Re: URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

On 21.02.2012 04:59, Fried Wil wrote:
Hello Guys,

I have a problem with a Squid 3.1.6 as reverse proxy for an Exchange
usage ... (rpc not compatible with apache2). I would like to redirect
the "/" to "/owa". How can I do that? Thx guys


Um. I've started with a bit of a side-track: some major simplifications inline with your config. The answer to your question is at the end.


This is my configuration of squid.conf just for OWA Access.

https_port SQUID_IP:443 accel cert=/etc/squid3/external_webmail.crt key=/etc/squid3/server.key defaultsite=webmail.domain.foo

NOTE: it is important to be aware that in 3.1 and older, if you omit the "vhost" flag but set "defaultsite=", this has the effect of re-writing *all* inbound request URIs with the domain name specified as the defaultsite= value. The importance of this will become clearer later...



cache_peer IP_EXCHANGE_SERVER parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/squid3/EXCHANGE_server.pem sslflags=DONT_VERIFY_PEER name=exchangeServer

acl url_allow url_regex -i ^https://webmail.domain.foo/.*$

Hint #1: "^https://webmail.domain.foo/.*$" overlaps and matches the same URLs as all the following patterns.


Remove the patterns from here...

acl url_allow url_regex -i ^https://webmail.domain.foo/rpc.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/exchange.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/exchweb.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/Microsoft-Server-ActiveSync.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/owa.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/EWS.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/autodiscover.*$

... down to here.

Hint #2: "url_regex -i ^https://webmail.domain.foo/.*$" can be further reduced to a simple pair of ACLs:

  acl HTTPS proto HTTPS
  acl foo dstdomain webmail.domain.foo


acl OWA dstdomain webmail.domain.foo

Hint #3: note how the new "foo" ACL and "OWA" ACL are identical. You can drop the suggested "foo" ACL and use "OWA".


Result: You can replace all uses of "url_allow" in *_access lines with the pair "HTTPS OWA".


acl OWA-SITE urlpath_regex (\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/EWS\/|\/exchange\/)
acl OWA-DIRS url_regex ^https://EXCHANGE_SERVER/owa/

cache_peer_access exchangeServer allow OWA

Hint #4: remembering that http_port defaultsite= has already made the URI domain name "webmail.domain.foo" you will notice how the "OWA" ACL will always match. This by itself means no other "cache_peer_access exchangeServer" lines will be tested.


cache_peer_access exchangeServer deny all

Hint #5: now that you have configured "exchangeServer deny all" the rest of the "cache_peer_access exchangeServer" lines are meaningless.

never_direct allow OWA

cache_peer_access exchangeServer allow OWA-SITE
cache_peer_access exchangeServer deny all
never_direct allow OWA-SITE

cache_peer_access exchangeServer allow OWA-DIRS
cache_peer_access exchangeServer deny all
never_direct allow OWA-DIRS

I just want to redirect https://webmail.domain.foo/ to
https://EXCHANGE_SERVER/owa/

I saw "url_rewrite_program" but it doesn't work :(


Please explain "doesn't work". Details are critical.

Firstly, you need to get straight whether you are redirecting or re-writing. They are very different things, with very different effects on Exchange.


- URL *re-write*, may or may not work. Exchange is *very* sensitive to even minor changes in the URI it is asked for. Re-writing can break Exchange service from one release to the next or from one windows update cycle to the next. Re-write has its occasional uses, but Exchange is not one of them. url_rewrite_program can do both types of URI alteration. Although you only need it for the re-write.


- Proper HTTP *redirect* using 3xx status messages should work fine. But Squid needs to be configured to handle both the before and after URL when received from the client. Exchange only needs to handle the "after" URI.


To simply do a global / to /owa/ *redirect* you can do this very simply:

 acl redirectOWA urlpath_regex ^/$
 deny_info 303:https://EXCHANGE_SERVER/owa/ redirectOWA
 http_access deny HTTPS OWA redirectOWA

Place this at the top of the reverse-proxy http_access lines and the clients will be redirected to load that given URL before they are sent anywhere near Exchange.

NOTE: The domain "EXCHANGE_SERVER" needs to point at your Squid https_port address if you want the OWA requests to continue to operate through Squid. BUT, I think you are actually wanting to redirect with:

 deny_info 303:https://webmail.domain.foo/owa/ redirectOWA


HTH
Amos
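
Added example, not part of the original thread and not Squid code: a small Python model of the ordered, first-match evaluation described in Hints #4 and #5, run over the posted cache_peer_access lines. ACL matching is reduced to Python predicates, the request host is fixed to the defaultsite= value as the reply describes, and the request paths used are constructed samples.

```python
import re

DEFAULTSITE = "webmail.domain.foo"  # defaultsite= value from the posted https_port line

# ACLs from the posted config, reduced to predicates over (host, path).
OWA_SITE_RE = re.compile(
    r"(/rpc/|/owa/|/oab/|/autodiscover/|/Microsoft-Server-ActiveSync"
    r"|/public/|/exchweb/|/EWS/|/exchange/)")
ACLS = {
    "all": lambda host, path: True,
    "OWA": lambda host, path: host == DEFAULTSITE,                   # dstdomain
    "OWA-SITE": lambda host, path: bool(OWA_SITE_RE.search(path)),   # urlpath_regex
    "OWA-DIRS": lambda host, path: re.match(                         # url_regex
        r"^https://EXCHANGE_SERVER/owa/", f"https://{host}{path}") is not None,
}

# "cache_peer_access exchangeServer" lines, in the order posted.
RULES = [("allow", ["OWA"]), ("deny", ["all"]),
         ("allow", ["OWA-SITE"]), ("deny", ["all"]),
         ("allow", ["OWA-DIRS"]), ("deny", ["all"])]

def decide(path, rules=RULES):
    """Return (line_index, action) of the first line whose ACLs all match."""
    # Assumption taken from the reply: without "vhost", defaultsite= replaces
    # the host of every inbound request URI.
    host = DEFAULTSITE
    for i, (action, names) in enumerate(rules):
        if all(ACLS[n](host, path) for n in names):
            return i, action
    return None, None

def dead_lines(rules=RULES):
    """Indexes of lines placed after an unconditional 'all' line (never tested)."""
    for i, (_, names) in enumerate(rules):
        if names == ["all"]:
            return list(range(i + 1, len(rules)))
    return []

if __name__ == "__main__":
    for p in ["/", "/owa/", "/rpc/", "/anything"]:  # constructed sample paths
        print(p, decide(p))
    print("lines never tested:", dead_lines())
```

Every sample path is decided by line 0 ("allow OWA"), and the OWA-DIRS pattern cannot match at all once the host has been replaced with webmail.domain.foo.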


