On Wed, 3 Feb 2010 15:26:30 +0100, Arnoud Tijssen <ATijssen@xxxxxx> wrote:

> Hi,
>
> I've set up my squid3 (STABLE 23 with openssl support) box to proxy requests
> to an upstream OWA server from one of our clients.
> The idea is that our client uses our proxyserver to synchronize with their
> own exchange environment.
> The client's owaserver is to be found at let's say
> http://owaserver/exchange
>
>
> This is my squid.conf;
>
> # Define the required extension methods for RPC-over-HTTPs
> extension_methods RPC_IN_DATA RPC_OUT_DATA
>
> # Define our cache_peer (the MS Exchange Server)
> cache_peer <owaserver> parent 80 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=owaserver
>
> # ACL to only allow OWA/OMA/ActiveSync/RPC
> acl exchange_urlpath_regex urlpath_regex -i ^http://<owaserver>/exchange($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^http://<owaserver>/exchweb($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^http://<owaserver>/public($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^http://<owaserver>/iisadmpwd($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^http://<owaserver>/rpc($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^http://<owaserver>/Microsoft-Server-ActiveSync($|/.*|\?.*)
>

First problem: "urlpath_regex" is a _path_ regex. The "http://<domain>" will screw up the match.

The way to do this is:

acl OWAdomain dstdomain <owaserver>
acl exchange_urlpath_regex urlpath_regex -i ^/(exchange|exchweb|public|iisadmpwd|rpc)($|/.*)
acl exchange_urlpath_regex urlpath_regex -i ^/Microsoft-Server-ActiveSync($|/.*|\?.*)

never_direct allow OWAdomain
cache_peer_access owaserver allow OWAdomain

> acl OWA-IP dst <owaserver>
> acl OWA dstdomain <ip squid box>
> cache_peer_access owaserver allow OWA
> never_direct allow OWA

That seems a bit confused. "If people are connecting to the raw-IP of the Squid box, let them through, passing the raw-IP URL to another box where it is invalid." ??

>
> # Deny Access to other than Exchange
> http_access deny !exchange_urlpath_regex
> http_access allow OWA-IP
> http_access deny all
> miss_access allow OWA-IP
> miss_access deny all
>
>
> When I comment the last 5 lines out, the synchronization works like a
> charm, but when I activate the http_access acls I get a TCP_DENIED.
>
> The idea is to restrict my clients to solely be able to synchronize their
> email via Activesync and nothing else.

The above criteria by itself is met by:

http_access allow OWAdomain exchange_urlpath_regex
http_access deny all

> Furthermore, other clients should be able to use the proxyserver for
> internet browsing using standard acl's

So clients who are not yours?

I'm a little confused, but I'll give it a try anyway..

If I understand right you have two groups of clients, some to do the OWA things and some just regular? That looks like this:

acl clientsA src 192.0.2.0/24

# permit A group to do OWA
http_access allow clientsA OWAdomain exchange_urlpath_regex

# but nobody else is allowed to do OWA...
http_access deny OWAdomain

# 'A' group are also not allowed to do any non-OWA stuff.
http_access deny clientsA

... follow that with normal proxy access controls for anybody not in the 'A' group subnet.

Amos
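The exchange above turns on two points: urlpath_regex is matched against the path (plus query string) only, so a pattern beginning with "http://" never matches and "deny !exchange_urlpath_regex" denies everything, and Squid's http_access list is evaluated top down with every ACL on a line ANDed and the first matching line deciding. The following Python model, an added example that is not part of the mail thread and not Squid's own code, imitates the three ACL types used here (dstdomain, urlpath_regex, src) and that evaluation order so both configurations can be exercised offline against constructed requests. The host name owaserver.example, the client subnets, the "localnet" rule standing in for the "normal proxy access controls" Amos mentions, and treating "dst <owaserver>" as a host-name compare (no DNS offline) are all assumptions.

```python
"""Offline model of Squid http_access evaluation for the OWA proxy in the thread.

Added example, not Squid code. Assumptions: host name, subnets, the 'localnet'
rule for ordinary users, and 'dst' modelled as a host-name compare.
"""
import ipaddress
import re
from urllib.parse import urlsplit

OWASERVER = "owaserver.example"  # assumed stand-in for the thread's <owaserver>


def parse_request(client_ip, url):
    """Split a request into the pieces the ACLs look at.

    Squid applies urlpath_regex to the path *including* the query string, which
    is why the ActiveSync pattern in the thread carries a '?.*' alternative.
    """
    u = urlsplit(url)
    path = u.path or "/"
    if u.query:
        path += "?" + u.query
    return {"client": client_ip, "host": (u.hostname or "").lower(), "path": path}


def dstdomain(domain):
    """acl NAME dstdomain DOMAIN (exact host match; the leading-dot wildcard form is not modelled)."""
    return lambda req: req["host"] == domain.lower()


def urlpath_regex(*patterns):
    """acl NAME urlpath_regex -i PATTERN ... (several lines with one name are ORed)."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return lambda req: any(c.search(req["path"]) for c in compiled)


def src(cidr):
    """acl NAME src CIDR"""
    net = ipaddress.ip_network(cidr)
    return lambda req: ipaddress.ip_address(req["client"]) in net


ACLS = {
    # Amos's corrected ACLs: the domain test is separate from the path regexes.
    "OWAdomain": dstdomain(OWASERVER),
    "exchange_urlpath_regex": urlpath_regex(
        r"^/(exchange|exchweb|public|iisadmpwd|rpc)($|/.*)",
        r"^/Microsoft-Server-ActiveSync($|/.*|\?.*)",
    ),
    # Arnoud's original pattern: a path never starts with "http://", so it cannot match.
    "exchange_urlpath_regex_original": urlpath_regex(
        r"^http://" + re.escape(OWASERVER) + r"/exchange($|/.*)"
    ),
    # "dst <owaserver>" compares the resolved IP; modelled as a host-name compare
    # here because the example runs without DNS (assumption).
    "OWA-IP": dstdomain(OWASERVER),
    "clientsA": src("192.0.2.0/24"),  # the group allowed to sync (constructed subnet)
    "localnet": src("10.0.0.0/8"),    # assumed ordinary proxy users
    "all": lambda req: True,
}

# Arnoud's original http_access lines, the ones that produced TCP_DENIED.
ORIGINAL_RULES = [
    "deny !exchange_urlpath_regex_original",
    "allow OWA-IP",
    "deny all",
]

# Amos's two-group layout, followed by an assumed rule for everyone else.
TWO_GROUP_RULES = [
    "allow clientsA OWAdomain exchange_urlpath_regex",  # permit A group to do OWA
    "deny OWAdomain",                                    # nobody else may reach OWA
    "deny clientsA",                                     # A group may do nothing else
    "allow localnet",                                    # assumed: normal access controls
    "deny all",
]


def http_access(rules, req, acls=ACLS):
    """Return 'allow' or 'deny' the way Squid evaluates an http_access list."""
    last_action = None
    for line in rules:
        action, *names = line.split()
        last_action = action
        matched = True
        for name in names:
            negated = name.startswith("!")
            # A term fails when the ACL result equals the negation flag:
            # a plain ACL that returned False, or a "!ACL" whose ACL returned True.
            if acls[name.lstrip("!")](req) == negated:
                matched = False
                break
        if matched:
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if last_action == "allow" else "allow"


if __name__ == "__main__":
    sync = parse_request("192.0.2.10", "http://owaserver.example/Microsoft-Server-ActiveSync?Cmd=Sync")
    print("original config, ActiveSync from client A:", http_access(ORIGINAL_RULES, sync))
    print("two-group config, ActiveSync from client A:", http_access(TWO_GROUP_RULES, sync))
```

Running it shows the symptom from the thread (the original list denies even a legitimate ActiveSync request, because the negated ACL can never match) and the intended behaviour of the two-group list: the A subnet reaches only the Exchange paths on the OWA host, anybody else is refused the OWA host outright, and ordinary browsing is decided by whatever rules follow.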