On Mon, Jun 2, 2008 at 2:37 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> Odhiambo Washington wrote:
>>
>> On Sun, Jun 1, 2008 at 1:38 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx>
>> wrote:
>>>
>>> Odhiambo Washington wrote:
>>>>
>>>> Hello gurus,
>>>>
>>>> I have been trying the whole day to get Squid to work as a reverse
>>>> proxy/accelerator for OWA and RPC-over-https with no success. I believe
>>>> I've come to my /etc on this!
>>>> I have read the Wiki entries and this thread:
>>>>
>>>> http://www.nabble.com/Forwarding-Denied-when-using-dst-cache_peer-in-acl-td15123146.html
>>>>
>>> Note that the article references two Squid wiki articles. All the configs
>>> doing OWA using "dst" ACL were relevant only up to 2.5 and fatally flawed
>>> with a required but unstated DNS hack.
>>> The wiki presently has updated configs which work with all current Squid.
>>
>> Thank you for informing me about that. All my thinking was that those
>> wiki entries are still relevant. I actually wasn't looking at the
>> above thread per se, but only for the comments and the challenges the
>> poster faced, but within it there are references to the wiki entries,
>> which is what I was following keenly.
>>
>>>> However, I seem to still miss a critical point.
>>>> My Squid (2.7RC) is first and foremost being used as a LAN proxy. This
>>>> in itself has posed a challenge to me in terms of specifying who is
>>>> allowed to use it as a proxy.
>>>> I have an M$ Exchange server which is self-contained, with a
>>>> self-signed certificate.
>>>> Can I configure Squid as a proxy for the LAN as well as an accelerator
>>>> for several backend website(s)? I've found this challenging in terms
>>>> of ordering the ACLs.
>>>
>>> Yes. With some access control tweaking two 'components' can be kept
>>> separate. See below.
>>
>> That's nice for the ears!
>>
>>>> I can see from the above thread that Wouter de Jong-2 actually/finally
>>>> managed to configure Squid to accelerate OWA as well as do the
>>>> RPC-over-HTTP(s) but he does not mention if the squid instance is also
>>>> being used as a proxy.
>>>> Does someone have a sample config for squid being used as LAN proxy
>>>> and accelerator, especially for M$ Exchange OWA and RPCoHTTPS?
>>>
>>> Should be no need. All the current squid releases support multiple
>>> http_port
>>> entries. That is the first important part.
>>>
>>> Near the top of your config, above ALL of your regular proxy port and
>>> _access controls, setup the OWA/RPC acceleration as listed in the wiki.
>>> Omit the controls which do blanket 'deny all'.
>>
>> Noted, and thank you for that valuable information. Not heading to the
>> wiki again. But I have two last hurdles:
>> 1. My Exchange OWA is accessible as either
>> https://192.168.0.26/exchange or
>> https://mxech.msexch.ourdomain.tld/exchange
>> 2. (a bit OT) The use of a non-commercial certificate on the Exchange
>> server
>>
>> Q1. How do I tell Squid to access the /exchange bit in the url?
>
> Does it have to be added in squid? Or can squid be left only knowing the
> '192.168.0.26'/'mxech.msexch.ourdomain.tld' bits?
> I ask this because while squid can do url-rewriting, that method does not
> cover all possible uses of the URL, just the request and Host: ones.
> If your exchange server can accept the /exchange/* URI that would be much
> better.

After reading some Microshit articles, I managed to make the URI simpler, so M$ Exchange can now be accessed simply as https://msexch.msexch.ourdomain.tld/ or https://192.168.0.26. The /exchange is now not necessary as the redirection is now done within IIS (yes, the Windows web server), so I am one step ahead.

I am also NOT enforcing SSL on the exchange now, but that is a small switch that I can easily re-enable if this RPCoHTTPS stuff requires it, especially because Outlook needs the https:// URI. However, as we are going to do the SSL offloading on the accelerator, I believe http:// would suffice.

> The way to do it without headaches is to get a unique domain/subdomain for
> the exchange URL and the exchange server handling the entire path of the
> URI. And squid only switching on the domain.

This is now done as a result of the change above.

>> Q2. Do I have to export the certificate from the Exchange server to be
>> used with Squid in the accel configuration?
>
> If you require clients to SSL auth, yes you will need whatever certificate
> squid presents to them to be your official one.

The certificate required in the Squid config MUST be in pem format?? That is where my problem is. When I read about exporting the certificate used in the exchange server, all I was able to get is a .pfx certificate. Not sure if squid will accept this as-is, or should I just blindly try? :-)

>> Anyone has an idea how I can surmount these two?
>> Being so much used to doing everything with Open Source apps, this
>> Microsohit Exchange thing is the biggest challenge I've ever faced in
>> my SysAdmin life! I must take some leave as soon as I get this
>> OWA/RPCoHTTPS thing running.
>> I therefore highly appreciate any help I can get towards this goal.
>>
>>
>>> http://wiki.squid-cache.org/ConfigExamples/SquidAndOutlookWebAccess
>>> http://wiki.squid-cache.org/ConfigExamples/SquidAndRPCOverHttp
>>>
>>> Then following that setup your main proxy port and controls.
>>
>> Do I require both entries for OWA and RPCoHTTPS or is there a way to
>> kind of amalgamate the configurations? My OWA and RPCoHTTPS
>> destination is one and the same.
>
> Um, I would not think so. But I'm a relative newbie when it comes to SSL
> certificates.

Let me take another stab at this question, so as to be clear:

In both config examples, there is the following specification:

https_port ip_of_squid:443 cert=/path/to/certificate/ defaultsite=owa_hostname (the OWA example)
https_port ip_of_squid:443 cert=/path/to/certificate defaultsite=rpcohttp.url.com (the RPCoHTTPS example)

What values do I give for "owa_hostname" and "rpcohttp.url.com"?
My owa_hostname, I believe, is msexch.msexch.ourdomain.tld. I am only not sure what my rpcohttp.url.com should be :-(

On the other front:

cache_peer ip_of_owa_server parent 443 0 no-query originserver login=PASS ssl sslcert=/path/to/certificate name=owa_hostname (OWA)
cache_peer ip_of_exchange_server parent 443 0 no-query originserver login=PASS ssl sslcert=/path/to/certificate name=the_exchange_server (RPCoHTTP)

I am seeing a situation where those two entries are going to be similar/the same in my case, bar for owa_hostname and the_exchange_server, both of which I still can't differentiate, given that I only have one Exchange box!
In my case, ip_of_owa_server == ip_of_exchange_server

I am hoping someone can tell me how to differentiate between owa_hostname and the_exchange_server.
Then again, when it comes to the ACLs, there may be some redundancy considering that my server is just one, no?

-- 
Best regards,
Odhiambo WASHINGTON, Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"Oh My God! They killed init! You Bastards!" --from a /. post
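As an added example (not a config from the thread, the Squid wiki, or the list), here is one way to lay out the accelerator and the LAN-proxy parts in squid.conf for a single Exchange box, in the order Amos describes: since defaultsite only supplies a Host: for requests that arrive without one, one https_port and one cache_peer cover both OWA and RPC-over-HTTPS when they share a hostname. The Squid interface address 10.0.0.5, the /etc/squid/ssl paths, the LAN range 192.168.0.0/24 and the peer name "exchange" are assumptions; the Exchange hostname and 192.168.0.26 are taken from the thread.

```conf
# Added example, not the wiki's or the list's config. Assumed values: 10.0.0.5
# (Squid's outside interface), /etc/squid/ssl/* (certificate paths),
# 192.168.0.0/24 (the LAN). Squid 2.x needs 'all' defined explicitly.
acl all src 0.0.0.0/0.0.0.0

# --- Accelerator part: placed ABOVE the regular proxy port and controls ---
# One https_port for both OWA and RPC-over-HTTPS, since both live on the same
# hostname. cert=/key= must be PEM; a .pfx export can be unpacked with
#   openssl pkcs12 -in exchange.pfx -out exchange.pem -nodes
# and the certificate and key parts split into the two files named here.
https_port 10.0.0.5:443 accel defaultsite=msexch.msexch.ourdomain.tld cert=/etc/squid/ssl/exchange.pem key=/etc/squid/ssl/exchange.key

# One cache_peer for the one Exchange box. sslcafile= holds the exported
# self-signed Exchange certificate so Squid verifies the backend rather than
# using sslflags=DONT_VERIFY_PEER; front-end-https=on tells OWA the client
# side is SSL even though Squid is doing the offloading.
cache_peer 192.168.0.26 parent 443 0 no-query originserver login=PASS ssl sslcafile=/etc/squid/ssl/exchange-ca.pem front-end-https=on name=exchange

acl exchange_site dstdomain msexch.msexch.ourdomain.tld
acl accel_port myport 443

# Requests on the accelerator port may only be for the Exchange hostname, must
# go to the peer, and must never be forwarded directly to the Internet.
http_access allow accel_port exchange_site
http_access deny accel_port
cache_peer_access exchange allow accel_port exchange_site
cache_peer_access exchange deny all
never_direct allow accel_port

# --- LAN proxy part: the usual controls, after the accelerator block ---
http_port 3128
acl lan src 192.168.0.0/24
http_access allow lan
http_access deny all
```

Check the result with `squid -k parse` before reloading; the accelerator rules are matched first, so a mistake there (for example a missing `deny accel_port`) would let the 443 port be used as an open proxy by the LAN rules below.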