Wouter de Jong wrote:
Hi,
I've set up an Outlook Web Access reverse proxy and RPC-over-HTTPS proxy
with Squid by following these two wiki documents:
http://wiki.squid-cache.org/ConfigExamples/SquidAndOutlookWebAccess?highlight=%28%5EConfigExamples/%5B%5E/%5D%2A%24%29
http://wiki.squid-cache.org/ConfigExamples/SquidAndRPCOverHttp?highlight=%28%5EConfigExamples/%5B%5E/%5D%2A%24%29
It works OK ... except the ACL that is listed in the example does not
work for me...
Here's the snippet:
##############################################################
# Define the required extension methods for RPC-over-HTTPs
extension_methods RPC_IN_DATA RPC_OUT_DATA
# Define our cache_peer (the MS Exchange Server)
cache_peer 192.168.128.196 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=sbs.company.local
# ACL to only allow OWA/OMA/ActiveSync/RPC
acl exchange_urlpath_regex urlpath_regex -i ^/exchange($|/.*)
acl exchange_urlpath_regex urlpath_regex -i ^/exchweb($|/.*)
acl exchange_urlpath_regex urlpath_regex -i ^/public($|/.*)
acl exchange_urlpath_regex urlpath_regex -i ^/iisadmpwd($|/.*)
acl exchange_urlpath_regex urlpath_regex -i ^/rpc($|/.*)
acl exchange_urlpath_regex urlpath_regex -i ^/Microsoft-Server-ActiveSync($|/.*|\?.*)
#acl OWAip dst 192.168.128.196
acl OWAip dst 213.206.xxx.yyy
acl OWA dstdomain exchange.company.com
cache_peer_access sbs.company.local allow OWA
never_direct allow OWAip
# lock down access
http_access deny !exchange_urlpath_regex
http_access allow OWAip
http_access deny all
miss_access allow OWAip
miss_access deny all
##############################################################
192.168.128.196 is the internal IP of the Exchange server, which is behind an
OpenVPN tunnel.
213.206.xxx.yyy is the IP of the Squid server; exchange.company.com
points to this address.
And here's my 'problem':
Whenever I use 192.168.128.196 (the IP of the cache_peer/the
Exchange-server) for acl 'OWAip', I get a Forwarding Denied.
Yes, the client machines will never ask for the internal secret IP of
the OWA.
However, if I use '213.206.xxx.yyy' as OWAip, it works....
Yes, that being the public address for the OWA when going via squid.
ACL debug logging reveals that 213.206.xxx.yyy is being matched at
the dst, and NOT 192.168.128.196.
Am I reading the example wrong, or ..... is this a known issue?
No, wiki example was wrong.
Client machines to contact and all pages served up by the OWA need to
contain either the public-access IP (213.206.xxx.yyy) or the
public-access domain (exchange.company.com) which both need to point at
squid.
There's another (very tricky) method the wiki may have once mentioned to
give that config muckup. I've fixed it now.
I'm using squid/2.6.STABLE18 from FreeBSD 6.3 Ports.
Hopefully someone can explain if I misinterpret the example (e.g. I
fucked up), the example is wrong, or Squid is not behaving as it should.
Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
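As an added illustration of Amos's point (this is not code from the thread or from the Squid project): a small Python model of the posted http_access block. Squid evaluates a `dst` ACL against the address the request URL's host resolves to, so with clients asking for exchange.company.com only the public address can ever match; the DNS table, the `213.206.0.1` stand-in for the masked public IP, and the request URLs are constructed for the example.

```python
import re

# Constructed DNS view as seen from a client on the Internet. The private
# address is the cache_peer, reachable only over the VPN.
DNS = {"exchange.company.com": "213.206.0.1",
       "sbs.company.local": "192.168.128.196"}

# Squid ORs all lines that share an ACL name; same patterns as the posted config.
EXCHANGE_PATHS = [
    r"^/exchange($|/.*)", r"^/exchweb($|/.*)", r"^/public($|/.*)",
    r"^/iisadmpwd($|/.*)", r"^/rpc($|/.*)",
    r"^/Microsoft-Server-ActiveSync($|/.*|\?.*)",
]
EXCHANGE_RE = [re.compile(p, re.IGNORECASE) for p in EXCHANGE_PATHS]  # -i

def split_url(url):
    """Return (host, path-with-query) for an absolute http(s) URL."""
    host, _, path = url.partition("://")[2].partition("/")
    return host, "/" + path

def exchange_urlpath(url):
    """urlpath_regex: match against the path (and query) of the request URL."""
    _, path = split_url(url)
    return any(r.search(path) for r in EXCHANGE_RE)

def owaip(url, acl_dst):
    """dst: compare the resolved request host, not the cache_peer's address."""
    host, _ = split_url(url)
    return DNS.get(host) == acl_dst

def http_access(url, acl_dst):
    """First matching rule wins, mirroring the posted http_access block."""
    if not exchange_urlpath(url):   # http_access deny !exchange_urlpath_regex
        return "deny"
    if owaip(url, acl_dst):         # http_access allow OWAip
        return "allow"
    return "deny"                   # http_access deny all

if __name__ == "__main__":
    for u in ("https://exchange.company.com/exchange/",
              "https://exchange.company.com/exchangeadmin",
              "https://exchange.company.com/"):
        print(u, http_access(u, "213.206.0.1"), http_access(u, "192.168.128.196"))
```

Running the model also shows that the `^/exchange($|/.*)` anchoring keeps `/exchangeadmin` out, while `-i` still lets `/Exchange/inbox` through.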