# NGINX Plus configuration for enhanced load balancing of Microsoft Exchange # servers # # For simplicity, all directives appear in this file. You can also create # function-specific files in the /etc/nginx/conf.d directory (for example, # create separate files for the 'http' and 'stream' blocks in this file). Then # use the 'include' directive in the main nginx.conf file to reference the # function-specific files. # # For more information, see http://nginx.org/r/include, and the # "Load Balancing Microsoft Exchange Servers with NGINX Plus" deployment guide # at www.nginx.com. user nginx; worker_processes auto; error_log /var/log/nginx/error.log debug; pid /var/run/nginx.pid; events { worker_connections 1024; } http { log_format main '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_user_agent" "$upstream_addr"'; access_log /var/log/nginx/access.log main; keepalive_timeout 3h; proxy_read_timeout 3h; tcp_nodelay on; # This 'include' directive is appropriate if you are placing all # Exchange-related directives in the main nginx.conf file. Adjust as # necessary if already using included feature-specific configuration # files. include conf.d/status.conf; upstream exchange { zone exchange-general 64k; ntlm; server 10.0.0.237:443; # Replace with IP address of a CAS server 10.0.0.238:443; # Replace with IP address of a CAS } upstream exchange-activesync { zone exchange-activesync 64k; ntlm; server 10.0.0.237:443; # Replace with IP address of a CAS server 10.0.0.238:443; # Replace with IP address of a CAS } upstream exchange-ecp { zone exchange-ecp 64k; ntlm; server 10.0.0.237:443; # Replace with IP address of a CAS server 10.0.0.238:443; # Replace with IP address of a CAS } upstream exchange-mapi { zone exchange-mapi 64k; ntlm; server 10.0.0.237:443; # Replace with IP address of a CAS server 10.0.0.238:443; # Replace with IP address of a CAS } upstream exchange-owa { zone exchange-owa 64k; ntlm; server 10.0.0.237:443; # Replace with IP address of a CAS server 10.0.0.238:443; # Replace with IP address of a CAS } upstream exchange-rpc { zone exchange-rpc 64k; ntlm; server 10.0.0.237:443; # Replace with IP address of a CAS server 10.0.0.238:443; # Replace with IP address of a CAS sticky learn create=$remote_addr lookup=$remote_addr zone=client_sessions:10m timeout=3h; } match exchange-auth { status 401; header WWW-Authenticate ~ Basic; } match exchange-health { status 200; body ~ "200 OK"; } server { listen 80; location / { return 301 https://$host$request_uri; } } server { listen 443 ssl http2; client_max_body_size 2G; ssl_certificate /etc/nginx/ssl/company.com.crt; ssl_certificate_key /etc/nginx/ssl/company.com.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; status_zone exchange-combined; location = / { return 301 "/owa/"; } location = /favicon.ico { empty_gif; access_log off; } location / { proxy_pass https://exchange; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; } location /ecp { # Grant access to admin users only, by uncommenting the 'allow' # and 'deny' directives and substituting the IP address and # prefix of your admin network. Or configure more sophisticated # access control. #allow 172.16.0.0/16; # Replace with your admin network #deny all; proxy_pass https://exchange-ecp; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; health_check uri=/ecp/healthcheck.htm interval=3s match=exchange-health; } location /mapi { proxy_pass https://exchange-mapi; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; health_check uri=/mapi/healthcheck.htm interval=3s match=exchange-health; } location /Microsoft-Server-ActiveSync { proxy_pass https://exchange-activesync; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; } location /owa { proxy_pass https://exchange-owa; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; health_check uri=/owa/healthcheck.htm interval=3s match=exchange-health; } location /rpc/rpcproxy.dll { proxy_pass https://exchange-rpc; proxy_buffering off; proxy_http_version 1.1; proxy_request_buffering off; proxy_set_header Connection "Keep-Alive"; proxy_set_header Host $host; health_check uri=/rpc/rpcproxy.dll interval=3s match=exchange-auth; } } } stream { upstream exchange-imaps { zone exchange-imaps 64k; server 10.0.0.237:993; # Replace with IP address of a CAS server 10.0.0.238:993; # Replace with IP address of a CAS } upstream exchange-smtp { zone exchange-smtp 64k; server 10.0.0.237:25; # Replace with IP address of a CAS server 10.0.0.238:25; # Replace with IP address of a CAS } server { listen 993; status_zone exchange-imaps; proxy_pass exchange-imaps; } server { listen 25; # SMTP port can be changed here (to 587, for example) status_zone exchange-smtp; proxy_pass exchange-smtp; } }