Hi

So I have taken this config, done some slight customization for my site, and it appears to be working. Thanks for this.

On 10 December 2015 at 23:44, dweimer <dweimer@xxxxxxxxxxx> wrote:
> On 2015-12-09 11:29 pm, Alex Samad wrote:
>>
>> Hi
>>
>> config
>> https_port 22.4.2.5:443 accel cert=/etc/httpd/conf.d/office.abc.com.crt key=/etc/httpd/conf.d/office.abc.com.key defaultsite=office.abc.com options=NO_SSLv2,NO_SSLv3 dhparams=/etc/squid/squid-office-dhparams.pem cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>> cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.abc.com.crt sslkey=/etc/httpd/conf.d/office.abc.com.key name=webServer
>> cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest originserver login=PASS front-end-https=on ssl sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.abc.com.crt sslkey=/etc/httpd/conf.d/office.abc.com.key name=exchangeServer
>> acl exch_domain dstdomain office.abc.com
>> acl exch_path urlpath_regex -i /exch(ange|web)
>> acl exch_path urlpath_regex -i /public
>> acl exch_path urlpath_regex -i /owa
>> acl exch_path urlpath_regex -i /ecp
>> acl exch_path urlpath_regex -i /microsoft-server-activesync
>> acl exch_path urlpath_regex -i /rpc
>> acl exch_path urlpath_regex -i /rpcwithcert
>> acl exch_path urlpath_regex -i /exadmin
>> acl exch_path urlpath_regex -i /ews
>> acl exch_path urlpath_regex -i /oab
>> acl exch_path urlpath_regex -i /autodiscover
>> cache_peer_access exchangeServer allow exch_domain exch_path
>> cache_peer_access webServer deny exch_domain exch_path
>> never_direct allow exch_domain exch_path
>> cache_mem 32 MB
>> maximum_object_size_in_memory 128 KB
>> access_log stdio:/var/log/squid/office-access.log squid
>> cache_log /var/log/squid/office-cache.log
>> cache_store_log stdio:/var/log/squid/office-cache_store.log
>> pid_filename /var/run/squid-office.pid
>> visible_hostname office.abc.com
>> deny_info TCP_RESET all
>> http_access allow all
>> miss_access allow all
>> icp_port 0
>> snmp_port 0
>>
>>
>> cache.log
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process ID 5631
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process Roles: worker
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| With 1024 file descriptors available
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Initializing IP Cache...
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| DNS Socket created at 0.0.0.0, FD 6
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding domain yieldbroker.com from /etc/resolv.conf
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver 10.32.20.100 from /etc/resolv.conf
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver 10.32.20.102 from /etc/resolv.conf
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log stdio:/var/log/squid/office-access.log
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log stdio:/var/log/squid/office-cache_store.log
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Swap maxSize 0 + 32768 KB, estimated 2520 objects
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Target number of buckets: 126
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using 8192 Store buckets
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Mem size: 32768 KB
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Swap size: 0 KB
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using Least Load store dir selection
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Current Directory is /etc/squid
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Finished loading MIME types and icons.
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| HTCP Disabled.
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 127.0.0.1/443/0
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 10.32.69.11/443/0
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Squid plugin modules loaded: 0
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adaptation support is off.
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Accepting reverse-proxy HTTPS Socket connections at local=202.74.32.15:443 remote=[::] FD 11 flags=9
>> Jan 01 10:33:35 1970/12/10 16:15:43 kid1| storeLateRelease: released 0 objects
>>
>>
>> cache log
>> Dec 10 16:16:23 2015.225 RELEASE -1 FFFFFFFF BE6736C8CD1A74A54575AF9880395D04 ? ? ? ? ?/? ?/? ? ?
>> Dec 10 16:16:34 2015.287 RELEASE -1 FFFFFFFF 78C390A2D412F8E601035A2C1FD771C8 ? ? ? ? ?/? ?/? ? ?
>> Dec 10 16:16:34 2015.296 RELEASE -1 FFFFFFFF A7D8B3751858C54225D29408B56FE42D ? ? ? ? ?/? ?/? ? ?
>> Dec 10 16:16:37 2015.863 RELEASE -1 FFFFFFFF 35992070307CD15EE743F71344E1C1AE ? ? ? ? ?/? ?/? ? ?
>> Dec 10 16:16:37 2015.873 RELEASE -1 FFFFFFFF 17EFD3BCAF4265B7CF7803AD0289DD7E ? ? ? ? ?/? ?/? ? ?
>> Dec 10 16:16:49 2015.228 RELEASE -1 FFFFFFFF 2666EC9714425D57FDC4CD15965D350B ? ? ? ? ?/? ?/? ? ?
>>
>>
>> access.logs
>> Dec 10 16:17:09 2015.706 13 192.168.56.1 TCP_MISS/200 6578 POST https://office.abc.com/ews/exchange.asmx - FIRSTUP_PARENT/10.32.69.11 text/xml
>> Dec 10 16:19:36 2015.447 206818 192.168.56.1 TCP_MISS/200 16532 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 application/rpc
>> Dec 10 16:19:36 2015.449 206862 192.168.56.1 TCP_MISS_ABORTED/502 4493 RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 text/html
>> Dec 10 16:19:36 2015.453 207197 192.168.56.1 TCP_MISS_ABORTED/000 0 RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 -
>> Dec 10 16:19:36 2015.453 207087 192.168.56.1 TCP_MISS_ABORTED/200 48056 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 application/rpc
>> Dec 10 16:20:07 2015.305 24688 192.168.56.1 TCP_MISS_ABORTED/000 0 RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 -
>> Dec 10 16:20:07 2015.306 24654 192.168.56.1 TCP_MISS_ABORTED/200 2004 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/10.32.69.11 application/rpc
>>
>>
>> This is when I try and send an email with an attachment. An email with no attachment goes through no problem...
>>
>>
>> this config works with 3.1, not with 3.5 ..
>>
>> still on .11 as I can't find centos 6 compile of .12
>>
>> I think there is some issue with rpc sending or receiving ..
>>
>> On 8 December 2015 at 19:34, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>
>>> On 8/12/2015 7:35 p.m., Alex Samad wrote:
>>>>
>>>> Hi
>>>>
>>>> Any suggestions on how to debug this... I wouldn't mind rolling forward to 3.5 again
>>>>
>>>
>>> Some ideas inline. The main ones are:
>>>
>>> * re-enable cache.log. It is not optional.
>>>
>>> * try an upgrade to 3.5.12. There were some regressions in the .10/.11 releases that can lead to really weird behaviour.
>>>
>>>
>>>> On 2 December 2015 at 20:39, Alex Samad wrote:
>>>>>
>>>>> Just to add to this I have a lot of these in the log file
>>>>>
>>>>> TCP_MISS_ABORTED/000 0 RPC_IN_DATA
>>>>> TCP_MISS_ABORTED/200 4322 RPC_OUT_DATA
>>>>> TCP_MISS_ABORTED/000 0 RPC_IN_DATA https:
>>>>>
>>>>>
>>>>> On 2 December 2015 at 17:24, Alex Samad wrote:
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> recently upgraded to squid-3.5.11-1.el6.x86_64 from the centos 6.7 squid 3.1
>>>>>>
>>>>>>
>>>>>> I am now having problems with people who use active sync via this connection. Seems like emails with attachments aren't making it through.
>>>>>>
>>>>>> cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest originserver login=PASS front-end-https=on ssl sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.yx.com.crt sslkey=/etc/httpd/conf.d/office.yx.com.key name=exchangeServer
>>>
>>>
>>> You could try changing these from login=PASS to login=PASSTHRU
>>>
>>>>>>
>>>>>>
>>>>>> cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.yx.com.crt sslkey=/etc/httpd/conf.d/office.yx.com.key name=webServer
>>>>>>
>>>>>> # List of acceptable URLs to send to the Exchange server
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/exchange
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/exchweb
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/public
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/owa
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/ecp
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/microsoft-server-activesync
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/rpc
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/rpcwithcert
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/exadmin
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/oab
>>>>>> # added after
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/ews
>>>>>> # Not configured on exchange 2010
>>>>>> #acl exch_url url_regex -i office.yieldbroker.com/autodiscover
>>>>>>
>>>>>> # Send the Exchange URLs to the Exchange server
>>>>>> cache_peer_access exchangeServer allow exch_url
>>>>>>
>>>>>> # Send everything else to the Apache
>>>>>> cache_peer_access webServer deny exch_url
>>>>>>
>>>>>> # This is to protect Squid
>>>>>> never_direct allow exch_url
>>>>>>
>>>>>> # Logging Configuration
>>>>>> redirect_rewrites_host_header off
>>>>>> cache_mem 32 MB
>>>>>> maximum_object_size_in_memory 128 KB
>>>>>> cache_log none
>>>
>>>
>>> You should re-enable cache.log and fix any of the issues that are logged there.
>>>
>>>
>>>>>> cache_store_log none
>>>>>>
>>>>>> access_log stdio:/var/log/squid/office-access.log squid
>>>>>> #access_log none
>>>>>> cache_log /var/log/squid/office-cache.log
>>>>>> #cache_log none
>>>>>> pid_filename /var/run/squid-office.pid
>>>>>>
>>>>>>
>>>>>> # Set the hostname so that we can see Squid in the path (Optional)
>>>>>> visible_hostname yieldbroker.com
>>>>>> deny_info TCP_RESET all
>>>
>>>
>>> This could lead to strange behaviour. Particularly since "deny all" is not being used in your http_access rules ...
>>>
>>>
>>>>>>
>>>>>> # Allow everyone through, internal and external connections
>>>>>> http_access allow all
>>>>>> miss_access allow all
>>>>>>
>>>>>> icp_port 0
>>>>>> snmp_port 0
>>>>>>
>>>>>> via off
>>>>>>
>>>>>>
>>>>>> The previous setup had worked for at least 18 months.
>>>>>>
>>>>>> Alex
>
>
> On our Reverse proxy I ran into an issue uploading attachments to the Exchange back end a while back; turned out the solution was to lock it down so that the proxy only used SSL version 3 to connect to the Exchange server. This however did recently break after a Windows update in November. Further investigation led to the particular cipher that was in use. After discovering this I was able to use the same cipher with TLSv1.0.
>
> Currently I am using TLSv1.0 with RC4-SHA cipher to talk to the Exchange server.
>
> cache_peer 10.20.10.161 parent 443 0 ssl no-query proxy-only no-digest originserver \
>     name=owa2010_parent sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER \
>     login=PASSTHRU front-end-https=on connection-auth=on sslcipher=RC4-SHA sslversion=4
>
> I am not however locking down the incoming connections to this setting; I am using the following for the https_port setting. This does pass PCI scans, in case anyone is wondering about the choice of cipher options, and you will notice the RC4 used to send traffic between the Proxy and Exchange is disabled as that doesn't meet current requirements.
>
> https_port 10.50.20.12:443 accel defaultsite=mail.mydomain.com \
>     cert=/certs/wildcard.certificate.crt \
>     key=/certs/wildcard.certificate.key \
>     options=NO_SSLv2:NO_SSLv3:NO_TLSv1:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
>     dhparams=/usr/local/etc/squid/dh.param \
>     cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 \
>     vhost
>
>
> --
> Thanks,
> Dean E. Weimer
> http://www.dweimer.net/

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
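The thread ends with two very different TLS postures on the same proxy: a hardened `https_port` listener in front, and a `cache_peer` to Exchange that disables certificate verification and pins RC4 over TLSv1.0. As an added example (not code from the thread, from Squid or from either poster), here is a small Python checker that reads `squid.conf` text in both styles shown above (single-line directives and Dean's backslash-continued ones) and reports those weak peer settings plus listeners missing `NO_SSLv2`/`NO_SSLv3`/`NO_TLSv1`. The config fragment is constructed with placeholder addresses, and the `sslversion` numbering (2=SSLv2, 3=SSLv3, 4=TLSv1.0) is Squid 3.x's.

```python
import re

# Constructed squid.conf fragment (placeholder addresses/hostnames) mirroring the
# thread's directives: a hardened listener, a TLSv1.0/RC4 peer and a lax listener.
SAMPLE_CONF = """
https_port 10.50.20.12:443 accel defaultsite=mail.example.com \\
    options=NO_SSLv2:NO_SSLv3:NO_TLSv1:CIPHER_SERVER_PREFERENCE \\
    cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 vhost
cache_peer 10.20.10.161 parent 443 0 ssl proxy-only originserver \\
    name=owa2010_parent sslflags=DONT_VERIFY_PEER login=PASSTHRU \\
    sslcipher=RC4-SHA sslversion=4
https_port 22.4.2.5:443 accel defaultsite=office.example.com options=NO_SSLv2
"""

def logical_lines(conf):
    """Join backslash-continued lines (Dean's style) and drop blanks/comments."""
    out, buf = [], ""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    return out

def check_tls(conf):
    """Return (directive_name, finding) pairs for weak TLS settings."""
    findings = []
    for line in logical_lines(conf):
        words = line.split()
        kind = words[0]
        opts = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        name = opts.get("name", words[1])
        if kind == "cache_peer":
            if "DONT_VERIFY_PEER" in opts.get("sslflags", ""):
                findings.append((name, "peer certificate not verified"))
            if "RC4" in opts.get("sslcipher", ""):
                findings.append((name, "RC4 cipher to peer"))
            if opts.get("sslversion") in ("2", "3", "4"):  # SSLv2/SSLv3/TLSv1.0 only
                findings.append((name, "peer pinned to SSLv2/SSLv3/TLSv1.0"))
        elif kind == "https_port":
            # Alex separates options with commas, Dean with colons; accept both.
            flags = set(re.split("[:,]", opts.get("options", "")))
            for proto in ("NO_SSLv2", "NO_SSLv3", "NO_TLSv1"):
                if proto not in flags:
                    findings.append((name, f"{proto} not set on listener"))
    return findings
```

Running `check_tls(SAMPLE_CONF)` reports nothing for the hardened listener, three findings for the Exchange peer and two missing protocol restrictions for the second listener.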