Hi,
I've set up an Outlook Web Access reverse proxy and RPC-over-HTTPs proxy with
Squid by following these 2 wiki documents:
http://wiki.squid-cache.org/ConfigExamples/SquidAndOutlookWebAccess?highlight=%28%5EConfigExamples/%5B%5E/%5D%2A%24%29
http://wiki.squid-cache.org/ConfigExamples/SquidAndRPCOverHttp?highlight=%28%5EConfigExamples/%5B%5E/%5D%2A%24%29
It works OK ... except the ACL that is listed in the example does not work
for me...
Here's the snippet:
##############################################################
# Define the required extension methods for RPC-over-HTTPs
extension_methods RPC_IN_DATA RPC_OUT_DATA
# Define our cache_peer (the MS Exchange Server)
cache_peer 192.168.128.196 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=sbs.company.local
# ACL to only allow OWA/OMA/ActiveSync/RPC
acl exchange_urlpath_regex urlpath_regex -i ^/exchange($|/.*)
acl exchange_urlpath_regex urlpath_regex -i ^/exchweb($|/.*)
acl exchange_urlpath_regex urlpath_regex -i ^/public($|/.*)
acl exchange_urlpath_regex urlpath_regex -i ^/iisadmpwd($|/.*)
acl exchange_urlpath_regex urlpath_regex -i ^/rpc($|/.*)
acl exchange_urlpath_regex urlpath_regex -i ^/Microsoft-Server-ActiveSync($|/.*|\?.*)
#acl OWAip dst 192.168.128.196
acl OWAip dst 213.206.xxx.yyy
acl OWA dstdomain exchange.company.com
cache_peer_access sbs.company.local allow OWA
never_direct allow OWAip
# lock down access
http_access deny !exchange_urlpath_regex
http_access allow OWAip
http_access deny all
miss_access allow OWAip
miss_access deny all
##############################################################
192.168.128.196 is internal IP of Exchange server, this is behind an OpenVPN
tunnel.
213.206.xxx.yyy is the IP of the Squid-server, exchange.company.com points
to this address.
And here's my 'problem':
Whenever I use 192.168.128.196 (the IP of the cache_peer/the
Exchange-server) for acl 'OWAip', I get a Forwarding Denied.
However, if I use '213.206.xxx.yyy' as OWAip, it works....
ACL debug logging reveals that the 213.206.xxx.yyy is being matched at the
dst, and NOT 192.168.128.196
Am I reading the example wrong, or ..... is this a known issue?
I'm using squid/2.6.STABLE18 from FreeBSD 6.3 Ports.
Hopefully someone can explain if I misinterpret the example (e.g. I fucked
up), the example is wrong, or squid is not behaving as it should.
Many thanks in advance!
Regards,
Wouter de Jong
The Netherlands
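
The dst match reported in the ACL debug log can be reproduced with a small model of the http_access and miss_access lists from the snippet. This is an added example, not part of the original post and not Squid's own code; it assumes that dst tests the address the request's URL host resolves to, uses a constructed resolver table, and substitutes the documentation address 203.0.113.10 for the elided 213.206.xxx.yyy.

```python
import ipaddress
import re

# Constructed stand-ins: the post elides the public address, so an RFC 5737
# documentation address represents the Squid host (213.206.xxx.yyy).
SQUID_PUBLIC_IP = "203.0.113.10"
EXCHANGE_PEER_IP = "192.168.128.196"
DNS = {"exchange.company.com": [SQUID_PUBLIC_IP]}  # constructed resolver table

URLPATHS = [r"^/exchange($|/.*)", r"^/exchweb($|/.*)", r"^/public($|/.*)",
            r"^/iisadmpwd($|/.*)", r"^/rpc($|/.*)",
            r"^/Microsoft-Server-ActiveSync($|/.*|\?.*)"]

def acl_urlpath(request):
    # urlpath_regex -i: case-insensitive match on the URL path
    return any(re.search(p, request["path"], re.I) for p in URLPATHS)

def acl_all(request):
    return True

def make_dst(address):
    # Assumption: dst tests the address(es) the request's URL host resolves
    # to; the cache_peer the request is later sent to is not consulted.
    net = ipaddress.ip_network(address)
    def acl(request):
        return any(ipaddress.ip_address(ip) in net
                   for ip in DNS.get(request["host"], []))
    return acl

def evaluate(rules, request):
    # Rules are (action, [(negated, acl), ...]); the first rule whose terms
    # all hold decides. The lists here end in "deny all", so one always does.
    for action, terms in rules:
        if all(acl(request) != negated for negated, acl in terms):
            return action
    return "deny"

def check(owaip_address, request):
    # Returns the (http_access, miss_access) verdicts for the posted rule lists.
    owaip = make_dst(owaip_address)
    http_access = [("deny", [(True, acl_urlpath)]),
                   ("allow", [(False, owaip)]),
                   ("deny", [(False, acl_all)])]
    miss_access = [("allow", [(False, owaip)]), ("deny", [(False, acl_all)])]
    return evaluate(http_access, request), evaluate(miss_access, request)

if __name__ == "__main__":
    owa = {"host": "exchange.company.com", "path": "/exchange/"}
    for address in (EXCHANGE_PEER_IP, SQUID_PUBLIC_IP):
        print(address, check(address, owa))
```

With OWAip set to the peer address, neither list reaches its allow rule in this model, which is consistent with the dst match seen in the debug log.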