Re: squid reverse proxy infront of exchange 2010

On 2015-12-09 11:29 pm, Alex Samad wrote:
Hi

config
https_port 22.4.2.5:443 accel \
 cert=/etc/httpd/conf.d/office.abc.com.crt \
 key=/etc/httpd/conf.d/office.abc.com.key defaultsite=office.abc.com \
 options=NO_SSLv2,NO_SSLv3 \
 dhparams=/etc/squid/squid-office-dhparams.pem \
 cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest \
 originserver login=PASS ssl sslflags=DONT_VERIFY_PEER \
 sslcert=/etc/httpd/conf.d/office.abc.com.crt \
 sslkey=/etc/httpd/conf.d/office.abc.com.key name=webServer
cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest \
 originserver login=PASS front-end-https=on ssl \
 sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.abc.com.crt \
 sslkey=/etc/httpd/conf.d/office.abc.com.key name=exchangeServer
acl exch_domain dstdomain office.abc.com
acl exch_path urlpath_regex -i /exch(ange|web)
acl exch_path urlpath_regex -i /public
acl exch_path urlpath_regex -i /owa
acl exch_path urlpath_regex -i /ecp
acl exch_path urlpath_regex -i /microsoft-server-activesync
acl exch_path urlpath_regex -i /rpc
acl exch_path urlpath_regex -i /rpcwithcert
acl exch_path urlpath_regex -i /exadmin
acl exch_path urlpath_regex -i /ews
acl exch_path urlpath_regex -i /oab
acl exch_path urlpath_regex -i /autodiscover
cache_peer_access exchangeServer allow exch_domain exch_path
cache_peer_access webServer deny exch_domain exch_path
never_direct allow exch_domain exch_path
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
access_log stdio:/var/log/squid/office-access.log squid
cache_log /var/log/squid/office-cache.log
cache_store_log stdio:/var/log/squid/office-cache_store.log
pid_filename /var/run/squid-office.pid
visible_hostname office.abc.com
deny_info TCP_RESET all
http_access allow all
miss_access allow all
icp_port 0
snmp_port 0



cache.log
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process ID 5631
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process Roles: worker
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| With 1024 file descriptors available
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Initializing IP Cache...
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| DNS Socket created at 0.0.0.0, FD 6
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding domain yieldbroker.com from /etc/resolv.conf
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver 10.32.20.100 from /etc/resolv.conf
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver 10.32.20.102 from /etc/resolv.conf
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log stdio:/var/log/squid/office-access.log
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log stdio:/var/log/squid/office-cache_store.log
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Swap maxSize 0 + 32768 KB, estimated 2520 objects
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Target number of buckets: 126
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using 8192 Store buckets
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Mem  size: 32768 KB
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Swap size: 0 KB
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using Least Load store dir selection
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Current Directory is /etc/squid
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Finished loading MIME types and icons.
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| HTCP Disabled.
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 127.0.0.1/443/0
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 10.32.69.11/443/0
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Squid plugin modules loaded: 0
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adaptation support is off.
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Accepting reverse-proxy HTTPS Socket connections at local=202.74.32.15:443 remote=[::] FD 11 flags=9
Jan 01 10:33:35 1970/12/10 16:15:43 kid1| storeLateRelease: released 0 objects


cache log
Dec 10 16:16:23 2015.225 RELEASE -1 FFFFFFFF BE6736C8CD1A74A54575AF9880395D04   ?         ?         ?         ? ?/? ?/? ? ?
Dec 10 16:16:34 2015.287 RELEASE -1 FFFFFFFF 78C390A2D412F8E601035A2C1FD771C8   ?         ?         ?         ? ?/? ?/? ? ?
Dec 10 16:16:34 2015.296 RELEASE -1 FFFFFFFF A7D8B3751858C54225D29408B56FE42D   ?         ?         ?         ? ?/? ?/? ? ?
Dec 10 16:16:37 2015.863 RELEASE -1 FFFFFFFF 35992070307CD15EE743F71344E1C1AE   ?         ?         ?         ? ?/? ?/? ? ?
Dec 10 16:16:37 2015.873 RELEASE -1 FFFFFFFF 17EFD3BCAF4265B7CF7803AD0289DD7E   ?         ?         ?         ? ?/? ?/? ? ?
Dec 10 16:16:49 2015.228 RELEASE -1 FFFFFFFF 2666EC9714425D57FDC4CD15965D350B   ?         ?         ?         ? ?/? ?/? ? ?



access.logs
Dec 10 16:17:09 2015.706     13 192.168.56.1 TCP_MISS/200 6578 POST https://office.abc.com/ews/exchange.asmx - FIRSTUP_PARENT/10.32.69.11 text/xml
Dec 10 16:19:36 2015.447 206818 192.168.56.1 TCP_MISS/200 16532 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 application/rpc
Dec 10 16:19:36 2015.449 206862 192.168.56.1 TCP_MISS_ABORTED/502 4493 RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 text/html
Dec 10 16:19:36 2015.453 207197 192.168.56.1 TCP_MISS_ABORTED/000 0 RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 -
Dec 10 16:19:36 2015.453 207087 192.168.56.1 TCP_MISS_ABORTED/200 48056 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 application/rpc
Dec 10 16:20:07 2015.305  24688 192.168.56.1 TCP_MISS_ABORTED/000 0 RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 -
Dec 10 16:20:07 2015.306  24654 192.168.56.1 TCP_MISS_ABORTED/200 2004 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 application/rpc


This is when I try and send an email with an attachment. An email with
no attachment goes through no problem...


This config works with 3.1, not with 3.5...

Still on .11 as I can't find a CentOS 6 compile of .12.

I think there is some issue with RPC sending or receiving...

On 8 December 2015 at 19:34, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 8/12/2015 7:35 p.m., Alex Samad wrote:
Hi

Any suggestions on how to debug this... I wouldn't mind rolling
forward to 3.5 again


Some ideas inline. The main ones are:

* re-enable cache.log. It is not optional.

* try an upgrade to 3.5.12. There were some regressions in the .10/.11
releases that can lead to really weird behaviour.


On 2 December 2015 at 20:39, Alex Samad wrote:
Just to add to this I have a lot of these in the log file

TCP_MISS_ABORTED/000 0 RPC_IN_DATA
TCP_MISS_ABORTED/200 4322 RPC_OUT_DATA
TCP_MISS_ABORTED/000 0 RPC_IN_DATA https:



On 2 December 2015 at 17:24, Alex Samad wrote:
Hi

Recently upgraded to squid-3.5.11-1.el6.x86_64 from the CentOS 6.7 Squid 3.1.


I am now having problems with people who use ActiveSync via this
connection. It seems like emails with attachments aren't making it
through.

cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest \
 originserver login=PASS front-end-https=on ssl \
 sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.yx.com.crt \
 sslkey=/etc/httpd/conf.d/office.yx.com.key name=exchangeServer

You could try changing these from login=PASS to login=PASSTHRU



cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest \
 originserver login=PASS ssl sslflags=DONT_VERIFY_PEER \
 sslcert=/etc/httpd/conf.d/office.yx.com.crt \
 sslkey=/etc/httpd/conf.d/office.yx.com.key name=webServer

# List of acceptable URLs to send to the Exchange server
acl exch_url url_regex -i office.yieldbroker.com/exchange
acl exch_url url_regex -i office.yieldbroker.com/exchweb
acl exch_url url_regex -i office.yieldbroker.com/public
acl exch_url url_regex -i office.yieldbroker.com/owa
acl exch_url url_regex -i office.yieldbroker.com/ecp
acl exch_url url_regex -i office.yieldbroker.com/microsoft-server-activesync
acl exch_url url_regex -i office.yieldbroker.com/rpc
acl exch_url url_regex -i office.yieldbroker.com/rpcwithcert
acl exch_url url_regex -i office.yieldbroker.com/exadmin
acl exch_url url_regex -i office.yieldbroker.com/oab
# added after
acl exch_url url_regex -i office.yieldbroker.com/ews
# Not configured on exchange 2010
#acl exch_url url_regex -i office.yieldbroker.com/autodiscover

# Send the Exchange URLs to the Exchange server
cache_peer_access exchangeServer allow exch_url

# Send everything else to the Apache
cache_peer_access webServer deny exch_url

# This is to protect Squid
never_direct allow exch_url

# Logging Configuration
redirect_rewrites_host_header off
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
cache_log none

You should re-enable cache.log and fix any of the issues that are logged
there.


cache_store_log none

access_log stdio:/var/log/squid/office-access.log squid
#access_log none
cache_log /var/log/squid/office-cache.log
#cache_log none
pid_filename /var/run/squid-office.pid


# Set the hostname so that we can see Squid in the path (Optional)
visible_hostname yieldbroker.com
deny_info TCP_RESET all

This could lead to strange behaviour. Particularly since "deny all" is
not being used in your http_access rules ...



# Allow everyone through, internal and external connections
http_access allow all
miss_access allow all

icp_port 0
snmp_port 0

via off


The previous setup had worked for at least 18 months.

Alex

On our reverse proxy I ran into an issue uploading attachments to the Exchange back end a while back; it turned out the solution was to lock it down so that the proxy only used SSL version 3 to connect to the Exchange server. This however did recently break after a Windows update in November. Further investigation led to the particular cipher that was in use. After discovering this I was able to use the same cipher with TLSv1.0.

Currently I am using TLSv1.0 with RC4-SHA cipher to talk to the Exchange server.

cache_peer 10.20.10.161 parent 443 0 ssl no-query proxy-only no-digest originserver \
 name=owa2010_parent sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER \
 login=PASSTHRU front-end-https=on connection-auth=on sslcipher=RC4-SHA sslversion=4

I am not however locking down the incoming connections to this setting, I am using the following for the https_port setting. This does pass PCI scans, in case anyone is wondering about the choice of cipher options, and you will notice the RC4 used to send traffic between the Proxy and Exchange is disabled as that doesn't meet current requirements.

https_port 10.50.20.12:443 accel defaultsite=mail.mydomain.com \
 cert=/certs/wildcard.certificate.crt \
 key=/certs/wildcard.certificate.key \
 options=NO_SSLv2:NO_SSLv3:NO_TLSv1:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
 dhparams=/usr/local/etc/squid/dh.param \
 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 \
 vhost


--
Thanks,
   Dean E. Weimer
   http://www.dweimer.net/
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
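As an added diagnostic aid that is not part of the thread or of Squid itself: a Python script that parses access.log lines in Squid's native 'squid' format (the field layout seen in the excerpt above, including the four-token timestamp this 3.5.11 build wrote instead of an epoch value) and reports which Outlook Anywhere legs (RPC_IN_DATA / RPC_OUT_DATA) Squid logged as aborted. The sample lines are constructed from the access.log excerpt in the thread; function names are the example's own.

```python
# Added example for this thread (not Squid's own code): parse Squid
# native 'squid'-format access.log lines and flag Outlook Anywhere
# (RPC_IN_DATA / RPC_OUT_DATA) requests that Squid logged as aborted.
from collections import defaultdict
from urllib.parse import urlsplit
# Constructed sample: the access.log excerpt from the thread, one entry per line.
SAMPLE_LOG = """\
Dec 10 16:17:09 2015.706     13 192.168.56.1 TCP_MISS/200 6578 POST https://office.abc.com/ews/exchange.asmx - FIRSTUP_PARENT/10.32.69.11 text/xml
Dec 10 16:19:36 2015.447 206818 192.168.56.1 TCP_MISS/200 16532 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 application/rpc
Dec 10 16:19:36 2015.449 206862 192.168.56.1 TCP_MISS_ABORTED/502 4493 RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 text/html
Dec 10 16:19:36 2015.453 207197 192.168.56.1 TCP_MISS_ABORTED/000 0 RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 -
Dec 10 16:19:36 2015.453 207087 192.168.56.1 TCP_MISS_ABORTED/200 48056 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 application/rpc
Dec 10 16:20:07 2015.305  24688 192.168.56.1 TCP_MISS_ABORTED/000 0 RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 -
Dec 10 16:20:07 2015.306  24654 192.168.56.1 TCP_MISS_ABORTED/200 2004 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 application/rpc
"""

def parse_line(line):
    """Split one native-format line. The timestamp is normally a single
    epoch token, but this build logged it as four tokens, so the nine
    trailing fields are taken from the right and the rest is the timestamp."""
    parts = line.rsplit(None, 9)
    if len(parts) != 10:
        return None
    ts, dur, client, result, size, method, url, ident, hier, mime = parts
    code, _, status = result.partition("/")
    return {"ts": ts, "ms": int(dur), "client": client, "code": code,
            "status": status, "bytes": int(size), "method": method,
            "path": urlsplit(url).path.lower(),
            "peer": hier.partition("/")[2], "mime": mime}

def rpc_abort_summary(text):
    """Per (method, path): total requests, how many Squid logged with a
    *_ABORTED result code, and how many carried a 5xx status from the peer."""
    stats = defaultdict(lambda: {"total": 0, "aborted": 0, "5xx": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[(rec["method"], rec["path"])]
        s["total"] += 1
        s["aborted"] += int(rec["code"].endswith("_ABORTED"))
        s["5xx"] += int(rec["status"].startswith("5"))
    return dict(stats)

def fully_aborted_rpc(stats):
    """(method, path) keys of RPC-over-HTTP legs where every request aborted."""
    return sorted(k for k, v in stats.items()
                  if k[0] in ("RPC_IN_DATA", "RPC_OUT_DATA")
                  and v["aborted"] == v["total"])
```

Run over the sample, the inbound RPC_IN_DATA leg to /rpc/rpcproxy.dll is the one where every request aborted (one of them with a 502 from the peer), which is the pattern the thread associates with attachment uploads failing.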