Configuring NGINX as a Reverse Proxy for Skype4Business

I had to set up a reverse proxy for a Lync 2013 Edge server deployment, but I did not want to use IIS for this purpose.

So I decided to use nginx (nginx-1.8.0_3,2) on FreeBSD (FreeBSD 10.1-RELEASE).

The configuration was written for Lync 2013 and kept working after the upgrade to Skype for Business; note that it targets nginx 1.8 and the TLS settings below reflect that era, so review the ssl_* directives before reusing it.

 

#################
# nginx.conf	#
#################

worker_processes  4;

events {
    # Per-worker limit; each proxied request consumes two connections
    # (client side and upstream side), so the effective request ceiling is lower.
    worker_connections  1024;
}

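http {
    server_names_hash_bucket_size 64;    # the Lync server_name lists below are long

    include             /usr/local/etc/nginx/mime.types;
    default_type        application/octet-stream;

    # $upstream_addr / $upstream_response_time show which front end answered and
    # how long it took; $request_time covers the whole client-side transaction.
    log_format upstream '$remote_addr - $host - [$time_local] '
                        '"$request" $status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for" "$upstream_addr" '
                        '"$upstream_cache_status" "$upstream_response_time" "$request_time"';

    # Both logs go to the local syslog daemon (UDP 514); nginx writes no log files itself.
    access_log          syslog:server=localhost:514,tag=nginx,facility=local1,severity=info upstream;
    error_log           syslog:server=localhost:514,tag=nginx_error,facility=local2,severity=info;

    client_body_temp_path /var/spool/nginx-client-body 1 2;
    client_max_body_size 400m;           # large request bodies allowed; lower it if uploads are not needed
    client_body_buffer_size    128k;

    server_tokens       off;             # hide the nginx version in headers and error pages

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         off;

    keepalive_timeout   5;

    proxy_redirect     off;

    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_max_temp_file_size 0;          # never spool upstream responses to disk

    reset_timedout_connection on;

    proxy_connect_timeout      10;
    proxy_send_timeout         300;
    proxy_read_timeout         300;

    proxy_buffer_size          4k;
    proxy_buffers              4 32k;
    proxy_busy_buffers_size    64k;
    proxy_temp_file_write_size 64k;

    # TLS 1.0/1.1 are kept only for legacy Lync clients of the period;
    # restrict this to TLSv1.2 as soon as every client supports it.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # RC4 (prohibited by RFC 7465) and 3DES (64-bit block size, Sweet32) were
    # removed from the original list; ECDHE suites come first so forward
    # secrecy is preferred when ssl_prefer_server_ciphers is on.
    ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5:!aNULL;
    ssl_prefer_server_ciphers on;
    ssl_dhparam "/usr/local/etc/nginx/dhparam4k.pem";
    # NOTE: add_header is only inherited by a server/location that declares NO
    # add_header of its own. The site files below do declare one
    # ("add_header Front-End-Https on;"), so this HSTS header is NOT sent on
    # their HTTPS responses unless it is repeated inside those server blocks.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    include             /usr/local/etc/nginx/sites/*.conf;
}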

########################
# sites/lyncpool.conf  #
########################


upstream lyncpool {
        # Presumably the front-end pool's external web site (port 4443) -- verify.
        # ip_hash pins a client address to one front end; if this proxy itself sits
        # behind NAT, every client hashes to the same FE -- TODO confirm for this site.
        ip_hash;
        server 172.xxx.xxx.222:4443 max_fails=1 fail_timeout=10s;   # one failed attempt removes the FE for 10s
        server 172.xxx.xxx.223:4443 max_fails=1 fail_timeout=10s;
        # Idle upstream connections kept per worker; only effective together with
        # proxy_http_version 1.1 and an empty Connection header in the server block.
        keepalive 32;
}
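server {
        listen 80;
        server_name lync.domain.com sip.domain.com dialin.domain.com meet.domain.com lyncdiscover.domain.com im.domain.com scheduler.domain.com lyncdiscoverinternal.domain.com lyncfrontend1.internaldomain.lan lyncfrontend2.internaldomain.lan lyncpool.internaldomain.lan lyncfrontend1.domain.com lyncfrontend2.domain.com lyncpool.domain.com;
        # Redirect to the name the client actually asked for. The original used
        # $server_name, which in a multi-name server block always expands to the
        # FIRST name (lync.domain.com), so e.g. meet.domain.com was redirected to
        # the wrong host. $host is the client-supplied Host header; requests with
        # an unknown Host also land in whichever port-80 server nginx loaded first
        # (the implicit default), so add an explicit default_server that rejects
        # them if this listener is reachable from the Internet.
        return 301 https://$host$request_uri;
}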
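server {
        listen 443 ssl;                  # "ssl" on the listen line replaces the old "ssl on;"
        server_name lync.domain.com sip.domain.com dialin.domain.com meet.domain.com lyncdiscover.domain.com im.domain.com scheduler.domain.com lyncdiscoverinternal.domain.com lyncfrontend1.internaldomain.lan lyncfrontend2.internaldomain.lan lyncpool.internaldomain.lan lyncfrontend1.domain.com lyncfrontend2.domain.com lyncpool.domain.com;

        ssl_certificate      /usr/local/etc/nginx/conf/domain.com.pem;
        ssl_certificate_key  /usr/local/etc/nginx/conf/domain.com.key;

        # HSTS must be repeated here: any add_header in this block disables
        # inheritance of the add_header defined in the http context, so without
        # this line the header is never sent on the HTTPS responses.
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

        proxy_redirect off;
        proxy_buffering off;             # long-poll responses must stream through unbuffered
        proxy_read_timeout 3600;         # long-lived connections; overrides the http-level 300s
        proxy_pass_header Date;
        # The upstream "Server" header is deliberately no longer passed through
        # (the original had "proxy_pass_header Server;"): it exposed the backend
        # web server version to clients despite server_tokens off.
        proxy_set_header Connection "";  # needed for the keepalive pool in "upstream lyncpool"
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;   # the original sent the literal "off", which is not a scheme
        # Front-End-Https is a request hint for the backend (the ISA/TMG
        # convention). The original used add_header, which puts it on the
        # *response* to the client instead; assumed intent was the request
        # header -- confirm the front ends do not depend on either form.
        proxy_set_header Front-End-Https on;
        proxy_http_version 1.1;

        location / {
                # Everything under / is forwarded to the pool. The upstream
                # connection is TLS but the front-end certificate is NOT verified
                # (nginx default); on nginx >= 1.7 add "proxy_ssl_verify on;" with
                # proxy_ssl_trusted_certificate pointing at the issuing CA and
                # proxy_ssl_name set to the name on the front-end certificate.
                proxy_pass https://lyncpool;
        }
}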

############################
# sites/lyncpool-int.conf  #
############################

upstream lyncpool-int {
        # Presumably the front-end pool's internal web site (port 443) -- verify.
        # Same ip_hash caveat as "upstream lyncpool": behind NAT all clients hash
        # to one front end -- TODO confirm for this site.
        ip_hash;
        server 172.xxx.xxx.222:443 max_fails=1 fail_timeout=10s;   # one failed attempt removes the FE for 10s
        server 172.xxx.xxx.223:443 max_fails=1 fail_timeout=10s;
        # Idle upstream connections kept per worker; only effective together with
        # proxy_http_version 1.1 and an empty Connection header in the server block.
        keepalive 32;
}
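server {
        listen 80;
        server_name lyncpool-int.internaldomain.lan admin.internaldomain.lan;
        # $host instead of $server_name: with two names in server_name, $server_name
        # is always the first one, so admin.internaldomain.lan was being redirected
        # to lyncpool-int.internaldomain.lan. $host is client-supplied; unknown Host
        # values reach whichever port-80 server nginx loaded first, so add an
        # explicit default_server that rejects them if this port is exposed.
        return         301 https://$host$request_uri;
}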

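server {
        # Routing is by Host header only: a request carrying
        # "Host: admin.internaldomain.lan" sent to the public address of this
        # proxy reaches the internal web site (port 443) through this block.
        # If this nginx also fronts the Internet, bind this server to an
        # internal address (listen <internal-ip>:443 ssl) or restrict it by
        # source address with allow/deny.
        listen 443 ssl;                  # "ssl" on the listen line replaces the old "ssl on;"
        server_name lyncpool-int.internaldomain.lan admin.internaldomain.lan;

        ssl_certificate      /usr/local/etc/nginx/conf/lyncpool_internaldomain_lan.cer;
        ssl_certificate_key  /usr/local/etc/nginx/conf/lyncpool_internaldomain_lan.key;

        # Repeated here because a local add_header disables inheritance of the
        # HSTS add_header from the http context.
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

        proxy_redirect off;
        proxy_buffering off;             # long-poll responses must stream through unbuffered
        proxy_read_timeout 3600;         # long-lived connections; overrides the http-level 300s
        proxy_pass_header Date;
        # "proxy_pass_header Server;" dropped: it leaked the backend version
        # to clients despite server_tokens off.
        proxy_set_header Connection "";  # needed for the keepalive pool in "upstream lyncpool-int"
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;   # the original sent the literal "off", which is not a scheme
        # Front-End-Https is a backend request hint; the original add_header put it
        # on the response instead. Assumed intent -- confirm the front ends do not
        # depend on either form.
        proxy_set_header Front-End-Https on;
        proxy_http_version 1.1;

        location / {
                # Upstream TLS without certificate verification (nginx default);
                # on nginx >= 1.7 add "proxy_ssl_verify on;" with
                # proxy_ssl_trusted_certificate and proxy_ssl_name.
                proxy_pass https://lyncpool-int;
        }
}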