!KkOYRJWUONSuNfPsXt:matrix.org

Support (Authelia)

368 Members, 52 Servers
The Official Authelia HQ - please come chat here, feel free to ask for support! | https://github.com/authelia/authelia | https://buildkite.com/authelia/authelia | https://www.authelia.com | https://opencollective.com/authelia-sponsors


Sender | Message | Time
16 Jun 2021
@james.elliott:matrix.org James | As long as you can get nginx/haproxy working in front of OWA it will just work. | 02:27:59
@netlol-60bf13a16da03739847e67d0:gitter.im netlol (netlol) | As far as I know, MS has ARR for reverse proxy already. | 02:28:32
@james.elliott:matrix.org James | We've not tested ARR, or IIS with Authelia. It would have to support the method of authentication verification we provide. | 02:30:01
@netlol-60bf13a16da03739847e67d0:gitter.im netlol (netlol) | Hmm.. | 02:30:50
@netlol-60bf13a16da03739847e67d0:gitter.im netlol (netlol) | The only solution I found that works with OWA is Duo Security. | 02:31:14
@james.elliott:matrix.org James | If you found something similar to these, we'd be able to help figure it out with you: https://doc.traefik.io/traefik/middlewares/forwardauth/ https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/ | 02:31:47
@netlol-60bf13a16da03739847e67d0:gitter.im netlol (netlol) | For some reason we can't use cloud-based mail. | 02:32:13
@netlol-60bf13a16da03739847e67d0:gitter.im netlol (netlol) | Thank you. | 02:32:29
@james.elliott:matrix.org James | I have actually set up my OWA to work behind another proxy, let me see how I have it configured. | 02:35:15
@james.elliott:matrix.org James | Yeah, I just proxy 443 -> 443 | 02:36:37
@james.elliott:matrix.org James | So it would be relatively simple to configure that if you really wanted. | 02:37:09
@netlol-60bf13a16da03739847e67d0:gitter.im netlol (netlol) | MS itself doesn't support 2FA for On-Premises Exchange. | 02:37:53
@netlol-60bf13a16da03739847e67d0:gitter.im netlol (netlol) | hmm... | 02:38:02
@james.elliott:matrix.org James | Yeah, absolutely. What I'm saying is you could theoretically run nginx in front of the IIS running OWA, and install Authelia there. | 02:38:48
@netlol-60bf13a16da03739847e67d0:gitter.im netlol (netlol) | yes! | 02:39:47
@james.elliott:matrix.org James | It would still require the users to log in with their username/password twice, but they'd still need to use their 2FA if you configure that. | 02:40:48
@james.elliott:matrix.org James | Also, if you configured Authelia with a decent remember me duration, like 1 week, they'd only have to sign into Authelia once a week. | 02:41:22
@netlol-60bf13a16da03739847e67d0:gitter.im netlol (netlol) | Yep, so Authelia is worth giving a try. | 02:43:55
@james.elliott:matrix.org James | Fairly positive it will work. The fact OWA works fine behind my additional proxy is a good sign that it will. Usually things like this either refuse to work behind an additional proxy or are happy to. | 02:47:11
@nightah:nerv.com.au Amir | I proxy Exchange with nginx. | 03:05:10
@nightah:nerv.com.au Amir | You need to turn on basic auth in IIS I believe, as it's disabled by default. | 03:06:43
@nightah:nerv.com.au Amir |
# Redirect plain HTTP to HTTPS
server {
    server_name mail.example.com autoconfig.* autodiscover.*;
    listen 80;
    return 301 https://$server_name$request_uri;
}

server {
    server_name mail.example.com autoconfig.* autodiscover.*;
    listen 443 ssl http2;
    include /config/nginx/ssl.conf;

    location / {
        # Upstream Exchange server
        set $upstream_exchange https://exchange.internal;
        proxy_pass $upstream_exchange;
        # include /config/nginx/auth.conf;
        include /config/nginx/proxy.conf;

        # Exchange Config
        # No limit on request body size; stream requests and responses unbuffered
        client_max_body_size 0;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_pass_request_headers on;
        # Pass these upstream response headers through to the client
        proxy_pass_header Date;
        proxy_pass_header Server;
        proxy_pass_header Authorization;
        # An empty value stops Accept-Encoding being sent to the upstream
        proxy_set_header Accept-Encoding "";
        proxy_set_header Connection "Keep-Alive";
        # headers-more module: forward the client's Authorization header
        # and advertise Basic auth on 401 responses
        more_set_input_headers 'Authorization: $http_authorization';
        more_set_headers -s 401 'WWW-Authenticate: Basic realm="exchange.example.com"';
    }
}
| 03:07:29
@james.elliott:matrix.org James | Why do you need basic auth btw? | 03:08:19
@nightah:nerv.com.au Amir | You need it for EAS (ActiveSync) to work properly. | 03:10:00
@nightah:nerv.com.au Amir | If you don't need/use ActiveSync it's fine without, but if you do you'll need the part proceeding # Exchange Config and basic auth turned on. | 03:10:36
@james.elliott:matrix.org James | Ah gotcha | 03:14:48
