Odhiambo Washington wrote:
On Sun, Jun 1, 2008 at 1:38 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
Odhiambo Washington wrote:
Hello gurus,
I have been trying the whole day to get Squid to work as a reverse
proxy/accelerator for OWA and RPC-over-https with no success. I believe
I've come to my /etc on this!
I have read the Wiki entries and this thread:
http://www.nabble.com/Forwarding-Denied-when-using-dst-cache_peer-in-acl-td15123146.html
Note that the article references two Squid wiki articles. All the configs
doing OWA using "dst" ACL were relevant only up to 2.5 and fatally flawed
with a required but unstated DNS hack.
The wiki presently has updated configs which work with all current Squid.
Thank you for informing me about that. All my thinking was that those
wiki entries are still relevant. I actually wasn't looking at the
above thread per se, but only for the comments and the challenges the
poster faced, but within it there are references to the wiki entries,
which is what I was following keenly.
However, I seem to still miss a critical point.
My Squid (2.7RC) is first and foremost being used as a LAN proxy. This
in itself has posed a challenge to me in terms of specifying who is
allowed to use it as a proxy.
I have an M$ Exchange server which is self-contained, with a
self-signed certificate.
Can I configure Squid as a proxy for the LAN as well as an accelerator
for several backend website(s)? I've found this challenging in terms
of ordering the ACLs.
Yes. With some access control tweaking, the two 'components' can be kept
separate. See below.
That's nice for the ears!
I can see from the above thread that Wouter de Jong-2 actually/finally
managed to configure Squid to accelerate OWA as well as do the
RPC-over-HTTP(s) but he does not mention if the squid instance is also
being used as a proxy.
Does someone have a sample config for squid being used as LAN proxy
and accelerator, especially for M$ Exchange OWA and RPCoHTTPS?
Should be no need. All the current squid releases support multiple http_port
entries. That is the first important part.
Near the top of your config, above ALL of your regular proxy port and
_access controls, set up the OWA/RPC acceleration as listed in the wiki,
omitting the controls which do blanket 'deny all'.
Noted, and thank you for that valuable information. Not heading to the
wiki again. But I have two last hurdles:
1. My Exchange OWA is accessible as either
https://192.168.0.26/exchange or
https://mxech.msexch.ourdomain.tld/exchange
2. (a bit OT) The use of a non-commercial certificate on the Exchange server
Q1. How do I tell Squid to access the /exchange bit in the url?
Does it have to be added in squid? or can squid be left only knowing the
'192.168.0.26'/'mxech.msexch.ourdomain.tld' bits?
I ask this because while squid can do url-rewriting, that method does
not cover all possible uses of the URL, just the request and Host: ones.
If your exchange server can accept the /exchange/* URI that would be
much better.
The way to do it without headaches is to get a unique domain/subdomain
for the exchange URL and the exchange server handling the entire path of
the URI. And squid only switching on the domain.
Q2. Do I have to export the certificate from the Exchange server to be
used with Squid in the accel configuration?
If you require clients to SSL auth, yes you will need whatever
certificate squid presents to them to be your official one.
Anyone has an idea how I can surmount these two
Being so much used to doing everything with Open Source apps, this
Microsohit Exchange thing is the biggest challenge I've ever faced in
my SysAdmin life! I must take some leave as soon as I get this
OWA/RPCoHTTPS thing running.
I therefore highly appreciate any help I can get towards this goal.
http://wiki.squid-cache.org/ConfigExamples/SquidAndOutlookWebAccess
http://wiki.squid-cache.org/ConfigExamples/SquidAndRPCOverHttp
Then, following that, set up your main proxy port and controls.
Do I require both entries for OWA and RPCoHTTPS or is there a way to
kind of amalgamate the configurations? My OWA and RPCoHTTPS
destination is one and the same.
Um, I would not think so. But I'm a relative newbie when it comes to SSL
certificates.
Amos
--
Please use Squid 2.7.STABLE1 or 3.0.STABLE6
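
The ordering described in the thread (acceleration section first, without its blanket 'deny all', then the main proxy port and controls), sketched as an added squid.conf fragment that is not taken from the thread or from the wiki pages. Assumed placeholders: the listening address 203.0.113.10, the certificate paths, the LAN range 192.168.0.0/24, port 3128, the peer name `owaServer`, and that the Exchange certificate carries the name mxech.msexch.ourdomain.tld.

```conf
# Accelerator (reverse proxy) section: goes above the LAN proxy rules.
# 203.0.113.10 and /etc/squid/owa.pem are placeholders (assumptions).
https_port 203.0.113.10:443 accel cert=/etc/squid/owa.pem defaultsite=mxech.msexch.ourdomain.tld

# Exchange back end, reached over SSL. sslcafile= trusts the self-signed
# certificate explicitly instead of switching peer verification off;
# ssldomain= is the name Squid expects in that certificate (assumed here).
cache_peer 192.168.0.26 parent 443 0 no-query originserver login=PASS ssl sslcafile=/etc/squid/exchange-ca.pem ssldomain=mxech.msexch.ourdomain.tld name=owaServer

# Squid switches on the domain only; Exchange handles /exchange itself.
acl OWA dstdomain mxech.msexch.ourdomain.tld
cache_peer_access owaServer allow OWA
cache_peer_access owaServer deny all
never_direct allow OWA
http_access allow OWA
# No "http_access deny all" at this point: it would also cut off the
# LAN rules that follow.

# Forward proxy for the LAN (port and address range are assumptions).
http_port 3128
acl lan src 192.168.0.0/24
http_access allow lan

# Single blanket deny, last, covering both roles.
http_access deny all
```

Because OWA and RPC over HTTPS share one destination here, a single `cache_peer` and `dstdomain` ACL covers both in this sketch; the two wiki pages remain the reference for options specific to each.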