10-11-2011, 02:32 PM
#1
Member
Registered: Jul 2005
Distribution: Fedora
Posts: 32
Bad Gateway using Apache as rev proxy for Exchange 2007
I am trying to move an ancient (FC8) config of using Apache as a reverse proxy to an Exchange 2007 server to a new Fedora 14 system.
I am using HTTPS both to the reverse proxy and from it to the Exchange server. Both are using self signed certificates.
I copied all the settings over from the old system; however, when I go to the web page I get
Bad Gateway
The proxy server received an invalid response from an upstream server.
Apache/2.2.17 (Fedora) Server at newserver.company.org Port 443
The only things I can find in the logs are in the error log:
[Tue Oct 11 14:17:57 2011] [error] [client 10.0.1.22] Certificate Verification: Error (20): unable to get local issuer certificate
[Tue Oct 11 14:17:57 2011] [error] (502)Unknown error 502: proxy: pass request body failed to 10.0.1.22:443 (exchange.company.org)
[Tue Oct 11 14:17:57 2011] [error] proxy: pass request body failed to 10.0.1.22:443 (exchange.company.org) from 10.0.0.199 ()
What am I missing that is different between the old Apache, which still works, and the new one?
Thanks.
Last edited by rvicker; 10-11-2011 at 02:35 PM.
10-14-2011, 01:05 PM
#2
Member
Registered: Jan 2005
Location: Munich, Germany
Distribution: SuSE
Posts: 172
Well, errno 20 is
Quote:
#define ENOTDIR 20 /* Not a directory */
(from /usr/include/asm-generic/errno-base.h)
so maybe you gave a file parameter where Apache expected a directory?
Without seeing your config, this is hard...
Cheers!
10-18-2011, 11:14 AM
#3
Member
Registered: Jul 2005
Distribution: Fedora
Posts: 32
Original Poster
I have checked and the .crt and .key files referenced exist.
=========
.conf file
=========
Code:
ProxyReceiveBufferSize 1024
#Exchange
<VirtualHost *:443>
# DocumentRoot /var/www/html/
RequestHeader set Front-End-Https "On"
RewriteEngine On
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLEngine On
SSLProxyEngine On
SSLProxyVerify Optional
SetEnv HTTPS_PORT 443
ExpiresActive On
ExpiresDefault "access plus 300 seconds"
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPreserveHost On
ProxyBadHeader StartBody
ProxyVia On
RewriteRule ^/owa$ owa/ [R]
<Location /owa>
ProxyPass https://exchange.company.org/owa
ProxyPassReverse https://exchange.company.org/owa
SSLRequireSSL
# Rewrite the WWW-Authenticate header to strip out Windows Integrated
# Authentication (NTLM) and only use Basic-Auth
SetEnvIf User-Agent ".*MSIE.*" value
SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
Header Always Unset WWW-Authenticate
Header Always Add WWW-Authenticate "Basic realm=www.company.org"
</Location>
<Location /OAB>
ProxyPass https://exchange.company.org/OAB
ProxyPassReverse https://exchange.company.org/OAB
SSLRequireSSL
# Rewrite the WWW-Authenticate header to strip out Windows Integrated
# Authentication (NTLM) and only use Basic-Auth
SetEnvIf User-Agent ".*MSIE.*" value
SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
Header Always Unset WWW-Authenticate
Header Always Add WWW-Authenticate "Basic realm=www.company.org"
</Location>
<Location /rpc>
ProxyPass https://exchange.company.org/rpc
ProxyPassReverse https://exchange.company.org/rpc
SSLRequireSSL
# Rewrite the WWW-Authenticate header to strip out Windows Integrated
# Authentication (NTLM) and only use Basic-Auth
SetEnvIf User-Agent ".*MSIE.*" value
SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
Header Always Unset WWW-Authenticate
Header Always Add WWW-Authenticate "Basic realm=www.company.org"
</Location>
<Location /ecp>
ProxyPass https://exchange.company.org/ecp
ProxyPassReverse https://exchange.company.org/ecp
SSLRequireSSL
# Rewrite the WWW-Authenticate header to strip out Windows Integrated
# Authentication (NTLM) and only use Basic-Auth
SetEnvIf User-Agent ".*MSIE.*" value
SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
Header Always Unset WWW-Authenticate
Header Always Add WWW-Authenticate "Basic realm=www.company.org"
</Location>
<Location /RpcWithCert>
ProxyPass https://exchange.company.org/RpcWithCert
ProxyPassReverse https://exchange.company.org/RpcWithCert
SSLRequireSSL
# Rewrite the WWW-Authenticate header to strip out Windows Integrated
# Authentication (NTLM) and only use Basic-Auth
SetEnvIf User-Agent ".*MSIE.*" value
SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
Header Always Unset WWW-Authenticate
Header Always Add WWW-Authenticate "Basic realm=www.company.org"
</Location>
# Enables Windows Mobile ActiveSync
<Location /Microsoft-Server-ActiveSync>
ProxyPass https://exchange.company.org/Microso...ver-ActiveSync
ProxyPassReverse https://exchange.company.org/Microso...ver-ActiveSync
SSLRequireSSL
# Rewrite the WWW-Authenticate header to strip out Windows Integrated
# Authentication (NTLM) and only use Basic-Auth
SetEnvIf User-Agent ".*MSIE.*" value
SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
Header Always Unset WWW-Authenticate
Header Always Add WWW-Authenticate "Basic realm=www.company.org"
</Location>
</VirtualHost>
#/Exchange
10-18-2011, 11:27 AM
#4
Member
Registered: Jan 2005
Location: Munich, Germany
Distribution: SuSE
Posts: 172
I see no newserver.company.org in your config?
Use
curl -i yoururl
to see what's really going over the wire.
(or any other tool like wget, which will display/log the full http(s) traffic...)
10-18-2011, 09:35 PM
#5
Member
Registered: Jul 2005
Distribution: Fedora
Posts: 32
Original Poster
It looks like the exchange cert is machine name only while Apache is expecting FQDN.
When I tried changing the config to use only the machine name I got an error about verification since the certificate is self signed.
Why did the older system accept this but the new build won't?
=======
wget debug output
=======
Code:
--20:51:39-- https://exchange.company.org/owa/
=> `index.html'
Resolving exchange.company.org... seconds 0.00, 10.0.1.22
Caching exchange.company.org => 10.0.1.22
Connecting to exchange.company.org|10.0.1.22|:443... seconds 0.00, connected.
Created socket 1868.
Releasing 0x009b2d38 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 1868 to SSL handle 0x009b2d98
certificate:
subject: /CN=exchange
issuer: /CN=exchange
ERROR: Certificate verification error for exchange.company.org: unable to get local issuer certificate
ERROR: certificate common name `exchange' doesn't match requested host name exchange.company.org'.
To connect to exchange.company.org insecurely, use `--no-check-certificate'.
Closed 1868/SSL 0x9b2d98
Unable to establish SSL connection.
10-19-2011, 06:48 AM
#6
Member
Registered: Jan 2005
Location: Munich, Germany
Distribution: SuSE
Posts: 172
Well, doing SSL with not-fully-QDN seems like a very bad idea to me, so maybe they forbid that for security reasons...
In any case, did you now try with a FQDN?
11-22-2011, 03:04 PM
#7
Member
Registered: Jul 2005
Distribution: Fedora
Posts: 32
Original Poster
Just for grins I tried another config. I removed the REQUIRE SSL from the Exchange server's IIS configs and changed the Apache proxy/reverse-proxy statements from
https://... to
http://...
Now it connects, but some of the URLs in the browser are missing https://. For example, after entering
https://public.company.com/owa it changes to
public.company.com/owa/auth/logon.aspx?url=http://public.company.com/owa/&reason=0; if I manually add the https:// to the front I get the login screen and everything works from there, except that the page AFTER a logout has the same missing https://.
Apache is the only publicly accessible server, so this config would be workable if the missing https:// didn't happen. Is there a way to make Apache do this correctly?
Do I need to import the Exchange certificate into Apache somehow, to make end-to-end SSL work?
11-29-2011, 01:02 PM
#8
Member
Registered: Jan 2005
Location: Munich, Germany
Distribution: SuSE
Posts: 172
Aha! I would say, if the certificate of the IIS is a self-signed one, yes, you need to import the certificate.
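The fix the thread converges on, written out here as an added example rather than the poster's own config: the logged "Error (20)" is an OpenSSL certificate verification result (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY), not an errno, so the proxy needs the backend's certificate in its upstream trust store and a backend name that matches that certificate. It assumes Apache 2.2 mod_ssl/mod_proxy directives and uses /etc/pki/tls/certs/exchange-backend.crt as an assumed path for the exported backend certificate.

```apache
# Reverse proxy to Exchange with end-to-end TLS and backend verification.
# Assumed path: /etc/pki/tls/certs/exchange-backend.crt holds the
# backend's exported self-signed certificate in PEM form.
ProxyReceiveBufferSize 1024

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile    /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    # Outbound TLS to the backend.
    SSLProxyEngine On
    # "optional" still rejects a presented certificate whose chain cannot
    # be built; only "optional_no_ca" ignores that, which removes the
    # protection entirely. Require verification and make the chain
    # buildable instead.
    SSLProxyVerify require
    SSLProxyVerifyDepth 1
    # A self-signed backend certificate verifies only if it is itself in
    # the trust store used for upstream connections. This is the
    # "import the certificate" step from the thread.
    SSLProxyCACertificateFile /etc/pki/tls/certs/exchange-backend.crt
    # The hostname in ProxyPass must match the backend certificate's CN.
    # The certificate wget showed carried CN=exchange, so either reissue
    # it for exchange.company.org (preferred) or proxy to https://exchange/.
    SSLProxyCheckPeerCN on

    RequestHeader set Front-End-Https "On"
    ProxyPreserveHost On
    ProxyVia On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    RewriteEngine On
    RewriteRule ^/owa$ owa/ [R]

    <Location /owa>
        SSLRequireSSL
        # Keep the backend on https://. Falling back to http:// sends the
        # Basic credentials this vhost forces across the internal network
        # in the clear, and it is what produced the http:// URLs in post #7.
        ProxyPass        https://exchange.company.org/owa
        ProxyPassReverse https://exchange.company.org/owa
    </Location>
    # /OAB, /rpc, /ecp, /RpcWithCert and /Microsoft-Server-ActiveSync
    # follow the same pattern as /owa.
</VirtualHost>
```

After the change, the error log should no longer show "Certificate Verification: Error (20)" for the backend, and the 502 that followed it goes away with it.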