Re: Reverse Proxy

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Mario Remy Almeida wrote:
> My squid.conf
>
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> acl localnet src 10.200.2.0/24
> acl OWA dstdomain webmail.airarabia.ae
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow OWA all
> http_access allow localnet
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> icp_access allow localnet
> icp_access deny all
> miss_access allow OWA
> miss_access deny all
> http_port 10.200.22.49:80 defaultsite=webmail.airarabia.ae
> https_port 10.200.22.49:443 defaultsite=webmail.airarabia.ae 
> cert=/etc/squid/keys/proxycert.pem  key=/etc/squid/keys/proxykey.pem
> cache_peer 10.200.22.12 parent 80 0 no-query originserver login=PASS 
> front-end-https=on login=PASS name=owaServer
> cache_peer proxy1.emirates.net.ae parent 8080 0 no-query default
> cache_peer_access owaServer allow OWA
> hierarchy_stoplist cgi-bin ?
> cache_dir aufs /cache 29000 16 256
> logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
> logformat mysql_columns %ts.%03tu %6tr %>a %Ss %03Hs %<st %rm %ru %un 
> %Sh %<A %mt
> access_log /var/log/squid/access.log squid
> access_log daemon:/usr/lib64/squid/db.cf mysql_columns
> logfile_daemon /usr/lib64/squid/logmysqldb_daemon
> pid_filename /var/run/squid.pid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
> upgrade_http0.9 deny shoutcast
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> prefer_direct off
> never_direct allow OWA
> coredump_dir /var/spool/squid
>
>
> OUTPUT of "host webmail.airarabia.ae" taking from DNS
> webmail.airarabia.ae has address 10.200.22.12
>
>
> clients browser
> proxy set to 10.200.22.49 port 80
> NO by-pass
>
> Now confused with DNS what should be the DNS entires.
>
> the clients will not by-pass.
>
> should the DNS entry point to the OWA IP or to Squid Proxy?
>
>
> Please help as I am confused.

Oh, I see...

You need this:

10.200.22.49    -> SquidProxy
10.200.22.12    -> OWA
10.200.2.22     -> DNS Server

DNS Entires,
 webmail.airarabia.com pointing to 10.200.22.49      (HTTP, HTTPS stuff)
 mail.airarabia.com pointing to 10.200.22.12        (SMTP stuff)

On Squid Proxy Server,

/etc/resolv.conf:
   nameserver 10.200.2.22

/etc/hosts:
  127.0.0.1  localhost

squid.conf as above but:

 http_port 10.200.22.49:80 accel defaultsite=webmail.airarabia.ae
 https_port 10.200.22.49:443 accel defaultsite=webmail.airarabia.ae \
    cert=/etc/squid/keys/proxycert.pem  key=/etc/squid/keys/proxykey.pem

 cache_peer 10.200.22.12 parent 80 0 no-query originserver login=PASS \
    front-end-https=on name=owaServer
 cache_peer_access owaServer allow OWA

 cache_peer proxy1.emirates.net.ae parent 8080 0 no-query default
 cache_peer_access proxy1.emirates.net.ae allow !OWA



NOTE the 'accel' option on ports and "!OWA" on default parent peer access.

Amos


> //Remy
>
> On Sun, 2009-05-17 at 19:33 +1200, Amos Jeffries wrote:
> > Mario Remy Almeida wrote:
> > > Hi Amos,
> > > 
> > > One thing I forgot to mentioned
> > > 
> > > /etc/hosts has this entry
> > > 10.200.22.12	mail.airarabia.ae
> > > 
> > > Output of " host mail.airarabia.ae " from dns is -> 
> > > mail.airarabia.ae has address 10.200.9.20
> > > 
> > > 
> > > User (browser) reads the host file from individual PCs
> > > cat /etc/hosts | grep "mail.airarabia.ae"
> > > 10.200.22.49	mail.airarabia.ae
> > > 
> > > 
> > > 10.200.22.49 <- squid proxy ip
> > > 10.200.22.12 <- OWA ip
> >
> > This could cause you some problems administering it.
> >
> > My advice on this is to setup DNS pointing at Squid for the HTTPS domain 
> > name, set squid.conf with the right OWA IP as a peer, and not have the 
> > individual hosts file overrides.
> >
> > The fact that the public IP for the domain is different to both the 
> > squid IP and the real OWA/Exchange IP is worrying. I trust that you know 
> > what destinations should be.
> >
> > Amos
> >
> > > 
> > > Please find the answers below.
> > > 
> > > //Remy
> > > 
> > > On Sun, 2009-05-17 at 18:16 +1200, Amos Jeffries wrote:
> > >> Mario Remy Almeida wrote:
> > >>> Hi Amos,
> > >>>
> > >>> I followed the instruction as per
> > >>> http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess
> > >>>
> > >>> But I am some how failing to configure https.
> > >>>
> > >>> My squid.conf
> > >>> ========================================================================
> > >>> https_port 443 defaultsite=mail.airarabia.ae \
> > >>> cert=/etc/squid/keys/cert.pem  key=/etc/squid/keys/key.pem
> > >> Okay two extra things about the port:
> > >>   1) unless you have the wilcard cert its best to specify the IP:port 
> > >> combo and generate the cert for those IP:port. That way you can use 
> > >> other IP for other domains and be sure Squid is sending SSL on the right IP.
> > > changed it to ->
> > > https_port 10.200.22.49:443 defaultsite=mail.airarabia.ae \
> > > cert=/etc/squid/keys/cert.pem  key=/etc/squid/keys/key.pem
> > > 
> > >>   2) check that the cert/key are correct for the IP:port squid is 
> > >> listening on.
> > > 
> > > use this command to generate the ssl certificate
> > > 
> > > openssl req -x509 -days 365 -newkey rsa:1024 -keyout key.pem -nodes
> > > \-out cert.pem
> > > 
> >
> > The keys do need to be signed in some way before they are valid for use.
> > This looks like a key creation-only command, though with SSL certs I 
> > only know enough to follow the tutorials. Doing that (for all key steps) 
> > I've never had a problem.
> >
> > Amos
> >
> > > 
> > >>
> > >>> cache_peer 10.200.22.12 parent 80 0 no-query originserver login=PASS \
> > >>> front-end-https=on login=PASS name=owaServer
> > >> So OWA is listening on port 80?
> > > yes on port 80 no issue
> > > 
> > >>> cache_peer_access owaServer allow OWA
> > >>> acl OWA dstdomain mail.airarabia.ae
> > >>> http_access allow OWA
> > >>> miss_access allow OWA
> > >>> miss_access deny all
> > >> Missing:
> > >>    never_direct allow OWA
> > > Actually I forgot to mention it here
> > > It is specified in squid.conf
> > > 
> > >> that bit is important to prevent Squid even attempting to request a 
> > >> connection direct to OWA without the peerage settings.
> > >>
> > >> Amos
> > >>
> > >>> cache.log
> > >>> ========================================================================
> > >>> 2009/05/17 13:32:12| fwdNegotiateSSL: Error negotiating SSL connection \
> > >>> on FD 24: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
> > >>> 2009/05/17 13:32:12| fwdNegotiateSSL: Error negotiating SSL connection \
> > >>> on FD 24: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
> > >>> 2009/05/17 13:32:13| fwdNegotiateSSL: Error negotiating SSL connection \
> > >>> on FD 24: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
> > >>>
> > >>> Error on the browser
> > >>> ========================================================================
> > >>> While trying to retrieve the URL: https://mail.airarabia.ae/exchweb/
> > >>>
> > >>> The following error was encountered:
> > >>>
> > >>>       * Connection to 10.200.22.12 Failed
> > >>>
> > >>> The system returned:
> > >>>
> > >>> (71) Protocol error
> > >>>
> > >>> The remote host or network may be down. Please try the request again.
> > >>>
> > >>>
> > >>> Please help
> > >>>
> > >>> //Remy
> > >>>
> > >>>
> > >>> On Fri, 2009-05-15 at 16:35 +1200, Amos Jeffries wrote:
> > >>>> Mario Remy Almeida wrote:
> > >>>>> Hi All,
> > >>>>>
> > >>>>> Need to setup Reverse proxy
> > >>>>>
> > >>>>> I have
> > >>>>>
> > >>>>> Squid 2.7STABLE6
> > >>>>> OS Centos
> > >>>>>
> > >>>>> Web server= Microsoft Outlook Web Access
> > >>>>> SSL enabled
> > >>>>> port 443
> > >>>>>
> > >>>>>
> > >>>>> My squid config is as below
> > >>>>>
> > >>>>> acl vhosts1_domains dstdomain mail.airarabiauae.com
> > >>>>> http_port 443 accel defaultsite=mail.airarabiauae.com vhost
> > >>>>> cache_peer 10.200.22.12 parent 443 0 no-query originserver name=vhost1 \
> > >>>>> ssl
> > >>>>> cache_peer_access vhost1 allow vhosts1_domains
> > >>>>>
> > >>>>> Please someone tell me it that is the right way to configure it.
> > >>>>>
> > >>>> No. Here is the tutorial:
> > >>>>
> > >>>> http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess
> > >>>>
> > >>>> port 443 is often encrypted. It requires the https_port option instead 
> > >>>> of http_port, and the certificate as well.
> > >>>>
> > >>>> The peer part may be correct, or further ssl-related options may be 
> > >>>> needed. It depends on your peer so I can't say for certain unless you 
> > >>>> actually hit a problem.
> > >>>>
> > >>>>

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
  Current Beta Squid 3.1.0.7