On 11/02/2016 3:40 a.m., Philipp Fischer wrote: > Hi, > > i´m trying to get squid working as reverse Proxy for Exchange 2016. > > Actually it works quite smooth for OWA but fails again and again > when trying to connecto to the EAS Site of my Exchange. > > From the IIS-Logs of the mailserver i can see 401 replys two or three > times and then squid sends the user credentials which results in a > 200 message. > > When using EAS the connect (from Exchange remote connectivty > analyzer) connects to the autodiscover site first – which produces > about three 401´s and then to the eas-site – again about two or three > 401´s. > > Most times after the 5th 401 reply (not authenticated) squid cuts off > the Connection – is there any way to push squid to do more retries > after a 401 error? I think you may have the wrong idea here. 401 is not an error, and it not a message that matters to Squid. It is an instruction from the web service to the client. Suqid shoul dmost definitely *not* retry when it sees one. Squid job in this case is simply to relay the 401 to the client. So that the client can supply the necessary credentials on its next (repeated) request. Your cache_peer lines already contains "login=PASSTHRU connection-auth=on" which is correct for handling any type of 401 login that the server might want to use. Evrything else is a problem directly between the IIS and the client browser. > > Here´s my IIS-Log: > > 2016-02-10 13:18:56 10.89.5.3 OPTIONS /Autodiscover/Autodiscover.xml &CorrelationID=<empty>;&ClientId=PBUQLXUG4EOZTNG08F3BGG&cafeReqId=f7e3c699-96b5-4e79-8a54-03334a9fe7fe; 443 - 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 401 0 0 78 > > 2016-02-10 13:18:56 10.89.5.3 POST /Autodiscover/Autodiscover.xml &CorrelationID=<empty>;&ClientId=LBQ9QZKE0YCFS3BZUOYG&cafeReqId=392f5e78-5272-4ed1-a062-c1706e341dbf; 443 - 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 401 0 0 0 > > 2016-02-10 13:19:04 10.89.5.3 POST /Autodiscover/Autodiscover.xml &CorrelationID=<empty>;&ClientId=XTSRHRKWV0ETDZKCRLXO6W&cafeReqId=684a8948-eeb9-401f-a9bf-61d2581f138f; 443 DOMAIN\test 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 200 0 0 7515 > > 2016-02-10 13:19:05 10.89.5.3 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=POVVU5U8Z0SDIKZWQEPRNA&cafeReqId=109adc1a-93f9-4491-aadc-b615e5b7c36a; 443 - 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 401 2 5 0 > > Line 390924: 2016-02-10 13:19:07 10.89.5.3 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=YDXPIAVIDEYCERPKPSRQ&cafeReqId=402020a7-2bd9-4540-9050-b6dd9e34a136; 443 - 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 401 2 5 124 > > Line 390929: 2016-02-10 13:19:07 10.89.5.3 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=PTIZMVB6NUOH1AJ1MGWWA&cafeReqId=2b329cfa-a318-4102-bb5c-3a7652e84d5d; 443 DOMAIN\test 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 200 0 0 390 > > Line 390934: 2016-02-10 13:19:07 10.89.5.3 POST /Microsoft-Server-ActiveSync/default.eas Cmd=FolderSync&User=test&DeviceId=1797657923&DeviceType=TestActiveSyncConnectivity&CorrelationID=<empty>;&ClientId=QC284CQDGK2JMD9TA6X6G&cafeReqId=d9ceafa7-9767-4552-bb34-2444c6435a10; 443 - 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 401 2 5 0 > This looks normal by itself. It is simply the traffic making it through Squid. NO problems are visible at that end. > And here´s my Squid.conf: > > # This file is automatically generated by pfSense > # Do not edit manually ! > > icp_port 0 > dns_v4_first on > pid_filename /var/run/squid/squid.pid > cache_effective_user proxy > cache_effective_group proxy > error_default_language en > icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons > visible_hostname localhost Very bad idea to use "localhost" as your publicy visible domain name. Recent Squid can auto-detect hostname quite well, and if that actually has a problem, then use a resolvable FQDN. Ubuntu found out the hard way some years back that there are ISP out there also setting their proxies names to "localhost". Which results in one end or the other simply dropping the apparently looped traffic in-transit. > cache_mgr admin@localhost Squid error pages instruct your users to email their problem reports to this addres. Squid itself will try to email it crash reports if/when they happen. > access_log /var/squid/logs/access.log > cache_log /var/squid/logs/cache.log > cache_store_log none > netdb_filename /var/squid/logs/netdb.state > pinger_enable on > pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger > > logfile_rotate 10 > debug_options rotate=10 No need for that second line to exist unless you want the cache.log and access.log rotation numbers to be different. The above two sections of lines all look like defaults anyway. If so, then you dont even need to configure any of them. > shutdown_lifetime 3 seconds NP: if you want short shutdown timeout to avoid problems then I highly recommend upgrading to one of the latest Squid releases (3.5.10+). > uri_whitespace strip > > acl dynamic urlpath_regex cgi-bin \? > cache deny dynamic The above is unnecessary. Squid correctly handles dynamic content and your refresh_pattern is already setup for the rare cases where there are problems. > > cache_mem 64 MB > maximum_object_size_in_memory 256 KB > memory_replacement_policy heap GDSF > cache_replacement_policy heap LFUDA > cache_dir ufs /var/squid/cache 100 16 256 These ... > forwarded_for on > minimum_object_size 0 KB > maximum_object_size 4 MB > offline_mode off > cache_swap_low 90 > cache_swap_high 95 ... are all defaults. No need to specify them. > cache allow all If you remove the above cache deny lines then you can also remove this one. > # Add any of your own refresh_pattern entries above these. > refresh_pattern ^ftp: 1440 20% 10080 > refresh_pattern ^gopher: 1440 0% 1440 > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 > refresh_pattern . 0 20% 4320 > > > #Remote proxies > > > # Setup some default acls > # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. > # acl localhost src 127.0.0.1/32 > acl allsrc src all The point of these ACLs being "built-in" is that you can *use* them anywhere in the config without having t have thee "acl ..." lines definign them manually. So consider what is the point of the "allsrc" ACL? its identical to "all" except that Squid has to use extra memory for the one with custom alternative name. I recommend replacing all uses of "allsrc" with "all" and removing the above. > acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 1025-65535 > acl sslports port 443 563 8080 > > # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. > #acl manager proto cache_object > ... same goes for this. > acl purge method PURGE > acl connect method CONNECT > > # Define protocols used for redirects > acl HTTP proto HTTP > acl HTTPS proto HTTPS > http_access allow manager localhost > > http_access deny manager > http_access allow purge localhost > http_access deny purge NP: current best practice is to put the above lines underneath the two below. So the Safe_ports and CONNECT protections (which are DoS protection) are applied before the slower and more resource hungry manager and purge rules. > http_access deny !safeports > http_access deny CONNECT !sslports > > # Always allow localhost connections > # From 3.2 further configuration cleanups have been done to make things easier and safer. > # The manager, localhost, and to_localhost ACL definitions are now built-in. That above comment has no relevance here. This part of squid.conf is about *using* the localhost ACL. > # http_access allow localhost > > request_body_max_size 0 KB Another default. > delay_pools 1 > delay_class 1 2 > delay_parameters 1 -1/-1 -1/-1 > delay_initial_bucket_level 100 > delay_access 1 allow allsrc > Um. This is bad. Forces Squid to do a lot of delayPools traffic accounting memory allocations and calculations. In an attempt to *not* slow the traffic down. Very counter-productive. > # Reverse Proxy settings > http_port 10.0.0.3:80 accel defaultsite=mail.DOMAIN.de vhost > https_port 10.0.0.3:443 accel cert=/usr/pbi/squid-amd64/local/etc/squid/56b21e54ee18f.crt key=/usr/pbi/squid-amd64/local/etc/squid/56b21e54ee18f.key defaultsite=mail.DOMAIN.de vhost > cache_peer 10.89.5.3 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_443_1_pfs > cache_peer 10.89.5.3 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80_1_pfs > acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/owa.*$ > acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/exchange.*$ > acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/public.*$ > acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/exchweb.*$ > acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/ecp.*$ > acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/OAB.*$ > acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/Microsoft-Server-ActiveSync.*$ > acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/rpc/rpcproxy.dll.*$ > acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/rpcwithcert/rpcproxy.dll.*$ > acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/mapi.*$ > acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/EWS.*$ > acl OWA_URI_pfs url_regex -i ^http://mail.DOMAIN.de/AutoDiscover/AutoDiscover.xml > acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/AutoDiscover/AutoDiscover.xml > acl OWA_URI_pfs url_regex -i ^http://autodiscover.DOMAIN.de/AutoDiscover/AutoDiscover.xml > acl OWA_URI_pfs url_regex -i ^https://autodiscover.DOMAIN.de/AutoDiscover/AutoDiscover.xml > cache_peer_access OWA_HOST_443_1_pfs allow OWA_URI_pfs > cache_peer_access OWA_HOST_80_1_pfs allow OWA_URI_pfs Your OWA ACL has a mix of http:// and https:// URLs that it matches. With Exchange and IIS its usually not a good idea to mix those up, and teh serevr can auto-redirect http:// URLs to teh https:// variant and loop if Squid sends to the wrong one. Or Squid can inadvertently publish what teh server things is secured information over the port-80 client connections. Others have found these setups work much better if you lock the traffic to only going to the cache_peer with same port type as it arrived to Squid over. like so: acl HTTPS proto HTTPS acl HTTP proto HTTP cache_peer_access OWA_HOST_443_1_pfs allow HTTPS OWA_URI_pfs cache_peer_access OWA_HOST_80_1_pfs allow HTTP OWA_URI_pfs Where the OWA_URI_pfs ACL does not contains the "http(s)://" portion of the URLs. OR, if you want to strictly require only those path+scheme combos, use two ACLs - one for each peer. With https:// entries in one, and http:// in the other. > cache_peer_access OWA_HOST_443_1_pfs deny allsrc > cache_peer_access OWA_HOST_80_1_pfs deny allsrc > never_direct allow OWA_URI_pfs > http_access allow OWA_URI_pfs > > > # Custom options before auth > > > # Setup allowed ACLs > # Default block all to be sure > http_access deny allsrc > > I also tried to Change the squid.conf to a example config from the faq´s – which had the same effect as described above. > > Any ideas anybody? Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
