RE: Reverse proxy for Outlook 2010 anywhere with NTLM

Hi Amos,

I am using the latest version, 3.2.7, for CentOS.

I did the following:

https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=codimensions.com vhost
http_port 80 accel defaultsite=continuitytrain.com vhost

acl CODIM dstdomain .continuitytrain.com
acl CONTRAIN dstdomain .codimensions.com

#always_direct allow CONTRAIN
#always_direct allow CODIM
never_direct allow CODIM
never_direct allow CONTRAIN
http_access allow CODIM
http_access allow CONTRAIN
http_access deny all

cache_peer_access exchange allow CODIM
cache_peer_access sharepoint allow CODIM
cache_peer_access crm1 allow CODIM
cache_peer_access crm2 allow CODIM
cache_peer_access ts allow CODIM
cache_peer_access meet allow CODIM
cache_peer_access apache allow CODIM
cache_peer_access apache allow CONTRAIN
cache_peer_access exchange  deny all
cache_peer_access sharepoint  deny all
cache_peer_access crm1  deny all
cache_peer_access crm2  deny all
cache_peer_access ts  deny all
cache_peer_access meet  deny all
cache_peer_access apache deny all
# eof



Now I can't reach www.continuitytrain.com or the other virtual hosts that were
specified in the last config (ts.codimensions.com, portal.codimensions.com, ...).



Thanks,
Damir

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] 
Sent: Monday, March 04, 2013 4:32 AM
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re:  Reverse proxy for Outlook 2010 anywhere with NTLM

On 4/03/2013 9:08 a.m., Damir Reic wrote:
> I am trying to use squid as an outlook reverse proxy but a popup in outlook
> is appearing all the time and I don't know how to solve the problem.
> Also for some unknown reason with this config squid won't start at
> boot time and when I start it manually it takes a long time to start. I am
> using squid 3.1.19.
> The rest of the stuff that I configured on squid works fine.
>
> Is my config good for reverse proxying multiple servers? Kinda strange
> that I can't specify multiple FQDNs inside an ACL?

Yes very strange. Separate them with a single space in dstdomain type ACLs
and listing multiple FQDN should be working perfectly.

> #debug_options ALL,3
> logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st 
> "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

I am assuming that you have an old Squid version. If you are on the current
supported releases please remove the log format re-definition.

> pid_filename /var/run/squidext.pid
> httpd_suppress_version_string on
> cache_mgr nomail_address_given
> #visible_hostname webmail.codimensions.com
> via off
> forwarded_for transparent
> ssl_unclean_shutdown on
> # Internet connectors
> https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=webmail.codimensions.com vhost
> https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=portal.codimensions.com vhost
> https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=crm.codimensions.com vhost
> https_port 444 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=crm.codimensions.com vhost
> https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=autodiscover.codimensions.com vhost
> https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=meet.codimensions.com vhost
> https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=ts.codimensions.com vhost

Um. No.

You can only open a listening socket once across all applications on a
machine. Your config above is trying to open *:443 several times. This will
be rejected by the OS.

Also, vhost does not work well when the port is configured with a single
static SSL certificate. Since the client requested FQDN is probably not the
one the certificate was created for. This is a sure way to flood your users
with certificate error popups.


For virtual hosted HTTPS sites you require at minimum the squid-3.2 series
and the dynamic SSL certificate generator - to create certificates tailored
to the virtual host each client request is using.
With this feature you only need one port 443 opened.

> http_port 80 accel defaultsite=www.codimensions.com vhost
> http_port 80 accel defaultsite=www.continuitytrain.com vhost
> http_port 80 accel defaultsite=continuitytrain.com vhost
> http_port 80 accel defaultsite=codimensions.com vhost

Same problem. Only without the SSL hassles.
This would suffice:
   http_port 80 accel vhost defaultsite=codimensions.com

NP: defaultsite= is the FQDN to use on any requests which arrive without
specifying a Host: header containing the virtual host FQDN.


> # destination server
> cache_peer 10.10.20.33 parent 443 0 ssl ssldomain=webmail.codimensions.com
> sslcafile=/etc/squid/certs/codimensions/codimensions.crt  proxy-only
> no-query no-digest front-end-https=on originserver   login=PASS
> connection-auth=on name=exchange forceddomain=webmail.codimensions.com
> cache_peer 10.10.20.53 parent 443 0 ssl ssldomain=webmail.codimensions.com
> sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query
> originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=crm1
> cache_peer 10.10.20.53 parent 444 0 ssl ssldomain=webmail.codimensions.com
> sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query
> originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=crm2
> cache_peer 10.10.20.37 parent 443 0 ssl ssldomain=webmail.codimensions.com
> sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query
> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
> name=sharepoint
> cache_peer 10.10.20.41 parent 443 0 ssl ssldomain=webmail.codimensions.com
> sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query
> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
> name=ts
> cache_peer 10.10.20.34 parent 443 0 ssl ssldomain=webmail.codimensions.com
> sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query
> originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=meet
> cache_peer 10.10.20.90 parent 80 0 no-query originserver name=apache
> acl CODOMmail dstdomain webmail.codimensions.com autodiscover.codimensions.com
> acl CODOMportal dstdomain portal.codimensions.com
> acl CODOMcrm dstdomain crm.codimensions.com
> acl CODOMts dstdomain ts.codimensions.com
> acl CODOMmeet dstdomain meet.codimensions.com
> acl CODOMapache1 dstdomain www.codimensions.com
> acl CODOMapache2 dstdomain www.continuitytrain.com
> acl CODOMapache3 dstdomain .continuitytrain.com
> acl CODOMapache4 dstdomain .codimensions.com

Are you perhaps suffering from the problem that when you write:
   acl CODOMapache dstdomain www.codimensions.com .codimensions.com

... it complains about duplicate or sub-domains?

That is because the '.' at the start of the second one means match all
subdomains of codimensions.com, which includes www.codimensions.com. So
mentioning the www.* form is useless, and the different ways of matching one
domain screw up the ACL calculations and can cause inconsistent
pass/fail behaviour. Just remove the useless www.* form of the domain
from your config.

Amos
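The dstdomain overlap Amos describes and the per-peer routing that the ACLs in Damir's reply produce, as an added example that is not part of this thread or of Squid itself: a small Python model of dstdomain matching and cache_peer_access evaluation, loaded with the posted ACL and cache_peer_access lines. It reports which peers the access lists admit for a given Host; which of those Squid finally selects is not modelled.

```python
# Added example, not from the thread or the Squid project: a model of
# Squid's dstdomain matching (a leading '.' matches the domain and every
# subdomain, otherwise exact match) and of per-peer cache_peer_access
# evaluation, loaded with the ACLs and rules from Damir's posted config.
from __future__ import annotations

ACLS = {  # acl <name> dstdomain <patterns>, as posted
    "CODIM": [".continuitytrain.com"],
    "CONTRAIN": [".codimensions.com"],
}
PEERS = ["exchange", "sharepoint", "crm1", "crm2", "ts", "meet", "apache"]
# cache_peer_access lines in config order: (peer, action, acl)
PEER_ACCESS = [(p, "allow", "CODIM") for p in PEERS]
PEER_ACCESS.append(("apache", "allow", "CONTRAIN"))
PEER_ACCESS += [(p, "deny", "all") for p in PEERS]


def dstdomain_match(pattern: str, host: str) -> bool:
    """Squid dstdomain semantics: '.x.com' matches x.com and *.x.com."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_match(name: str, host: str) -> bool:
    return name == "all" or any(dstdomain_match(p, host) for p in ACLS[name])


def allowed_peers(host: str) -> list[str]:
    """Peers whose access list admits the host: the first matching line per
    peer decides, and every peer here ends with 'deny all', so each gets a
    verdict. Selection among the admitted peers is left to Squid."""
    verdict: dict[str, bool] = {}
    for peer, action, acl in PEER_ACCESS:
        if peer not in verdict and acl_match(acl, host):
            verdict[peer] = action == "allow"
    return [p for p in PEERS if verdict.get(p, False)]


def redundant_entries(patterns: list[str]) -> list[str]:
    """Entries already covered by a wildcard sibling in the same ACL, the
    overlap Amos describes for 'www.codimensions.com .codimensions.com'."""
    return [p for p in patterns
            if any(q != p and q.startswith(".") and dstdomain_match(q, p.lstrip("."))
                   for q in patterns)]


if __name__ == "__main__":
    for host in ("ts.codimensions.com", "www.continuitytrain.com"):
        print(host, "->", allowed_peers(host))
    print(redundant_entries(["www.codimensions.com", ".codimensions.com"]))
```

Run against the posted rules, a request for ts.codimensions.com is admitted only by the apache peer, while a request for www.continuitytrain.com is admitted by every peer, which matches the symptom Damir reports.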


