os-OPNWAF / Exchange 2019 authentication Popups

Started by humnab, December 05, 2025, 04:44:04 PM

Previous topic - Next topic
Print
Go Down Pages 1 2
User actions
December 11, 2025, 11:09:10 AM #15
Thanks for testing.

The Sophos config has these two settings, can you add them to the location?

Code Select
SetEnv proxy-initial-not-pooled
SetEnv proxy-aside-c

If that didn't change anything remove http/2 and force http/1.1

Replace:
Code Select
Protocols h2 http/1.1With:
Code Select
Protocols http/1.1
Please try these one by one so we can figure out which one did the trick. I imagine the http/1.1 might do something, since Caddy does the same when enabling the NTML module in it.
Hardware:
DEC740
December 11, 2025, 04:51:40 PM #16
Hello,

no difference, I have to enter the Password 3 time after starting Outlook before I can read the body of a Mail:

Code Select
ServerName mail.example.com
Listen 443




<VirtualHost *:443>
    ServerName mail.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols http/1.1
    SSLCertificateFile    /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.pem
    SSLCertificateKeyFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>

<LocatioN />
    SetEnv proxy-initial-not-pooled
    SetEnv proxy-aside-c
    ProxyPass https://10.10.10.5/ connectiontimeout=900
    ProxyPassReverse https://10.10.10.5/
</Location>





    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>



<VirtualHost *:443>
    ServerName autodiscover.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols http/1.1
    SSLCertificateFile    /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.pem
    SSLCertificateKeyFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>



    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
December 11, 2025, 04:57:49 PM #17 Last Edit: December 12, 2025, 08:29:13 AM by Monviech (Cedrik)
Sorry to be really specific but in the first virtual host you have

"LocatioN"

and in the second virtual host you dont have any location. Can you put the same location in there?

Could you fix that and retry just to be 100% sure?

------

A tangent, I dont think the password input is relevant, I think it also work if you click the popup away without entering anything (I assume).

------

EDIT: I will test this again with my own exchange server so I can iterate faster over possible solutions and come back here if I find something.
Hardware:
DEC740
December 12, 2025, 08:37:50 AM #18
Hello,

sorry, I'm not good with vi...


Code Select
ServerName mail.example.com
Listen 443




<VirtualHost *:443>
    ServerName mail.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols http/1.1
    SSLCertificateFile    /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.pem
    SSLCertificateKeyFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>

<Location />
    SetEnv proxy-initial-not-pooled
    SetEnv proxy-aside-c
    ProxyPass https://10.10.10.5/ connectiontimeout=900
    ProxyPassReverse https://10.10.10.5/
</Location>





    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>



<VirtualHost *:443>
    ServerName autodiscover.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols http/1.1
    SSLCertificateFile    /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.pem
    SSLCertificateKeyFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>
<Location />
    SetEnv proxy-initial-not-pooled
    SetEnv proxy-aside-c
    ProxyPass https://10.10.10.5/ connectiontimeout=900
    ProxyPassReverse https://10.10.10.5/
</Location>



    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>

Now Outlook asks permanently for the password, no Email Body will we displayed even after entering the password.
December 12, 2025, 09:19:07 AM #19 Last Edit: December 12, 2025, 05:21:33 PM by Monviech (Cedrik)
Thank you so far I am in the process of creating a new AD/Exchange VM and test it myself. I'll post here when I found out what it is.

EDIT:

I used Exchange 2019 CU 15 for testing.
- There seem to be new features that make using a proxy harder: https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-extended-protection#ssl-bridging-scenarios
- NTLM was hardened too: https://www.heise.de/en/news/Microsoft-takes-measures-against-NTLM-relay-attacks-10194340.html
- NTML is also deprecated, and Kerberos cannot work through a reverse proxy: https://learn.microsoft.com/de-de/windows/whats-new/deprecated-features (check for NTLM)
- The mod_proxy_msrpc only tries to fix "Outlook Anywhere" which is the RPC/http endpoint, not the MAPI/http endpoint. But even that does not seem to work reliably anymore.
- Outlook Classic shows that Microsoft aims to use the web app more prominently

I couldn't even get Outlook Classic it to work with Caddy anymore, also authentication popups.

I have a strong feeling there is no magic solution, and the way Exchange is still sometimes able to be reverse proxied is not actively pursued by any developer anymore since everyone uses the cloud anyway.

If somebody has an idea please let me know.
Hardware:
DEC740
December 15, 2025, 08:52:34 AM #20
Hello,

Caddy works in my Environment with Exchange 2016 CU22 (Windows Server 2016), in the same Environment the UTM also works but the OPNWAF does not.
Extended Security requires the same certificate on the Exchange IIS and the reverse Proxy, we have that in those three configurations.
I will try OPNWAF wit a Exchange 2019 and report the results.
December 15, 2025, 11:59:30 AM #21
Hello everyone,
we have the same problem and the same entries in the log file. We use Exchange 2019 CU 14.
We haven't found a solution yet.
In addition, uploading file attachments in OWA takes forever since we started using OPNsense. We also used Sophos UTM before.
Best regards,
Thomas
December 19, 2025, 02:23:57 PM #22
Hello,

I configured a Apache Reverse Proxy on Ubuntu 24 LTS:

Code Select
# Tipp von Bernd Krumböck wegen Sicherheitsproblemen mit dem MPM Modul und NTLM Authentifizierung
# Clients welche EWS verwenden (z.B. AquaMail) bekommen E-Mails anderer Sitzungen synchronisiert
# ServerLimit und MaxRequestWorkers ggf. an die Anzahl der vorhandenen Clients anpassen
#ServerLimit 300
#MaxRequestWorkers 300
MaxConnectionsPerChild 1

<VirtualHost 192.168.80.221:80>
        ServerName mail.example.com
        ServerAlias autodiscover.example.com
        ServerAdmin webmaster@znil.org

        ErrorLog /var/log/apache2/error.log
        # Nachfolgende Zeile loggt jeden Zugriff, alternativ den Zeile darunter verwenden, dann werden die Logs verworfen
        CustomLog /var/log/apache2/access.log combined
        #CustomLog /dev/null common

        Header always set X-Frame-Options SAMEORIGIN
        Header set Server Apache
        RequestHeader unset Expect early
        Header unset X-AspNet-Version
        Header unset X-OWA-Version
        Header unset X-Powered-By

        ProxyRequests Off
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/owa(.*) https://mail.example.com/owa$1 [R,L]
        RewriteRule ^/ecp(.*) https://mail.example.com/ecp$1 [R,L]
        RewriteRule ^/Microsoft-Server-ActiveSync(.*) https://mail.example.com/Microsoft-Server-ActiveSync$1 [R,L]

        DocumentRoot /var/www/mail.example.com/web

        <Directory />
            Order deny,allow
            Deny from all
        </Directory>

        <Directory /var/www/mail.example.com/web>
            DirectoryIndex index.php index.html
            Options -Indexes +FollowSymLinks
            Order allow,deny
            Allow from all
        </Directory>

        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
</VirtualHost>

<VirtualHost 192.168.80.221:443>
        DocumentRoot /var/www/mail.example.com/web

        ServerName mail.example.com
        ServerAlias autodiscover.example.com
        ServerAdmin webmaster@znil.org

        ErrorLog /var/log/apache2/error.log
        # Nachfolgende Zeile loggt jeden Zugriff, alternativ den Zeile darunter verwenden, dann werden die Logs verworfen
        CustomLog /var/log/apache2/access.log combined
        #CustomLog /dev/null common

        Header always set X-Frame-Options SAMEORIGIN
        Header set Server Apache
        Header unset X-AspNet-Version
        Header unset X-OWA-Version
        Header unset X-Powered-By

        RequestHeader unset Expect early

        SetEnvIf User-Agent ".*MSIE.*" value BrowserMSIE
        # 10.12.2020: Nachfolgende Zeilen würden eine Standardauthentifizierung erzwingen, ist nun nicht mehr Notwendig
        # Tipp von Marco Maus, Fragen an marco.maus@mit-system.eu
        # Header unset WWW-Authenticate
        # Header add WWW-Authenticate "Basic realm=mail.example.com"
        ProxyRequests Off
        ProxyPreserveHost On

        #abgeschaut von https://github.com/phr0gz/Apache-reverse-proxy-for-Exchange-2010-2013-2016/blob/master/webmail.conf
        ProxyVia Full
        RequestHeader edit Transfer-Encoding Chunked chunked early
        RequestHeader unset Accept-Encoding
        TimeOut 1800
        # Ende abgeschaut

        SSLProxyEngine On
        # Problemen mit Kommunikation zwischen Apache-Proxy und Exchange-Server aus dem Wege gehen
        # Alle SSL Prüfungen werden damit ausgeschaltet. So kann z.B. auch intern ein Selbstsigniertes Zertifikat verwendet werden
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        #Nachfolgende Zeile bewirkt das ein Aufruf von nur https://sub.name.suffix auf https://sub.name.suffix/owa weiter geleitet wird.
        Redirect / /owa/

        # owa
        ProxyPass /owa https://192.168.80.112/owa
        ProxyPassReverse /owa https://192.168.80.112/owa
        ProxyPass /OWA https://192.168.80.112/OWA
        ProxyPassReverse /OWA https://192.168.80.112/OWA
        ProxyPass /Owa https://192.168.80.112/Owa
        ProxyPassReverse /Owa https://192.168.80.112/Owa

        # ecp = Adminoberfläche - falls Zugriff nicht gewünscht einfach auskommentieren!
        ProxyPass /ecp https://192.168.80.112/ecp
        ProxyPassReverse /ecp https://192.168.80.112/ecp
        ProxyPass /ECP https://192.168.80.112/ECP
        ProxyPassReverse /ECP https://192.168.80.112/ECP
        ProxyPass /Ecp https://192.168.80.112/Ecp
        ProxyPassReverse /Ecp https://192.168.80.112/Ecp

        # mapi
        ProxyPass /mapi https://192.168.80.112/mapi
        ProxyPassReverse /mapi https://192.168.80.112/mapi

        # ews -> Exchange Web Services
        ProxyPass /ews https://192.168.80.112/ews
        ProxyPassReverse /ews https://192.168.80.112/ews
        ProxyPass /EWS https://192.168.80.112/EWS
        ProxyPassReverse /EWS https://192.168.80.112/EWS
        ProxyPass /Ews https://192.168.80.112/Ews
        ProxyPassReverse /Ews https://192.168.80.112/Ews
        ProxyPass /exchange https://192.168.80.112/exchange
        ProxyPassReverse /exchange https://192.168.80.112/exchange
        ProxyPass /Exchange https://192.168.80.112/Exchange
        ProxyPassReverse /Exchange https://192.168.80.112/Exchange
        ProxyPass /exchweb https://192.168.80.112/exchweb
        ProxyPassReverse /exchweb https://192.168.80.112/exchweb
        ProxyPass /public https://192.168.80.112/public
        ProxyPassReverse /public https://192.168.80.112/public

        # oab (Offline Address Book)
        ProxyPass /oab https://192.168.80.112/oab
        ProxyPassReverse /oab https://192.168.80.112/oab
        ProxyPass /OAB https://192.168.80.112/OAB
        ProxyPassReverse /OAB https://192.168.80.112/OAB

        # RPC over http(s) / Outlook Anywhere
        #OutlookAnywherePassthrough On
        ProxyPass /rpc https://192.168.80.112/rpc
        ProxyPassReverse /rpc https://192.168.80.112/rpc
        ProxyPass /Rpc https://192.168.80.112/Rpc
        ProxyPassReverse /Rpc https://192.168.80.112/Rpc

        # Microsoft-Server-ActiveSync
        ProxyPass /Microsoft-Server-ActiveSync https://192.168.80.112/Microsoft-Server-ActiveSync connectiontimeout=900
        ProxyPassReverse /Microsoft-Server-ActiveSync https://192.168.80.112/Microsoft-Server-ActiveSync

        # Problem mit dem Versenden von Dateianhängen > 128KByte per ActiceSync umgehen (neuer Wert 30MByte)
        <Directory /Microsoft-Server-ActiveSync>
                SSLRenegBufferSize 31457280
        </Directory>

        # AutoDiscover  -> Autodiscover for non-AD integrated Clients (Mac, eg.)
        ProxyPass /autodiscover https://192.168.80.112/autodiscover
        ProxyPassReverse /autodiscover https://192.168.80.112/autodiscover
        ProxyPass /Autodiscover https://192.168.80.112/Autodiscover
        ProxyPassReverse /Autodiscover https://192.168.80.112/Autodiscover
        ProxyPass /AutoDiscover https://192.168.80.112/AutoDiscover
        ProxyPassReverse /AutoDiscover https://192.168.80.112/AutoDiscover

        # Zeichensatz spezifieren fuer Umlaute
        AddDefaultCharset ISO-8859-1

        <Directory />
                Order deny,allow
                Deny from all
        </Directory>

        <Directory /var/www/mail.example.com/web>
                DirectoryIndex index.php index.html
                 Options -Indexes +FollowSymLinks
                Order allow,deny
                Allow from all
        </Directory>

        <Proxy *>
                # 10.12.2020: Nachfolgende 2 Zeilen sind nicht mehr Notwendig
                # Tipp von Marco Maus, Fragen an marco.maus@mit-system.eu
                # SetEnv proxy-nokeepalive 1
                # SetEnv force-proxy-request-1.0 1
                Order deny,allow
                Allow from all
        </Proxy>

        # Nach extern ein Lets Encrypt Zertifikat nutzen:
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder     on
        SSLCertificateFile /etc/ssl/certs/wsmail03.pem
        SSLCertificateKeyFile /etc/ssl/private/wsmail03.key
        SSLCertificateChainFile /etc/ssl/certs/r13.pem

        BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>

No Popups, Outlook and ActiveSync works.

Environment:

Exchange 2019 CU15 on Windows Server 2022
I enabled Extended Protection with: ExchangeExtendedProtectionManagement.ps1
The certificate on Exchange IIS and the Apache2 is the same.

Installation:

apt-get install apache2
a2enmod headers
a2enmod rewrite
a2enmod proxy_http
a2enmod ssl
a2dismod mpm_event
a2enmod mpm_prefork

I followed this Guide:

https://znil.net/index.php?title=Apache2_als_Reverse_Proxy_f%C3%BCr_Exchange_2010_2013_2016_2019_inklusive_Outlook_Anywhere_RPC_over_http




December 19, 2025, 03:18:10 PM #23
We use almost the exact same template.

Only major difference is that mpm-event is used, and not mpm-prefork.

Yet in early tests it did not make a difference, it really did work like a year ago.

Since in my tests now, caddy has also issues, it paints an interesting picture.

Maybe the issue is found outside of apache. Since it always works on linux (ubuntu, sophos UTM), yet not on freebsd (opnsense) anymore, it could be an interaction with pf, or the TCP network stack.
Hardware:
DEC740
December 22, 2025, 03:16:19 PM #24
Hello,

perhaps mpm-prefork / mpm-event is the point to look on:


Quotehttps://znil.net/index.php?title=Apache2_als_Reverse_Proxy_f%C3%BCr_Exchange_2010_2013_2016_2019_inklusive_Outlook_Anywhere_RPC_over_http

a2dismod mpm_event
a2enmod mpm_prefork
systemctl apache2.service restart

Dieser Hinweis stammt von Marco Maus und ist wichtig damit die Authentifizierung per NTLM funktioniert.

This information comes from Marco Maus and is important for NTLM authentication to work.




December 23, 2025, 10:25:02 AM #25
Hello,
we have disabled the mpm_event module in OPNsense on a trial basis and loaded the mpm_prefork module instead by adjusting the httpd.conf:

#LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so

We then restarted the service (service apache24 restart).
Unfortunately, the behaviour is the same.

Merry Christmas and best regards

Thomas
Today at 03:57:24 PM #26
Hello,

I tried it with FreeBSD 14.3, works the same way as with Linux (no Popups):

/usr/local/etc/apache24/httpd.conf

Code Select
#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
# will be interpreted as '/logs/access_log'.

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used.  If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/usr/local"

#
# Mutex: Allows you to set the mutex mechanism and mutex file directory
# for individual mutexes, or change the global defaults
#
# Uncomment and change the directory if mutexes are file-based and the default
# mutex file directory is not on a local disk or is not appropriate for some
# other reason.
#
# Mutex default:/var/run

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
Listen 443

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
#LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
LoadModule authn_file_module libexec/apache24/mod_authn_file.so
#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
#LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
#LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache24/mod_authz_user.so
#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
#LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
#LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
#LoadModule auth_form_module libexec/apache24/mod_auth_form.so
#LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
#LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
#LoadModule file_cache_module libexec/apache24/mod_file_cache.so
#LoadModule cache_module libexec/apache24/mod_cache.so
#LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
#LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
#LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
#LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
#LoadModule watchdog_module libexec/apache24/mod_watchdog.so
#LoadModule macro_module libexec/apache24/mod_macro.so
#LoadModule dbd_module libexec/apache24/mod_dbd.so
#LoadModule dumpio_module libexec/apache24/mod_dumpio.so
#LoadModule buffer_module libexec/apache24/mod_buffer.so
#LoadModule data_module libexec/apache24/mod_data.so
#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
#LoadModule request_module libexec/apache24/mod_request.so
#LoadModule include_module libexec/apache24/mod_include.so
LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule reflector_module libexec/apache24/mod_reflector.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
#LoadModule deflate_module libexec/apache24/mod_deflate.so
LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule mime_module libexec/apache24/mod_mime.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
#LoadModule log_debug_module libexec/apache24/mod_log_debug.so
#LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so
#LoadModule logio_module libexec/apache24/mod_logio.so
LoadModule env_module libexec/apache24/mod_env.so
#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
#LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
#LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule version_module libexec/apache24/mod_version.so
#LoadModule remoteip_module libexec/apache24/mod_remoteip.so
LoadModule proxy_module libexec/apache24/mod_proxy.so
#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
#LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
#LoadModule proxy_uwsgi_module libexec/apache24/mod_proxy_uwsgi.so
#LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
#LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
#LoadModule session_module libexec/apache24/mod_session.so
#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule dialup_module libexec/apache24/mod_dialup.so
#LoadModule http2_module libexec/apache24/mod_http2.so
#LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so
#LoadModule md_module libexec/apache24/mod_md.so
#LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
#LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so
#LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so
#LoadModule dav_module libexec/apache24/mod_dav.so
LoadModule status_module libexec/apache24/mod_status.so
LoadModule autoindex_module libexec/apache24/mod_autoindex.so
#LoadModule asis_module libexec/apache24/mod_asis.so
#LoadModule info_module libexec/apache24/mod_info.so
<IfModule !mpm_prefork_module>
        #LoadModule cgid_module libexec/apache24/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
        #LoadModule cgi_module libexec/apache24/mod_cgi.so
</IfModule>
#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
#LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
#LoadModule negotiation_module libexec/apache24/mod_negotiation.so
LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule imagemap_module libexec/apache24/mod_imagemap.so
#LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule speling_module libexec/apache24/mod_speling.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so

# Third party modules
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf

<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User www
Group www

</IfModule>

# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. admin@your-domain.com
#
ServerAdmin you@example.com

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80

#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
    AllowOverride none
    Require all denied
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/usr/local/www/apache24/data"
<Directory "/usr/local/www/apache24/data">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
    Require all denied
</Files>

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "/var/log/httpd-error.log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    CustomLog "/var/log/httpd-access.log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    #CustomLog "/var/log/httpd-access.log" combined
</IfModule>

<IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to
    # exist in your server's namespace, but do not anymore. The client
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar

    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.

    #
    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/"

</IfModule>

<IfModule cgid_module>
    #
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    #
    #Scriptsock cgisock
</IfModule>

#
# "/usr/local/www/apache24/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/www/apache24/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule headers_module>
    #
    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
    # backend servers which have lingering "httpoxy" defects.
    # 'Proxy' request header is undefined by the IETF, not listed by IANA
    #
    RequestHeader unset Proxy early
</IfModule>

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig etc/apache24/mime.types

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
</IfModule>

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile etc/apache24/magic

#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited

#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
#EnableSendfile on

# Supplemental configuration
#
# The configuration files in the etc/apache24/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.

# Server-pool management (MPM specific)
#Include etc/apache24/extra/httpd-mpm.conf

# Multi-language error messages
#Include etc/apache24/extra/httpd-multilang-errordoc.conf

# Fancy directory listings
#Include etc/apache24/extra/httpd-autoindex.conf

# Language settings
#Include etc/apache24/extra/httpd-languages.conf

# User home directories
#Include etc/apache24/extra/httpd-userdir.conf

# Real-time info on requests and configuration
#Include etc/apache24/extra/httpd-info.conf

# Virtual hosts
#Include etc/apache24/extra/httpd-vhosts.conf
Include etc/apache24/extra/wsmail03.conf

# Local access to the Apache HTTP Server Manual
#Include etc/apache24/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
#Include etc/apache24/extra/httpd-dav.conf

# Various default settings
#Include etc/apache24/extra/httpd-default.conf

# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include etc/apache24/extra/proxy-html.conf
</IfModule>

# Secure (SSL/TLS) connections
#Include etc/apache24/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

Include etc/apache24/Includes/*.conf
Today at 04:00:15 PM #27
/usr/local/etc/apache24/extra/wsmail03.conf


Code Select
# Tipp von Bernd Krumböck wegen Sicherheitsproblemen mit dem MPM Modul und NTLM Authentifizierung
# Clients welche EWS verwenden (z.B. AquaMail) bekommen E-Mails anderer Sitzungen synchronisiert
# ServerLimit und MaxRequestWorkers ggf. an die Anzahl der vorhandenen Clients anpassen
#ServerLimit 300
#MaxRequestWorkers 300
MaxConnectionsPerChild 1

<VirtualHost 192.168.80.43:80>
        ServerName mail.example.com
        ServerAlias autodiscover.example.com
        ServerAdmin webmaster@znil.org

        ErrorLog /var/log/apache2/error.log
        # Nachfolgende Zeile loggt jeden Zugriff, alternativ den Zeile darunter verwenden, dann werden die Logs verworfen
        CustomLog /var/log/apache2/access.log combined
        #CustomLog /dev/null common

        Header always set X-Frame-Options SAMEORIGIN
        Header set Server Apache
        RequestHeader unset Expect early
        Header unset X-AspNet-Version
        Header unset X-OWA-Version
        Header unset X-Powered-By

        ProxyRequests Off
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/owa(.*) https://mail.example.com/owa$1 [R,L]
        RewriteRule ^/ecp(.*) https://mail.example.com/ecp$1 [R,L]
        RewriteRule ^/Microsoft-Server-ActiveSync(.*) https://mail.example.com/Microsoft-Server-ActiveSync$1 [R,L]

        DocumentRoot /var/www/mail.example.com/web

        <Directory />
            Order deny,allow
            Deny from all
        </Directory>

        <Directory /var/www/mail.example.com/web>
            DirectoryIndex index.php index.html
            Options -Indexes +FollowSymLinks
            Order allow,deny
            Allow from all
        </Directory>

        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
</VirtualHost>

<VirtualHost 192.168.80.43:443>
        DocumentRoot /var/www/mail.example.com/web

        ServerName mail.example.com
        ServerAlias autodiscover.example.com
        ServerAdmin webmaster@znil.org

        ErrorLog /var/log/apache2/error.log
        # Nachfolgende Zeile loggt jeden Zugriff, alternativ den Zeile darunter verwenden, dann werden die Logs verworfen
        CustomLog /var/log/apache2/access.log combined
        #CustomLog /dev/null common

        Header always set X-Frame-Options SAMEORIGIN
        Header set Server Apache
        Header unset X-AspNet-Version
        Header unset X-OWA-Version
        Header unset X-Powered-By

        RequestHeader unset Expect early

        SetEnvIf User-Agent ".*MSIE.*" value BrowserMSIE
        # 10.12.2020: Nachfolgende Zeilen würden eine Standardauthentifizierung erzwingen, ist nun nicht mehr Notwendig
        # Tipp von Marco Maus, Fragen an marco.maus@mit-system.eu
        # Header unset WWW-Authenticate
        # Header add WWW-Authenticate "Basic realm=mail.example.com"
        ProxyRequests Off
        ProxyPreserveHost On

        #abgeschaut von https://github.com/phr0gz/Apache-reverse-proxy-for-Exchange-2010-2013-2016/blob/master/webmail.conf
        ProxyVia Full
        RequestHeader edit Transfer-Encoding Chunked chunked early
        RequestHeader unset Accept-Encoding
        TimeOut 1800
        # Ende abgeschaut

        SSLProxyEngine On
        # Problemen mit Kommunikation zwischen Apache-Proxy und Exchange-Server aus dem Wege gehen
        # Alle SSL Prüfungen werden damit ausgeschaltet. So kann z.B. auch intern ein Selbstsigniertes Zertifikat verwendet werden
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        #Nachfolgende Zeile bewirkt das ein Aufruf von nur https://sub.name.suffix auf https://sub.name.suffix/owa weiter geleitet wird.
        Redirect / /owa/

        # owa
        ProxyPass /owa https://192.168.80.112/owa
        ProxyPassReverse /owa https://192.168.80.112/owa
        ProxyPass /OWA https://192.168.80.112/OWA
        ProxyPassReverse /OWA https://192.168.80.112/OWA
        ProxyPass /Owa https://192.168.80.112/Owa
        ProxyPassReverse /Owa https://192.168.80.112/Owa

        # ecp = Adminoberfläche - falls Zugriff nicht gewünscht einfach auskommentieren!
        ProxyPass /ecp https://192.168.80.112/ecp
        ProxyPassReverse /ecp https://192.168.80.112/ecp
        ProxyPass /ECP https://192.168.80.112/ECP
        ProxyPassReverse /ECP https://192.168.80.112/ECP
        ProxyPass /Ecp https://192.168.80.112/Ecp
        ProxyPassReverse /Ecp https://192.168.80.112/Ecp

        # mapi
        ProxyPass /mapi https://192.168.80.112/mapi
        ProxyPassReverse /mapi https://192.168.80.112/mapi

        # ews -> Exchange Web Services
        ProxyPass /ews https://192.168.80.112/ews
        ProxyPassReverse /ews https://192.168.80.112/ews
        ProxyPass /EWS https://192.168.80.112/EWS
        ProxyPassReverse /EWS https://192.168.80.112/EWS
        ProxyPass /Ews https://192.168.80.112/Ews
        ProxyPassReverse /Ews https://192.168.80.112/Ews
        ProxyPass /exchange https://192.168.80.112/exchange
        ProxyPassReverse /exchange https://192.168.80.112/exchange
        ProxyPass /Exchange https://192.168.80.112/Exchange
        ProxyPassReverse /Exchange https://192.168.80.112/Exchange
        ProxyPass /exchweb https://192.168.80.112/exchweb
        ProxyPassReverse /exchweb https://192.168.80.112/exchweb
        ProxyPass /public https://192.168.80.112/public
        ProxyPassReverse /public https://192.168.80.112/public

        # oab (Offline Address Book)
        ProxyPass /oab https://192.168.80.112/oab
        ProxyPassReverse /oab https://192.168.80.112/oab
        ProxyPass /OAB https://192.168.80.112/OAB
        ProxyPassReverse /OAB https://192.168.80.112/OAB

        # RPC over http(s) / Outlook Anywhere
        #OutlookAnywherePassthrough On
        ProxyPass /rpc https://192.168.80.112/rpc
        ProxyPassReverse /rpc https://192.168.80.112/rpc
        ProxyPass /Rpc https://192.168.80.112/Rpc
        ProxyPassReverse /Rpc https://192.168.80.112/Rpc

        # Microsoft-Server-ActiveSync
        ProxyPass /Microsoft-Server-ActiveSync https://192.168.80.112/Microsoft-Server-ActiveSync connectiontimeout=900
        ProxyPassReverse /Microsoft-Server-ActiveSync https://192.168.80.112/Microsoft-Server-ActiveSync

        # Problem mit dem Versenden von Dateianhängen > 128KByte per ActiceSync umgehen (neuer Wert 30MByte)
        <Directory /Microsoft-Server-ActiveSync>
                SSLRenegBufferSize 31457280
        </Directory>

        # AutoDiscover  -> Autodiscover for non-AD integrated Clients (Mac, eg.)
        ProxyPass /autodiscover https://192.168.80.112/autodiscover
        ProxyPassReverse /autodiscover https://192.168.80.112/autodiscover
        ProxyPass /Autodiscover https://192.168.80.112/Autodiscover
        ProxyPassReverse /Autodiscover https://192.168.80.112/Autodiscover
        ProxyPass /AutoDiscover https://192.168.80.112/AutoDiscover
        ProxyPassReverse /AutoDiscover https://192.168.80.112/AutoDiscover

        # Zeichensatz spezifieren fuer Umlaute
        AddDefaultCharset ISO-8859-1

        <Directory />
                Order deny,allow
                Deny from all
        </Directory>

        <Directory /var/www/mail.example.com/web>
                DirectoryIndex index.php index.html
                 Options -Indexes +FollowSymLinks
                Order allow,deny
                Allow from all
        </Directory>

        <Proxy *>
                # 10.12.2020: Nachfolgende 2 Zeilen sind nicht mehr Notwendig
                # Tipp von Marco Maus, Fragen an marco.maus@mit-system.eu
                # SetEnv proxy-nokeepalive 1
                # SetEnv force-proxy-request-1.0 1
                Order deny,allow
                Allow from all
        </Proxy>

        # Nach extern ein Lets Encrypt Zertifikat nutzen:
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder     on
        SSLCertificateFile /etc/ssl/certs/wsmail03.pem
        SSLCertificateKeyFile /etc/ssl/private/wsmail03.key
        SSLCertificateChainFile /etc/ssl/certs/r13.pem

        BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
Print
Go Up Pages 1 2
User actions