最近做了个项目,exchange 2016两台有DAG,要做个负载均衡,想到用NGINX。
目前NGINX已经架设好,对pop,IMAP,exchange等都可以,只有SMTP TLS死活过不去,有知道这方面的高人吗?
NGINX上弄了证书也不行。
NGINX版本如下:
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabledNGINX -V也测试过
[root@nginx1 logs]# ../sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
目前NGINX已经架设好,对pop,IMAP,exchange等都可以,只有SMTP TLS死活过不去,有知道这方面的高人吗?
NGINX上弄了证书也不行。
NGINX版本如下:
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabledNGINX -V也测试过
[root@nginx1 logs]# ../sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
worker_processes 5;#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main; sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 10; #gzip on;# server {
# listen 80;
# server_name localhost; #charset koi8-r; #access_log logs/host.access.log main;# location / {
# root /usr/local/nginx/html;
# index index.php index.html index.htmi;
# } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# root html;
# } # proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
# location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
#fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
# include fastcgi_params;
# }include owa.conf;
}
include mail.conf;
# configuration file /usr/local/nginx/conf/mime.types:types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss; text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc; image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp; application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip; application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm; application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra; video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}# configuration file /usr/local/nginx/conf/owa.conf:
server {
listen 443;
server_name cas.texhong.com;
# auth_basic "sun will"
# auth_basic_user_file nginx_passwd;
# Redirect from "/" to "/owa" by default
rewrite ^/$ https://cas.texhong.com/owa permanent;
# Enable SSL ssl on;
ssl on;
ssl_certificate /usr/local/nginx/conf/ssl/33iq.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/33iq_nopass.key;
ssl_session_timeout 5m;
# Set global proxy settings proxy_read_timeout 360;
proxy_pass_header Date;
proxy_pass_header Server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location /owa {
proxy_pass https://cas.texhong.com/owa;
}
location /exchange {
proxy_pass https://cas.texhong.com/exchange;
}
location /exchweb {
proxy_pass https://cas.texhong.com/exchweb;
}
location /public {
proxy_pass https://cas.texhong.com/public;
}
location /Microsoft-Server-ActiveSync {
proxy_pass https://cas.texhong.com/Microsoft-Server-ActiveSync;
}
error_log /usr/local/nginx/logs/error.log;
access_log /usr/local/nginx/logs/access.log;
}# configuration file /usr/local/nginx/conf/mail.conf:
mail {
auth_http 10.0.2.31/auth.php;
pop3_capabilities "TOP" "USER";
imap_capabilities "IMAP4rev1" "UIDPLUS"; ssl on;
ssl_certificate /usr/local/nginx/conf/ssl/33iq.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/33iq_nopass.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m; server {
listen 25;
protocol smtp;
proxy on;
#xclient on;
smtp_auth login plain cram-md5;
#client off;
} server {
listen 110;
protocol pop3;
proxy on;
#xclient on;
} server {
listen 143;
protocol imap;
proxy on;
#xclient on;
}}[root@nginx1 logs]# ../sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx1 logs]# cat ../conf/nginx.conf#user nobody;
worker_processes 5;#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main; sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 10; #gzip on;# server {
# listen 80;
# server_name localhost; #charset koi8-r; #access_log logs/host.access.log main;# location / {
# root /usr/local/nginx/html;
# index index.php index.html index.htmi;
# } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# root html;
# } # proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
# location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
#fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
# include fastcgi_params;
# }include owa.conf;
}
include mail.conf;
listen 443;
server_name cas.texhong.com;
# auth_basic "sun will"
# auth_basic_user_file nginx_passwd;
# Redirect from "/" to "/owa" by default
rewrite ^/$ https://cas.texhong.com/owa permanent;
# Enable SSL ssl on;
nginx -V
--with-mail_ssl_module 先查看这个模块编译了没有 listen 这里要加 ssl
ssl_protocols TLSv1.1 TLSv1.2; 不要用TLSv1 有漏洞
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;你的配置文件太乱了,简化了一下
你按照这个改
worker_processes automail {
server_name mail.example.com;
auth_http localhost:9000/cgi-bin/nginxauth.cgi; proxy_pass_error_message on; ssl on;
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/certs/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m; server {
listen 25;
protocol smtp;
smtp_auth login plain cram-md5;
} server {
listen 110;
protocol pop3;
pop3_auth plain apop cram-md5;
} server {
listen 143;
protocol imap;
}
}