| 16 Jun 2021 |
 James | As long as you can get nginx/haproxy working in front of OWA it will just work. | 02:27:59 |
 netlol (netlol) | As I know MS has ARR for reverse proxy already. | 02:28:32 |
| James | We've not tested ARR, or IIS with authelia. It would have to support the method of authentication verification we provide. | 02:30:01 |
| netlol (netlol) | Hmm.. | 02:30:50 |
| netlol (netlol) | The solution I found work with OWA is Duo Security only. | 02:31:14 |
| James | If you found something similar to these, we'd be able to help figure it out with you:
https://doc.traefik.io/traefik/middlewares/forwardauth/
https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/ | 02:31:47 |
| netlol (netlol) | For some reason we cann't use cloud base mail. | 02:32:13 |
| netlol (netlol) | Thank you. | 02:32:29 |
| James | I have actually setup my OWA to work behind another proxy, let me see how I have it configured | 02:35:15 |
| James | Yeah I just proxy 443 -> 443 | 02:36:37 |
| James | So it would be relatively simple to configure that if you really wanted. | 02:37:09 |
| netlol (netlol) | MS itself dosen't support 2FA On-Premises Exchnage. | 02:37:53 |
| netlol (netlol) | hmm... | 02:38:02 |
| James | Yea absolutely, what I'm saying is you could theoretically run nginx in front of the IIS running OWA, and install authelia there. | 02:38:48 |
| netlol (netlol) | yes! | 02:39:47 |
| James | It would still require the users to login with their username/password twice, but they'd still need to use their 2FA if you configure that | 02:40:48 |
| James | Also if you configured Authelia with a decent remember me duration, like 1 week, they'd only have to sign into Authelia once a week | 02:41:22 |
| netlol (netlol) | Yap, so authelia worth give it a try. | 02:43:55 |
| James | Fairly positive it will work. The fact OWA works fine behind my additional proxy is a good sign that it will. Usually things like this either refuse to work behind an additional proxy or are happy to. | 02:47:11 |
 Amir | I proxy exchange with nginx | 03:05:10 |
| Amir | Redacted or Malformed Event | 03:06:18 |
| Amir | you need to turn on basic auth in IIS I believe, as it's disabled by default | 03:06:43 |
| Amir | * you need to turn on basic auth in IIS I believe, as it's disabled by default | 03:06:49 |
| Amir | * server {
server_name mail.example.com autoconfig.* autodiscover.*;
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name mail.example.com autoconfig.* autodiscover.*;
listen 443 ssl http2;
include /config/nginx/ssl.conf;
location / {
set $upstream_exchange https://exchange.internal;
proxy_pass $upstream_exchange;
# include /config/nginx/auth.conf;
include /config/nginx/proxy.conf;
# Exchange Config
client_max_body_size 0;
proxy_buffering off;
proxy_request_buffering off;
proxy_pass_request_headers on;
proxy_pass_header Date;
proxy_pass_header Server;
proxy_pass_header Authorization;
proxy_set_header Accept-Encoding "";
proxy_set_header Connection "Keep-Alive";
more_set_input_headers 'Authorization: $http_authorization';
more_set_headers -s 401 'WWW-Authenticate: Basic realm="exchange.example.com"';
}
}
| 03:07:12 |
| Amir | server {
server_name mail.example.com autoconfig.* autodiscover.*;
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name mail.example.com autoconfig.* autodiscover.*;
listen 443 ssl http2;
include /config/nginx/ssl.conf;
location / {
set $upstream_exchange https://exchange.internal;
proxy_pass $upstream_exchange;
# include /config/nginx/auth.conf;
include /config/nginx/proxy.conf;
# Exchange Config
client_max_body_size 0;
proxy_buffering off;
proxy_request_buffering off;
proxy_pass_request_headers on;
proxy_pass_header Date;
proxy_pass_header Server;
proxy_pass_header Authorization;
proxy_set_header Accept-Encoding "";
proxy_set_header Connection "Keep-Alive";
more_set_input_headers 'Authorization: $http_authorization';
more_set_headers -s 401 'WWW-Authenticate: Basic realm="exchange.example.com"';
}
}
| 03:07:29 |
| James | Why do you need basic auth btw? | 03:08:19 |
| Amir | You need it for EAS (ActiveSync) to work properly. | 03:10:00 |
| Amir | if you don't need/use ActiveSync it's fine without but if you do you'll need the part proceeding # Exchange Config and basic auth turned on | 03:10:36 |
| Amir | * You need it for EAS (ActiveSync) to work properly. | 03:11:05 |
| James | Ah gotcha | 03:14:48 |
