On 12/03/2015 11:15 a.m., Alex Samad wrote:
> I have to admit this was built from a lot of googling for a working config.
>
>
> On 11 March 2015 at 19:09, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> On 11/03/2015 7:16 p.m., Alex Samad wrote:
> [snip]
>>> # List of acceptable URLs to send to the Exchange server
>>> acl exch_url url_regex -i <o>/exchange
>>> acl exch_url url_regex -i <o>/exchweb
>>> acl exch_url url_regex -i <o>/public
>>> acl exch_url url_regex -i <o>/owa
>>> acl exch_url url_regex -i <o>/ecp
>>> acl exch_url url_regex -i <o>/microsoft-server-activesync
>>> acl exch_url url_regex -i <o>/rpc
>>> acl exch_url url_regex -i <o>/rpcwithcert
>>> acl exch_url url_regex -i <o>/exadmin
>>> acl exch_url url_regex -i <o>/oab
>>
>> I suggest you replace the above with ACLs:
>>
>> acl exch_domain dstdomain <o>
>> acl exch_path urlpath_regex -i /exch(ange|web)
>> acl exch_path urlpath_regex -i /public
>> acl exch_path urlpath_regex -i /owa
>> ...
> I presume you ... means the other paths

Yes.

>
> and this is for speed ?

Yes, and safety preventing matching against other non-path parts of the URL.

I forgot to start the paths with "^" characters in the above to make sure they match only at the beginning of the path.

>
>>
> [snip]
>
>>> # Logging Configuration
>>> redirect_rewrites_host_header off
>>
>> That's begging for abuse of the security hole it opens. If you can
>> operate without that setting please do so.
> I believe (and it's been a while, that it was needed for exchange), I can
> find some time and retest.
>
>> NOTE: it's not optional. You have disabled most of the HTTP features
>> which use the Squid hostname, but not all of them can be.
>> For example "via off" contradicts this comment, by NOT adding Squid to
>> the relay path (Via header).
>>
>>
>>> visible_hostname <o>
>>> deny_info TCP_RESET all
>>>
>>> # ACL - required to allow
>>> #acl all src ALL
>>>
>>> # Allow everyone through, internal and external connections
>>> http_access allow all
>>> miss_access allow all
>>>
>>> icp_port 0
>>> snmp_port 0
>>>
>>> via off
> so you would suggest
> visible <o>
> and no via off ?

Yes if you can. It is more HTTP compliant and helps detect some potential nasty attacks.

Amos
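
The safety point made in the reply above (url_regex versus dstdomain plus "^"-anchored urlpath_regex), as an added example that is not part of the original thread: a simplified Python model of the three ACL styles run over constructed URLs. Assumptions: `mail.example.com` stands in for the redacted `<o>`, Python's `re` stands in for Squid's regex engine, and the URL path is taken to include the query string.

```python
import re
from urllib.parse import urlsplit

HOST = "mail.example.com"  # constructed stand-in for the redacted <o>
PATHS = ["exchange", "exchweb", "public", "owa", "ecp",
         "microsoft-server-activesync", "rpc", "rpcwithcert", "exadmin", "oab"]

# Original style: acl exch_url url_regex -i <o>/path (searched anywhere in the full URL;
# the dots in the hostname are regex wildcards because they are not escaped)
URL_REGEX = [re.compile(HOST + "/" + p, re.I) for p in PATHS]
# Suggested style as first posted: urlpath_regex -i /path (no anchor)
PATH_LOOSE = [re.compile("/" + p, re.I) for p in PATHS]
# Suggested style with the "^" added: urlpath_regex -i ^/path
PATH_ANCHORED = [re.compile("^/" + p, re.I) for p in PATHS]

def match_url_regex(url):
    """Model of the single url_regex ACL."""
    return any(r.search(url) for r in URL_REGEX)

def match_domain_and_path(url, anchored):
    """Model of 'dstdomain <o>' AND 'urlpath_regex' on the same access rule."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path + ("?" + parts.query if parts.query else "")
    regexes = PATH_ANCHORED if anchored else PATH_LOOSE
    return host == HOST and any(r.search(path) for r in regexes)

# Constructed sample requests
SAMPLES = [
    "https://mail.example.com/owa/auth/logon.aspx",
    "https://mail.example.com/Microsoft-Server-ActiveSync?Cmd=Ping",
    "https://other.example.net/page?ref=mail.example.com/owa",  # host string in query
    "https://mailXexample.com/owa",                             # unescaped dot
    "https://mail.example.com/private/report?next=/owa",        # path text in query
]

def compare():
    """Return {url: (url_regex, unanchored path ACL, anchored path ACL)}."""
    return {u: (match_url_regex(u),
                match_domain_and_path(u, anchored=False),
                match_domain_and_path(u, anchored=True)) for u in SAMPLES}

if __name__ == "__main__":
    for url, verdicts in compare().items():
        print(verdicts, url)
```

Only the last column accepts the two genuine Exchange requests and nothing else: url_regex also accepts the third and fourth URLs, and the unanchored path ACL also accepts the fifth.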