
Re: Reverse and SSL cert

Thanks Jakob for your reply.
As usual I do not agree with digital certificate. :-)

(in theory and with your help) My goal is to demonstrate that it is possible to use squid as a reverse proxy instead of ISA or TMG, and to write an article on my blog.

I would get this topology:

Squid as reverse proxy for Exchange 2010 OWA and ActiveSync.
Exchange 2010 has a certificate issued by my internal CA.

I am following this example config:
http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess

In the real world:
Must I request a new certificate from my internal CA for the squid reverse proxy, or install the same certificate as Exchange?

tnx
--------------------------------------------------
From: "Jakob Curdes" <jc@xxxxxxxxxxxxxxx>
Sent: Wednesday, March 31, 2010 11:59 PM
To: "Squid Mailing List" <squid-users@xxxxxxxxxxxxxxx>
Cc: "Andrea Gallazzi" <andrea.gallazzi@xxxxxxxx>
Subject: Re:  Reverse and SSL cert


Is the certificate the same as Exchange's?
(if yes) Will the same certificate be installed on squid and on Exchange?
How do I make the .pem certificate for squid?

You need to tell us more about your setup. Probably you want to terminate an SSL connection on the reverse proxy and forward the request to an internal server that happens to run SSL. In this case the certificate the external client will get is the one configured in the https_port directive. For the second SSL connection (presumably to Exchange) you need a second certificate, which is defined in the cache_peer directive. This cert is just used to identify squid to the Exchange server. Another problem arises: if we are talking about OWA or RPC via HTTP access to Exchange, you need to make sure that the domain for the requests is the same all the time, i.e. the external client is requesting owa.domain.com which you are forwarding, say, to exchange.company.local. You must make sure that these two domains map to one in DNS, otherwise the requests will fail. Plus the certificates need to reflect this ... there are commercial certificates where you can enter two different domain names into one cert. Look for "Subject Alternative Names (SAN)" certificates. You can use such a cert on squid and the Exchange server.

Remark, not sure if it applies: if using Outlook as an RPC via HTTPS client, you will have trouble with self-signed certs. Outlook does not display a warning but just rejects the connection unless the self-signed cert has been accepted into the certificate store of the operating system, e.g. by going through an IE certificate dialogue.

HTH,
Jakob Curdes
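For readers following the thread, this is an added squid.conf fragment (not from the thread, the wiki page linked above, or the Squid project) that puts Jakob's two certificate roles and Andrea's question side by side: the public cert on https_port, the internal CA used to verify the Exchange cert on cache_peer, and an ACL that only forwards the public name. The hostnames, file paths and peer name are assumed, and the option spellings are those of Squid 3.x (sslcafile=, sslcert=), which is what the 2010 wiki example used.

```conf
# Added example configuration; assumed names and paths throughout:
#   owa.example.com       public name clients connect to (must be in the public cert)
#   exchange.corp.local   Exchange 2010 CAS, cert issued by the internal CA
#   /etc/squid/ssl/...    placeholder paths for the PEM files

# Public side: Squid terminates TLS with the certificate the external client sees.
# cert= and key= expect PEM; a single PEM holding both cert and key also works.
https_port 443 accel cert=/etc/squid/ssl/owa.example.com.crt key=/etc/squid/ssl/owa.example.com.key defaultsite=owa.example.com vhost

# Back-end side: re-encrypt to Exchange and verify its certificate against the
# internal CA instead of disabling verification with sslflags=DONT_VERIFY_PEER.
# Squid is the TLS client here, so Exchange's cert (or its SAN list) must cover
# the name Squid connects to. Add sslcert=/sslkey= only if Exchange demands a
# client certificate from the proxy; it is not required for plain OWA/ActiveSync.
cache_peer exchange.corp.local parent 443 0 no-query originserver ssl sslcafile=/etc/squid/ssl/internal_ca.pem login=PASS name=exchangeOWA

# The Host header stays owa.example.com on the way to the peer, so Exchange must
# answer for that name (a SAN cert with both names, as Jakob describes, covers
# both the public and the internal hostname). forcedomain= on cache_peer would
# rewrite Host instead, at the cost of breaking OWA redirects.

# Forward only requests for the public name; deny everything else.
acl owa dstdomain owa.example.com
cache_peer_access exchangeOWA allow owa
cache_peer_access exchangeOWA deny all
http_access allow owa
http_access deny all
```

With this layout the internal CA never has to be trusted by external clients: they validate only the public certificate on https_port, while Squid alone validates the internal-CA-issued Exchange certificate.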


