SME Server:Documentation:ProxyPass

From SME Server
Jump to: navigation, search

Is this article helpful to you?
Please consider donating or volunteering
Thank you!

Proxy Pass

ProxyPass a domain

This section covers ProxyPass directives in the "domains" database

  • I want to pass some http requests to a server behind my SME Server or external to my site, how can I do this?

You can set a ProxyPass directive that will pass certain requests to an internal or external server that hosts the domain to be proxypassed:

db domains set proxypassdomain.com domain 
db domains setprop proxypassdomain.com Nameservers internet
db domains setprop proxypassdomain.com ProxyPassTarget http://xxx.xxx.xxx.xxx/
db domains setprop proxypassdomain.com TemplatePath ProxyPassVirtualHosts 
signal-event domain-create proxypassdomain.com

where proxypassdomain.com is the domain name hosted on the internal or external server and http://xxx.xxx.xxx.xxx/ is the IP address of the internal or external server eg 192.168.1.20 or 122.456.12.171 (it must be the publicly accessible IP if an external server)

To delete a ProxyPass directive that you previously set up:

db domains delete proxypassdomain.com
signal-event domain-delete proxypassdomain.com


Important.png Note:
If you have added the internal or external server's domain name as a virtual domain on the SME Server, you must remove it prior to issuing these commands. The server-manager domains panel will show the proxy pass entry but you will not be able to edit it, see bugzilla:1612

Also refer to these links for information regarding the proxypass virtual domain feature of SME server, from this thread http://forums.contribs.org/index.php/topic,47795.0.html

http://bugs.contribs.org/show_bug.cgi?id=999

http://forums.contribs.org/index.php?topic=47160.0

http://forums.contribs.org/index.php?topic=46975.0

From this forum post by Charlie Brady http://forums.contribs.org/index.php/topic,49181.msg245408.html#msg245408 is information about https access & expected behaviour re certificates

What happens is that the browser connects to the SME server, then negotiates SSL (verifies the certificate and starts encrypting the connection), then sends the request (hostname + URL). Apache in the SME server then proxies the connection (creates the connection to the internal webserver, passes the request, passes back the response). There's no way that the internal server's certificate can be presented to the browser and used to enable encryption.

ProxyPass a alias/directory/location

This section covers the db settings in the "accounts" database that generate ProxyPass directives in httpd.conf

You can do what you want by creating a custom template fragment that enables proxypass on ".../extra"; the notes from this forum discussion http://forums.contribs.org/index.php/topic,40075.0.html should help.

The following works on SME 7.5.1 and SME 8beta6 systems where the template fragment /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35ProxyPass contains the appropriate code which is automatically generated by issuing the following db commands:

db accounts set extra ProxyPass
db accounts setprop extra Target http://192.168.1.35
db accounts setprop extra Description InternalServer
db accounts setprop extra HTTP on
db accounts setprop extra HTTPS on
db accounts setprop extra ValidFrom 80.90.100.0/24,74.125.93.105
expand-template /etc/httpd/conf/httpd.conf
sv t httpd-e-smith

Note: In the above commands set xxxx ProxyPass, setprop xxxx Target http://<target> and setprop xxxx Description <description> are required; all other lines are optional

Note: It doesn't look like these directives are going to work for HTTPS connections by default (they end up inside a "Listen 0.0.0.0:80" section in httpd.conf). It appears that 35ProxyPass is old (mentioned in a bug from year 2006), while ProxyPass SSL support was fixed in a later bug (in year 2007), by which time the ProxyPass code had been moved to the virtual domains templates.

Note: HTTP and HTTPS are set to yes by default, so there is no need to set it. Apart from that it is preferred to use no when you want it to be disabled, over on/off or enabled/disabled.

Refer to these forum posts:

http://forums.contribs.org/index.php/topic,47741.msg236017.html#msg236017

http://forums.contribs.org/index.php/topic,40075.0.html

ProxyPass for Exchange Outlook Web Access

Users wishing to implement this setup are strongly advised to read in full this forum thread http://forums.contribs.org/index.php/topic,40075.0.html from which the following information was obtained.

  • How can I configure Outlook Web Access access to an internal Exchange 2003 server ?

Issue the following commands (replace "a.b.c.d" with the LAN IP of your exchange server):

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
echo '# ProxyPass Support for Internal Exchange Server
        ProxyPreserveHost On
        #OWA % character in email subject fix
        RewriteEngine On
        RewriteMap percentsubject int:escape
        RewriteCond $1 ^/exchange/.*\%.*$
        RewriteRule (/exchange/.*) ${percentsubject:$1} [P]
        #OWA
        ProxyPass /exchange https://a.b.c.d/exchange
        ProxyPassReverse /exchange https://a.b.c.d/exchange
        ProxyPass /Exchange https://a.b.c.d/exchange
        ProxyPassReverse /Exchange https://a.b.c.d/exchange
        ProxyPass /exchweb https://a.b.c.d/exchweb
        ProxyPassReverse /exchweb https://a.b.c.d/exchweb
        ProxyPass /public https://a.b.c.d/public
        ProxyPassReverse /public https://a.b.c.d/public
        ProxyPass /iisadmpwd https://a.b.c.d/iisadmpwd
        ProxyPassReverse /iisadmpwd https://a.b.c.d/iisadmpwd
        #OMA
        ProxyPass /oma https://a.b.c.d/oma
        ProxyPassReverse /oma https://a.b.c.d/oma
        #ActiveSync (for WM5+ devices)
        ProxyPass /Microsoft-Server-ActiveSync https://a.b.c.d/Microsoft-Server-ActiveSync
        ProxyPassReverse /Microsoft-Server-ActiveSync https://a.b.c.d/Microsoft-Server-ActiveSync
        #Force 'RequestHeader' in order to get IE to work
# End of Exchange settings
' > 91ProxyPassOWA
expand-template /etc/httpd/conf/httpd.conf
sv restart httpd-e-smith

It is then possible to login to OWA at https://any.sme.domainname.com/exchange from Firefox (and presumably Opera or Safari), but not login using IE7.

In order to login from Internet Explorer it is necessary to disable "Integrated Windows authentication" in IIS on the Exchange Server as follows:

  • start the Internet Information Services (IIS) Manager on the Exchange 2003 server
  • Expand Web Sites
  • Expand Default Web Site
  • right-click on Exchange and select "Properties"
  • click on the Directory Security tab
  • click on the Edit button for "Authentication and access control"
  • remove the check from "Integrated Windows authentication"
  • Click OK
  • Click OK again

Note: no restarts were required on the Exchange server - as soon as the above changes are made it is possible to login successfully using Internet Explorer

  • References & More information:

The above information is based mostly on this post:

http://systembash.com/content/outlook-web-access-apache-proxy/

Note: The "RequestHeader" directive discussed here was unnecessary when tested on a SME 7.2 system

Here is an expanded entry that includes info on Exchange 2007:

http://www.utahsysadmin.com/2007/12/20/apache-reverseproxy-for-owa/

Here are the apache docs for mod_proxy and mod_headers:

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass

http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxypass

http://httpd.apache.org/docs/2.0/mod/mod_headers.html

  • User feedback & additional information re above method:

This method works well except that it was necessary to add a line or two to support /owa which is the directory expected for owa to run. It works with every domain hosted on the SME 7.4 server used. To limit it to one publically resolvable domain, was resolved as follows:

This applies to a SME 7.4 with more than one virtual host that has publically accessible FQDN. To achieve this ISP like setup, the SME server (and all other server) was configured with a ficticious domain like private.local and everything in the network setup such that it is not routable from outside. In this scenario, only the SME server is publically accessible (and behind a WAG54GP2 router with ports 80, 443 open). Using DYNDNS.ORG an account was created and two domains purchased:

domainA.com

domainB.co.nz

Use the DynDNS administrator to setup cnames like:

www.domainA.com -> domainA.com

remote.domainA.com -> domainA.com

www.domainB -> domainB.co.nz

Also note that DynDNS does not sell co.nz domains, these were purchased from domainz.com and pointed the DNS to the DynDNS DNS servers. In the end, any hosts point to the static IP address obtained from World Exchange for an extra $20. In this situation dynamic dns is not being used, but the DynDNS account existed, and it provided redundant DNS, so was easy to retain.

SME server was setup with add-ons like Wordpress etc. in each iBay as required such that www.domainA.com and www.domainB.co.nz go to different Wordpress blogs by default (refer to the FAQ on contribs.org and the instructons on wordpress.org to setup wordpress in an iBay).

On the LAN and on a 192.168.* address (non-routable) there is an Exchange server.

The requirements were to have the OWA component available from outside the LAN and a 'home office' webpage.

Making it slightly more difficult to implement, the requirement was for www.domainA.com to go to SME iBay and homeoffice.domainA.com to go to Windows server - iis.private.local and have iis.private.local/owa work correctly.

This is so that the IIS and Exchange server can be "hidden" behind Apache, and a single certificate obtained & utilised.

To achieve this, Apache must resolve everything to iBays, except the one virtual host and it's /owa directories.

1. Enable SSLProxy:

create a file /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSLProxyEngine containing only the words "SSLProxyEngine on" on a single line, no quotes.

2. Using this threads info as above, except, include a VirtualHosts directive for the remote domain:

create a file /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/76ProxyPass

which looks like this:

# Forward remote.domainA.com to iis.private.local
 <VirtualHost 0.0.0.0:80>
 ServerName remote.domainA.com
 ProxyPass / http://iis.private.local/
 ProxyPassReverse / http://iis.private.local/
 </VirtualHost>
 <VirtualHost 0.0.0.0:443>
 ServerName remote.domainA.com
 ProxyPass / https://iis.private.local/
 ProxyPassReverse / https://iis.private.local/
# Preserve meta info in the http line as a resolvable request
 ProxyPreserveHost On
#OWA % character in email subject fix
 RewriteEngine On
 RewriteMap percentsubject int:escape
 RewriteCond $1 ^/exchange/.*\%.*$
 RewriteRule (/exchange/.*) ${percentsubject:$1} [P]
#OWA
 ProxyPass /exchange https://iis.private.local/exchange
 ProxyPassReverse /exchange https://iis.private.local/exchange
 ProxyPass /owa https://iis.private.local/owa
 ProxyPassReverse /owa https://iis.private.local/owa
 ProxyPass /Exchange https://iis.private.local/exchange
 ProxyPassReverse /Exchange https://iis.private.local/exchange
 ProxyPass /exchweb https://iis.private.local/exchweb
 ProxyPassReverse /exchweb https://iis.private.local/exchweb
 ProxyPass /public https://iis.private.local/public
 ProxyPassReverse /public https://iis.private.local/public
 ProxyPass /iisadmpwd https://iis.private.local/iisadmpwd
 ProxyPassReverse /iisadmpwd https://iis.private.local/iisadmpwd
#OMA
 ProxyPass /oma https://iis.private.local/oma
 ProxyPassReverse /oma https://iis.private.local/oma
#ActiveSync (for WM5+ devices)
 ProxyPass /Microsoft-Server-ActiveSync https://iis.private.local/Microsoft-Server-ActiveSync
 ProxyPassReverse /Microsoft-Server-ActiveSync https://iis.private.local/Microsoft-Server-ActiveSync
# End of Exchange settings
</VirtualHost>

where iis.private.local is the private instance of IIS. and remote.domainA.com is a publically addressable domain that resolves to the public side of the SME server. To be sure this works, you must be able to resolve iis.private.local from the sme server (add a hostname record with correct internal IP address). Ensure the Integrated Authentication is disabled for OWA (leave basic auth on).

3. Expand template & Restart the SME webserver

expand-template /etc/httpd/conf/httpd.conf
sv restart httpd-e-smith

Note: You can use IPaddresses, but this is cumbersome to maintain and open to error. All FQDN's must be resolvable internally and externally respectively. If this is confusing, start small. Also, IIS will not have a default page except to say the site is under construction, it is necessary to create a basic webpage with a link to the owa page to make usage easy.

Testing:

From another external computer at another location or internet cafe, go to http://www.domainA.com, it should go to the wordpress server as has been setup.

http://www.domainB.com should go to that other wordpress server as setup. If you access any https site, it should also give a certificate and open the respective wordpress server as has been setup.

If you access http://remote.domainA.com or https://remote.domainA.com it should go to the IIS server and no other address (this for example will allow you to sell webhosting without the possibility of customers accessing the IIS server). Next step is to create a default page on IIS that has useful information for the own home office and includes links to webmail for people who cannot remember long or confusing URLs etc.

  • Other useful resources:

http://bugs.contribs.org/show_bug.cgi?id=1612

The apache docs

Google

DNS Forwarding

The dnscache service can be configured to forward all queries for a specific domain to an alternate server, or to block DNS for a domain by configuring forwarding to 'localhost', without affecting any other services or configuration files. See Bugzilla:6848

This is done using the "domain-remote" record type in the domains db:

To forward all DNS for <domainname> to the specified remote DNS server:

db domains set <domainname> domain-remote a.b.c.d

To block lookups for <domainname>:

db domains set <domainname> domain-remote localhost