On Wed, 23 Feb 2011 08:45:46 -0800 (PST), gohone wrote:
Hello,
I have an Exchange 2007 server and I would like to make it available from the outside.
So I set up a reverse proxy with squid (version 3.0 STABLE19) and a self-signed certificate.
client --https--> squid --https--> Exchange OWA
The access is working from the outside but I would like the client to need a certificate to access OWA.
If I don't have a certificate on the client I have the warning message about the identity of the certificate when I try to connect to OWA, but I can continue if I ignore the SSL error and finally the connection is done... I know the error is normal because it's a self-signed certificate and the CA is not in the trusted list, but I would like the access to be possible only if I have the certificate on the client.
What can I do in "squid" to resolve this issue?
You can present a real non-self-signed certificate to the visitors via http_port.
The *internal* link between Squid and OWA is the place where self-signed certificates can be used without general public access being involved.
The warnings are ignored on that link via the sslflags=DONT_VERIFY_PEER option to cache_peer.
Apparently some ACLs exist like "user_cert" but I don't know if it's the solution and I don't see examples about the syntax.
ACLs are for checking and validation, not for sending.
Below is my config in Squid.
visible_hostname exchange_outside
debug_options ALL,1
extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port 443 accel cert=/path/exchg.pem key=/path/exchg.pem \
    defaultsite=exchange_outside vhost
cache_peer "ip_exchange" parent 4433 0 no-query originserver \
    no-digest login=PASS ssl front-end-https=on \
    sslcert=/chemin du certificat/owa.pem sslkey=/path/owa.pem \
    sslcafile=/path/ca.crt name=exchange_hostname
acl all src 0.0.0.0/0.0.0.0
"all" is defined internally by Squid-3.
You will be getting warnings about the "all" ACL definition. Remove the
above line to resolve those.
Amos
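As an added illustration of the layout Amos describes (not the original poster's config and not a configuration from the Squid project itself), the fragment below puts a CA-issued certificate on the public https_port, keeps the self-signed certificate on the internal cache_peer link with sslflags=DONT_VERIFY_PEER, and uses a user_cert ACL so that only clients presenting a certificate from a private CA reach OWA. The hostnames, IP address, file paths and the organisation name "ExampleOrg" are assumed values for the example; clientca= and cafile= on https_port make Squid request and verify the client certificate, and it is the ACL, not the port option, that refuses clients without one.

```squid
# Added example squid.conf fragment (Squid 3.x); all names below are assumptions.
visible_hostname owa.example.com
extension_methods RPC_IN_DATA RPC_OUT_DATA

# Public side: certificate issued by a public CA, so visitors see no warning.
# clientca= is the private CA whose client certificates Squid asks for;
# cafile= lets Squid verify the certificate chain the client presents.
https_port 443 accel defaultsite=owa.example.com vhost \
    cert=/etc/squid/public.pem key=/etc/squid/public.key \
    clientca=/etc/squid/client-ca.crt cafile=/etc/squid/client-ca.crt

# Internal side: Exchange keeps its self-signed certificate; verification of
# that certificate is skipped on this link only, as suggested in the reply.
cache_peer 10.0.0.10 parent 443 0 no-query originserver no-digest \
    login=PASS ssl front-end-https=on sslflags=DONT_VERIFY_PEER \
    name=exchange

# Only requests carrying a verified client certificate whose subject O=
# attribute is ExampleOrg are allowed; everything else is denied before the
# request is forwarded to OWA.
acl owa_site dstdomain owa.example.com
acl owa_clients user_cert O ExampleOrg
http_access allow owa_site owa_clients
http_access deny all
cache_peer_access exchange allow owa_site owa_clients
cache_peer_access exchange deny all
```

Clients that connect without a certificate still complete the TLS handshake with Squid, but their requests fail the owa_clients ACL and receive Squid's access-denied page instead of being relayed to Exchange; checking a client's DN against a ca_cert or user_cert ACL is the "checking and validation" role Amos refers to.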