
Re: Reverse proxy for Outlook 2010 anywhere with NTLM


On 4/03/2013 9:08 a.m., Damir Reic wrote:
I am trying to use squid as outlook reverse proxy but popup on outlook is
appearing all the time and I don't know how to solve the problem.  Also for
some unknown reason with this config squid won't start at boot time and when
I start it manually it takes a long time to start. I am using squid 3.1.19.
Rest of stuff that I configured over squid works fine.

Is my config good for reverse proxying multiple servers? Kinda strange that
I can't specify multiple FQDNs inside an ACL?

Yes, very strange. Separate them with a single space in dstdomain type ACLs and listing multiple FQDNs should work perfectly.

#debug_options ALL,3
logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

I am assuming that you have an old Squid version. If you are on the currently supported releases, please remove the log format re-definition.

pid_filename /var/run/squidext.pid
httpd_suppress_version_string on
cache_mgr nomail_address_given
#visible_hostname webmail.codimensions.com
via off
forwarded_for transparent
ssl_unclean_shutdown on
# Internet connectors
https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=webmail.codimensions.com vhost
https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=portal.codimensions.com vhost
https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=crm.codimensions.com vhost
https_port 444 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=crm.codimensions.com vhost
https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=autodiscover.codimensions.com vhost
https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=meet.codimensions.com vhost
https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=ts.codimensions.com vhost

Um. No.

You can only open a listening socket once across all applications on a machine. Your config above is trying to open *:443 several times. This will be rejected by the OS.

Also, vhost does not work well when the port is configured with a single static SSL certificate, since the client-requested FQDN is probably not the one the certificate was created for. This is a sure way to flood your users with certificate error popups.

For virtual hosted HTTPS sites you require at minimum the squid-3.2 series and the dynamic SSL certificate generator - to create certificates tailored to the virtual host each client request is using. With this feature you only need one port 443 opened.

http_port 80 accel defaultsite=www.codimensions.com vhost
http_port 80 accel defaultsite=www.continuitytrain.com vhost
http_port 80 accel defaultsite=continuitytrain.com vhost
http_port 80 accel defaultsite=codimensions.com vhost

Same problem. Only without the SSL hassles.
This would suffice:
  http_port 80 accel vhost defaultsite=codimensions.com

NP: defaultsite= is the FQDN to use on any requests which arrive without specifying a Host: header containing the virtual host FQDN.


# destination server
cache_peer 10.10.20.33 parent 443 0 ssl ssldomain=webmail.codimensions.com sslcafile=/etc/squid/certs/codimensions/codimensions.crt proxy-only no-query no-digest front-end-https=on originserver login=PASS connection-auth=on name=exchange
cache_peer 10.10.20.53 parent 443 0 ssl ssldomain=webmail.codimensions.com sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=crm1
cache_peer 10.10.20.53 parent 444 0 ssl ssldomain=webmail.codimensions.com sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=crm2
cache_peer 10.10.20.37 parent 443 0 ssl ssldomain=webmail.codimensions.com sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=sharepoint
cache_peer 10.10.20.41 parent 443 0 ssl ssldomain=webmail.codimensions.com sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=ts
cache_peer 10.10.20.34 parent 443 0 ssl ssldomain=webmail.codimensions.com sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=meet
cache_peer 10.10.20.90 parent 80 0 no-query originserver name=apache
acl CODOMmail dstdomain webmail.codimensions.com autodiscover.codimensions.com
acl CODOMportal dstdomain portal.codimensions.com
acl CODOMcrm dstdomain crm.codimensions.com
acl CODOMts dstdomain ts.codimensions.com
acl CODOMmeet dstdomain meet.codimensions.com
acl CODOMapache1 dstdomain www.codimensions.com
acl CODOMapache2 dstdomain www.continuitytrain.com
acl CODOMapache3 dstdomain .continuitytrain.com
acl CODOMapache4 dstdomain .codimensions.com

Are you perhaps suffering from the problem that when you write:
  acl CODOMapache dstdomain www.codimensions.com .codimensions.com

... it complains about duplicate or sub- domains?

That is because the '.' at the start of the second one means match all subdomains of codimensions.com, which includes www.codimensions.com. So mentioning the www.* form is useless, and the different ways of matching one domain screw up the ACL calculations and can cause inconsistent pass/fail behaviour. Just remove the useless www.* form of the domain from your config.

Amos
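
Editor's note: the fragment below is a corrected squid.conf in the shape Amos describes above (one listener per port, a single http_port 80, one dstdomain line per back end with the redundant www.* entries dropped). It is an added example for this archive page, not configuration from the original post or from the Squid project. It assumes: that codimensions.crt is reissued as a certificate carrying every public name as a subjectAltName, since a Squid 3.1 https_port presents exactly one certificate; that the back-end certificates are signed by an internal CA at /etc/squid/certs/internal-ca.crt, so the DONT_VERIFY_PEER/DONT_VERIFY_DOMAIN flags (which disable back-end certificate checking entirely) can be removed; that portal.codimensions.com is served by the sharepoint peer; and that the cache_peer_access and http_access lines, which the quoted config did not include, look as shown. login=PASS and connection-auth=on on the Exchange peer are kept from the original; the NTLM popup itself is not addressed by this thread.

```squid
# --- Listeners: one socket per port --------------------------------------
# Squid 3.1 presents one static certificate per https_port, so the single
# certificate must list every public name as a subjectAltName (assumption:
# codimensions.crt has been reissued as such a SAN certificate).
https_port 443 accel vhost defaultsite=webmail.codimensions.com cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key
# 444 is a different port, so a second listener for the crm2 back end is fine.
https_port 444 accel vhost defaultsite=crm.codimensions.com cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key
http_port 80 accel vhost defaultsite=codimensions.com

# --- Back ends -----------------------------------------------------------
# login=PASS forwards the client's credentials unchanged; connection-auth=on
# pins each client connection to this peer, which NTLM's connection-bound
# handshake needs (both kept from the original post).
# sslcafile= names the CA that signed the back-end certificates (assumption:
# /etc/squid/certs/internal-ca.crt), and ssldomain= is the name each back end's
# own certificate carries, so the DONT_VERIFY_* flags are no longer needed.
cache_peer 10.10.20.33 parent 443 0 proxy-only no-query no-digest originserver ssl ssldomain=webmail.codimensions.com sslcafile=/etc/squid/certs/internal-ca.crt front-end-https=on login=PASS connection-auth=on name=exchange
cache_peer 10.10.20.53 parent 443 0 no-query originserver ssl ssldomain=crm.codimensions.com sslcafile=/etc/squid/certs/internal-ca.crt name=crm1
cache_peer 10.10.20.53 parent 444 0 no-query originserver ssl ssldomain=crm.codimensions.com sslcafile=/etc/squid/certs/internal-ca.crt name=crm2
cache_peer 10.10.20.37 parent 443 0 no-query originserver ssl ssldomain=portal.codimensions.com sslcafile=/etc/squid/certs/internal-ca.crt login=PASS name=sharepoint
cache_peer 10.10.20.41 parent 443 0 no-query originserver ssl ssldomain=ts.codimensions.com sslcafile=/etc/squid/certs/internal-ca.crt login=PASS name=ts
cache_peer 10.10.20.34 parent 443 0 no-query originserver ssl ssldomain=meet.codimensions.com sslcafile=/etc/squid/certs/internal-ca.crt name=meet
cache_peer 10.10.20.90 parent 80 0 no-query originserver name=apache

# --- Site ACLs -----------------------------------------------------------
# Several FQDNs go on one line, separated by spaces. A leading dot already
# matches every subdomain, so www.codimensions.com is not listed beside
# .codimensions.com.
acl CODOMmail dstdomain webmail.codimensions.com autodiscover.codimensions.com
acl CODOMportal dstdomain portal.codimensions.com
acl CODOMcrm dstdomain crm.codimensions.com
acl CODOMts dstdomain ts.codimensions.com
acl CODOMmeet dstdomain meet.codimensions.com
acl CODOMapache dstdomain .codimensions.com .continuitytrain.com
# Requests that arrived on the 444 listener go to the crm2 back end.
acl port444 myport 444

# --- Routing (assumed; the original post showed no cache_peer_access or
# http_access lines). Squid normally uses the first peer, in definition
# order, whose cache_peer_access allows the request, so the broad
# .codimensions.com peer is defined last and every peer ends with a deny.
cache_peer_access exchange allow CODOMmail
cache_peer_access exchange deny all
cache_peer_access crm1 allow CODOMcrm !port444
cache_peer_access crm1 deny all
cache_peer_access crm2 allow CODOMcrm port444
cache_peer_access crm2 deny all
cache_peer_access sharepoint allow CODOMportal
cache_peer_access sharepoint deny all
cache_peer_access ts allow CODOMts
cache_peer_access ts deny all
cache_peer_access meet allow CODOMmeet
cache_peer_access meet deny all
cache_peer_access apache allow CODOMapache
cache_peer_access apache deny all

# Accept only the published sites; the reverse proxy must not relay anything
# else, and must never go direct to arbitrary origins.
http_access allow CODOMmail
http_access allow CODOMportal
http_access allow CODOMcrm
http_access allow CODOMts
http_access allow CODOMmeet
http_access allow CODOMapache
http_access deny all
never_direct allow all
```

Check the syntax with `squid -k parse -f /etc/squid/squid.conf` before restarting, and confirm the listener certificate really carries all the names with `openssl s_client -connect webmail.codimensions.com:443 </dev/null | openssl x509 -noout -text | grep DNS:`; a name missing from that list is exactly the certificate-error popup Amos warns about.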

