# appsamurai-owa.conf - Partial Apache configuration for AppSamurai # reverse proxy front end for Outlook Web Access # $Id: appsamurai-owa.conf,v 1.10 2007/09/29 23:22:15 pauldoom Exp $ # This example should be customized for your environment and either # added to your existing httpd.conf, or included into it. # # All items that must be configured are surrounded by __, like # "__OWA_SERVER_FQDN__" You may use the "confconfer.pl" script under # examples/conf in the AppSamurai distribution to interactively enter these # fields, or just use good ol' search and replace. # IMPORTANT: Your Exchange Outlook Web Access/ActiveSync server (referred to # simply as "OWA server" below), must be properly configured for this to work! # In addition, DNS and a properly laid out security perimeter are required. # Finally, PLEASE do not deploy this system without some sort of strong # authentication component for AppSamurai to use! # # For your OWA server: # 1) SSL must be enabled and required on the OWA server. (A self-signed or # internal CA signed certificate is fine.) # 2) You must have an internal DNS or hosts file entry pointing # the FQDN of your server to its real IP address inside your network. # 3) Basic Authentication must be configured (Form based login breaks # ActiveSync. This config is for a Basic Auth backend only.) # 4) You should be able to use OWA (https://servername.domain/exchange/) # from inside your network. # 5) You should be able to use ActiveSync with a device attached to your # internal network. (Microsoft's Windows Mobile emulator is helpful # for testing.) # # For your AppSamurai server: # 1) You must have a SSL certificate signed by a trusted CA. # 2) You must have an EXTERNAL DNS entry pointing the FQDN of your OWA # server to the external IP (or NAT IP) your AppSamurai proxy will be # available from. # 3) You must configure (at least one) SSL enabled VirtualHost section # 4) You must enable Rewrite and pull in global Rewrite rules inside your # VirtualHost section (See last section of this file for sample) # # On your firewall: # 1) Open up access to port 443 on your AppSamurai proxy # 2) Open access from your AppSamurai server's real IP to port 443 of your # OWA server # 3) Open access from your AppSamurai server's real IP to any authentication # services it will be using. # # Reference: # * http://3cx.org/item/38 - Very helpful HowTo on setting up Apache to proxy # OWA. (This is only for reference: All the directives you need should # already be in this configuration example.) # * I would point to a good doc on setting up OWA and ActiveSync, but I can't # recommend any. Search technet.microsoft.com and Google as needed. # This is a Apache1/mod_perl1 - Apache2/mod_perl2 dual configuration. # Thanks to some silly nesting rules in Apache2, some and # sections are duplicated. Pay close attention to # sections for your version of mod_perl (!MODPERL2 for mod_perl 1 and # MODPERL2 for mod_perl 2) # The following modules are required for this setup: #LoadModule rewrite_module /usr/lib/apache/modules/mod_rewrite.so #LoadModule proxy_module /usr/lib/apache/modules/libproxy.so #LoadModule perl_module /usr/lib/apache/modules/mod_perl.so # Load the main AppSamurai module and the mod_perl registry, # and also enable taint and warnings PerlModule Apache::AppSamurai PerlModule Apache::Registry PerlWarn On PerlTaintCheck On PerlModule ModPerl::Registry PerlSwitches -wT #### AppSamurai Setup #### # We with use the auth_name "Owa" for this sample. If you prefer # "TheMagnificentRonnieWilson" instead, just replace "Owa" with # that in each PerlSetVar line. # # Set to 1 for debugging (only for troubleshooting or non-production testing, # as this produces a TON of noise, and leaks some semi-sensitive info, # into the Apache error logs) (Default: 0) PerlSetVar OwaDebug 0 # Name of authentication cookie PerlSetVar OwaCookieName ChocholateChipOfDoom # Path to set on authentication cookie (Default: /) PerlSetVar OwaPath / # Point to the form login page/script PerlSetVar OwaLoginScript /AppSamurai/login.pl # Must satisfy all authentication checks (Default: All) PerlSetVar OwaSatisfy All # Set the "secure" flag on the authentication cookie (Note - If you are not # using SSL, well, USE SSL!!!) PerlSetVar OwaSecure 1 # Set the silly Microsoft http-only cookie flag PerlSetVar OwaHttpOnly 1 # Custom mapping of xxxxxx;yyyyyy Basic authentication password input # to specific and separate individual credentials. # Example: If the user logs into the basic auth popup with the password: # myRockinPassword;1234123456 # The map below will set credential_1 as "1234123456" and credential_2 # as "myRockinPassword", then proceed as if the same were entered into # a form login. (Default: undef) #PerlSetVar OwaBasicAuthMap "2,1=(.+);([^;]+)" # List the authentication methods (modules) you will be using, in order of # credential number on the login form. (credential_1, credential_2, etc) PerlSetVar OwaAuthMethods "AuthBasic" # AuthUnique forces each login to use at least one unique credential. # You should enable this if a OTP or token (SecurID, etc.) is part of # the authentication mix. # (Note - Uses the Tracker system) (Default: 0) #PerlSetVar OwaAuthUnique 1 ## AppSamurai::AuthBasic options # # The URL to send basic authentication checks to PerlSetVar OwaAuthBasicLoginUrl "https://__OWA_SERVER_FQDN__/exchange/" # Use the special "HEADER:" to pass the named header field from # the client to the backend authenticator directly. (Default: undef) PerlSetVar OwaAuthBasicUserAgent "header:User-Agent" # Abort the check unless the "realm" returned by the server matches # this string. (Note - most OWA servers use the Active Directory # domain as the realm. Try a direct login to the backend server to check.) # (Default: undef) PerlSetVar OwaAuthBasicRequireRealm "__OWA_SERVER_LOGIN_REALM__" # Continue to send the same Authorization: header to the backend server # after login. (Only use this when the AuthBasic check is run against # the backend server you are protecting) (Default: 1) PerlSetVar OwaAuthBasicKeepAuth 1 # Collect cookes from AuthBasic check and send back to the user's browser # on login (Default: 1) PerlSetVar OwaAuthBasicPassBackCookies 1 ## AppSamurai::AuthRadius options # # Set the IP and port to send Radius requests to PerlSetVar OwaAuthRadiusConnect "__RADIUS_SERVER_IP__:__RADIUS_PORT__" # Set the RADIUS key to use PerlSetVar OwaAuthRadiusSecret "__RADIUS_PASSWORD__" ## Session storage options # # Inactivity timeout (in seconds) for normal (form based) OWA sessions # (Default: 3600) PerlSetVar OwaSessionTimeout 3600 # This is the AppSamurai instance's password. Set it to something long. # All AppSamurai servers in a cluster (sharing the same auth name), and # using a common storage area (central session database server), must # use the same ServerPass. # (Note - ServerKey is only used with HMAC session generators and # encrypting session serializers: Both are on by default) PerlSetVar OwaSessionServerPass "__APPSAMURAI_SERVER_PASSWORD__" # If using th default File session store, you must point to a filesystem # directory to store sessions in. (Should be readable/writable only to # the user httpd is running under) PerlSetVar OwaSessionDirectory "__SESSION_PATH__/sessions" # Ditto for the file lock type PerlSetVar OwaSessionLockDirectory "__SESSION_PATH__/slock" ## Tracker System # # Cleanup items older than this many seconds (Default: undef) PerlSetVar OwaTrackerCleanup 86400 ## Misc Features # # IPFailures takes an argument in the format "X:Y", where X is the number of # failures and Y is the window (in seconds) between the failures. # Note - If TrackerCleanup is LESS than the failure window, you may miss # slow attacks. (Default: undef) PerlSetVar OwaIPFailures "20:60" ## Directory and Location Configuration # # AppSamurai login/logout pages AllowOverride None deny from all # The login and logout pages are Perl scripts, so we enable normal # mod_perl CGI handling for them SetHandler perl-script Options +ExecCGI AuthType Apache::AppSamurai PerlHandler Apache::Registry PerlResponseHandler ModPerl::Registry # IMPORTANT - The auth name MUST match a configured AppSamurai auth name AuthName "Owa" allow from all # This is a fake file that is mapped to the login() method in # Apache::AppSamurai (Your login page should post to this) SetHandler perl-script AuthType Apache::AppSamurai # IMPORTANT - The auth name MUST match a configured AppSamurai auth name AuthName "Owa" # Map to method PerlHandler Apache::AppSamurai->login PerlResponseHandler Apache::AppSamurai->login allow from all # This is a fake file that is mapped to the logout() method in # Apache::AppSamurai SetHandler perl-script AuthType Apache::AppSamurai # IMPORTANT - The auth name MUST match a configured AppSamurai auth name AuthName "Owa" # Map to method PerlHandler Apache::AppSamurai->logout PerlResponseHandler Apache::AppSamurai->logout allow from all # Images used on AppSamurai login page Options None AllowOverride None allow from all # Local copies of static OWA content (images, styles, etc) # This is to speed up serving of things that need no protection. # COPY THESE FOLDERS FROM YOUR OWA SERVER IF YOU WISH TO USE # THIS SECTION! Then, proceed to the rewrite rules and uncomment # the corresponding rewrite lines. # # AllowOverride None # Order allow,deny # Allow from all # # Turn off client proxy requests (All requests mapped by Rewrite) ProxyRequests Off # Protect ALL proxied areas (by default) The actual proxy mapping is # done with rewrite rules. (Be careful if you decide to make this # a more specific path: You do not want to expose internal servers!) # !!! MAKE SURE TO CONFIGURE THE IfDefine SECTION FOR YOUR VERSION !!! # !!! OF MOD_PERL !!! AuthType Apache::AppSamurai # IMPORTANT - The auth name MUST match a configured AppSamurai auth name AuthName "Owa" # Map authentication checks to this method PerlAuthenHandler Apache::AppSamurai->authenticate # Map authorization checks to this method PerlAuthzHandler Apache::AppSamurai->authorize # Allow all IPs, but require a logged in user Order deny,allow Allow from all Require valid-user # (See !MODPERL2 section directly above for comments) AuthType Apache::AppSamurai AuthName "Owa" PerlAuthenHandler Apache::AppSamurai->authenticate PerlAuthzHandler Apache::AppSamurai->authorize Order deny,allow Allow from all Require valid-user # Special ActiveSync configuration: Protects /Microsoft-Server-ActiveSync # path with Basic Authentication login instead of form based. This is # to support Windows Mobile devices. Other special parameters are used # to support the non-cookie aware ActiveSync # !!! MAKE SURE TO CONFIGURE THE IfDefine SECTION FOR YOUR VERSION !!! # !!! OF MOD_PERL !!! # Set hard expiration (no matter what, the session is killed after this # many seconds) PerlSetVar OwaSessionExpire 86400 # Override the previously configured inactivity timer (only applies to this # directory) 0 disables the timer PerlSetVar OwaSessionTimeout 0 # ActiveSync does not maintain session cookies. This sets up a "custom # keysource" to compute the session authentication key based on a set of # headers and arguments. (Sort of a pseudo-cookie). This avoids losing # sessions with ActiveSync. It is MUCH less secure, though! Only # use this in conjuction with at least one token or OTP based authentication # module. (SecurID, SafeWord, etc....) This custom keysource uses: # 1) The "Authorization" header value # 2) The "User-agent" header value # 3) The "User" argument (ActiveSync devices add this to each request) # 4) The "DeviceId" argument (ActiveSync adds this, and it should be unique # per-device... not that it couldn't be spoofed) PerlAddVar OwaKeysource header:Authorization PerlAddVar OwaKeysource header:User-agent PerlAddVar OwaKeysource arg:User PerlAddVar OwaKeysource arg:DeviceId # Note that "Basic" is used instead of "Apache::AppSamurai". This causes # Apache to handle the basic authentication grunt work for us AuthType Basic # IMPORTANT - The auth name MUST match a configured AppSamurai auth name AuthName "Owa" # Map authentication checks to this method PerlAuthenHandler Apache::AppSamurai->authenticate # Map authorization checks to this method PerlAuthzHandler Apache::AppSamurai->authorize # Allow all IPs, but require a logged in user Order deny,allow Allow from all require valid-user # (See !MODPERL2 section directly above for comments) PerlSetVar OwaSessionExpire 86400 PerlSetVar OwaSessionTimeout 0 PerlAddVar OwaKeysource header:Authorization PerlAddVar OwaKeysource header:User-agent PerlAddVar OwaKeysource arg:User PerlAddVar OwaKeysource arg:DeviceId AuthType Basic AuthName "Owa" PerlAuthenHandler Apache::AppSamurai->authenticate PerlAuthzHandler Apache::AppSamurai->authorize Order deny,allow Allow from all require valid-user #### Rewrite/Proxy Rules #### # !!! IMPORTANT NOTE !!! # Rewrite options are not global by default! Make sure to read the # extra section at the bottom of this file. # Enable rewrites for default (non-virtual) hosts RewriteEngine On # Block access to common IIS hackable areas RewriteRule ^(.*)?/iisadmin/? - [F,L] RewriteRule ^(.*)?/samples/? - [F,L] RewriteRule ^(.*)?/scripts/? - [F,L] RewriteRule ^(.*).ida$ - [F,L] RewriteRule ^(.*).htw$ - [F,L] RewriteRule ^(.*)./_vti/_. - [F,L] RewriteRule ^(.*).idq$ - [F,L] RewriteRule ^(.*).exe$ - [F] RewriteRule ^(.*)?/winnt/? - [F,L] # Redirect our default into the main OWA app RewriteRule ^/?$ /exchange/ [R,L] # Remap logout URLs to our AppSamurai virtual logout page RewriteRule ^/exchweb/bin/.*logoff\.asp$ /AppSamurai/LOGOUT [L] # Reverse proxy (P) /public/ RewriteRule ^/public/(.*)$ https://__OWA_SERVER_FQDN__/public/$1 [P,L] # Use local copies static /exchweb/ content # ONLY USE THESE RULES IF YOU HAVE COPIED THE CONTENT TO THIS SERVER AND # YOU HAVE READ AND CONFIGURED THE Directory SECTION FOR /exchweb ABOVE! #RewriteRule ^/exchweb/controls/ - [L] #RewriteRule ^/exchweb/img/ - [L] #RewriteRule ^/exchweb/themes/ - [L] #RewriteRule ^/exchweb/views/ - [L] # Reverse proxy items in /exchweb/, /exchange/, and /iisadmpwd/ RewriteRule ^/exchweb/(.*)$ https://__OWA_SERVER_FQDN__/exchweb/$1 [P,L] RewriteRule ^/exchange/(.*)$ https://__OWA_SERVER_FQDN__/exchange/$1 [P,L] RewriteRule ^/iisadmpwd/(.*)$ https://__OWA_SERVER_FQDN__/iisadmpwd/$1 [P,L] # ActiveSync - For Windows Mobile devices (requires special setup - See # corresponding directory section for it above) RewriteRule ^/Microsoft-Server-ActiveSync(.*)$ https://__OWA_SERVER_FQDN__/Microsoft-Server-ActiveSync$1 [P,L] # Outlook Remote Access - Currently not tested (RPC over HTTP makes me nauseous) #RewriteRule ^/rpc/(.*)$ https://__OWA_SERVER_FQDN__/rpc/$1 [P,L] # /AppSamurai/ files are local to the proxy RewriteRule ^/AppSamurai - [L] # Allow in robots.txt access. Please consider using one! You will need to # place it into your document root directory, or setup an alias. # Here is the suggested content: # # User-agent: * # Disallow: / # # Comment this out if you choose NOT to use a robots.txt file RewriteRule ^/robots.txt - [L] # send everything else to forbidden (Yea, I set a default deny up top, too.) RewriteRule .* - [F,L] #### Force SSL-only (Optional) #### # Use this (or a similar) VirtualHost section to redirect all port 80 # HTTP access to your HTTPS VirtualHost DocumentRoot __DOCUMENT_ROOT__ ServerName __OWA_SERVER_FQDN__ # This redirects and strips any GET arguments RedirectMatch (.*) https://__OWA_SERVER_FQDN__ #### Per-VirtualHost Configuration #### # Rewrite rules are not (by default) global. In addition, Apache 2 introduced # the SSLProxyEngine option. The following lines (till the #### END ... line) # should be inserted into the VirtualHost section(s) serving your AppSamurai # protected resources. # Enable rewrite engine inside virtualhost RewriteEngine on # Inherit rewrite settings from parent (global) RewriteOptions inherit # Enable proxy connections to SSL (Why is this off by default?) SSLProxyEngine on #### END Per-VirtualHost Configuration ####