Hello List,

I've run into what I hope will be the last problem of trying to get OWA and Squid to behave! :-)

I've seen several posts where folks have got OWA to work with Squid, but the spell check function was broken. Unfortunately, after much searching on the net via Google for answers, I'm coming up blank (those posts didn't seem to have any resolution).

Here are my details:

- I'm running Squid 2.5.STABLE5-2 on Fedora Core 2.
- Squid is configured as a reverse-proxy to an Exchange 2003 server (OWA)
- User -> (HTTPS) -> Proxy -> (HTTP) -> OWA
- Users can access their mail boxes with no problem; system is VERY stable
- Spell check works fine if you access the OWA server directly
- Spell check hangs if you access it via a proxied connection
- Turning on debugging reveals NO ACL problems in cache log
- I see a POST request in the access log, however, the POST doesn't seem to get passed to OWA

Here are the log entries from the OWA server (IIS):

via proxy:
----------
2005-07-12 13:03:20 10.1.2.37 GET /exchange/ - 80 owauser@xxxxxxxxxxxxxx 192.168.252.101 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 200 0 0
2005-07-12 13:03:20 10.1.2.37 GET /exchange/owauser/ Cmd=navbar 80 owauser@xxxxxxxxxxxxxx 192.168.252.101 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 200 0 0
2005-07-12 13:03:20 10.1.2.37 GET /exchange/owauser/Inbox/ Cmd=contents 80 owauser@xxxxxxxxxxxxxx 192.168.252.101 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 200 0 0
2005-07-12 13:03:20 10.1.2.37 GET /exchweb/6.5.7226.0/controls/tf_Messages.xsl - 80 - 192.168.252.101 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 200 0 0
2005-07-12 13:03:20 10.1.2.37 SEARCH /exchange/owauser/Inbox/ - 80 owauser@xxxxxxxxxxxxxx 192.168.252.101 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 207 0 0

direct to OWA server:
---------------------
2005-07-12 13:08:14 10.1.2.37 GET /exchange/owauser/ cmd=spellcheck 443 owauser@xxxxxxxxxxxxxx 10.1.2.37 Mozilla/4.0+(compatible;+MSIE+6.)+Windows+NT+5.2;+.NET+CLR+1.1.4322) 200 0 0
2005-07-12 13:08:14 10.1.2.37 POST /exchweb/bin/spell/owaspell.dll - 443 - 10.1.2.37 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-07-12 13:08:14 10.1.2.37 POST /exchweb/bin/spell/owaspell.dll - 443 owauser@xxxxxxxxxxxxxx 10.1.2.37 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 200 0 0
2005-07-12 13:08:20 10.1.2.37 POLL /exchange/owauser/Inbox - 80 owauser@xxxxxxxxxxxxxx 192.168.252.101 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 207 0 0

It appears that the log entries in the "via proxy" section are actually the user browsing their inbox, not the actual spell check function. In other words, it doesn't appear that the POST is even making it to IIS. In the "direct to OWA server" section, we see the POSTS and life is good.

Here's my squid.conf:

# Squid Reverse Proxy Configuration file
cache_access_log /var/log/squid/access.outlook.log
cache_store_log /var/log/squid/store.outlook.log
cache_log /var/log/squid/cache.outlook.log
pid_filename /var/run/squid.outlook.pid

# Bind to NAT'd address for outlook server
http_port 192.168.252.16:80

# Setup SSL Parameters
# Note: disable the following line if SSL is not being proxied
https_port 192.168.252.16:443 cert=crt_file key=key_file

# Disable ICP
icp_port 0

# Disable Caching
cache_dir null /tmp
acl all_no_cache src 0/0
no_cache deny all_no_cache

# Setup ACL's to restrict traffic
# Allow traffic to ports 80 & 443 only
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http
acl Safe_ports port 443 # https
http_access deny !Safe_ports

# Block "connect" attempts
acl CONNECT method CONNECT
http_access deny CONNECT

# Protect against shell attempts
# Note: blocks attempts to call "cmd.exe" "/bin/sh" and "default.ida"
# can add others as needed
acl bad_requests urlpath_regex -i cmd.exe \/bin\/sh default\.ida
http_access deny bad_requests

##########################
# Test for OWA Spell Check
#acl owa-exchange urlpath_regex \/exchange(\/|$|\?)
#acl owa-webid urlpath_regex \/WebID\/
#acl owa-host dst 10.1.2.37/255.255.255.255
#http_access allow owa-host owa-exchange
#http_access allow owa-host owa-webid
#debug_options ALL,1 33,2

# Final Permit All
acl all src 0.0.0.0/0.0.0.0
http_access allow all

# Final Deny All
#acl all src 0.0.0.0/0.0.0.0
#http_access deny all

# Setup Reverse Proxy Parameters
#redirect_program /etc/squid/redirect.outlook.pl
#redirect_children 5
#redirect_rewrites_host_header on
httpd_accel_host owahost.ourcompany.com
#httpd_accel_host 10.1.11.21
httpd_accel_port 80
httpd_accel_single_host on
httpd_accel_uses_host_header on

# Specify where core dumps are written
coredump_dir /var/spool/squid

The configuration is a bit odd because I've been playing around with different combinations of things. I'm trying to minimize ACL conflicts so I'm not beating my head against the wall! :-)

Microsoft has been involved with this issue, and they're pointing to the proxy. Unfortunately, based on what I'm seeing, it appears they may be correct.

I'd really appreciate help from the list. FWIW, I'm not a programmer...just a Cisco network dude who is the only "opensource guy" in our company; I'm by no means a Squid/Opensource guru. I could definitely use the community's assistance.

If anyone who responds to this request needs specific info, please let me know what the correct syntax is for the info you need - it may take me twice as long to try and find it, and I want to respond with the correct info the first time.

Thanks in advance!

-Jason
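
The log comparison described in the post above, as an added example that is not part of the original message: it parses IIS log lines from the proxied and direct paths and lists the requests the backend only ever saw on the direct path. The field order is an assumption (the IIS 6 default W3C layout that the quoted lines appear to follow), and the sample lines are constructed by abridging the ones in the post.

```python
# Added example. Field order is an assumption: IIS 6 default W3C extended layout.
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "s_port",
          "username", "c_ip", "user_agent", "status", "substatus", "win32_status"]

# Constructed samples, abridged from the post (user agent and username shortened).
VIA_PROXY = """\
2005-07-12 13:03:20 10.1.2.37 GET /exchange/owauser/ Cmd=navbar 80 owauser 192.168.252.101 Mozilla/4.0 200 0 0
2005-07-12 13:03:20 10.1.2.37 SEARCH /exchange/owauser/Inbox/ - 80 owauser 192.168.252.101 Mozilla/4.0 207 0 0
"""
DIRECT = """\
2005-07-12 13:08:14 10.1.2.37 GET /exchange/owauser/ cmd=spellcheck 443 owauser 10.1.2.37 Mozilla/4.0 200 0 0
2005-07-12 13:08:14 10.1.2.37 POST /exchweb/bin/spell/owaspell.dll - 443 - 10.1.2.37 Mozilla/4.0 401 2 2148074254
2005-07-12 13:08:14 10.1.2.37 POST /exchweb/bin/spell/owaspell.dll - 443 owauser 10.1.2.37 Mozilla/4.0 200 0 0
"""


def parse(log_text):
    """Parse W3C log lines into dicts, skipping '#' directives and malformed rows."""
    rows = []
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def request_keys(rows):
    """Reduce rows to (method, stem, query), lower-casing so Cmd= and cmd= compare equal."""
    return {(r["method"], r["uri_stem"].lower(), r["uri_query"].lower()) for r in rows}


def missing_via_proxy(direct_text, proxy_text):
    """Requests IIS logged on the direct path but never on the proxied path."""
    return sorted(request_keys(parse(direct_text)) - request_keys(parse(proxy_text)))


def ports_seen(log_text):
    """Backend ports that received traffic, i.e. which scheme IIS saw on that path."""
    return sorted({int(r["s_port"]) for r in parse(log_text)})


if __name__ == "__main__":
    for method, stem, query in missing_via_proxy(DIRECT, VIA_PROXY):
        print(f"never reached IIS via proxy: {method} {stem} ?{query}")
    print("ports via proxy:", ports_seen(VIA_PROXY), "direct:", ports_seen(DIRECT))
```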