
# appsamurai-owa.conf - Partial Apache configuration for AppSamurai
#                       reverse proxy front end for Outlook Web Access
# $Id: appsamurai-owa.conf,v 1.10 2007/09/29 23:22:15 pauldoom Exp $

# This example should be customized for your environment and either
# added to your existing httpd.conf, or included into it.
# 
# All items that must be configured are surrounded by __, like
# "__OWA_SERVER_FQDN__"   You may use the "confconfer.pl" script under
# examples/conf in the AppSamurai distribution to interactively enter these
# fields, or just use good ol' search and replace.

# IMPORTANT: Your Exchange Outlook Web Access/ActiveSync server (referred to
# simply as "OWA server" below), must be properly configured for this to work!
# In addition, DNS and a properly laid out security perimeter are required.
# Finally, PLEASE do not deploy this system without some sort of strong
# authentication component for AppSamurai to use!
#
# For your OWA server:
# 1) SSL must be enabled and required on the OWA server. (A self-signed or
#    internal CA signed certificate is fine.)
# 2) You must have an internal DNS or hosts file entry pointing
#    the FQDN of your server to its real IP address inside your network.
# 3) Basic Authentication must be configured (Form based login breaks
#    ActiveSync.  This config is for a Basic Auth backend only.)
# 4) You should be able to use OWA (https://servername.domain/exchange/)
#    from inside your network.
# 5) You should be able to use ActiveSync with a device attached to your
#    internal network.  (Microsoft's Windows Mobile emulator is helpful
#    for testing.)
#
# For your AppSamurai server:
# 1) You must have a SSL certificate signed by a trusted CA.
# 2) You must have an EXTERNAL DNS entry pointing the FQDN of your OWA
#    server to the external IP (or NAT IP) your AppSamurai proxy will be
#    available from.
# 3) You must configure (at least one) SSL enabled VirtualHost section
# 4) You must enable Rewrite and pull in global Rewrite rules inside your
#    VirtualHost section (See last section of this file for sample)
#
# On your firewall: 
# 1) Open up access to port 443 on your AppSamurai proxy
# 2) Open access from your AppSamurai server's real IP to port 443 of your
#    OWA server
# 3) Open access from your AppSamurai server's real IP to any authentication
#    services it will be using.
#
# Reference:
# * http://3cx.org/item/38 - Very helpful HowTo on setting up Apache to proxy
#    OWA.  (This is only for reference: All the directives you need should
#    already be in this configuration example.)
# * I would point to a good doc on setting up OWA and ActiveSync, but I can't
#   recommend any.  Search technet.microsoft.com and Google as needed.

# This is an Apache1/mod_perl1 - Apache2/mod_perl2 dual configuration.
# Thanks to some silly nesting rules in Apache2, some <Directory> and
# <Proxy> sections are duplicated.  Pay close attention to <IfDefine>
# sections for your version of mod_perl (!MODPERL2 for mod_perl 1 and
# MODPERL2 for mod_perl 2)

# The following modules are required for this setup:
#LoadModule rewrite_module	/usr/lib/apache/modules/mod_rewrite.so
#LoadModule proxy_module	/usr/lib/apache/modules/libproxy.so
#LoadModule perl_module        /usr/lib/apache/modules/mod_perl.so

# Load the main AppSamurai module and the mod_perl registry,
# and also enable taint and warnings
# Load the main AppSamurai module and the mod_perl registry,
# and also enable taint and warnings
PerlModule Apache::AppSamurai
# mod_perl 1: Apache::Registry plus warnings and taint checking as directives.
# Taint mode makes perl refuse to use externally derived data in unsafe
# operations until it has been explicitly untainted.
<IfDefine !MODPERL2>
 PerlModule Apache::Registry
 PerlWarn On
 PerlTaintCheck On
</IfDefine>
# mod_perl 2: ModPerl::Registry; -w (warnings) and -T (taint) are passed
# straight to the interpreter instead of being set per directive.
<IfDefine MODPERL2>
 PerlModule ModPerl::Registry
 PerlSwitches -wT
</IfDefine>

#### AppSamurai Setup ####
# We will use the auth_name "Owa" for this sample.  If you prefer
# "TheMagnificentRonnieWilson" instead, just replace "Owa" with
# that in each PerlSetVar line.
#
# Set to 1 for debugging (only for troubleshooting or non-production testing,
# as this produces a TON of noise, and leaks some semi-sensitive info,
# into the Apache error logs)  (Default: 0)
# If it was ever enabled, treat the resulting error log as sensitive data.
PerlSetVar OwaDebug 0

# Name of authentication cookie
# NOTE(review): nothing in this section sets the cookie's Secure/HttpOnly
# attributes; check the Apache::AppSamurai documentation for the matching
# option and confirm the cookie is only ever sent over the HTTPS host.
PerlSetVar OwaCookieName ChocholateChipOfDoom

# Path to set on authentication cookie  (Default: /)
PerlSetVar OwaPath /

# Point to the form login page/script.  This is served locally by the proxy
# (see the /AppSamurai rewrite rule further down), not by the OWA server.
PerlSetVar OwaLoginScript /AppSamurai/login.pl

# Must satisfy all authentication checks (Default: All)


  PerlSetVar OwaSessionTimeout 0

  # ActiveSync does not maintain session cookies.  This sets up a "custom
  # keysource" to compute the session authentication key based on a set of
  # headers and arguments.  (Sort of a pseudo-cookie).  This avoids losing
  # sessions with ActiveSync.  It is MUCH less secure, though!  Only
  # use this in conjunction with at least one token or OTP based authentication
  # module.  (SecurID, SafeWord, etc....)  This custom keysource uses:
  #  1) The "Authorization" header value
  #  2) The "User-agent" header value
  #  3) The "User" argument (ActiveSync devices add this to each request)
  #  4) The "DeviceId" argument (ActiveSync adds this, and it should be unique
  #     per-device... not that it couldn't be spoofed)
  PerlAddVar OwaKeysource header:Authorization
  PerlAddVar OwaKeysource header:User-agent
  PerlAddVar OwaKeysource arg:User
  PerlAddVar OwaKeysource arg:DeviceId

  # Note that "Basic" is used instead of "Apache::AppSamurai".  This causes
  # Apache to handle the basic authentication grunt work for us
  AuthType Basic

  # IMPORTANT - The auth name MUST match a configured AppSamurai auth name
  AuthName "Owa"

  # Map authentication checks to this method
  PerlAuthenHandler Apache::AppSamurai->authenticate
  # Map authorization checks to this method
  PerlAuthzHandler Apache::AppSamurai->authorize

  # Allow all IPs, but require a logged in user
  Order deny,allow
  Allow from all
  require valid-user

</Directory>
</IfDefine>

<IfDefine MODPERL2>
# (See !MODPERL2 section directly above for comments)
# Keep this block in step with the mod_perl 1 <Directory> section above: same
# session settings, same keysource list, same auth mapping.
<Proxy https://__OWA_SERVER_FQDN__/Microsoft-Server-ActiveSync*>
  # presumably session expiry / idle timeout in seconds (86400 = 24h, 0 = off);
  # the explanatory comment lives in the mod_perl 1 section above - confirm
  PerlSetVar OwaSessionExpire 86400
  PerlSetVar OwaSessionTimeout 0
  # Pseudo-cookie for ActiveSync clients.  The key is derived from these
  # headers/arguments, including the Basic Authorization header, so this
  # block should only be used together with a token/OTP authentication module.
  PerlAddVar OwaKeysource header:Authorization
  PerlAddVar OwaKeysource header:User-agent
  PerlAddVar OwaKeysource arg:User
  PerlAddVar OwaKeysource arg:DeviceId
  AuthType Basic
  AuthName "Owa"
  PerlAuthenHandler Apache::AppSamurai->authenticate
  PerlAuthzHandler Apache::AppSamurai->authorize
  # Apache 2.2-style host access control: any client IP may connect, but a
  # valid (AppSamurai-authenticated) user is required.  Apache 2.4 needs
  # mod_access_compat for Order/Allow, or the "Require" form instead.
  Order deny,allow
  Allow from all
  require valid-user
</Proxy>
</IfDefine>


#### Rewrite/Proxy Rules ####
# !!! IMPORTANT NOTE !!!
# Rewrite options are not global by default!  Make sure to read the
# extra section at the bottom of this file.

# Enable rewrites for default (non-virtual) hosts
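# Enable rewrites for default (non-virtual) hosts.  Rules are evaluated in
# order; the first match carrying [L] (or [F], which implies [L]) ends
# processing for the request, so the order of this section matters.
RewriteEngine  On

# Block access to common IIS hackable areas.  These are defence in depth:
# the catch-all at the end of this section forbids anything that is not
# explicitly proxied or allowed, so these mostly make the intent explicit.
RewriteRule ^(.*)?/iisadmin/? - [F,L]
RewriteRule ^(.*)?/samples/? - [F,L]
RewriteRule ^(.*)?/scripts/? - [F,L]
# Extension matches: the dot is escaped so it matches a literal period
# rather than any character (unescaped, "^(.*).ida$" also matched e.g.
# "/fooida", which is not what the rule intends).
RewriteRule ^(.*)\.ida$ - [F,L]
RewriteRule ^(.*)\.htw$ - [F,L]
# NOTE(review): as written this matches the literal path segment "/_vti/_"
# with any single character before and after it.  If FrontPage extension
# paths such as /_vti_bin/ were intended, the pattern needs adjusting -
# TODO confirm the intended target before changing it.
RewriteRule ^(.*)./_vti/_. - [F,L]
RewriteRule ^(.*)\.idq$ - [F,L]
# [L] added for consistency with the other deny rules ([F] already implies it)
RewriteRule ^(.*)\.exe$ - [F,L]
RewriteRule ^(.*)?/winnt/? - [F,L]

# Redirect our default into the main OWA app (external redirect; [R] with no
# status code sends a 302)
RewriteRule ^/?$ /exchange/ [R,L]

# Remap logout URLs to our AppSamurai virtual logout page
RewriteRule ^/exchweb/bin/.*logoff\.asp$ /AppSamurai/LOGOUT [L]

# Reverse proxy (P) /public/
RewriteRule ^/public/(.*)$ https://__OWA_SERVER_FQDN__/public/$1 [P,L]

# Use local copies of static /exchweb/ content
# ONLY USE THESE RULES IF YOU HAVE COPIED THE CONTENT TO THIS SERVER AND
# YOU HAVE READ AND CONFIGURED THE Directory SECTION FOR /exchweb ABOVE!
#RewriteRule ^/exchweb/controls/ - [L]
#RewriteRule ^/exchweb/img/      - [L]
#RewriteRule ^/exchweb/themes/   - [L]
#RewriteRule ^/exchweb/views/    - [L]

# Reverse proxy items in /exchweb/, /exchange/, and /iisadmpwd/
RewriteRule ^/exchweb/(.*)$ https://__OWA_SERVER_FQDN__/exchweb/$1 [P,L]
RewriteRule ^/exchange/(.*)$ https://__OWA_SERVER_FQDN__/exchange/$1 [P,L]
RewriteRule ^/iisadmpwd/(.*)$ https://__OWA_SERVER_FQDN__/iisadmpwd/$1 [P,L]

# ActiveSync - For Windows Mobile devices (requires special setup - See
# corresponding directory section for it above)
RewriteRule ^/Microsoft-Server-ActiveSync(.*)$ https://__OWA_SERVER_FQDN__/Microsoft-Server-ActiveSync$1 [P,L]

# Outlook Remote Access - Currently not tested (RPC over HTTP makes me nauseous)
#RewriteRule ^/rpc/(.*)$ https://__OWA_SERVER_FQDN__/rpc/$1 [P,L]

# /AppSamurai/ files are local to the proxy.
# NOTE(review): this is a bare prefix match (no "/" or "$" after the name),
# so any path beginning with "/AppSamurai" - e.g. "/AppSamuraiX" - is passed
# through to local handling instead of the catch-all deny below.  Tighten it
# to "^/AppSamurai(/|$)" if nothing else under that prefix is meant to exist.
RewriteRule ^/AppSamurai - [L]

# Allow robots.txt access.  Please consider using one!  You will need to
# place it into your document root directory, or set up an alias.
# Here is the suggested content:
#
#  User-agent: *
#  Disallow: /
#
# Comment this out if you choose NOT to use a robots.txt file.
# The dot is escaped and the pattern anchored so that only "/robots.txt"
# itself gets through; anything else falls to the catch-all below.
RewriteRule ^/robots\.txt$ - [L]

# send everything else to forbidden (Yea, I set a default deny up top, too.)
# This rule is what turns the proxy into an allow-list: only the paths
# explicitly handled above ever reach the OWA server or local content.
RewriteRule .* - [F,L]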


#### Force SSL-only (Optional) ####
# Use this (or a similar) VirtualHost section to redirect all port 80
# HTTP access to your HTTPS VirtualHost
<VirtualHost _default_:80>
  DocumentRoot __DOCUMENT_ROOT__
  ServerName __OWA_SERVER_FQDN__
  # This redirects and strips any GET arguments.  RedirectMatch without an
  # explicit status sends a 302; use "RedirectMatch permanent ..." if clients
  # should remember the HTTPS location.
  # NOTE(review): no Strict-Transport-Security header is set anywhere in this
  # file; consider setting one (mod_headers "Header" directive) on the HTTPS
  # VirtualHost so browsers stop issuing plain-HTTP requests at all.
  RedirectMatch (.*) https://__OWA_SERVER_FQDN__
</VirtualHost>


<IfDefine Comment>
#### Per-VirtualHost Configuration ####
# ("Comment" is never passed to httpd with -D, so Apache skips this block;
# it exists only as copy-and-paste material for your VirtualHost sections.)
# Rewrite rules are not (by default) global.  In addition, Apache 2 introduced
# the SSLProxyEngine option. The following lines (till the #### END ... line)
# should be inserted into the VirtualHost section(s) serving your AppSamurai
# protected resources.

# Enable rewrite engine inside virtualhost
RewriteEngine on
# Inherit rewrite settings from parent (global)
RewriteOptions inherit
# Enable proxy connections to SSL (Why is this off by default?)
# NOTE(review): this only enables TLS towards the backend.  mod_ssl does not
# verify the OWA server's certificate unless SSLProxyVerify is set (plus
# SSLProxyCACertificateFile when the cert is signed by an internal CA); with
# the defaults, any certificate presented on the backend connection is
# accepted, which is what "a self-signed certificate is fine" above relies on.
SSLProxyEngine on

#### END Per-VirtualHost Configuration ####
</IfDefine>


