Re: Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?

Alan Lehman wrote:
I am trying to do the same thing. OWA works, but so far no joy with RPCoHTTP. Do I have to do something in OL to make it accept the certificate? The certs are purchased from godaddy.com. For each, I appended the bundled gd_intermediate to the domain cert.

Also, in the example config for OWA, I am confused by the following:

acl OWA dstdomain owa_hostname
cache_peer_access owa_hostname allow OWA

Doesn't the 2nd line just grant access from owa_hostname to owa_hostname ??

The two are independent things.

The ACL dstdomain 'owa_hostname' is meant to be replaced by the FQDN of your public OWA which clients use to get to the service.

The cache_peer_access owa_hostname is meant to be a separate unique string 'X' exactly matching the value of the cache_peer name=X option.

I've tweaked the wiki demo config a little to make that clear.



My current config (which works for OWA, but not RPCoHTTP):

extension_methods RPC_IN_DATA RPC_OUT_DATA

https_port public_ip_for_owa:443 cert=/usr/share/ssl/owa/combined.crt key=/usr/share/ssl/owa/owa.key defaultsite=owa.tld.com

https_port public_ip_for_rpc:443 cert=/usr/share/ssl/rpc/combined.crt key=/usr/share/ssl/rpc/rpc.key defaultsite=rpc.tld.com

cache_peer ip_of_exchange parent 80 0 no-query originserver front-end-https=auto login=PASS

You need a second entry for port 443 on the exchange server to handle the RPC requests. This is where the name= parameter becomes very important and needs to be unique for each entry and used in the cache_peer_access lines below.


acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl CONNECT method CONNECT

acl OWA dstdomain       owa.tld.com
acl RPC dstdomain       rpc.tld.com

http_access allow manager localhost
http_access allow OWA
http_access allow RPC
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost

http_access allow localhost
http_access deny all

http_reply_access allow all
icp_access deny all

miss_access allow OWA
miss_access allow RPC
miss_access deny all

cache_peer_access ip_of_exchange allow OWA
cache_peer_access ip_of_exchange allow RPC
cache_peer_access ip_of_exchange deny all

never_direct allow OWA
never_direct allow RPC


Thanks again,
Alan Lehman


-----Original Message-----
From: Odhiambo Washington [mailto:odhiambo@xxxxxxxxx]
Sent: Monday, June 02, 2008 11:41 AM
To: Squid users
Subject: Re: Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?

On Mon, Jun 2, 2008 at 7:27 PM, Henrik Nordstrom
<henrik@xxxxxxxxxxxxxxxxxxx> wrote:
On mån, 2008-06-02 at 13:41 +0300, Odhiambo Washington wrote:
(actually, this is supposed to be the only entry for cache_peer I am going to have?)
If you only have one server, and that server is only talking http then yes there is only a single cache_peer..
Understood.

That has worked. It also required a PEM passphrase. I hope this is not supposed to be another problem. These ssl stuff!
You can configure the password in squid.conf if the PEM key is encrypted, or easily decrypt it with the openssl rsa command.
Understood as well.

In my case, I don't have a certificate for the external hostname, which brings me back to the confusing issue regarding the certificate:
I can make a self-signed certificate for the external hostname. Not a problem. However, does this mean I really don't need the internal certificate Exchange is using?
Correct.
Pooh! That was so confusing :-)

Suppose:

My Squid host is publicly known as mail.odhiambo.COM (IP of 1.2.3.4)
My Exchange server is named msexch.msexch.odhiambo.BIZ (IP of 192.168.0.26)
Given that both OWA and RPCoHTTPS are directed at these...

What values should I use for the following variables (from the wiki):
(a) owa_hostname?
In https_port defaultsite you should use mail.odhiambo.COM as this is what the clients are expected to connect to.

(b) ip_of_owa_server?
The ip of your exchange/owa server.

(c) rpcohttp.url.com?
Ignore. That example uses a setup with more Exchange servers, where OWA is running on a separate server from Exchange.

(d) the_exchange_server?
Ignore as above.

From there, I believe I will only get stuck at the ssl certificates step, which is where I am still a bit confused.
Since you are not going to use a real certificate then issue yourself a self-signed one using OpenSSL.

 openssl req -new -x509 -days 10000 -nodes -out mail.odhiambo.COM_selfsigned.pem -keyout mail.odhiambo.COM_key.pem

Everything is all clear now.

Will find good time to test this out and see how well it goes.

Thank you very much, Amos and Henrik! That was quite some hand-holding. I really appreciate it.


Amos
--
Please use Squid 2.7.STABLE2 or 3.0.STABLE6
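As an added example (not code from this thread or from the Squid project), the following Python script embeds a constructed squid.conf fragment with the two-peer layout Amos describes, one cache_peer for OWA on port 80 and one for RPC over HTTPS on port 443 of the same Exchange host, each carrying a unique name=, and checks the two naming rules that cause trouble: a cache_peer line without name= is named after its host, so two entries for the same host collide, and every cache_peer_access line must refer to a peer name that some cache_peer line actually defines. The peer names exch_owa and exch_rpc, the ssl option on the port-443 peer and the two deliberately broken fragments are assumptions constructed for illustration, not values from the mail.

```python
# Added example (not from the squid-users thread or the Squid project):
# a consistency check for the cache_peer / cache_peer_access naming rules.
# Squid names a peer after its host unless the cache_peer line carries
# name=, so two entries for the same Exchange host (port 80 for OWA, port
# 443 for RPC over HTTPS) need distinct names, and each cache_peer_access
# line must use one of those names rather than the host string.

# Constructed squid.conf fragment showing the two-peer layout. The names
# exch_owa/exch_rpc and the ssl option on the port-443 peer are assumptions.
TWO_PEER_CONF = """
extension_methods RPC_IN_DATA RPC_OUT_DATA

# Same Exchange host twice, so name= is required to tell them apart.
cache_peer ip_of_exchange parent 80  0 no-query originserver front-end-https=auto login=PASS name=exch_owa
cache_peer ip_of_exchange parent 443 0 no-query originserver ssl login=PASS name=exch_rpc

acl OWA dstdomain owa.tld.com
acl RPC dstdomain rpc.tld.com

# Route by peer name, never by the host or IP string.
cache_peer_access exch_owa allow OWA
cache_peer_access exch_owa deny all
cache_peer_access exch_rpc allow RPC
cache_peer_access exch_rpc deny all
"""

# Constructed fragment: one unnamed peer, whose cache_peer_access lines
# misspell the host and so refer to a peer that does not exist.
MISSPELLED_CONF = """
cache_peer ip_of_exchange parent 80 0 no-query originserver login=PASS
acl OWA dstdomain owa.tld.com
cache_peer_access ip_of_exhcange allow OWA
cache_peer_access ip_of_exhcange deny all
"""

# Constructed fragment: two peers on one host with no name= option, so both
# default to the host name and collide.
UNNAMED_CONF = """
cache_peer ip_of_exchange parent 80 0 no-query originserver
cache_peer ip_of_exchange parent 443 0 no-query originserver ssl
acl OWA dstdomain owa.tld.com
cache_peer_access ip_of_exchange allow OWA
"""


def _directives(conf):
    """Yield the whitespace-split fields of each non-comment, non-empty line."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_cache_peers(conf):
    """Return ({name: (host, http_port)}, [duplicate names]).

    cache_peer syntax: cache_peer host type http_port icp_port [options]
    The peer name defaults to the host unless a name= option is present.
    """
    peers, duplicates = {}, []
    for fields in _directives(conf):
        if fields[0] != "cache_peer" or len(fields) < 5:
            continue
        host, port = fields[1], fields[3]
        name = host
        for opt in fields[5:]:
            if opt.startswith("name="):
                name = opt[len("name="):]
        if name in peers:
            duplicates.append(name)
        peers[name] = (host, port)
    return peers, duplicates


def check_peer_references(conf):
    """Return a list of human-readable problems; an empty list means consistent."""
    peers, duplicates = parse_cache_peers(conf)
    problems = [
        f"duplicate cache_peer name '{n}': give each entry a unique name= option"
        for n in duplicates
    ]
    for fields in _directives(conf):
        if fields[0] != "cache_peer_access" or len(fields) < 2:
            continue
        target = fields[1]
        if target not in peers:
            problems.append(
                f"cache_peer_access refers to unknown peer '{target}' "
                f"(defined peers: {sorted(peers)})"
            )
    return problems


if __name__ == "__main__":
    for label, conf in [("two-peer", TWO_PEER_CONF),
                        ("misspelled", MISSPELLED_CONF),
                        ("unnamed", UNNAMED_CONF)]:
        print(label, check_peer_references(conf) or "OK")
```

Run it before reloading Squid: the two-peer fragment passes, the misspelled fragment reports both cache_peer_access lines as pointing at an undefined peer, and the unnamed fragment reports the name collision that Amos's remark about name= is meant to prevent.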
