LinuxQuestions.org
Linux - Server forum
#1  rvicker (Member, Fedora)  10-11-2011, 02:32 PM
Question Bad Gateway using Apache as rev proxy for Exchange 2007


I am trying to move an ancient (FC8) config of using Apache as a reverse proxy to an Exchange 2007 server to a new Fedora 14 system.

I am using HTTPS both to the reverse proxy and from it to the Exchange server. Both are using self signed certificates.

I copied all the settings over from the old system; however, when I go to the web page I get

Bad Gateway

The proxy server received an invalid response from an upstream server.
Apache/2.2.17 (Fedora) Server at newserver.company.org Port 443

The only things I can find in the logs are in the error log:

[Tue Oct 11 14:17:57 2011] [error] [client 10.0.1.22] Certificate Verification: Error (20): unable to get local issuer certificate

[Tue Oct 11 14:17:57 2011] [error] (502)Unknown error 502: proxy: pass request body failed to 10.0.1.22:443 (exchange.company.org)

[Tue Oct 11 14:17:57 2011] [error] proxy: pass request body failed to 10.0.1.22:443 (exchange.company.org) from 10.0.0.199 ()


What am I missing that is different between the old Apache, which is still working, and the new one?

Thanks.

Last edited by rvicker; 10-11-2011 at 02:35 PM.
 
#2  cheesus (Member, SuSE; Munich, Germany)  10-14-2011, 01:05 PM
Well, errno 20 is
Quote:
#define ENOTDIR 20 /* Not a directory */
(from /usr/include/asm-generic/errno-base.h)
so maybe you gave a file parameter where Apache expected a directory?
Without seeing your config, this is hard...
Cheers!
 
#3  rvicker (Original Poster)  10-18-2011, 11:14 AM
I have checked and the .crt and .key files referenced exist.

=========
.conf file
=========

Code:
ProxyReceiveBufferSize 1024


#Exchange

<VirtualHost *:443>
#   DocumentRoot /var/www/html/

    RequestHeader set Front-End-Https "On"

    RewriteEngine On

    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    SSLEngine On
    SSLProxyEngine On
    # Backend certificate verification is optional; no SSLProxyCACertificateFile
    # is configured anywhere in this vhost
    SSLProxyVerify Optional

    SetEnv HTTPS_PORT 443

    ExpiresActive On
    ExpiresDefault "access plus 300 seconds"

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPreserveHost On
    ProxyBadHeader StartBody
    ProxyVia On

    RewriteRule ^/owa$ owa/ [R]

    <Location /owa>
        ProxyPass https://exchange.company.org/owa
        ProxyPassReverse https://exchange.company.org/owa
        SSLRequireSSL

        # Rewrite the WWW-Authenticate header to strip out Windows Integrated
        # Authentication (NTLM) and only use Basic-Auth
        SetEnvIf User-Agent ".*MSIE.*" value
        SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
        Header Always Unset WWW-Authenticate
        Header Always Add WWW-Authenticate "Basic realm=www.company.org"
    </Location>

    <Location /OAB>
        ProxyPass https://exchange.company.org/OAB
        ProxyPassReverse https://exchange.company.org/OAB
        SSLRequireSSL

        # Rewrite the WWW-Authenticate header to strip out Windows Integrated
        # Authentication (NTLM) and only use Basic-Auth
        SetEnvIf User-Agent ".*MSIE.*" value
        SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
        Header Always Unset WWW-Authenticate
        Header Always Add WWW-Authenticate "Basic realm=www.company.org"
    </Location>

    <Location /rpc>
        ProxyPass https://exchange.company.org/rpc
        ProxyPassReverse https://exchange.company.org/rpc
        SSLRequireSSL

        # Rewrite the WWW-Authenticate header to strip out Windows Integrated
        # Authentication (NTLM) and only use Basic-Auth
        SetEnvIf User-Agent ".*MSIE.*" value
        SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
        Header Always Unset WWW-Authenticate
        Header Always Add WWW-Authenticate "Basic realm=www.company.org"
    </Location>

    <Location /ecp>
        ProxyPass https://exchange.company.org/ecp
        ProxyPassReverse https://exchange.company.org/ecp
        SSLRequireSSL

        # Rewrite the WWW-Authenticate header to strip out Windows Integrated
        # Authentication (NTLM) and only use Basic-Auth
        SetEnvIf User-Agent ".*MSIE.*" value
        SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
        Header Always Unset WWW-Authenticate
        Header Always Add WWW-Authenticate "Basic realm=www.company.org"
    </Location>

    <Location /RpcWithCert>
        ProxyPass https://exchange.company.org/RpcWithCert
        ProxyPassReverse https://exchange.company.org/RpcWithCert
        SSLRequireSSL

        # Rewrite the WWW-Authenticate header to strip out Windows Integrated
        # Authentication (NTLM) and only use Basic-Auth
        SetEnvIf User-Agent ".*MSIE.*" value
        SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
        Header Always Unset WWW-Authenticate
        Header Always Add WWW-Authenticate "Basic realm=www.company.org"
    </Location>

    # Enables Windows Mobile ActiveSync
    <Location /Microsoft-Server-ActiveSync>
        ProxyPass https://exchange.company.org/Microso...ver-ActiveSync
        ProxyPassReverse https://exchange.company.org/Microso...ver-ActiveSync
        SSLRequireSSL

        # Rewrite the WWW-Authenticate header to strip out Windows Integrated
        # Authentication (NTLM) and only use Basic-Auth
        SetEnvIf User-Agent ".*MSIE.*" value
        SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
        Header Always Unset WWW-Authenticate
        Header Always Add WWW-Authenticate "Basic realm=www.company.org"
    </Location>

</VirtualHost>
#/Exchange
 
#4  cheesus  10-18-2011, 11:27 AM
I see no newserver.company.org in your config?

Use
curl -i yoururl
to see what's really going over the wire.
(or any other tool like wget, which will display/log the full http(s) traffic...)
 
#5  rvicker (Original Poster)  10-18-2011, 09:35 PM
It looks like the exchange cert is machine name only while Apache is expecting FQDN.

When I tried changing the config to use only the machine name I got an error about verification since the certificate is self signed.

Why did the older system accept this but the new build won't?

=======
wget debug output
=======

Code:
--20:51:39--  https://exchange.company.org/owa/
           => `index.html'
Resolving exchange.company.org... seconds 0.00, 10.0.1.22
Caching exchange.company.org => 10.0.1.22
Connecting to exchange.company.org|10.0.1.22|:443... seconds 0.00, connected.
Created socket 1868.
Releasing 0x009b2d38 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 1868 to SSL handle 0x009b2d98
certificate:
  subject: /CN=exchange
  issuer:  /CN=exchange
ERROR: Certificate verification error for exchange.company.org: unable to get local issuer certificate
ERROR: certificate common name `exchange' doesn't match requested host name `exchange.company.org'.
To connect to exchange.company.org insecurely, use `--no-check-certificate'.
Closed 1868/SSL 0x9b2d98
Unable to establish SSL connection.
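The wget output above, the "Certificate Verification: Error (20)" line in post #1, and the SSLProxyVerify Optional vhost in post #3 are three views of the same two checks that mod_ssl performs on the backend connection. The number in the Apache log is not an errno; it is OpenSSL's X509 verify result 20, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, meaning no trust anchor for the backend certificate was found on the proxy (the vhost sets no SSLProxyCACertificateFile). The second check, comparing the certificate's CN with the hostname in ProxyPass, is done by SSLProxyCheckPeerCN, which exists from httpd 2.2.12 on and defaults to on; a 2.2.6-era FC8 build would not have had it, which is the most likely reason the old proxy accepted a CN=exchange certificate for exchange.company.org. The script below is an added example, not something posted in the thread or shipped with httpd: it reproduces both checks offline with the openssl CLI and prints the directives that turn the optional, unanchored check into a required, pinned one. It assumes a constructed lab CA standing in for whatever issued the Exchange certificate (for a genuinely self-signed one, pin the certificate itself), and the path /etc/pki/tls/certs/exchange-ca.pem is an assumed location for the copied trust file.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce offline what mod_ssl checks
# when it opens the backend TLS connection, and what changes once the issuer
# is pinned and the certificate carries the proxied hostname.
#   - "Certificate Verification: Error (20)" is OpenSSL verify result
#     X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: no trust anchor found.
#   - A CN of "exchange" is not valid for exchange.company.org; a SAN is.
# Assumption: a constructed lab CA stands in for the Exchange cert's issuer.

LAB=$(mktemp -d)

# make_ca: constructed lab issuer (self-signed; openssl's defaults mark it CA:TRUE).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Company Internal CA" \
        -keyout "$LAB/ca.key" -out "$LAB/ca.pem" >/dev/null 2>&1
}

# make_leaf NAME CN [SAN]: issue a server certificate from the lab CA.
make_leaf() {
    name=$1; cn=$2; san=${3:-}
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$LAB/$name.key" -out "$LAB/$name.csr" >/dev/null 2>&1
    if [ -n "$san" ]; then
        printf 'subjectAltName=%s\n' "$san" > "$LAB/$name.ext"
        set -- -extfile "$LAB/$name.ext"
    else
        set --
    fi
    openssl x509 -req -days 30 -in "$LAB/$name.csr" \
        -CA "$LAB/ca.pem" -CAkey "$LAB/ca.key" -CAcreateserial \
        -out "$LAB/$name.pem" "$@" >/dev/null 2>&1
}

# verify_code CERT [CAFILE]: print the X509 verify error number (0 = chain OK),
# the same number mod_ssl logs as "Certificate Verification: Error (N)".
verify_code() {
    cert=$1; cafile=${2:-}
    if [ -n "$cafile" ]; then
        out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1)
    else
        out=$(openssl verify "$cert" 2>&1)
    fi
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at [0-9]* depth.*/\1/p' | head -n 1)
    printf '%s\n' "${code:-0}"
}

# host_matches CERT HOST: succeed if CERT is valid for HOST (SAN, else CN),
# the comparison SSLProxyCheckPeerCN makes against the ProxyPass hostname.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# proxy_trust_directives CAFILE: mod_ssl directives that replace the vhost's
# unanchored "SSLProxyVerify Optional" with a required, pinned check.
proxy_trust_directives() {
    cat <<EOF
SSLProxyEngine On
SSLProxyVerify require
SSLProxyVerifyDepth 1
SSLProxyCACertificateFile $1
SSLProxyCheckPeerCN On
EOF
}

make_ca
make_leaf exchange "exchange"                       # what the thread's Exchange box presents
make_leaf exchange-fqdn "exchange.company.org" "DNS:exchange.company.org,DNS:exchange"

echo "no trust anchor, CN=exchange: verify error $(verify_code "$LAB/exchange.pem")"             # 20
echo "pinned issuer,   CN=exchange: verify error $(verify_code "$LAB/exchange.pem" "$LAB/ca.pem")" # 0
for host in exchange exchange.company.org; do
    if host_matches "$LAB/exchange.pem" "$host"; then m=match; else m="NO match"; fi
    echo "CN=exchange cert vs $host: $m"
    if host_matches "$LAB/exchange-fqdn.pem" "$host"; then m=match; else m="NO match"; fi
    echo "SAN cert         vs $host: $m"
done
echo "--- directives for the proxy vhost (issuer cert copied to the proxy) ---"
proxy_trust_directives /etc/pki/tls/certs/exchange-ca.pem   # assumed path
```

Pinning the issuer (or the self-signed leaf) on the proxy is what post #8's "import the certificate" amounts to; SSLProxyVerify require then makes a bad or substituted backend certificate a hard failure instead of a log line, and the SAN on the reissued certificate is what lets the hostname check pass without weakening it.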
 
#6  cheesus  10-19-2011, 06:48 AM

Well, doing SSL with not-fully-QDN seems like a very bad idea to me, so maybe they forbid that for security reasons...
In any case, did you now try with a FQDN?
 
#7  rvicker (Original Poster)  11-22-2011, 03:04 PM
Just for grins I tried another config. I removed the REQUIRE SSL from the Exchange server's IIS configs and changed the Apache proxy/reverse proxy statements from https://... to http://...

Now it connects, but some of the URLs in the browser are missing https://. After entering https://public.company.com/owa it changes to public.company.com/owa/auth/logon.aspx?url=http://public.company.com/owa/&reason=0; if I manually add https:// to the front I get the login screen and everything works from there, except that the page AFTER a logout has the same missing https://.

Apache is the only public accessible server so this config would be workable if the missing https:// didn't happen. Is there a way to make Apache do this correctly?

Do I need to import the exchange certificate into Apache somehow, to make end to end SSL work?
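The missing https:// in the redirect above is a direct consequence of the workaround: Exchange now sees an http request and builds its redirect, including the url= query parameter, from the public hostname it gets via ProxyPreserveHost On. ProxyPassReverse only rewrites a Location value whose prefix equals the backend URL in the directive, so neither https://exchange.company.org/owa nor http://exchange.company.org/owa ever matches http://public.company.com/owa/..., and the query parameter is outside its scope anyway. Two mod_headers edit rules (available from 2.2.4) correct both places. The script below is an added example, not posted in the thread: it prints those directives and applies the same two patterns with sed so they can be checked against captured header values before they go into the vhost. The hostnames are the thread's; the sample Location values are constructed, and the logoff.aspx path is an assumed stand-in for the post-logout redirect. One caveat a practitioner should weigh before keeping this setup: with NTLM stripped in favour of Basic auth, the proxy-to-Exchange leg now carries user passwords in the clear, so fixing the certificate trust (end-to-end TLS) is the better long-term answer.

```shell
#!/bin/sh
# Added example, not from the thread: fix the scheme in the redirects OWA sends
# when the proxy reaches it over plain HTTP. ProxyPassReverse only rewrites a
# Location whose prefix equals the backend URL; with ProxyPreserveHost On the
# backend builds redirects from the public name, so neither the target nor the
# url= query parameter is touched. Two mod_headers "edit" rules fix both.
# Hostnames are the thread's; the sample header values below are constructed.

PUBLIC_HOST=public.company.com
PUBLIC_HOST_RE='public\.company\.com'      # regex-escaped form of PUBLIC_HOST

# owa_https_redirect_directives: lines to add inside each proxied <Location>.
# Rule 1 handles a Location that also carries "url=http://...", rewriting both
# in one pass (2.2's "edit" replaces only the first match); rule 2 handles any
# remaining plain http:// prefix, such as the post-logout redirect.
owa_https_redirect_directives() {
    cat <<EOF
Header edit Location "^http://${PUBLIC_HOST_RE}/(.*)url=http://${PUBLIC_HOST_RE}/(.*)\$" "https://${PUBLIC_HOST}/\$1url=https://${PUBLIC_HOST}/\$2"
Header edit Location "^http://${PUBLIC_HOST_RE}/" "https://${PUBLIC_HOST}/"
EOF
}

# fix_location VALUE: the same two substitutions, in the same order, applied
# with sed so the patterns can be checked against real header values before
# they go into the vhost (Apache uses PCRE; these patterns are valid in both).
fix_location() {
    printf '%s\n' "$1" | sed \
        -e "s|^http://${PUBLIC_HOST_RE}/\(.*\)url=http://${PUBLIC_HOST_RE}/\(.*\)\$|https://${PUBLIC_HOST}/\1url=https://${PUBLIC_HOST}/\2|" \
        -e "s|^http://${PUBLIC_HOST_RE}/|https://${PUBLIC_HOST}/|"
}

# Constructed samples: the logon redirect quoted in the thread, a plain
# http:// redirect (assumed post-logout path), and one already correct.
for loc in \
    "http://$PUBLIC_HOST/owa/auth/logon.aspx?url=http://$PUBLIC_HOST/owa/&reason=0" \
    "http://$PUBLIC_HOST/owa/auth/logoff.aspx" \
    "https://$PUBLIC_HOST/owa/"
do
    printf 'backend: %s\n  proxy: %s\n' "$loc" "$(fix_location "$loc")"
done

echo "--- directives ---"
owa_https_redirect_directives
```

Put the two Header edit lines next to the existing Header Always lines in each <Location>; if the backend's Location ends up in the error headers table on your build, repeat them with the always condition, as the thread's WWW-Authenticate lines already do.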
 
#8  cheesus  11-29-2011, 01:02 PM
Aha! I would say, if the certificate of the IIS is a self-signed one, yes, you need to import the certificate.
 
  


Tags
apache, exchange, proxy, reverse

