conf
Include etc/apache24/extra/wsmail03.conf

# Local access to the Apache HTTP Server Manual
#Include etc/apache24/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
#Include etc/apache24/extra/httpd-dav.conf

# Various default settings
#Include etc/apache24/extra/httpd-default.conf

# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include etc/apache24/extra/proxy-html.conf
</IfModule>

# Secure (SSL/TLS) connections
#Include etc/apache24/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

Include etc/apache24/Includes/*.conf


Hello,

perhaps mpm-prefork / mpm-event is the point to look on:

https://znil.net/index.php?title=Apache2_als_Reverse_Proxy_f%C3%BCr_Exchange_2010_2013_2016_2019_inklusive_Outlook_Anywhere_RPC_over_http

a2dismod mpm_event
a2enmod mpm_prefork
systemctl apache2.service restart

Dieser Hinweis stammt von Marco Maus und ist wichtig damit die Authentifizierung per NTLM funktioniert.

This information comes from Marco Maus and is important for NTLM authentication to work.

Hello,

I configured a Apache Reverse Proxy on Ubuntu 24 LTS:

Code Select Expand

# Tipp von Bernd Krumböck wegen Sicherheitsproblemen mit dem MPM Modul und NTLM Authentifizierung
# Clients welche EWS verwenden (z.B. AquaMail) bekommen E-Mails anderer Sitzungen synchronisiert
# ServerLimit und MaxRequestWorkers ggf. an die Anzahl der vorhandenen Clients anpassen
#ServerLimit 300
#MaxRequestWorkers 300
MaxConnectionsPerChild 1

<VirtualHost 192.168.80.221:80>
        ServerName mail.example.com
        ServerAlias autodiscover.example.com
        ServerAdmin webmaster@znil.org

        ErrorLog /var/log/apache2/error.log
        # Nachfolgende Zeile loggt jeden Zugriff, alternativ den Zeile darunter verwenden, dann werden die Logs verworfen
        CustomLog /var/log/apache2/access.log combined
        #CustomLog /dev/null common

        Header always set X-Frame-Options SAMEORIGIN
        Header set Server Apache
        RequestHeader unset Expect early
        Header unset X-AspNet-Version
        Header unset X-OWA-Version
        Header unset X-Powered-By

        ProxyRequests Off
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/owa(.*) https://mail.example.com/owa$1 [R,L]
        RewriteRule ^/ecp(.*) https://mail.example.com/ecp$1 [R,L]
        RewriteRule ^/Microsoft-Server-ActiveSync(.*) https://mail.example.com/Microsoft-Server-ActiveSync$1 [R,L]

        DocumentRoot /var/www/mail.example.com/web

        <Directory />
            Order deny,allow
            Deny from all
        </Directory>

        <Directory /var/www/mail.example.com/web>
            DirectoryIndex index.php index.html
            Options -Indexes +FollowSymLinks
            Order allow,deny
            Allow from all
        </Directory>

        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
</VirtualHost>

<VirtualHost 192.168.80.221:443>
        DocumentRoot /var/www/mail.example.com/web

        ServerName mail.example.com
        ServerAlias autodiscover.example.com
        ServerAdmin webmaster@znil.org

        ErrorLog /var/log/apache2/error.log
        # Nachfolgende Zeile loggt jeden Zugriff, alternativ den Zeile darunter verwenden, dann werden die Logs verworfen
        CustomLog /var/log/apache2/access.log combined
        #CustomLog /dev/null common

        Header always set X-Frame-Options SAMEORIGIN
        Header set Server Apache
        Header unset X-AspNet-Version
        Header unset X-OWA-Version
        Header unset X-Powered-By

        RequestHeader unset Expect early

        SetEnvIf User-Agent ".*MSIE.*" value BrowserMSIE
        # 10.12.2020: Nachfolgende Zeilen würden eine Standardauthentifizierung erzwingen, ist nun nicht mehr Notwendig
        # Tipp von Marco Maus, Fragen an marco.maus@mit-system.eu
        # Header unset WWW-Authenticate
        # Header add WWW-Authenticate "Basic realm=mail.example.com"
        ProxyRequests Off
        ProxyPreserveHost On

        #abgeschaut von https://github.com/phr0gz/Apache-reverse-proxy-for-Exchange-2010-2013-2016/blob/master/webmail.conf
        ProxyVia Full
        RequestHeader edit Transfer-Encoding Chunked chunked early
        RequestHeader unset Accept-Encoding
        TimeOut 1800
        # Ende abgeschaut

        SSLProxyEngine On
        # Problemen mit Kommunikation zwischen Apache-Proxy und Exchange-Server aus dem Wege gehen
        # Alle SSL Prüfungen werden damit ausgeschaltet. So kann z.B. auch intern ein Selbstsigniertes Zertifikat verwendet werden
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        #Nachfolgende Zeile bewirkt das ein Aufruf von nur https://sub.name.suffix auf https://sub.name.suffix/owa weiter geleitet wird.
        Redirect / /owa/

        # owa
        ProxyPass /owa https://192.168.80.112/owa
        ProxyPassReverse /owa https://192.168.80.112/owa
        ProxyPass /OWA https://192.168.80.112/OWA
        ProxyPassReverse /OWA https://192.168.80.112/OWA
        ProxyPass /Owa https://192.168.80.112/Owa
        ProxyPassReverse /Owa https://192.168.80.112/Owa

        # ecp = Adminoberfläche - falls Zugriff nicht gewünscht einfach auskommentieren!
        ProxyPass /ecp https://192.168.80.112/ecp
        ProxyPassReverse /ecp https://192.168.80.112/ecp
        ProxyPass /ECP https://192.168.80.112/ECP
        ProxyPassReverse /ECP https://192.168.80.112/ECP
        ProxyPass /Ecp https://192.168.80.112/Ecp
        ProxyPassReverse /Ecp https://192.168.80.112/Ecp

        # mapi
        ProxyPass /mapi https://192.168.80.112/mapi
        ProxyPassReverse /mapi https://192.168.80.112/mapi

        # ews -> Exchange Web Services
        ProxyPass /ews https://192.168.80.112/ews
        ProxyPassReverse /ews https://192.168.80.112/ews
        ProxyPass /EWS https://192.168.80.112/EWS
        ProxyPassReverse /EWS https://192.168.80.112/EWS
        ProxyPass /Ews https://192.168.80.112/Ews
        ProxyPassReverse /Ews https://192.168.80.112/Ews
        ProxyPass /exchange https://192.168.80.112/exchange
        ProxyPassReverse /exchange https://192.168.80.112/exchange
        ProxyPass /Exchange https://192.168.80.112/Exchange
        ProxyPassReverse /Exchange https://192.168.80.112/Exchange
        ProxyPass /exchweb https://192.168.80.112/exchweb
        ProxyPassReverse /exchweb https://192.168.80.112/exchweb
        ProxyPass /public https://192.168.80.112/public
        ProxyPassReverse /public https://192.168.80.112/public

        # oab (Offline Address Book)
        ProxyPass /oab https://192.168.80.112/oab
        ProxyPassReverse /oab https://192.168.80.112/oab
        ProxyPass /OAB https://192.168.80.112/OAB
        ProxyPassReverse /OAB https://192.168.80.112/OAB

        # RPC over http(s) / Outlook Anywhere
        #OutlookAnywherePassthrough On
        ProxyPass /rpc https://192.168.80.112/rpc
        ProxyPassReverse /rpc https://192.168.80.112/rpc
        ProxyPass /Rpc https://192.168.80.112/Rpc
        ProxyPassReverse /Rpc https://192.168.80.112/Rpc

        # Microsoft-Server-ActiveSync
        ProxyPass /Microsoft-Server-ActiveSync https://192.168.80.112/Microsoft-Server-ActiveSync connectiontimeout=900
        ProxyPassReverse /Microsoft-Server-ActiveSync https://192.168.80.112/Microsoft-Server-ActiveSync

        # Problem mit dem Versenden von Dateianhängen > 128KByte per ActiceSync umgehen (neuer Wert 30MByte)
        <Directory /Microsoft-Server-ActiveSync>
                SSLRenegBufferSize 31457280
        </Directory>

        # AutoDiscover  -> Autodiscover for non-AD integrated Clients (Mac, eg.)
        ProxyPass /autodiscover https://192.168.80.112/autodiscover
        ProxyPassReverse /autodiscover https://192.168.80.112/autodiscover
        ProxyPass /Autodiscover https://192.168.80.112/Autodiscover
        ProxyPassReverse /Autodiscover https://192.168.80.112/Autodiscover
        ProxyPass /AutoDiscover https://192.168.80.112/AutoDiscover
        ProxyPassReverse /AutoDiscover https://192.168.80.112/AutoDiscover

        # Zeichensatz spezifieren fuer Umlaute
        AddDefaultCharset ISO-8859-1

        <Directory />
                Order deny,allow
                Deny from all
        </Directory>

        <Directory /var/www/mail.example.com/web>
                DirectoryIndex index.php index.html
                 Options -Indexes +FollowSymLinks
                Order allow,deny
                Allow from all
        </Directory>

        <Proxy *>
                # 10.12.2020: Nachfolgende 2 Zeilen sind nicht mehr Notwendig
                # Tipp von Marco Maus, Fragen an marco.maus@mit-system.eu
                # SetEnv proxy-nokeepalive 1
                # SetEnv force-proxy-request-1.0 1
                Order deny,allow
                Allow from all
        </Proxy>

        # Nach extern ein Lets Encrypt Zertifikat nutzen:
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder     on
        SSLCertificateFile /etc/ssl/certs/wsmail03.pem
        SSLCertificateKeyFile /etc/ssl/private/wsmail03.key
        SSLCertificateChainFile /etc/ssl/certs/r13.pem

        BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>

No Popups, Outlook and ActiveSync works.

Environment:

Exchange 2019 CU15 on Windows Server 2022
I enabled Extended Protection with: ExchangeExtendedProtectionManagement.ps1
The certificate on Exchange IIS and the Apache2 is the same.

Installation:

apt-get install apache2
a2enmod headers
a2enmod rewrite
a2enmod proxy_http
a2enmod ssl
a2dismod mpm_event
a2enmod mpm_prefork

I followed this Guide:

https://znil.net/index.php?title=Apache2_als_Reverse_Proxy_f%C3%BCr_Exchange_2010_2013_2016_2019_inklusive_Outlook_Anywhere_RPC_over_http

Hello,

I'm using Squid as intranparent forward proxy, now I need to access a internal server over a public IP and this does not work.
When I use no proxy and the rules from:
https://docs.opnsense.org/manual/how-tos/nat_reflection.html#method-1-creating-manual-port-forward-nat-dnat-manual-outbound-nat-snat-and-automatic-firewall-rules
it works, but I found no possibility to SNAT the Squid proxy itself, how can this be done?

Hello,

Caddy works in my Environment with Exchange 2016 CU22 (Windows Server 2016), in the same Environment the UTM also works but the OPNWAF does not.
Extended Security requires the same certificate on the Exchange IIS and the reverse Proxy, we have that in those three configurations.
I will try OPNWAF wit a Exchange 2019 and report the results.

Hello,

sorry, I'm not good with vi...

Code Select Expand

ServerName mail.example.com
Listen 443




<VirtualHost *:443>
    ServerName mail.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols http/1.1
    SSLCertificateFile    /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.pem
    SSLCertificateKeyFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>

<Location />
    SetEnv proxy-initial-not-pooled
    SetEnv proxy-aside-c
    ProxyPass https://10.10.10.5/ connectiontimeout=900
    ProxyPassReverse https://10.10.10.5/
</Location>





    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>



<VirtualHost *:443>
    ServerName autodiscover.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols http/1.1
    SSLCertificateFile    /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.pem
    SSLCertificateKeyFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>
<Location />
    SetEnv proxy-initial-not-pooled
    SetEnv proxy-aside-c
    ProxyPass https://10.10.10.5/ connectiontimeout=900
    ProxyPassReverse https://10.10.10.5/
</Location>



    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>

Now Outlook asks permanently for the password, no Email Body will we displayed even after entering the password.

Hello,

no difference, I have to enter the Password 3 time after starting Outlook before I can read the body of a Mail:

Code Select Expand

ServerName mail.example.com
Listen 443




<VirtualHost *:443>
    ServerName mail.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols http/1.1
    SSLCertificateFile    /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.pem
    SSLCertificateKeyFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>

<LocatioN />
    SetEnv proxy-initial-not-pooled
    SetEnv proxy-aside-c
    ProxyPass https://10.10.10.5/ connectiontimeout=900
    ProxyPassReverse https://10.10.10.5/
</Location>





    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>



<VirtualHost *:443>
    ServerName autodiscover.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols http/1.1
    SSLCertificateFile    /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.pem
    SSLCertificateKeyFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>



    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>


And the log for the actual test:

Code Select Expand

<166>1 2025-12-11T10:51:22+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="1"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/nspi/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 3798 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="2"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/nspi/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="3"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/nspi/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1480 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="4"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="5"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1752 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="6"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="7"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1627 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="8"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="9"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1565 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="10"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="11"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1471 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="12"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="13"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1482 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="14"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="15"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1682 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="16"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="17"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1453 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="18"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="19"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 844 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="20"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1481 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="21"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="22"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 2149 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="23"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="24"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1472 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="25"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/nspi/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="26"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/nspi/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1479 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="27"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="28"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1484 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="29"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="30"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1482 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="31"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:23+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="32"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1488 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="33"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="34"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 2737 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="35"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="36"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1484 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="37"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="38"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1599 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="39"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="40"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1491 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="41"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="42"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1596 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="43"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="44"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1484 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="45"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="46"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1473 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="47"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="48"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1475 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="49"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 401 702 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"
<166>1 2025-12-11T10:51:24+01:00 rzfw01.example.com httpd 99272 - [meta sequenceId="50"] mail.example.com:443 62.54.xxx.xxx - - "POST /mapi/emsmdb/?MailboxId=31c164bf-6496-4b7c-8ed4-52e466adb9dd@example.com HTTP/1.1" 200 1455 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14332; Pro)"

Hello,

I changed it to:

Code Select Expand

ServerName mail.example.com
Listen 443




<VirtualHost *:443>
    ServerName mail.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols h2 http/1.1
    SSLCertificateFile    /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.pem
    SSLCertificateKeyFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>

<Location />
    ProxyPass https://10.10.10.5/ connectiontimeout=900
    ProxyPassReverse https://10.10.10.5/
</Location>





    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>



<VirtualHost *:443>
    ServerName autodiscover.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols h2 http/1.1
    SSLCertificateFile    /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.pem
    SSLCertificateKeyFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>



    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>

Unfortunately no difference, popups are still appearing.

Hello,

commenting the both lines out + service apache24 restart also didn't help in our environment:

cat /usr/local/etc/apache24/Includes/gateway_vhosts.conf | grep "Redirect / /owa/"
#    Redirect / /owa/
#    Redirect / /owa/

The popups still appear.
For our environment the problem was from the beginning with OPNWAF, but the opnsense runs onyl sinde 2 weeks...

We can debug or give you access to the firewall, for now the opnsense runs parallel to the UTM and is not really in use from internal or external (default GW is still the UTM, the DNS Records point to the UTM public IPs, when I test the OPNWAF I edit my hosts file)

Hello,

thats the content of ls -lla /var/chroot-reverseproxy/usr/apache/modules/

Thanks!

Code Select Expand

-rw-r--r-- 1 root root  17381 Jun 16  2023 httpd.exp
-rwxr-xr-x 1 root root   9832 Jun 16  2023 mod_access_compat.so
-rwxr-xr-x 1 root root  18080 Jun 16  2023 mod_alias.so
-rwxr-xr-x 1 root root   5704 Jun 16  2023 mod_allowmethods.so
-rwxr-xr-x 1 root root  13956 Jun 16  2023 mod_auth_basic.so
-rwxr-xr-x 1 root root  34636 Jun 16  2023 mod_auth_digest.so
-rwxr-xr-x 1 root root  26308 Jun 16  2023 mod_auth_form.so
-rwxr-xr-x 1 root root   9860 Jun 16  2023 mod_authn_core.so
-rwxr-xr-x 1 root root   9828 Jun 16  2023 mod_authn_file.so
-rwxr-xr-x 1 root root  13992 Jun 16  2023 mod_authn_socache.so
-rw-r--r-- 1 root root  30436 Jun 16  2023 mod_authnz_aua.so
-rwxr-xr-x 1 root root  18092 Jun 16  2023 mod_authz_blacklist.so
-rwxr-xr-x 1 root root  22212 Jun 16  2023 mod_authz_core.so
-rwxr-xr-x 1 root root  13956 Jun 16  2023 mod_authz_dbd.so
-rwxr-xr-x 1 root root   9868 Jun 16  2023 mod_authz_groupfile.so
-rwxr-xr-x 1 root root   9860 Jun 16  2023 mod_authz_host.so
-rwxr-xr-x 1 root root   5700 Jun 16  2023 mod_authz_user.so
-rwxr-xr-x 1 root root  79776 Jun 16  2023 mod_avscan.so
-rw-r--r-- 1 root root  18120 Jun 16  2023 mod_backtrace.so
-rwxr-xr-x 1 root root  13920 Jun 16  2023 mod_buffer.so
-rwxr-xr-x 1 root root  34532 Jun 16  2023 mod_cache_disk.so
-rwxr-xr-x 1 root root  71696 Jun 16  2023 mod_cache.so
-rwxr-xr-x 1 root root  34572 Jun 16  2023 mod_cache_socache.so
-rwxr-xr-x 1 root root  18112 Jun 16  2023 mod_cookie.so
-rw-r--r-- 1 root root   9804 Jun 16  2023 mod_custom_blockpage.so
-rwxr-xr-x 1 root root  34532 Jun 16  2023 mod_deflate.so
-rw-r--r-- 1 root root   7460 Jun 24  2010 mod_envbyip.so
-rwxr-xr-x 1 root root   9824 Jun 16  2023 mod_env.so
-rwxr-xr-x 1 root root  13960 Jun 16  2023 mod_expires.so
-rwxr-xr-x 1 root root  22308 Jun 16  2023 mod_ext_filter.so
-rwxr-xr-x 1 root root   9892 Jun 16  2023 mod_file_cache.so
-rwxr-xr-x 1 root root  18080 Jun 16  2023 mod_filter.so
-rw-r--r-- 1 root root  13988 Jun 16  2023 mod_firehose.so
-rwxr-xr-x 1 root root  59280 Oct 27  2023 mod_form_hardening.so
-rwxr-xr-x 1 root root  18180 Jun 16  2023 mod_headers.so
-rwxr-xr-x 1 root root  51044 Jun 16  2023 mod_include.so
-rwxr-xr-x 1 root root  26276 Jun 16  2023 mod_info.so
-rwxr-xr-x 1 root root   5712 Jun 16  2023 mod_lbmethod_bybusyness.so
-rwxr-xr-x 1 root root   5712 Jun 16  2023 mod_lbmethod_byrequests.so
-rwxr-xr-x 1 root root   5712 Jun 16  2023 mod_lbmethod_bytraffic.so
-rwxr-xr-x 1 root root  14032 Jun 16  2023 mod_lbmethod_heartbeat.so
-rwxr-xr-x 1 root root  30544 Jun 16  2023 mod_log_config.so
-rwxr-xr-x 1 root root   9860 Jun 16  2023 mod_log_debug.so
-rwxr-xr-x 1 root root  18080 Jun 16  2023 mod_macro.so
-rwxr-xr-x 1 root root  18112 Jun 16  2023 mod_mime.so
-rwxr-xr-x 1 root root  30632 Jun 16  2023 mod_mpm_prefork.so
-rwxr-xr-x 1 root root  43012 Jun 16  2023 mod_mpm_worker.so
-rwxr-xr-x 1 root root  30536 Jun 16  2023 mod_negotiation.so
-rw-r--r-- 1 root root  22148 Jun 16  2023 mod_pcap.so
-rwxr-xr-x 1 root root  59340 Jun 16  2023 mod_proxy_balancer.so
-rwxr-xr-x 1 root root  13992 Jun 16  2023 mod_proxy_connect.so
-rwxr-xr-x 1 root root   9832 Jun 16  2023 mod_proxy_express.so
-rwxr-xr-x 1 root root  30564 Jun 16  2023 mod_proxy_fcgi.so
-rwxr-xr-x 1 root root   9832 Jun 16  2023 mod_proxy_fdpass.so
-rwxr-xr-x 1 root root  30568 Jun 16  2023 mod_proxy_hcheck.so
-rwxr-xr-x 1 root root  38732 Jun 16  2023 mod_proxy_html.so
-rwxr-xr-x 1 root root  38820 Jun 16  2023 mod_proxy_http.so
-rwxr-xr-x 1 root root  67496 Jun 16  2023 mod_proxy_msrpc.so
-rwxr-xr-x 1 root root  18180 Jun 16  2023 mod_proxy_scgi.so
-rwxr-xr-x 1 root root 154504 Jun 16  2023 mod_proxy.so
-rwxr-xr-x 1 root root  14036 Jun 16  2023 mod_proxy_uwsgi.so
-rwxr-xr-x 1 root root  22216 Jun 16  2023 mod_proxy_wstunnel.so
-rwxr-xr-x 1 root root   9828 Jun 16  2023 mod_ratelimit.so
-rwxr-xr-x 1 root root  26340 Jun 16  2023 mod_remoteip.so
-rwxr-xr-x 1 root root  13992 Jun 16  2023 mod_reqtimeout.so
-rwxr-xr-x 1 root root   9860 Jun 16  2023 mod_request.so
-rw-r--r-- 1 root root  13928 Jun 16  2023 mod_reverse_auth.so
-rwxr-xr-x 1 root root  71748 Jun 16  2023 mod_rewrite.so
-rw-r--r-- 1 root root 617532 Jun 16  2023 mod_security2_beta.so
-rw-r--r-- 1 root root 650424 Jun 16  2023 mod_security2.so
-rwxr-xr-x 1 root root  34496 Jun 16  2023 mod_sed.so
-rwxr-xr-x 1 root root   9832 Jun 16  2023 mod_session_cookie.so
-rwxr-xr-x 1 root root  22248 Jun 16  2023 mod_session_crypto.so
-rwxr-xr-x 1 root root  13992 Jun 16  2023 mod_session_dbd.so
-rw-r--r-- 1 root root  51084 Jun 16  2023 mod_session_server.so
-rwxr-xr-x 1 root root  18116 Jun 16  2023 mod_session.so
-rwxr-xr-x 1 root root  13956 Jun 16  2023 mod_setenvif.so
-rwxr-xr-x 1 root root  18088 Jun 16  2023 mod_slotmem_shm.so
-rwxr-xr-x 1 root root  13992 Jun 16  2023 mod_socache_dbm.so
-rwxr-xr-x 1 root root  13968 Jun 16  2023 mod_socache_memcache.so
-rwxr-xr-x 1 root root  13964 Jun 16  2023 mod_socache_redis.so
-rwxr-xr-x 1 root root  22156 Jun 16  2023 mod_socache_shmcb.so
-rwxr-xr-x 1 root root 237392 Jun 16  2023 mod_ssl.so
-rwxr-xr-x 1 root root  22212 Jun 16  2023 mod_status.so
-rwxr-xr-x 1 root root  18084 Jun 16  2023 mod_substitute.so
-rwxr-xr-x 1 root root   9748 Jun 16  2023 mod_unique_id.so
-rwxr-xr-x 1 root root  13952 Jun 16  2023 mod_unixd.so
-rwxr-xr-x 1 root root  30472 Jun 16  2023 mod_url_hardening.so
-rwxr-xr-x 1 root root   9828 Jun 16  2023 mod_version.so
-rw-r--r-- 1 root root  14088 Jun 16  2023 mod_waf_exceptions.so
-rwxr-xr-x 1 root root  18152 Jun 16  2023 mod_watchdog.so
-rw-r--r-- 1 root root  18204 Jun 16  2023 mod_whatkilledus.so
-rwxr-xr-x 1 root root  26340 Jun 16  2023 mod_xml2enc.so


Hello,

here's the UTM configuration, I replaced the domain with example.com

/var/chroot-reverseproxy/usr/apache/conf/httpd.conf

Code Select Expand

ServerRoot /usr/apache
DefaultRuntimeDir /var/run/apache2
PidFile /var/run/apache2.pid

Include conf/modules.conf
Include conf/mpm.conf
Include conf/modsecurity.conf

HostnameLookups Off
ExtendedStatus On
ServerTokens Prod
ServerSignature Off
Header unset Server

User nobody
Group nogroup

Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 15

UseCanonicalName On
CoreDumpDirectory "/tmp"

SecDataDir /tmp
SecTmpDir /tmp

LogFormat "id=\"0299\" srcip=\"%a\" localip=\"%A\" size=\"%B\" user=\"%u\" host=\"%h\" method=\"%<m\" statuscode=\"%s\" reason=\"%<{block-reason}e\" extra=\"%<{block-reason-extra}e\" exceptions=\"%<{matched-exceptions}n\" time=\"%D\" url=\"%U\" server=\"%{Host}i\" port=\"%p\" query=\"%q\" referer=\"%{Referer}i\" cookie=\"%{Cookie}i\" set-cookie=\"%{Set-Cookie}o\" websocket_scheme=\"%{scheme}w\" websocket_protocol=\"%{protocol}w\" websocket_key=\"%{key}w\" websocket_version=\"%{version}w\" uid=\"%{UNIQUE_ID}e\"" astaro
ErrorLog syslog:local1
CustomLog "|/bin/logger -p local1.info -t httpd" astaro
LogLevel notice

## Uncomment these lines for extended debug logging
#LoadModule firehose_module /usr/apache/modules/mod_firehose.so
#FirehoseProxyConnectionInput /tmp/proxy-input.firehose
#FirehoseProxyConnectionOutput /tmp/proxy-output.firehose
#FirehoseConnectionInput /tmp/input.firehose
#FirehoseConnectionOutput /tmp/output.firehose

## Uncomment these lines for traffic dumping in pcap format
#LoadModule pcap_module /usr/apache/modules/mod_pcap.so
#PcapFileName /tmp/WAF.pcap
#PcapNetworkProtocol ip

SecRule ENV:block-reason "@streq cookie"         "phase:5,id:99001,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq url hardening"  "phase:5,id:99002,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq form hardening" "phase:5,id:99003,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq av"             "phase:5,id:99004,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq dnsrbl"         "phase:5,id:99005,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq geoip"          "phase:5,id:99006,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"

TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-bzip2 .bz2

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gvfs/1" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache        shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCacheTimeout  300
SSLHonorCipherOrder On
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
SSLProxyCheckPeerName off
# Disable transparent compression of SSL data transfers.
# This mitigates impact of SSL "CRIME" attacks (CVE-2012-4929)
SSLCompression off
SSLSessionTickets off

# Drop the (Request-)Range header if more than 5 ranges (CVE-2011-3192)
SetEnvIf Range (,.*?){5} bad-range=1
RequestHeader unset Range env=bad-range
SetEnvIf Request-Range (,.*?){5} bad-request-range=1
RequestHeader unset Request-Range env=bad-request-range

ProxyWebsocketFallbackToProxyHttp off

# ClamavTmpdir    /tmp/clamav
# ClamavSocket    /var/run/clamav/clamd.ctl
# ClamavMode      daemon
# ClamavPermissions 0644

# <Location /clamav>
#       SetHandler clamav
# </Location>

CookieLimit 1000

Include conf/status.conf

Include conf/reverseproxy.conf


/var/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf

Code Select Expand

KeepAlive On
ServerName rzfw01.example.com
ServerAdmin support-hsg@example.com
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDH+AESGCM:ECDH+AES256:ECDH+AES128:RSA+AESGCM:RSA+AES:ECDH+3DES:RSA+3DES:!aNULL:!MD5:!DSS:!DHE
RemoteIPProxyProtocol Off
Listen 93.189.156.39:443 https
Listen 93.189.156.39:80 http
<VirtualHost 93.189.156.39:443>
        ServerName mail.example.com
        ServerAlias autodiscover.example.com
        ServerAlias ex03.example.com
        SSLProxyEngine On
        SSLEngine On
        SSLCertificateFile /usr/apache/conf/ssl/REF_wyZfriWfxEsZ.pem
        SSLCACertificatePath /usr/apache/conf/cacerts/
        SSLCertificateKeyFile /usr/apache/conf/ssl/REF_wyZfriWfxEsZ.key
        RequestHeader set X-Forwarded-Proto https
        DocumentRoot /var/www/REF_RevFroAutodiscov
        SetEnv proxy-initial-not-pooled
        <Proxy balancer://0e9f56dedc1c6a43ee0c263a6d1b336b>
                BalancerMember https://10.10.10.5 status=-SE timeout=300
        </Proxy>
        <Proxy balancer://756724cd34319588665693abb5819b66>
                BalancerMember https://10.10.10.5 status=-SE timeout=300
        </Proxy>
        <Location "/">
                SetEnv proxy-aside-c
                ProxyPass "balancer://0e9f56dedc1c6a43ee0c263a6d1b336b/" lbmethod=bybusyness
                ProxyPassReverse "https://10.10.10.5:443/"
                ProxyPassReverse "https://10.10.10.5/"
                SetOutputFilter DEFLATE
                <RequireAll>
                        Require all granted
                </RequireAll>
        </Location>
        <Location "/ecp">
                SetEnv proxy-aside-c
                ProxyPass "balancer://756724cd34319588665693abb5819b66/ecp" lbmethod=bybusyness
                ProxyPassReverse "https://10.10.10.5:443/ecp"
                ProxyPassReverse "https://10.10.10.5/ecp"
                SetOutputFilter DEFLATE
                <RequireAll>
                        <RequireAny>
                                Require ip 10.0.0.0/16
                        </RequireAny>
                </RequireAll>
        </Location>
</VirtualHost>
<VirtualHost 93.189.156.39:80>
        ServerName REF_RevFroAutodiscov_redirect_ssl
        ServerAlias mail.example.com
        ServerAlias autodiscover.example.com
        ServerAlias ex03.example.com
        <Location />
                Require all granted
                RedirectSSL permanent / 443
        </Location>
</Virtualhost>


/var/chroot-reverseproxy/usr/apache/conf/status.conf

Code Select Expand

Listen 127.0.0.1:4080
<VirtualHost 127.0.0.1:4080>
        ServerName localhost
        ProxyStatus On
        RemoteIPProxyProtocol Off
        SecAuditEngine Off
        <Location /status>
                SetHandler server-status
                Require local
        </Location>
        <Location /lb-status>
                SetHandler balancer-status
                Require local
        </Location>
        <Location /session-cleanup>
                SetHandler session-cleanup-handler
                Require local
                SessionServerStorageDir /var/lib/apache2/sessions
                SessionServerStorageMaxFiles 25000
        </Location>
</VirtualHost>


Hello,

sure, I did it as described in https://docs.opnsense.org/vendor/deciso/opnwaf.html#exchange-server
I set up the mail and the autodiscover virtual server as described and I also played with the authentication settings in the exchange virtual directories, no change. The same exchnage server works with the Caddy Plugin and the Sophos UTM WAF, any ideas?