Hi Amos,

Thanks for your very good explanation.

I want to specify everything I need:

https://webmail.domain.foo/ --> https://EXCHANGE_IP/owa/
https://webmail.domain.foo/owa/ --> https://EXCHANGE_IP/owa/
https://webmail.domain.foo/rpc/ --> https://EXCHANGE_IP/rpc/
https://webmail.domain.foo/Microsoft-Active-Sync/ --> https://EXCHANGE_IP/Microsoft-Active-Sync/
https://webmail.domain.foo/EWS/ --> https://EXCHANGE_IP/EWS/

The 302 redirection is needed only for the / .

I have tested your configuration, Amos, and it's the same ..

1329818099.937 0 CLIENT_IP TCP_MISS/503 3243 GET https://webmail.domain.foo/ - NONE/- text/html

but for /owa/ ..

1329818128.646 2 CLIENT_IP TCP_MISS/302 435 GET https://webmail.domain.foo/owa/ - FIRST_UP_PARENT/exchangeServer -
1329818128.685 3 CLIENT_IP TCP_MISS/200 1491 GET https://webmail.domain.foo/owa/auth/logon.aspx? - FIRST_UP_PARENT/exchangeServer text/html

This is my new squid.conf configuration:

############BEGIN##############
https_port webmail.lexsi.com:443 accel cert=/etc/squid3/webmail.domain.foo.crt key=/etc/squid3/server.key defaultsite=webmail.domain.foo vhost
cache_peer EXCHANGE_IP parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/squid3/EXCHANGE_IP.pem sslflags=DONT_VERIFY_PEER name=exchangeServer
acl HTTPSOWA url_regex -i ^https://webmail.domain.foo/.*$
acl HTTPS proto HTTPS
acl lexsi dstdomain webmail.domain.foo
acl OWA dstdomain webmail.domain.foo
acl OWA-SITE urlpath_regex (\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/EWS\/|\/exchange\/)
acl OWA-DIRS url_regex ^https://EXCHANGE_IP/owa/
cache_peer_access exchangeServer allow OWA
cache_peer_access exchangeServer allow OWA-SITE
cache_peer_access exchangeServer allow OWA-DIRS
cache_peer_access exchangeServer deny all
acl redirectOWA urlpath_regex ^/$
deny_info 303:https://webmail.lexsi.lan/owa/ redirectOWA
http_access deny HTTPSOWA redirectOWA
http_access allow all (for tests ^^)
############END##############

Thx in advance guys

On Tue, Feb 21, 2012 at 12:26:11PM +1300, Amos Jeffries wrote:
> On 21.02.2012 04:59, Fried Wil wrote:
> >Hello Guys,
> >
> >I have a problem with a Squid 3.1.6 as reverse proxy for an exchange
> >usage ... (rpc not compatible with apache2). I would like to redirect
> >the "/" to "/owa". How can I do that? thx guys
> >
>
> Um. I've started with a bit of a side-track some major
> simplifications inline with your config. The answer to your question
> is at the end.
>
>
> >This is my configuration of squid.conf just for OWA Access.
> >
> >$
> >https_port SQUID_IP:443 accel cert=/etc/squid3/external_webmail.crt
> >key=/etc/squid3/server.key defaultsite=webmail.domain.foo
>
> NOTE: it is important to be aware that in 3.1 and older if you omit
> "vhost" flag but set "defaultsite=". Has the effect of re-writing
> *all* inbound request URI with the domain name specified as
> defaultsite= value. The importance of this will become clearer
> later...
>
> >
> >cache_peer IP_EXCHANGE_SERVER parent 443 0 no-query originserver
> >login=PASS ssl sslcert=/etc/squid3/EXCHANGE_server.pem
> >sslflags=DONT_VERIFY_PEER name=exchangeServer
> >
> >acl url_allow url_regex -i ^https://webmail.domain.foo/.*$
>
> Hint #1: "^https://webmail.domain.foo/.*$" overlaps and matches same
> URL as all the following patterns.
>
>
> Remove the patterns from here...
>
> >acl url_allow url_regex -i ^https://webmail.domain.foo/rpc.*$
> >acl url_allol url_regex -i ^https://webmail.domain.foo/exchange.*$
> >acl url_allow url_regex -i ^https://webmail.domain.foo/exchweb.*$
> >acl url_allow url_regex -i
> >^https://webmail.domain.foo/Microsoft-Server-ActiveSync.*$
> >acl url_allow url_regex -i ^https://webmail.domain.foo/owa.*$
> >acl url_allow url_regex -i ^https://webmail.domain.foo/EWS.*$
> >acl url_allow url_regex -i
> >^https://webmail.domain.foo/autodiscover.*$
>
> ... down to here.
>
> Hint #2: "url_regex -i ^https://webmail.domain.foo/.*$" can be
> further reduced to a simple pair of ACL:
>
>   acl HTTPS proto HTTPS
>   acl foo dstdomain webmail.domain.foo
>
>
> >
> >acl OWA dstdomain webmail.domain.foo
>
> Hint #3: note how the new "foo" ACL and "OWA" ACL are identical. You
> can drop the suggested "foo" ACL and use "OWA".
>
>
> Result: You can replace all uses of "url_allow" in *_access lines
> with the pair "HTTPS OWA".
>
>
> >acl OWA-SITE urlpath_regex
> >
> >(\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/EWS\/|\/exchange\/)
> >acl OWA-DIRS url_regex ^https://EXCHANGE_SERVER/owa/
> >
> >cache_peer_access exchangeServer allow OWA
>
> Hint #4: remembering that http_port defaultsite= has already made
> the URI domain name "webmail.domain.foo" you will notice how the
> "OWA" ACL will always match.
> This by itself means no other "cache_peer_access exchangeServer"
> lines will be tested.
>
>
> >cache_peer_access exchangeServer deny all
>
> Hint #5: now that you have configured "exchangeServer deny all" the
> rest of the "cache_peer_access exchangeServer" lines are
> meaningless.
>
> >never_direct allow OWA
> >
> >cache_peer_access exchangeServer allow OWA-SITE
> >cache_peer_access exchangeServer deny all
> >never_direct allow OWA-SITE
> >
> >cache_peer_access exchangeServer allow OWA-DIRS
> >cache_peer_access exchangeServer deny all
> >never_direct allow OWA-DIRS
> >
> >I just want to redirect the https://webmail.domain.foo/ to
> >https://EXCHANGE_SERVER/owa/
> >
> >I saw "url_rewrite_program" but it doesn't work :(
>
>
> Please explain "doesn't work". Details are critical.
>
> Firstly, you need to get straight whether you are redirecting or
> re-writing. They are very different things, with very different
> effects on Exchange.
>
>
> - URL *re-write*, may or may not work. Exchange is *very* sensitive
> to even minor changes in the URI it is asked for.
> Re-writing can break Exchange service from one release to the next
> or from one windows update cycle to the next. Re-write has its
> occasional uses, but Exchange is not one of them.
> url_rewrite_program can do both types of URI alteration. Although
> you only need it for the re-write.
>
>
> - Proper HTTP *redirect* using 3xx status messages should work fine.
> But Squid needs to be configured to handle both the before and after
> URL when received from the client. Exchange only needs to handle the
> "after" URI.
>
>
> To simply do a global / to /owa/ *redirect* you can do this very
> simple:
>
>   acl redirectOWA urlpath_regex ^/$
>   deny_info 303:https://EXCHANGE_SERVER/owa/ redirectOWA
>   http_access deny HTTPS OWA redirectOWA
>
> Place this at the top of the reverse-proxy http_access lines and the
> clients will be redirected to load that given URL before they are
> sent anywhere near Exchange.
>
> NOTE: The domain "EXCHANGE_SERVER" needs to point at your Squid
> https_port address if you want the OWA requests to continue to
> operate through Squid. BUT, I think you are actually wanting to
> redirect with:
>
>   deny_info 303:https://webmail.domain.foo/owa/ redirectOWA
>
>
> HTH
> Amos
>
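
Added example, not part of the thread and not Squid project code: a small checker for the rule shadowing described in Hints #4 and #5, run over the access lines of the original config quoted above. It uses a simplified model of first-match evaluation; `SAMPLE_CONF`, `unreachable_rules` and `always_true` are hypothetical names, and treating "OWA" as always matching is the assumption stated in Hint #4.

```python
# Added example: flag Squid access rules that can never be tested.
# Simplified model: an access list stops at the first line whose ACLs all match.

# Constructed input: the access lines of the original config quoted in the thread.
SAMPLE_CONF = """\
cache_peer_access exchangeServer allow OWA
cache_peer_access exchangeServer deny all
never_direct allow OWA
cache_peer_access exchangeServer allow OWA-SITE
cache_peer_access exchangeServer deny all
never_direct allow OWA-SITE
cache_peer_access exchangeServer allow OWA-DIRS
cache_peer_access exchangeServer deny all
never_direct allow OWA-DIRS
"""

# Directives that form a single ordered list each (cache_peer_access is per peer).
SINGLE_LISTS = {"http_access", "never_direct", "always_direct"}


def unreachable_rules(conf_text, always_true=("all",)):
    """Return [(line_no, rule)] for rules placed after a rule that always matches.

    always_true names ACLs assumed to match every request: "all" is Squid's
    built-in catch-all, any other name is the caller's own assumption.
    """
    closed_by = {}   # access list -> line number of its first always-matching rule
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] == "cache_peer_access" and len(tokens) >= 4:
            key, acls = (tokens[0], tokens[1]), tokens[3:]
        elif tokens[0] in SINGLE_LISTS and len(tokens) >= 3:
            key, acls = (tokens[0],), tokens[2:]
        else:
            continue
        if key in closed_by:
            findings.append((line_no, " ".join(tokens)))
        elif all(acl in always_true for acl in acls):
            closed_by[key] = line_no   # ACLs on one line are ANDed together
    return findings


if __name__ == "__main__":
    for label, assumed in (("Hint #5", ("all",)), ("Hint #4", ("all", "OWA"))):
        for no, rule in unreachable_rules(SAMPLE_CONF, assumed):
            print(f"{label}: line {no} is never tested: {rule}")
```
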