On 09.05.2012 10:42, Ruiyuan Jiang wrote:
Hi, all
I am new to Squid. I am trying to set up squid as a reverse proxy
for MS Exchange outlook client access. I compiled squid myself
(v3.1.19, Solaris 10, SPARC). I followed the configuration example on
the squid web page "ConfigExamples/Reverse/ExchangeRpc".
# cat squid.conf
<snip>
# Squid normally listens to port 3128
https_port 156.146.1.133:443 accel cert=/opt/apache2.2.21/conf/ssl.crt/webmail_fnpc_com.crt defaultsite=webmail.fnpc.com
cache_peer 10.105.10.20 parent 443 0 no-query originserver login=PASS ssl sslcert=/opt/apache2.2.21/conf/ssl.crt/webmail_fnpc_com.crt name=exchangeServer
acl EXCH dstdomain .fnpc.com
cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct all EXCH
http_access allow EXCH
http_acces deny all
^^ typo "ss"
miss_access allow EXCH
miss_access deny all
<snip>
The certificate file webmail_fnpc_com.crt is a valid certificate that I
got from a CA. Do I need to install two certificates on the server,
one for the client, which I would guess is the official certificate
(webmail_fnpc_com.crt)? Can I present the same certificate to the
internal exchange server? That is what I did on all my Apache reverse
proxy servers for Exchange server.
The basics of it are that Squid is what interacts with the client. So
the public cert needs to be presented there on https_port.
What Exchange uses depends on what type of interactions happen there.
It is probably safest to have self-signed certs with the self-signing CA
trusted by Squid (on cache_peer) so it can verify Exchange, but this
only works if the clients are not interacting directly with Exchange via
other channels.
NP: Squid requires PEM format certificate files.
When I ran 'squid -X', I got the below message stating 1. unrecognized: 'https_port', 2. FATAL: Bungled squid.conf line 64:
cache_peer 156.146.16.198 parent 443 0 no-query originserver login=PASS ssl sslcert=/opt/apache2.2.21/conf/ssl.crt/webmail_fnpc_com.crt name=exchangeServer
When you built squid you omitted --enable-ssl. Ensure you have openssl
development library to build against and rebuild your squid. It should
accept the SSL related config after that.
<snip>
2012/05/08 17:22:11.373| parse_peer: token='ssl'
...
FATAL: Bungled squid.conf line 64: cache_peer 156.146.16.198 parent 443 0 no-query originserver login=PASS ssl sslcert=/opt/apache2.2.21/conf/ssl.crt/webmail_fnpc_com.crt name=exchangeServer
Squid Cache (Version 3.1.19): Terminated abnormally.
Amos
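As an added example (not part of this thread and not Squid's own tooling), a small pre-flight check in Python that catches the three problems discussed above before squid itself does: a misspelled directive such as 'http_acces', SSL directives on a squid built without --enable-ssl, and a certificate file that is not PEM. The directive list is a constructed subset of Squid 3.1's vocabulary, the config sample is the thread's snippet written one directive per line as the real file holds it, and the `squid -v` lines and certificate bytes are constructed samples.

```python
import difflib
import re

# Directives this checker knows: a small constructed subset of Squid 3.1's vocabulary.
KNOWN = {"http_port", "https_port", "cache_peer", "acl", "cache_peer_access",
         "never_direct", "http_access", "miss_access"}
SSL_PEER_OPTS = ("sslcert=", "sslkey=", "sslflags=", "sslcafile=", "sslcapath=")
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"   # Squid wants PEM, not DER or PKCS#12

# Constructed inputs mirroring the thread: the config (with its typo) and two `squid -v` lines.
CERT = "/opt/apache2.2.21/conf/ssl.crt/webmail_fnpc_com.crt"
SAMPLE_CONF = f"""\
# Squid normally listens to port 3128
https_port 156.146.1.133:443 accel cert={CERT} defaultsite=webmail.fnpc.com
cache_peer 10.105.10.20 parent 443 0 no-query originserver login=PASS ssl sslcert={CERT} name=exchangeServer
acl EXCH dstdomain .fnpc.com
http_access allow EXCH
http_acces deny all
"""
NO_SSL_BUILD = "configure options:  '--prefix=/opt/squid'"
SSL_BUILD = "configure options:  '--prefix=/opt/squid' '--enable-ssl'"
PEM_CERT = {CERT: b"-----BEGIN CERTIFICATE-----\nMIIB...constructed sample...\n-----END CERTIFICATE-----\n"}

def check_conf(conf_text, squid_v_output, cert_files):
    """Return findings for a squid.conf text, given `squid -v` output and {path: bytes} cert files."""
    opts = {t.strip("'\"") for t in squid_v_output.split()}   # configure options are single-quoted
    ssl_built = "--enable-ssl" in opts
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()                    # drop comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        if directive not in KNOWN:                             # e.g. the 'http_acces' typo
            hint = difflib.get_close_matches(directive, KNOWN, n=1)
            findings.append(f"line {lineno}: unrecognized '{directive}'"
                            + (f" (did you mean '{hint[0]}'?)" if hint else ""))
            continue
        uses_ssl = directive == "https_port" or (directive == "cache_peer" and
                   any(a == "ssl" or a.startswith(SSL_PEER_OPTS) for a in args))
        if uses_ssl and not ssl_built:                         # the cause behind 'Bungled squid.conf'
            findings.append(f"line {lineno}: '{directive}' needs a squid built with --enable-ssl")
        for a in args:                                         # cert= on https_port, sslcert= on cache_peer
            m = re.match(r"(?:ssl)?cert=(.+)", a)
            if m and cert_files.get(m.group(1)) is None:
                findings.append(f"line {lineno}: certificate file {m.group(1)} not found")
            elif m and not cert_files[m.group(1)].startswith(PEM_HEADER):
                findings.append(f"line {lineno}: {m.group(1)} is not a PEM certificate")
    return findings
```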