Chris Robertson wrote:
Killing-Time@xxxxxx wrote:
Hello everybody,
I'm trying to use squid in the following way at the company where I work:
[Internet] --SSL connection--> [Squid Reverse Proxy] --HTTP connection--> [Outlook Web Access Server]
[Internet] <--SSL connection-- [Squid Reverse Proxy] <--HTTP connection-- [Outlook Web Access Server]
As I'm new to squid, I tried using the configuration example which I
found here:
http://wiki.squid-cache.org/ConfigExamples/SquidAndOutlookWebAccess
If I'm getting this right, the aforementioned configuration should do
exactly what I'm looking for. So I tried using the configuration file
(adjusted to our system/network of course), but instead of getting
through to Outlook, I get an error page:
(I entered https://squidserver/exchange into the browser on another
machine to test it)
Which is where your error lies...
ERROR
The requested URL could not be retrieved
----------------------------------------
While trying to retrieve the URL: https://owaserver/exchange
The following error was encountered:
- Access denied.
Access control configuration prevents your request from being allowed
at this time. Please contact your service provider if you feel this
is incorrect.
Your cache administrator is webmaster.
----------------------------------------
Generated Fri, 26 Oct 2007 13:25:09 by
squidserver.local.myCompany.com (squid/2.6.STABLE16)
Here's my squid.conf file:
# Added because of "ACL name 'all' not defined!" error on squid startup
acl all src 0.0.0.0/0.0.0.0
https_port xxx.xxx.xxx.xxx:443 cert=c:/squid/share/cert/cert.pem key=c:/squid/share/cert/key.pem defaultsite=owaserver
cache_peer yyy.yyy.yyy.yyy parent 80 0 no-query originserver login=PASS front-end-https=on name=owaserver
acl OWAip dst yyy.yyy.yyy.yyy
acl OWA dstdomain owaserver
cache_peer_access owaserver allow OWA
never_direct allow OWAip
http_access allow OWAip
http_access deny all
You are only allowing accesses to yyy.yyy.yyy.yyy, but what you
requested was http://squidserver/exchange which translates to
https://xxx.xxx.xxx.xxx (and is therefore denied). Change the host file
on the client, so owaserver points to xxx.xxx.xxx.xxx and then try
surfing to https://owaserver/exchange. You should have better luck.
No need to play with host files.
Replace the acls and cache_peer_access with:
acl OWA dstdomain domain.resolves.to.squidserver
cache_peer_access owaserver allow OWA
never_direct allow OWA
defaultsite= on the _port should be domain.resolves.to.squidserver
name= on cache_peer is just a simple handle to reference the peer by
and should be unique for best config reading
Amos
miss_access allow OWAip
miss_access deny all
oh and OWA as newly defined should be used there too.
Explanation:
- xxx.xxx.xxx.xxx is the IP of the machine with squid running on it.
- yyy.yyy.yyy.yyy is the IP of the Outlook Web Access Server
- "owaserver" is the name of the Outlook Web Access Server in our
company network
I am using squid/2.6.STABLE16 with SSL support on Windows XP Pro.
Can anybody help?
Kind regards,
- Patrick
Chris
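
The squid.conf from the original post with the changes suggested in the replies merged in, as an added example that is not part of the thread. domain.resolves.to.squidserver is the placeholder hostname used in the reply; using OWA in http_access is an assumption that follows from replacing the OWAip acl.

```conf
# Added example: the posted squid.conf with the suggested changes merged in.
# xxx.xxx.xxx.xxx = Squid machine, yyy.yyy.yyy.yyy = OWA server
# (placeholders from the thread).
# domain.resolves.to.squidserver = placeholder for the public name that
# clients type; it must resolve to xxx.xxx.xxx.xxx.

# Added because of "ACL name 'all' not defined!" error on squid startup
acl all src 0.0.0.0/0.0.0.0

# defaultsite= is the public name, not the internal server name
https_port xxx.xxx.xxx.xxx:443 cert=c:/squid/share/cert/cert.pem key=c:/squid/share/cert/key.pem defaultsite=domain.resolves.to.squidserver

# name= is only a handle that cache_peer_access refers to
cache_peer yyy.yyy.yyy.yyy parent 80 0 no-query originserver login=PASS front-end-https=on name=owaserver

# Match on the requested host name instead of the back-end IP
acl OWA dstdomain domain.resolves.to.squidserver
cache_peer_access owaserver allow OWA
never_direct allow OWA

# Assumption: OWAip no longer exists, so http_access uses OWA as well.
# Everything that is not the published host name stays denied.
http_access allow OWA
http_access deny all

# OWA as newly defined is used here too
miss_access allow OWA
miss_access deny all
```

Running squid -k parse checks the file for syntax errors before the service is restarted.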