Wednesday, November 11. 2009
Apache2 with modsecurity as MS Exchange OWA proxy
Securing MS Exchange OWA with Apache2 and modsecurity
The intention of this short howto is to use the power of ModSecurity to secure an Apache2 server running as a proxy for MS Exchange OWA on the wild wild web. The system described below is based on a Debian lenny machine.
Let's start by editing sources.list to get the latest version of the ModSecurity module. Simply add this line:
deb http://etc.inittab.org/~agi/debian/libapache-mod-security2 ./
and install the stuff.
aptitude install libapache-mod-security apache2-mpm-worker
Now I disable all sites and modules that are not needed:
a2dissite default
a2dismod alias autoindex status authz_default authz_user authz_groupfile authn_file
Enable the modules to use and reload Apache:
a2enmod rewrite ssl proxy proxy_http proxy_connect mod-security
apache2ctl graceful
The Apache daemon should only listen on port 80 to redirect users to the SSL URL. Here is my virtual host config for rewriting the URL:
sites-available/proxy-rewrite
<VirtualHost *:80>
ServerAdmin webmaster@example.com
# Redirect http -> https
RewriteEngine On
RewriteCond %{HTTPS} off
# only the site root is redirected, straight to the OWA login
RewriteRule ^/$ https://%{HTTP_HOST}/owa/ [R,L]
LogLevel warn
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
</VirtualHost>
Now set up your SSL frontend with the MS Exchange server as backend:
sites-available/proxy-ssl
<VirtualHost *:443>
ServerAdmin webmaster@example.com
# SSL web -> proxy
SSLEngine on
# change the path to your cert and key
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# remote authentication if configured
# SSLProxyCACertificateFile /etc/apache2/webmailCA.cert
# SSLProxyMachineCertificateFile /etc/apache2/webmailMachine.cert
# SSL proxy -> owa
SSLProxyEngine on
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
SetEnv proxy-nokeepalive 1
SetEnv force-proxy-request-1.0 1
Order deny,allow
Allow from all
</Proxy>
<Location /owa>
ProxyPass https://<dns-from-your-intern-server>/owa
ProxyPassReverse https://<dns-from-your-intern-server>/owa
SSLRequireSSL
</Location>
# Logging
LogLevel warn
ErrorLog /var/log/apache2/error-ssl.log
CustomLog /var/log/apache2/access-ssl.log combined
</VirtualHost>
and enable both.
a2ensite proxy-rewrite proxy-ssl
The second step is to make Apache more reserved and let ModSecurity do its work by editing conf.d/security:
--- security.orig 2009-11-06 13:44:00.000000000 +0100 +++ security 2009-11-06 13:49:02.000000000 +0100 @@ -24,7 +24,7 @@ # where Full conveys the most information, and Prod the least. # #ServerTokens Minimal -ServerTokens Full +ServerTokens Prod # # Optionally add a line containing the server version and virtual host @@ -35,7 +35,7 @@ # Set to one of: On | Off | EMail # #ServerSignature Off -ServerSignature On +ServerSignature EMail # # Allow TRACE method @@ -48,3 +48,9 @@ #TraceEnable Off TraceEnable On +# enable modsecurity +<IfModule mod_security2.c> + Include modsecurity/rules/*.conf +</IfModule>
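Review bot: the third hunk leaves `TraceEnable On` untouched although the goal of this edit is a more reserved Apache; the context line `#TraceEnable Off` directly above shows the hardened value, so unless something really relies on TRACE, change it to `TraceEnable Off` in the same patch. In the second hunk, `ServerSignature EMail` still appends a footer with a mailto: link to the ServerAdmin address on generated error pages; `ServerSignature Off` is the choice that matches `ServerTokens Prod` from the first hunk.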
ModSecurity under Debian comes with a set of default rules. They are a good starting point. Copy these rules into the Apache2 config directory:
mkdir /etc/apache2/modsecurity
cp -R /usr/share/doc/mod-security-common/examples/rules /etc/apache2/modsecurity/
I prefer to have all my log files in the same place:
--- modsecurity_crs_10_config.conf.orig 2009-11-06 13:50:19.000000000 +0100 +++ modsecurity_crs_10_config.conf 2009-11-06 13:55:45.000000000 +0100 @@ -188,7 +188,7 @@ # exists and has write permissions for the Apache user. SecAuditLogType Serial -SecAuditLog logs/modsec_audit.log +SecAuditLog /var/log/apache2/modsec_audit.log # SecAuditLogStorageDir logs/modsec_audit # Select what portions of the request to log @@ -282,7 +282,7 @@ # NOTE Debug logging is generally very slow. You should never # use values greater than `3` in production. # -SecDebugLog logs/modsec_debug.log +SecDebugLog /var/log/apache2/modsec_debug.log SecDebugLogLevel 3 # Path where persistent data (e.g. IP address data, session data, etc) is to
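Review bot: the second hunk keeps `SecDebugLogLevel 3` right below a comment warning that debug logging is very slow and that values above 3 must never be used in production; 3 is the upper bound that comment tolerates, so once the rule set is tuned for OWA, drop it to 0 and raise it again only while chasing a false positive. The first hunk moves `SecAuditLog` to /var/log/apache2 but leaves the commented `SecAuditLogStorageDir logs/modsec_audit` on the old relative path; if audit logging is ever switched from Serial to Concurrent, that directory has to move as well and, as the context line says, be writable by the Apache user.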
MS Exchange OWA also needs some rule changes to work. In particular, owaauth.dll, which the login form calls, must remain callable.
--- modsecurity_crs_30_http_policy.conf.orig 2009-11-06 13:50:19.000000000 +0100
+++ modsecurity_crs_30_http_policy.conf 2009-11-06 14:26:50.000000000 +0100
@@ -90,7 +90,7 @@
# You may need to use ModSecurity Core Rule Set Templates to do so, otherwise
# comment the whole rule.
#
-SecRule REQUEST_BASENAME `.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$`
+SecRule REQUEST_BASENAME `.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$`
`phase:2,t:none,t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED'`
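Review bot: dropping `ll` from the extension alternation in the `+` line lifts the restriction for every `.dll` on the proxied site, not only for owaauth.dll, so any other DLL reachable under /owa now passes rule 960035. Keep `ll` in the list and exempt only the OWA login handler instead, for example with `SecRuleRemoveById 960035` inside a `<Location>` limited to the path under which owaauth.dll is served; the policy then still blocks other DLLs. The rule also answers a policy block with `status:500`, which reports a server error rather than a forbidden request; that is the upstream rule's behaviour, not this change, but worth knowing when reading the error log.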
Now it's time for fine tuning, e.g. rules that limit the attachment size.
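As an added example of such fine tuning (not part of the original post), here is a ModSecurity fragment that caps upload size for OWA attachments; the byte values and the rule id are assumptions, adjust them to your Exchange attachment limit and to ids unused by your rule set:

```apache
# Added example: limit the request body size for OWA attachments.
# Drop this file into /etc/apache2/modsecurity/rules/ so the
# "Include modsecurity/rules/*.conf" line picks it up.
<IfModule mod_security2.c>
    # Body inspection must be on, otherwise the limits are never applied
    SecRequestBodyAccess On
    # Hard cap on any request body: 25 MB (assumed value, in bytes)
    SecRequestBodyLimit 26214400
    # Cap on non-file form data: 128 KB, so only multipart uploads may be large
    SecRequestBodyNoFilesLimit 131072
    # Reject an oversized upload in phase 1, before the body is read,
    # whenever the client declares its size in Content-Length
    SecRule REQUEST_HEADERS:Content-Length "@gt 26214400" \
        "phase:1,t:none,deny,status:413,log,auditlog,msg:'Attachment too large',severity:'3',id:'900100'"
</IfModule>
```

Requests that exceed SecRequestBodyLimit without a matching Content-Length are still rejected by ModSecurity itself once the body has been read.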
If you find this article useful, please leave a comment.
Tom Geißler
Disclaimer
No liability for the contents of this document can be accepted. Use the concepts, examples and information at your own risk. There may be errors and inaccuracies that could damage your system. Proceed with caution, and although this is highly unlikely, the author does not take any responsibility. All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.
