hdyugoplastika wrote:
Hi all, I have a problem with RPC over HTTPS authentication with squid-2.7STABLE6-1 (rpm downloaded from squid-cache.org). I have a squid server (version 2.5STABLE14-1 + owa patch) where RPC over HTTPS authentication works fine. With both versions no problem via OWA. These are the logs:

access.log

10.223.0.71 - - [10/Aug/2009:11:03:56 +0200] "RPC_IN_DATA https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002 HTTP/1.1" 401 509 TCP_MISS:SOURCEHASH_PARENT
10.223.0.71 - - [10/Aug/2009:11:03:56 +0200] "RPC_OUT_DATA https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002 HTTP/1.1" 401 509 TCP_MISS:SOURCEHASH_PARENT

cache.log (I insert just the, for me, relevant lines)

2009/08/10 11:03:52| httpAppendBody: Request not yet fully sent "RPC_IN_DATA https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002"
2009/08/10 11:03:52| fwdComplete: https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002
2009/08/10 11:03:52| fwdReforward: https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002?
2009/08/10 11:03:52| fwdReforward: No, ENTRY_FWD_HDR_WAIT isn't set
2009/08/10 11:03:52| fwdComplete: not re-forwarding status 401 and useful(?)

exchange log:

2009-08-10 09:00:07 W3SVC1 MI1EXPROM1 10.223.247.61 GET /exchweb/bin/auth/owalogon.asp url=https://webmail.XXXxxxxx.it/exchange/&reason=0 443 - 192.168.21.245 HTTP/1.1 libwww-perl/5.823 - - webmail.XXXxxxxx.it 200 0 0 9070 205 0
2009-08-10 09:00:38 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_OUT_DATA /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0 MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 451 46
2009-08-10 09:00:38 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_IN_DATA /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0 MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 448 124
2009-08-10 09:02:08 W3SVC1 MI1EXPROM1 10.223.247.61 GET /exchweb/bin/auth/owalogon.asp url=https://webmail.XXXxxxxx.it/exchange/&reason=0 443 - 192.168.21.245 HTTP/1.1 libwww-perl/5.823 - - webmail.XXXxxxxx.it 200 0 0 9070 205 15
2009-08-10 09:03:52 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_IN_DATA /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0 MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 344 0
2009-08-10 09:03:52 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_OUT_DATA /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0 MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 451 0
2009-08-10 09:03:56 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_IN_DATA /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0 MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 344 0
2009-08-10 09:03:56 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_OUT_DATA /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0 MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 451 0
2009-08-10 09:04:07 W3SVC1 MI1EXPROM1 10.223.247.61 GET /exchweb/bin/auth/owalogon.asp url=https://webmail.XXXxxxxx.it/exchange/&reason=0 443 - 192.168.21.245 HTTP/1.1 libwww-perl/5.823 - - webmail.XXXxxxxx.it 200 0 0 9070 205 0

Below the configuration:

squid 2.5STABLE14-1 + owa patch

http_port 80
extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port 10.223.243.26:443 cert=/etc/squid/cert/wm.XXXxxxxx.it.cert key=/etc/squid/cert/wm.XXXxxxxx.it.private.key cafile=/etc/squid/cert/cafile.cert
ssl_unclean_shutdown on
cache_peer mail.XXXxxxxx.it parent 443 0 ssl sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only no-query no-digest front-end-https=on
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
emulate_httpd_log on
log_ip_on_direct on
debug_options ALL,1,83,2
hosts_file /etc/hosts
redirect_rewrites_host_header on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
shutdown_lifetime 0 seconds
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl xxxxx src 192.168.55.0/24
acl easy_bb src xxx.xxx.64.0/19
acl easy_bb src xxx.xxx.224.0/19
acl easy_bb src xxx.xxx.16.0/20
acl easy_bb src xxx.xxx.81.0/24
acl easy_bb src xxx.xxx.87.0/24
acl easy_bb src xxx.xxx.26.0/24
acl easy_bb src xxx.xxx.144.0/20
acl easy_bb src xxx.xxx.240.0/20
acl destination dst 10.223.243.24/32
acl access_mail urlpath_regex -i "/etc/squid/users/access_mail.txt"
acl access_url url_regex -i "/etc/squid/url_valid.txt"
acl acl_pfa dstdomain webmail.XXXxxxxx.it
http_access deny easy_bb
http_access allow xxxxx
http_access allow access_mail
http_access allow access_url
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_peer_access mail.XXXxxxxx.it allow acl_pfa
cache_peer_access mail.XXXxxxxx.it deny all
tcp_outgoing_address 10.223.247.203 xxxxx
tcp_outgoing_address 10.223.247.201
cache_mgr net@xxxxxxxx
cache_effective_user squid
cache_effective_group squid
visible_hostname webmail.XXXxxxxx.it
httpd_accel_host virtual
httpd_accel_port 443
httpd_accel_single_host on
httpd_accel_with_proxy off
httpd_accel_uses_host_header on
err_html_text .
deny_info ERR_xxxxxXXX all
deny_info ERR_xxxxxXXX access_mail
never_direct allow all
strip_query_terms off
coredump_dir /var/spool/squid
max_filedesc 4096

Configuration squid.conf-2.7STABLE6-1

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl xxxxx src 192.168.55.0/24
acl xxxxx src 10.221.121.0/24
acl easy_bb src xxx.xxx.64.0/19
acl easy_bb src xxx.xxx.224.0/19
acl easy_bb src xxx.xxx.16.0/20
acl easy_bb src xxx.xxx.81.0/24
acl easy_bb src xxx.xxx.87.0/24
acl easy_bb src xxx.xxx.26.0/24
acl easy_bb src xxx.xxx.144.0/20
acl easy_bb src xxx.xxx.240.0/20
acl access_mail urlpath_regex -i "/etc/squid/users/access_mail.txt"
acl access_url url_regex -i "/etc/squid/url_valid.txt"
acl acl_pfa dstdomain webmail.XXXxxxxx.it
http_access deny easy_bb
http_access allow xxxxx
http_access allow access_mail
http_access allow access_url
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
ssl_unclean_shutdown on
http_port 80 accel vhost
https_port 10.223.247.201:443 accel vhost cert=/etc/squid/cert/wm.XXXxxxxx.it.cert key=/etc/squid/cert/wm.XXXxxxxx.it.private.key cafile=/etc/squid/cert/cafile.cert
cache_peer mi1exprom1.nf.xxxxxXXX.it parent 443 0 ssl sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only no-query no-digest front-end-https=auto sourcehash round-robin originserver name=MI11
Do not use round-robin on these peers!
cache_peer_access MI11 allow acl_pfa
cache_peer_access MI11 deny all
hierarchy_stoplist cgi-bin ?
logformat combined2 %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %
You are also adding and removing a whole lot of settings to this one since the working config.
I'd recommend going back to the original, removing the http_accel_* bits and making the http_port/https_port and any other changes actually needed to load the config. Then checking that that works before going on to adjust the other settings.
This is clearly not the whole config because some important things like Safe_ports definition are missing even from the working one.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13
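
Added example, not part of Amos's reply or the original post: a small Python lint that runs the checks raised in the reply above over a squid.conf string (round-robin on a cache_peer, leftover httpd_accel_* directives, ACLs such as Safe_ports that are used but never defined). It also flags sslflags=DONT_VERIFY_PEER, which the thread does not discuss but which turns off certificate verification of the peer; the function name, the directive subset and the sample config are constructed for illustration.

```python
# Directives taking "allow|deny acl ..." arguments (assumed subset, enough
# for the configs in this thread).
ACCESS = {"http_access", "http_reply_access", "icp_access",
          "no_cache", "never_direct", "cache_peer_access"}

def lint_squid_conf(text):
    """Return sorted (line_no, finding) tuples for a squid.conf string."""
    defined, uses, findings = set(), [], []
    for no, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not tok:
            continue
        name, args = tok[0], tok[1:]
        if name == "acl" and args:
            defined.add(args[0])
        elif name in ACCESS:
            if name == "cache_peer_access":
                args = args[1:]                 # skip the peer name
            for acl in args[1:]:                # skip allow/deny
                uses.append((no, acl.lstrip("!")))
        elif name == "cache_peer":
            if "round-robin" in args:
                findings.append((no, "round-robin on cache_peer"))
            if any(a.startswith("sslflags=") and "DONT_VERIFY_PEER" in a
                   for a in args):
                findings.append((no, "sslflags=DONT_VERIFY_PEER on cache_peer"))
        elif name.startswith("httpd_accel_"):
            findings.append((no, name + " directive present"))
    # ACLs may be defined after first use in a pasted excerpt, so resolve last.
    findings += [(no, "undefined acl " + a) for no, a in uses if a not in defined]
    return sorted(findings)

# Constructed sample (hostnames are placeholders, not the poster's config).
SAMPLE = """\
acl all src all
acl SSL_ports port 443
acl CONNECT method CONNECT
acl acl_pfa dstdomain webmail.example.invalid
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
cache_peer peer.example.invalid parent 443 0 ssl sslflags=DONT_VERIFY_PEER sourcehash round-robin originserver name=MI11
cache_peer_access MI11 allow acl_pfa
cache_peer_access MI11 deny all
httpd_accel_port 443
"""

if __name__ == "__main__":
    for line_no, finding in lint_squid_conf(SAMPLE):
        print(f"line {line_no}: {finding}")
```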