On 17/08/2012 7:46 p.m., dladla wrote:
I recently decided to build a new virtual server to replace our ageing squid reverse proxy server. The old one was running Oracle Enterprise Linux 5 with squid 3.0.STABLE26. I built the new one with CentOS 6 and initially I used the standard version of squid installed with yum, i.e. 3.1.10. When I had problems with that I built 3.2.1 but that had the same problem.

The issue is that login=PASS is not working properly with Exchange 2010. Although normal user logins to OWA work OK, and ActiveSync works OK, the SOAP interface (which is used by the BlackBerry BIS server) doesn't authenticate, and the Exchange server just keeps returning 401 not authorized.

My config file is:

visible_hostname gw01
##extension_methods RPC_IN_DATA RPC_OUT_DATA
pid_filename /var/run/squid_owa.pid
cache_effective_user squid
cache_effective_group squid
access_log /var/log/squid/access_owa.log squid
cache_log /var/log/squid/cache_owa.log
cache_store_log /var/log/squid/store_owa.log
acl http url_regex -i ^http://
acl owa dstdomain owa.company.com
http_port 82 accel defaultsite=owa.company.com
https_port 444 accel cert=/usr/local/ssl/company.com.cert key=/usr/local/ssl/company.com.key defaultsite=owa.company.com
http_access allow http
http_access allow owa
http_access deny all
url_rewrite_program /usr/local/sbin/squid_owa_url_rewrite
cache_peer 192.168.0.91 parent 443 0 login=PASS connection-auth=on front-end-https no-query originserver proxy-only ssl sslflag=DONT_VERIFY_PEER name=owa.company.com
cache_peer_access owa.company.com allow owa
cache_peer_access owa.company.com deny all

The rewrite program just redirects http to https and adds /owa onto the end of the URL if necessary.

After turning on some debugging and poring through log files I saw this request being sent to the Exchange server:

POST /EWS/Exchange.asmx HTTP/1.1
Accept: text/xml, text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Content-Type: text/xml; charset=UTF-8
SOAPAction: http://schemas.microsoft.com/exchange/services/2006/messages/GetFolder
Host: owa.company.com
Content-Length: 501
Via: 1.1 gw01 (squid/3.2.1)
Surrogate-Capability: gw01="Surrogate/1.0"
X-Forwarded-For: 178.239.83.1
Authorization: Basic UEFTUw==
Cache-Control: max-age=259200
Connection: keep-alive
Front-End-Https: On

So the newer versions of squid are sending the literal Authorization string "PASS" encoded as base64! The old version sends the correct authentication information. I guess this is a bug?

For the record: http://bugs.squid-cache.org/show_bug.cgi?id=3625

Amos
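
Added example, not part of the original thread and not squid project code: a check that decodes the Authorization header of a captured upstream request and reports when the proxy forwarded a cache_peer login= keyword as the credential itself, which is the symptom in the dump above. The function name, the verdict strings, the keyword list beyond PASS, and the "alice" control request are assumptions made for illustration.

```python
import base64
import binascii

# Keywords accepted by squid's cache_peer login= option. If one of them shows
# up as the decoded Basic credential, the proxy sent its own config keyword
# upstream. (Only PASS appears in the thread; the others are an assumed extension.)
LOGIN_KEYWORDS = {"PASS", "PASSTHRU", "NEGOTIATE"}

# Constructed sample: a shortened copy of the request headers quoted in the thread.
FROM_PAGE = "\n".join([
    "POST /EWS/Exchange.asmx HTTP/1.1",
    "Host: owa.company.com",
    "Authorization: Basic UEFTUw==",
    "Front-End-Https: On", "", ""])
# Constructed control: the same request carrying a well-formed user:password pair.
CONTROL = FROM_PAGE.replace("UEFTUw==", base64.b64encode(b"alice:s3cret").decode())


def check_basic_auth(raw_request):
    """Return (verdict, detail) for the Authorization header of a request dump."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return ("not-basic", None)
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return ("undecodable", None)
        text = decoded.decode("utf-8", "replace")
        if text.upper() in LOGIN_KEYWORDS:
            return ("literal-keyword", text)   # the failure shown in the thread
        if ":" not in text:
            return ("malformed", text)         # Basic requires user:password
        return ("ok", text.split(":", 1)[0])   # report the user name only
    return ("missing", None)


if __name__ == "__main__":
    for label, req in (("thread dump", FROM_PAGE), ("control", CONTROL)):
        print(label, check_basic_auth(req))
```
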