Forum: NGINX Cookie/Session Expired - OWA SSL Reverse Proxy

spacecwoboy (Guest)
on 2013-08-14 19:21
(Received via mailing list)
Hi.

Trying to configure a reverse proxy to allow external access to an Outlook Web Access server. I am able to route traffic through the NGINX to the OWA server, present the web page, and place the username & pw into the form. OWA rejects valid username/pwd's with a "Your session has timed out...." error.

Looking through my custom log files, somehow the session ID and the expired values are munged in the GET & POST process through the proxy. There may be a simple fix that I'm not able to find. Any suggestions will be appreciated!


=======Logs=======
(log_format fragment: '$request  |[set_cookie - "$sent_http_set_cookie" ]|')

POST /owa/auth.owa HTTP/1.1 |[ set_cookie - "sessionid=9a0d1af8-9406-4c3d-b225-cf28e56a8bb6; path=/" ]|
GET /owa/ HTTP/1.1 |[ set_cookie - "sessionid=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT" ]|
GET /owa/auth/logon.aspx?url=https://email.internal.local/owa/&reason=3 HTTP/1.1 |[ set_cookie - "-" ]|
GET /owa/auth/logon.aspx?replaceCurrent=1&reason=3&url=https%3a%2f%2femail.internal.local%2fowa%2f HTTP/1.1 |[ set_cookie - "-" ]|
POST /owa/auth.owa HTTP/1.1 |[ set_cookie - "sessionid=50bfb645-4ed1-4bd8-8d69-7fa0e79d748d; path=/" ]|
GET /owa/ HTTP/1.1 |[ set_cookie - "sessionid=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT" ]|



=======OWA=======
server {
    listen 80;
    server_name email;
    # send every plain-HTTP request to the HTTPS vhost
    rewrite ^(.*) https://email$1 permanent;
}

server {
    listen 443;
    server_name email;
    # bare hostname goes straight to /owa
    rewrite ^/$ https://email/owa permanent;
    ssl on;
    ssl_certificate /etc/ssl/certs/myssl.crt;
    ssl_certificate_key /etc/ssl/private/myssl.key;
    ssl_session_timeout 5m;
    proxy_read_timeout 360;

    location /owa {
        # backend is itself HTTPS, so this is TLS on both legs
        proxy_pass https://email.internal.local/owa;
        proxy_pass_header Set-Cookie;
        proxy_pass_header P3P;
    }
}

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,241856,241856#msg-241856
Jonathan Matthews (Guest)
on 2013-08-14 19:35
(Received via mailing list)
On 14 August 2013 18:20, spacecwoboy <nginx-forum@nginx.us> wrote:
> a simple fix that I'm not able to find.  Any suggestions will be
> appreciated!

I have a vague recollection that OWA uses a nasty form of authentication which *requires* that each client's end-to-end connection to the backend be long-lived, and only used by that one client (as the auth is done in the first few packets and not repeated). I don't know how you'd configure that in nginx.

I may be wrong about it, however. I've never tried Nginx in front of OWA myself. This question comes up on the HAProxy list sometimes, and it seems solvable by HAP users.

Jonathan
spacecwoboy (Guest)
on 2013-08-16 15:43
(Received via mailing list)
Jonathan Matthews Wrote:
-------------------------------------------------------
> out...."
> authentication which *requires* that each client's end-to-end
> connection to the backend be long-lived, and only used by that one
> client (as the auth is done in the first few packets and not
> repeated). I don't know how you'd configure that in nginx.
>
> I may be wrong about it, however. I've never tried Nginx in front of
> OWA myself. This question comes up on the HAProxy list sometimes, and
> it seems solvable by HAP users.
>
> Jonathan


Much appreciated Jonathan - it prompted me to take some different testing steps.

I pointed nginx to a 'test' OWA back-end, which is a mirror of the prod environment, less the rigid SSL certs. Authentication passed right on through, everything was jive.

I'll likely take a different route of trunking SSL to nginx, remove the OWA cert, then ipsec'ing the nginx server to the OWA server host-to-host.

Seems that's the fairly common approach?

( This thread helped btw: http://forum.nginx.org/read.php?2,234641,234654#msg-234654 )

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,241856,241939#msg-241939
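For readers weighing the "strip the OWA cert and tunnel over IPsec" route above, here is an added example configuration (not the poster's config, not anything from the nginx or Exchange projects) of the other option: terminate the public TLS on nginx, keep TLS to the backend, and have nginx verify the backend certificate explicitly. It also passes the browser's Host header through and rewrites redirects, since the first post's log shows OWA building its logon URL around the internal name (`email.internal.local`). `email.example.com`, the CA bundle path and the OWA host-header behaviour are assumptions; the `proxy_ssl_*` directives require nginx 1.7.0 or later.

```nginx
# Added example, not the poster's configuration.
# Assumed names: public host email.example.com, backend email.internal.local,
# CA bundle /etc/ssl/certs/internal-ca.pem.

server {
    listen 80;
    server_name email.example.com;
    # plain HTTP: redirect to HTTPS, preserving the requested path
    return 301 https://email.example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name email.example.com;

    # public-facing certificate (same paths as the original post)
    ssl_certificate     /etc/ssl/certs/myssl.crt;
    ssl_certificate_key /etc/ssl/private/myssl.key;
    ssl_session_timeout 5m;

    # bare hostname goes to OWA
    location = / { return 302 /owa/; }

    location /owa {
        proxy_pass https://email.internal.local/owa;
        proxy_read_timeout 360;

        # Forward the name the browser used, not the proxy_pass hostname
        # (nginx's default Host is $proxy_host, i.e. the internal name).
        # Assumption: OWA builds its redirect/logon URLs from this header.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Rewrite any absolute Location header that still names the backend.
        proxy_redirect https://email.internal.local/ https://email.example.com/;

        # nginx does NOT verify upstream certificates by default; turn it on
        # so the backend leg stays authenticated instead of being downgraded
        # to plaintext behind a separate tunnel (directives from nginx 1.7.0).
        proxy_ssl_verify               on;
        proxy_ssl_verify_depth         2;
        proxy_ssl_trusted_certificate  /etc/ssl/certs/internal-ca.pem;   # assumed path
        proxy_ssl_server_name          on;
        proxy_ssl_name                 email.internal.local;   # must match the backend cert

        # Set-Cookie is passed through by default; only P3P needs explicit passing.
        proxy_pass_header P3P;
    }
}
```

Two points worth checking with this layout: confirm with `nginx -t` that the CA bundle is readable and actually chains to the backend certificate (a verification failure shows up as a 502 and an "upstream SSL certificate verify error" line in the error log), and confirm in the same custom log format used in the first post that the `sessionid` cookie is no longer immediately re-sent with the 1970 expiry on the `GET /owa/` that follows `POST /owa/auth.owa`.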