boutzamat · October 16, 2023 10:34 · Nov 22, 2021
diff --git a/exchange.conf b/exchange.conf
@@ -0,0 +1,72 @@
+server {
+    listen 80;
+    server_name mail.example.com;
+    return 301 https://mail.example.com;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name mail.example.com autodiscover.example.com;
+
+    location / {
+        return 301 https://mail.example.com/owa;
+    }
+
+    # Alllowed endpoints (use DNS or IP for target server)
+    location ~* ^/owa { proxy_pass https://mail.example.com; }
+    location ~* ^/Autodiscover { proxy_pass https://mail.example.com; }
+    location ~* ^/Microsoft-Server-ActiveSync { proxy_pass https://mail.example.com; }
+    location ~* ^/ecp { proxy_pass https://mail.example.com; }
+    location ~* ^/mapi { proxy_pass https://mail.example.com; }
+    location ~* ^/EWS { proxy_pass https://mail.example.com; }
+
+    # Proxy options
+    proxy_pass_request_headers on;
+
+    proxy_read_timeout      360s;
+    proxy_pass_header       Date;
+    proxy_pass_header       Server;
+    proxy_set_header        Host $host;
+    proxy_set_header        X-Real-IP $remote_addr;
+    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header        Accept-Encoding "";
+    proxy_set_header        Connection "Keep-Alive";
+    proxy_buffering off;
+
+    # Hiding headers to prevent information disclosure
+    proxy_hide_header	    X-FEServer;
+	proxy_hide_header	    X-ASPNET-Version;
+	proxy_hide_header	    x-calculatedbetarget;
+	proxy_hide_header	    x-beserver;
+	proxy_hide_header	    x-diaginfo;
+	proxy_hide_header	    x-owa-minimumsupportedowsversion;
+	proxy_hide_header	    x-owa-owsversion;
+	proxy_hide_header	    x-owa-diagnosticsinfo;
+	proxy_hide_header	    x-owa-version;
+
+
+    # Max filesize that can be used (for example attachments)
+    client_max_body_size 10M;
+
+    # Authentication for Outlook against /mapi
+    more_set_headers -s 401 'WWW-Authenticate: Basic realm="mail.example.com"';
+
+    # SSL certificate (LetsEncrypt based)
+    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+    ssl_session_timeout 5m;
+
+    # Securityheaders
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header Content-Security-Policy "frame-ancestors 'self' https://mail.example.com; block-all-mixed-content; upgrade-insecure-requests";
+    add_header Feature-Policy "microphone 'none'; geolocation 'none'";
+    add_header Expect-CT "max-age=0";
+    add_header Referrer-Policy "no-referrer";
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header X-Content-Type-Options "nosniff" always;
+
+    # Log files
+    error_log /var/log/nginx/owa-ssl-error.log;
+    access_log /var/log/nginx/owa-ssl-access.log;
+}
diff --git a/nginx.conf b/nginx.conf
@@ -0,0 +1,41 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+	# Basic Settings
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	server_tokens off;
+
+	# Server header replacement (requires: nginx-extras)
+	more_set_headers 'Server: ';
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	# SSL Settings
+	ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+	ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:EECDH+CHACHA20:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
+
+	# Logging Settings
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	# Gzip Settings
+	gzip off;
+
+	# Virtual Host Configs
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
No results found