Hi Amos
I have "cleared" the configuration:

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl xxxxx src 192.168.55.0/24
acl xxxxx src 10.221.121.0/24
acl xxxxx src 10.223.0.71/32
http_access allow xxxxx
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
ssl_unclean_shutdown on
http_port 80 transparent
https_port 10.223.247.201:443 accel vhost cert=/etc/squid/cert/wm.XXXxxxxx.it.cert key=/etc/squid/cert/wm.XXXxxxxx.it.private.key cafile=/etc/squid/cert/cafile.cert
cache_peer mi1exprom1.nf.xxxxxXXX.it parent 443 0 ssl sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only no-query no-digest front-end-https=auto originserver name=MI11
cache_peer_access MI11 allow all
hierarchy_stoplist cgi-bin ?
logformat combined2 %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %

> Date: Tue, 11 Aug 2009 00:24:54 +1200
> From: squid3@xxxxxxxxxxxxx
> To: hdyugoplastika@xxxxxxxxxxx
> CC: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: [suiqd-2.7STABLE6-1]Problem RPC via HTTPS
>
> hdyugoplastika hdyugoplastika wrote:
>> Hi at all
>> I have a problem with authentication RPC over HTTPS with
>> squid-2.7STABLE6-1 (rpm downloaded from squid-cache.org).
>> I have squid server(version 2.5STABLE14-1 + owa patch) where RPC over HTTPS
>> authentication works fine. With both version now problem via OWA.
>> These are the log:
>>
>> access.log
>> 10.223.0.71 - - [10/Aug/2009:11:03:56 +0200] "RPC_IN_DATA https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002 HTTP/1.1" 401 509 TCP_MISS:SOURCEHASH_PARENT
>> 10.223.0.71 - - [10/Aug/2009:11:03:56 +0200] "RPC_OUT_DATA https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002 HTTP/1.1" 401 509 TCP_MISS:SOURCEHASH_PARENT
>>
>>
>> cache.log(I insert just, for me, relevant)
>> 2009/08/10 11:03:52| httpAppendBody: Request not yet fully sent "RPC_IN_DATA
>> https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002"
>> 2009/08/10 11:03:52| fwdComplete:
>> https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002
>> 2009/08/10 11:03:52| fwdReforward:
>> https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002?
>> 2009/08/10 11:03:52| fwdReforward: No, ENTRY_FWD_HDR_WAIT isn't set
>> 2009/08/10 11:03:52| fwdComplete: not re-forwarding status 401
>>
>> and useful(?) exchange log:
>> 2009-08-10 09:00:07 W3SVC1 MI1EXPROM1 10.223.247.61 GET
>> /exchweb/bin/auth/owalogon.asp
>> url=https://webmail.XXXxxxxx.it/exchange/&reason=0 443 - 192.168.21.245
>> HTTP/1.1 libwww-perl/5.823 - - webmail.XXXxxxxx.it 200 0 0 9070 205 0
>> 2009-08-10 09:00:38 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_OUT_DATA
>> /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0
>> MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 451 46
>> 2009-08-10 09:00:38 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_IN_DATA
>> /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0
>> MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 448 124
>> 2009-08-10 09:02:08 W3SVC1 MI1EXPROM1 10.223.247.61 GET
>> /exchweb/bin/auth/owalogon.asp
>> url=https://webmail.XXXxxxxx.it/exchange/&reason=0 443 - 192.168.21.245
>> HTTP/1.1 libwww-perl/5.823 - - webmail.XXXxxxxx.it 200 0 0 9070 205 15
>> 2009-08-10 09:03:52 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_IN_DATA
>> /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0
>> MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 344 0
>> 2009-08-10 09:03:52 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_OUT_DATA
>> /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0
>> MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 451 0
>> 2009-08-10 09:03:56 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_IN_DATA
>> /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0
>> MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 344 0
>> 2009-08-10 09:03:56 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_OUT_DATA
>> /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0
>> MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 451 0
>> 2009-08-10 09:04:07 W3SVC1 MI1EXPROM1 10.223.247.61 GET
>> /exchweb/bin/auth/owalogon.asp
>> url=https://webmail.XXXxxxxx.it/exchange/&reason=0 443 - 192.168.21.245
>> HTTP/1.1 libwww-perl/5.823 - - webmail.XXXxxxxx.it 200 0 0 9070 205 0
>>
>> Below the configuration:
>> squid 2.5STABLE14-1 + owa patch
>>
>> http_port 80
>> extension_methods RPC_IN_DATA RPC_OUT_DATA
>> https_port 10.223.243.26:443 cert=/etc/squid/cert/wm.XXXxxxxx.it.cert
>> key=/etc/squid/cert/wm.XXXxxxxx.it.private.key
>> cafile=/etc/squid/cert/cafile.cert
>> ssl_unclean_shutdown on
>> cache_peer mail.XXXxxxxx.it parent 443 0 ssl
>> sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only
>> no-query no-digest front-end-https=on
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> no_cache deny QUERY
>> emulate_httpd_log on
>> log_ip_on_direct on
>> debug_options ALL,1,83,2
>> hosts_file /etc/hosts
>> redirect_rewrites_host_header on
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> shutdown_lifetime 0 seconds
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443
>> acl CONNECT method CONNECT
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> acl xxxxx src 192.168.55.0/24
>> acl easy_bb src xxx.xxx.64.0/19
>> acl easy_bb src xxx.xxx.224.0/19
>> acl easy_bb src xxx.xxx.16.0/20
>> acl easy_bb src xxx.xxx.81.0/24
>> acl easy_bb src xxx.xxx.87.0/24
>> acl easy_bb src xxx.xxx.26.0/24
>> acl easy_bb src xxx.xxx.144.0/20
>> acl easy_bb src xxx.xxx.240.0/20
>> acl destination dst 10.223.243.24/32
>> acl access_mail urlpath_regex -i "/etc/squid/users/access_mail.txt"
>> acl access_url url_regex -i "/etc/squid/url_valid.txt"
>> acl acl_pfa dstdomain webmail.XXXxxxxx.it
>> http_access deny easy_bb
>> http_access allow xxxxx
>> http_access allow access_mail
>> http_access allow access_url
>> http_access allow localhost
>> http_access deny all
>> http_reply_access allow all
>> icp_access allow all
>> cache_peer_access mail.XXXxxxxx.it allow acl_pfa
>> cache_peer_access mail.XXXxxxxx.it deny all
>> tcp_outgoing_address 10.223.247.203 xxxxx
>> tcp_outgoing_address 10.223.247.201
>> cache_mgr net@xxxxxxxx
>> cache_effective_user squid
>> cache_effective_group squid
>> visible_hostname webmail.XXXxxxxx.it
>> httpd_accel_host virtual
>> httpd_accel_port 443
>> httpd_accel_single_host on
>> httpd_accel_with_proxy off
>> httpd_accel_uses_host_header on
>> err_html_text .
>> deny_info ERR_xxxxxXXX all
>> deny_info ERR_xxxxxXXX access_mail
>> never_direct allow all
>> strip_query_terms off
>> coredump_dir /var/spool/squid
>> max_filedesc 4096
>>
>>
>> Configuration
>> squid.conf-2.7STABLE6-1
>> acl all src all
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443
>> acl CONNECT method CONNECT
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> acl QUERY urlpath_regex cgi-bin \?
>> no_cache deny QUERY
>> acl xxxxx src 192.168.55.0/24
>> acl xxxxx src 10.221.121.0/24
>> acl easy_bb src xxx.xxx.64.0/19
>> acl easy_bb src xxx.xxx.224.0/19
>> acl easy_bb src xxx.xxx.16.0/20
>> acl easy_bb src xxx.xxx.81.0/24
>> acl easy_bb src xxx.xxx.87.0/24
>> acl easy_bb src xxx.xxx.26.0/24
>> acl easy_bb src xxx.xxx.144.0/20
>> acl easy_bb src xxx.xxx.240.0/20
>> acl access_mail urlpath_regex -i "/etc/squid/users/access_mail.txt"
>> acl access_url url_regex -i "/etc/squid/url_valid.txt"
>> acl acl_pfa dstdomain webmail.XXXxxxxx.it
>> http_access deny easy_bb
>> http_access allow xxxxx
>> http_access allow access_mail
>> http_access allow access_url
>> http_access allow localhost
>> http_access deny all
>> http_reply_access allow all
>> icp_access allow all
>> ssl_unclean_shutdown on
>> http_port 80 accel vhost
>> https_port 10.223.247.201:443 accel vhost
>> cert=/etc/squid/cert/wm.XXXxxxxx.it.cert
>> key=/etc/squid/cert/wm.XXXxxxxx.it.private.key
>> cafile=/etc/squid/cert/cafile.cert
>> cache_peer mi1exprom1.nf.xxxxxXXX.it parent 443 0 ssl
>> sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only
>> no-query no-digest front-end-https=auto sourcehash round-robin originserver
>> name=MI11
>
> Do not use round-robin on these peers!
>
>> cache_peer_access MI11 allow acl_pfa
>> cache_peer_access MI11 deny all
>> hierarchy_stoplist cgi-bin ?
>> logformat combined2 %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %
>
>
> You are also adding and removing a whole lot of settings to this one
> since the working config.
>
> I'd recommend going back to the original, removing the http_accel_* bits
> and making the http_port/https_port and any other changes actually
> needed to load the config. Then checking that that works before going on
> to adjust the other settings.
>
> This is clearly not the whole config because some important things like
> Safe_ports definition are missing even from the working one.
>
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>   Current Beta Squid 3.1.0.13
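
The three things the quoted reply points at (an ACL such as Safe_ports that is used but never defined, leftover httpd_accel_* directives, and round-robin on a cache_peer) can be checked mechanically before a config is loaded. The Python script below is an added example, not part of the original thread and not Squid's own tooling; the function name `lint_squid_conf`, the `ACCESS_DIRECTIVES` subset and the sample config with its placeholder peer hostname are constructed for illustration.

```python
# Constructed sample: directives taken from the quoted 2.7 config, plus one
# leftover 2.5 directive and a placeholder peer hostname.
SAMPLE = """\
acl all src all
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
httpd_accel_host virtual
cache_peer peer.example.invalid parent 443 0 ssl sourcehash round-robin originserver name=MI11
cache_peer_access MI11 allow acl_pfa
http_access deny all
"""

# Directives of the form "allow|deny aclname ..." besides the *_access ones
# (assumed subset for this example, not exhaustive).
ACCESS_DIRECTIVES = {"no_cache", "cache", "never_direct", "always_direct"}


def lint_squid_conf(text):
    """Return sorted (line_no, message) findings for squid.conf text."""
    defined, uses, findings = set(), [], []
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        name, args = tok[0], tok[1:]
        if name == "acl" and args:
            defined.add(args[0])
        elif name.startswith("httpd_accel_"):
            findings.append((n, f"{name}: obsolete 2.5 accelerator directive"))
        elif name == "cache_peer" and "round-robin" in args:
            findings.append((n, "cache_peer: round-robin set on peer"))
        elif name.endswith("_access") or name in ACCESS_DIRECTIVES:
            verb = next((i for i, a in enumerate(args)
                         if a in ("allow", "deny")), None)
            if verb is not None:
                # Everything after allow/deny is an ACL name, possibly negated.
                uses += [(n, a.lstrip("!")) for a in args[verb + 1:]]
    # Compared against ACLs defined anywhere in the file, not only earlier lines.
    findings += [(n, f"ACL '{a}' used but never defined")
                 for n, a in uses if a not in defined]
    return sorted(findings)


if __name__ == "__main__":
    for line_no, msg in lint_squid_conf(SAMPLE):
        print(f"line {line_no}: {msg}")
```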