Re: Reverse Proxy

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Mario Remy Almeida wrote:
> Hi Amos,
>
> I followed the instruction as per
> http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess
>
> But I am some how failing to configure https.
>
> My squid.conf
> ========================================================================
> https_port 443 defaultsite=mail.airarabia.ae \
> cert=/etc/squid/keys/cert.pem  key=/etc/squid/keys/key.pem

Okay two extra things about the port:
 1) unless you have the wilcard cert its best to specify the IP:port 
combo and generate the cert for those IP:port. That way you can use 
other IP for other domains and be sure Squid is sending SSL on the right IP.

 2) check that the cert/key are correct for the IP:port squid is 
listening on.


> cache_peer 10.200.22.12 parent 80 0 no-query originserver login=PASS \
> front-end-https=on login=PASS name=owaServer

So OWA is listening on port 80?

> cache_peer_access owaServer allow OWA
> acl OWA dstdomain mail.airarabia.ae
> http_access allow OWA
> miss_access allow OWA
> miss_access deny all

Missing:
  never_direct allow OWA

that bit is important to prevent Squid even attempting to request a 
connection direct to OWA without the peerage settings.

Amos

> cache.log
> ========================================================================
> 2009/05/17 13:32:12| fwdNegotiateSSL: Error negotiating SSL connection \
> on FD 24: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
> 2009/05/17 13:32:12| fwdNegotiateSSL: Error negotiating SSL connection \
> on FD 24: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
> 2009/05/17 13:32:13| fwdNegotiateSSL: Error negotiating SSL connection \
> on FD 24: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
>
> Error on the browser
> ========================================================================
> While trying to retrieve the URL: https://mail.airarabia.ae/exchweb/
>
> The following error was encountered:
>
>       * Connection to 10.200.22.12 Failed
>
> The system returned:
>
> (71) Protocol error
>
> The remote host or network may be down. Please try the request again.
>
>
> Please help
>
> //Remy
>
>
> On Fri, 2009-05-15 at 16:35 +1200, Amos Jeffries wrote:
> > Mario Remy Almeida wrote:
> > > Hi All,
> > >
> > > Need to setup Reverse proxy
> > >
> > > I have
> > >
> > > Squid 2.7STABLE6
> > > OS Centos
> > >
> > > Web server= Microsoft Outlook Web Access
> > > SSL enabled
> > > port 443
> > >
> > >
> > > My squid config is as below
> > >
> > > acl vhosts1_domains dstdomain mail.airarabiauae.com
> > > http_port 443 accel defaultsite=mail.airarabiauae.com vhost
> > > cache_peer 10.200.22.12 parent 443 0 no-query originserver name=vhost1 \
> > > ssl
> > > cache_peer_access vhost1 allow vhosts1_domains
> > >
> > > Please someone tell me it that is the right way to configure it.
> > No. Here is the tutorial:
> >
> > http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess
> >
> > port 443 is often encrypted. It requires the https_port option instead 
> > of http_port, and the certificate as well.
> >
> > The peer part may be correct, or further ssl-related options may be 
> > needed. It depends on your peer so I can't say for certain unless you 
> > actually hit a problem.
> >
> >
> > Amos

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
  Current Beta Squid 3.1.0.7