Re: Reverse Proxy

Mario Remy Almeida wrote:
Hi Amos,

One thing I forgot to mention:

/etc/hosts has this entry
10.200.22.12	mail.airarabia.ae

Output of " host mail.airarabia.ae " from dns is -> mail.airarabia.ae has address 10.200.9.20


User (browser) reads the host file from individual PCs
cat /etc/hosts | grep "mail.airarabia.ae"
10.200.22.49	mail.airarabia.ae


10.200.22.49 <- squid proxy ip
10.200.22.12 <- OWA ip

This could cause you some problems administering it.

My advice on this is to setup DNS pointing at Squid for the HTTPS domain name, set squid.conf with the right OWA IP as a peer, and not have the individual hosts file overrides.

The fact that the public IP for the domain is different to both the squid IP and the real OWA/Exchange IP is worrying. I trust that you know what destinations should be.

Amos


Please find the answers below.

//Remy

On Sun, 2009-05-17 at 18:16 +1200, Amos Jeffries wrote:
Mario Remy Almeida wrote:
Hi Amos,

I followed the instruction as per
http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess

But I am somehow failing to configure https.

My squid.conf
========================================================================
https_port 443 defaultsite=mail.airarabia.ae \
cert=/etc/squid/keys/cert.pem  key=/etc/squid/keys/key.pem
Okay two extra things about the port:
1) unless you have the wildcard cert it's best to specify the IP:port combo and generate the cert for those IP:port. That way you can use other IP for other domains and be sure Squid is sending SSL on the right IP.
changed it to ->
https_port 10.200.22.49:443 defaultsite=mail.airarabia.ae \
cert=/etc/squid/keys/cert.pem  key=/etc/squid/keys/key.pem

2) check that the cert/key are correct for the IP:port squid is listening on.

use this command to generate the ssl certificate

openssl req -x509 -days 365 -newkey rsa:1024 -keyout key.pem -nodes \
-out cert.pem


The keys do need to be signed in some way before they are valid for use.
This looks like a key creation-only command, though with SSL certs I only know enough to follow the tutorials. Doing that (for all key steps) I've never had a problem.

Amos



cache_peer 10.200.22.12 parent 80 0 no-query originserver login=PASS \
front-end-https=on login=PASS name=owaServer
So OWA is listening on port 80?
yes on port 80 no issue

cache_peer_access owaServer allow OWA
acl OWA dstdomain mail.airarabia.ae
http_access allow OWA
miss_access allow OWA
miss_access deny all
Missing:
   never_direct allow OWA
Actually I forgot to mention it here
It is specified in squid.conf

That bit is important to prevent Squid even attempting to request a connection direct to OWA without the peerage settings.

Amos

cache.log
========================================================================
2009/05/17 13:32:12| fwdNegotiateSSL: Error negotiating SSL connection \
on FD 24: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
2009/05/17 13:32:12| fwdNegotiateSSL: Error negotiating SSL connection \
on FD 24: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
2009/05/17 13:32:13| fwdNegotiateSSL: Error negotiating SSL connection \
on FD 24: error:00000000:lib(0):func(0):reason(0) (5/-1/104)

Error on the browser
========================================================================
While trying to retrieve the URL: https://mail.airarabia.ae/exchweb/

The following error was encountered:

      * Connection to 10.200.22.12 Failed

The system returned:

(71) Protocol error

The remote host or network may be down. Please try the request again.


Please help

//Remy


On Fri, 2009-05-15 at 16:35 +1200, Amos Jeffries wrote:
Mario Remy Almeida wrote:
Hi All,

Need to setup Reverse proxy

I have

Squid 2.7STABLE6
OS Centos

Web server= Microsoft Outlook Web Access
SSL enabled
port 443


My squid config is as below

acl vhosts1_domains dstdomain mail.airarabiauae.com
http_port 443 accel defaultsite=mail.airarabiauae.com vhost
cache_peer 10.200.22.12 parent 443 0 no-query originserver name=vhost1 \
ssl
cache_peer_access vhost1 allow vhosts1_domains

Please someone tell me if that is the right way to configure it.

No. Here is the tutorial:

http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess

port 443 is often encrypted. It requires the https_port option instead of http_port, and the certificate as well.

The peer part may be correct, or further ssl-related options may be needed. It depends on your peer so I can't say for certain unless you actually hit a problem.


Amos
Amos


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
  Current Beta Squid 3.1.0.7
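As an added check that is not part of this thread, a small shell script covering Amos's point 2 (that the cert and key really go together and that the certificate names the host given as defaultsite); it assumes the openssl CLI is installed and takes the file paths and host name as arguments.

```shell
#!/bin/sh
# Added example, not from the squid-users thread. Assumes the openssl CLI.
# Usage: cert_matches_key cert.pem key.pem ; cert_names_host cert.pem mail.example.test

# Returns 0 when the public key embedded in the certificate is the same key
# that key.pem describes, i.e. the pair Squid will load is consistent.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    # Both are PEM "PUBLIC KEY" blocks; an unreadable file yields an empty string.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the certificate's subject CN or a DNS subjectAltName is
# exactly the host name browsers will use (the https_port defaultsite).
cert_names_host() {
    cert="$1"; host="$2"
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -Eq "(Subject:.*CN ?= ?|DNS:)$host *(,|$)"
}

# Example run against the paths used in the thread (uncomment to use):
# cert_matches_key /etc/squid/keys/cert.pem /etc/squid/keys/key.pem \
#     && cert_names_host /etc/squid/keys/cert.pem mail.airarabia.ae \
#     && echo "cert/key pair is consistent and names the site"
```

A self-signed certificate produced by the `openssl req -x509` command in the thread passes both checks when `-subj "/CN=<defaultsite>"` is given; browsers will still warn about it until it is signed by a CA they trust.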
