nginx as reverse proxy for OCS 2007 R2 Web Components

Posted in Linux, OCS, nginx on July 26th, 2010 by webern – 1 Comment

I’ve been working on this case to deploy OCS 2007 R2 in a Hosted (multi-tenant) environment to our customers and an important part of that is security.

Because of that we decided to use a reverse proxy in front of the web components server, and at first the software we chose was squid. After messing around and not getting it to work I gave up and went to give nginx a try.

With no previous nginx experience I sure as hell was excited about it, “would this actually work? how long would it take to get the configuration right? Squid took forever with scrolling through (old) configuration examples”.

To my enjoyment it was extremely easy to get up and running. Here’s a walkthrough:

  • Reverse proxy DNS name (should be available in the external DNS): ocsedgeweb.fabrikam.com
  • Web components server (with a single server in my case the pool server): ocspool01.fabrikam.com
  • Now, make sure that the reverse proxy server is able to connect to ocspool01.fabrikam.com (it needs to resolve the name and reach port 443, which is the port used here). You can test this by typing the following in the console on the reverse proxy:
    telnet ocspool01.fabrikam.com 443
  • Next up is to install nginx, I won’t go into the details here since it differs from distribution to distribution, but it should be fairly easy.
  • Get some certificates; yours should have the subject name ocsedgeweb.fabrikam.com. Save the certificate and private key in /etc/nginx.
  • Edit /etc/nginx/nginx.conf as follows
user nobody;
worker_processes 4;
events {
	worker_connections 1024;
}

http {
	include mime.types;
	default_type application/octet-stream;

	sendfile on;
	keepalive_timeout 65;
	server {
		listen 443;
		ssl on;
		# certificate and private key saved in /etc/nginx in the previous step
		ssl_certificate /etc/nginx/certificate.crt;
		ssl_certificate_key /etc/nginx/private.key;
		ssl_session_timeout 5m;
		# note: SSLv2, SSLv3 and the RC4/EXPORT/LOW suites in the list below are no longer considered safe
		ssl_protocols SSLv2 SSLv3 TLSv1;
		ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
		ssl_prefer_server_ciphers on;
		server_name ocsedgeweb.fabrikam.com;
		location / {
			# forward everything to the web components server over HTTPS
			proxy_pass https://ocspool01.fabrikam.com:443;
			# present the external name to the pool server and pass on the client address
			proxy_set_header Host ocsedgeweb.fabrikam.com;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			# stream responses (e.g. meeting content downloads) instead of buffering them to disk
			proxy_max_temp_file_size 0;
			proxy_connect_timeout 30;
			proxy_read_timeout 120;
		}
	}
}

Now start nginx and try uploading a file in Live Meeting for example.

As a note: we’ve set authentication on /Abs/Ext/, /etc/place and /GroupExpansion/Ext to ‘Basic’ instead of the default ‘Windows Integrated’.

Enabling URL-records in PowerDNS

Posted in PowerDNS on September 29th, 2009 by webern – 2 Comments

Tired of setting up small web hotels just so you can redirect domains to another url? Well, so was I.
Luckily we’re using PowerDNS, which supports the URL record type. What it basically does is tell your PowerDNS nameserver that you have a fancy record it should do something with.

Let’s get started:

  • First of all, you should enable fancy records in PowerDNS. Open up pdns.conf and paste this:
    fancy-records=yes
  • Then, you should tell it where your redirector service is; replace 192.168.1.1 with the publicly accessible address of your redirector service:
    urlredirector=192.168.1.1
  • Next up is to enable your webserver to redirect the requests. First, add a new virtual site. How you do this varies between distros, so I’ll leave that up to the reader. Here’s my current virtual host for it:
    <VirtualHost _default_:80>
    ServerAdmin hostmaster@localhost
    DocumentRoot /var/www/html/urlredirect
    ErrorLog logs/urlredirect-error_log
    CustomLog logs/urlredirect-access_log common
    </VirtualHost>
  • Next, and finally, create a simple PHP page that actually does the redirecting. It will connect to the MySQL backend of PowerDNS, read the URL record and redirect the user to that location.
    index.php
    <?php
    // Get the host name the user requested, without any :port suffix
    $servername = strtolower(preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST'] ?? ''));

    // Replace these with the credentials and database name of your PowerDNS backend
    $db = new mysqli('db-host', 'username', 'password', 'powerdns');
    if ($db->connect_error) {
        http_response_code(503);
        exit;
    }

    // Bind the host name as a parameter: the Host header is client-controlled,
    // so it must never be pasted into the SQL string
    $stmt = $db->prepare("SELECT content FROM records WHERE name = ? AND type = 'URL' LIMIT 1");
    $stmt->bind_param('s', $servername);
    $stmt->execute();
    $stmt->bind_result($content);
    $target = $stmt->fetch() ? trim($content) : null;
    $stmt->close();
    $db->close();

    // Only follow absolute http(s) targets; the pattern also rejects whitespace
    // and line breaks, so a malformed record cannot inject extra response headers
    if ($target !== null && preg_match('~^https?://\S+$~', $target)) {
        header('Location: ' . $target);
    } else {
        // no matching record, redirect to a failsafe place
        header('Location: http://www.google.com');
    }
    exit;
    ?>
  • This should be it! If you’re really brave you could also add a rewrite rule to make sure all requests get redirected, not only those to somedomain.com/.