Apache2 with modsecurity as MS Exchange OWA proxy
The intention of this short howto is to use the power of modsecurity to secure an Apache2 instance running as a reverse proxy for MS Exchange OWA on the wild wild web. The setup described below is based on a Debian lenny machine.
Let's start by editing sources.list to get the latest version of the modsecurity module. Simply add this line:
deb http://etc.inittab.org/~agi/debian/libapache-mod-security2 ./
and install the packages:
aptitude install libapache-mod-security apache2-mpm-worker
Now disable all sites and modules that are not needed:
a2dissite default
a2dismod alias autoindex status authz_default authz_user authz_groupfile authn_file
Then enable the modules that will be used and reload Apache:
a2enmod rewrite ssl proxy proxy_http proxy_connect mod-security
apache2ctl graceful
The Apache daemon should listen on port 80 only to redirect users to the SSL URL. Here is my virtualhost config for rewriting the URL:
sites-available/proxy-rewrite
<VirtualHost *:80>
    ServerAdmin webmaster@example.com

    # Redirect http -> https
    # Only the site root is matched here, so a request for "/" on port 80 is sent
    # to https://<host>/owa/; other paths on port 80 are served by this vhost as-is.
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/$ https://%{HTTP_HOST}%{REQUEST_URI}owa/ [R]

    LogLevel warn
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined
</VirtualHost>
Now set up the SSL frontend with the MS Exchange server as backend:
sites-available/proxy-ssl
<VirtualHost *:443>
    ServerAdmin webmaster@example.com

    # SSL web -> proxy
    SSLEngine on
    # change the path to your cert and key (the snakeoil pair is Debian's
    # self-signed placeholder and must be replaced for production use)
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # remote authentication if configured
    # SSLProxyCACertificateFile /etc/apache2/webmailCA.cert
    # SSLProxyMachineCertificateFile /etc/apache2/webmailMachine.cert

    # SSL proxy -> owa
    SSLProxyEngine on
    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy *>
        SetEnv proxy-nokeepalive 1
        SetEnv force-proxy-request-1.0 1
        Order deny,allow
        Allow from all
    </Proxy>

    # Only /owa is forwarded to the Exchange server; replace the placeholder
    # with the DNS name of your internal server
    <Location /owa>
        ProxyPass https://<dns-of-your-internal-server>/owa
        ProxyPassReverse https://<dns-of-your-internal-server>/owa
        SSLRequireSSL
    </Location>

    # Logging
    LogLevel warn
    ErrorLog /var/log/apache2/error-ssl.log
    CustomLog /var/log/apache2/access-ssl.log combined
</VirtualHost>
and enable both:
a2ensite proxy-rewrite proxy-ssl
The second step is to make Apache less talkative and let modsecurity do its work by editing conf.d/security:
--- security.orig 2009-11-06 13:44:00.000000000 +0100 +++ security 2009-11-06 13:49:02.000000000 +0100 @@ -24,7 +24,7 @@ # where Full conveys the most information, and Prod the least. # #ServerTokens Minimal -ServerTokens Full +ServerTokens Prod # # Optionally add a line containing the server version and virtual host @@ -35,7 +35,7 @@ # Set to one of: On | Off | EMail # #ServerSignature Off -ServerSignature On +ServerSignature EMail # # Allow TRACE method @@ -48,3 +48,9 @@ #TraceEnable Off TraceEnable On +# enable modsecurity +<IfModule mod_security2.c> + Include modsecurity/rules/*.conf +</IfModule>
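Review bot: in the second hunk, `ServerSignature EMail` adds a mailto link for the ServerAdmin address to every server-generated error page, so it discloses more than `ServerSignature Off`; given that this file is being edited to make Apache more reserved, `Off` is the conservative choice.

Review bot: in the third hunk, `TraceEnable On` is left in place as context while the surrounding changes are all about reducing what the server exposes; OWA does not need the TRACE method, so `TraceEnable Off` belongs in the same change. The `Include modsecurity/rules/*.conf` path is relative to ServerRoot (/etc/apache2 on Debian), which matches the directory created in the next step.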
Modsecurity under Debian comes with a set of default rules. They are a good starting point. Copy these rules into the Apache2 config directory:
mkdir /etc/apache2/modsecurity
cp -R /usr/share/doc/mod-security-common/examples/rules /etc/apache2/modsecurity/
I prefer to have all my log files in the same place:
--- modsecurity_crs_10_config.conf.orig 2009-11-06 13:50:19.000000000 +0100 +++ modsecurity_crs_10_config.conf 2009-11-06 13:55:45.000000000 +0100 @@ -188,7 +188,7 @@ # exists and has write permissions for the Apache user. SecAuditLogType Serial -SecAuditLog logs/modsec_audit.log +SecAuditLog /var/log/apache2/modsec_audit.log # SecAuditLogStorageDir logs/modsec_audit # Select what portions of the request to log @@ -282,7 +282,7 @@ # NOTE Debug logging is generally very slow. You should never # use values greater than `3` in production. # -SecDebugLog logs/modsec_debug.log +SecDebugLog /var/log/apache2/modsec_debug.log SecDebugLogLevel 3 # Path where persistent data (e.g. IP address data, session data, etc) is to
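Review bot: in the first hunk, moving `SecAuditLog` to /var/log/apache2/modsec_audit.log is fine, but with `SecAuditLogType Serial` every logged transaction lands in that one file, and if the request body part is among the "portions of the request to log" selected just below, the file will hold the OWA logon POSTs that pass through this proxy; keep it at the same root:adm 0640 ownership as the other Apache logs rather than making it world-readable.

Review bot: in the second hunk, `SecDebugLogLevel 3` is kept, which is the maximum the comment allows in production; the debug log at /var/log/apache2/modsec_debug.log grows quickly at that level, so drop it to 0 once the rule tuning below is finished.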
MS Exchange OWA also needs some rule changes to work. In particular, the owaauth.dll that the logon form calls must be reachable through the proxy:
--- modsecurity_crs_30_http_policy.conf.orig 2009-11-06 13:50:19.000000000 +0100 +++ modsecurity_crs_30_http_policy.conf 2009-11-06 14:26:50.000000000 +0100 @@ -90,7 +90,7 @@ # You may need to use ModSecurity Core Rule Set Templates to do so, otherwise # comment the whole rule. # -SecRule REQUEST_BASENAME `.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$` +SecRule REQUEST_BASENAME `.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$` `phase:2,t:none,t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED'`
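Review bot: the hunk removes `ll` from the `d(?:bf?|at|ll|os)` alternation, which stops rule 960035 from blocking every `.dll` basename on the whole proxy, not just owaauth.dll; a narrower change is to leave the CRS regex untouched and exempt only the OWA logon handler, e.g. `SecRuleRemoveById 960035` inside a `<Location>` for that path. Also, the listing shows the operator as `.(?:c(?:o...` and the operands in backticks; the CRS file uses `"\.(?:c(?:o...` with double quotes, so check that the copy under /etc/apache2/modsecurity still has the backslash and the quotes before relying on this rule.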
Now it's time for fine tuning, e.g. rules to limit the attachment size.
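As an added example for the two tuning points above (not part of the original howto), here is a fragment that limits what a client may upload through the /owa proxy and that exempts only the OWA logon handler from rule 960035 instead of removing `.dll` from the CRS regex. It assumes ModSecurity 2.5 as shipped for lenny, the rule id 960035 from the CRS file above, and that the OWA logon form posts to /owa/auth/owaauth.dll (an assumed path; check it against your Exchange version).

```apache
# Added tuning fragment for the OWA proxy; example, not from the original howto.
# Assumes ModSecurity 2.5.x and the CRS rule id 960035 shown earlier.

<Location /owa>
    # Inspect request bodies so the size limits below are enforced.
    SecRequestBodyAccess On
    # Cap the total request body (attachments) at 10 MB; larger uploads
    # are rejected by ModSecurity before they reach the Exchange server.
    SecRequestBodyLimit 10485760
    # Ordinary form posts carry no file parts and never need more than 128 KB.
    SecRequestBodyNoFilesLimit 131072
</Location>

# Keep the restricted-extension rule for every other .dll under /owa and
# exempt only the logon handler. /owa/auth/owaauth.dll is an assumed path.
<Location /owa/auth/owaauth.dll>
    SecRuleRemoveById 960035
</Location>
```

Put the first block inside the existing <Location /owa> of the SSL vhost (or merge the directives into it) so the limits apply only to proxied OWA traffic; a request over the limit is logged to modsec_audit.log with the rule that rejected it, which is the easiest way to confirm the numbers fit your users' attachment sizes before lowering them further.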
If you find this article useful, please leave a comment.
Tom