Hi All,
My goal is to configure a reverse proxy for Outlook Anywhere clients using squid.
http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc
This will replace the existing TMG that my client is currently using.
However, when I run squid I get an error "No valid signing SSL certificate configured for HTTPS_port".
Before, I was able to get OWA and HTTPS traffic using NGINX as reverse proxy but was getting connection errors when trying to use OutlookAnywhere.
So now I have been testing Squid but cannot get past the certificate installation which was painless under Nginx.
Configuration is based on the article linked above.
I am getting the "...no valid signing certificate" error every time.
I found a few posts saying that it was not possible to use SSL certificates signed by a public CA and that self-signed certs must be used.
Can anyone confirm if this is the case?
Logs and config files below.
uname -a
Linux srv-squid 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
SSL certificate:
obtained from StartSSL for mail.contoso.com
SQUID.CONF
#### START
visible_hostname mail.contoso.com
redirect_rewrites_host_header off
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
#logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh ###this causes an error
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_store_log none
cache_mgr nomail_address_given
forwarded_for transparent
### ignore_expect_100 ## not available in version 3.5
ssl_unclean_shutdown on
### The most important line
### "cert" should contain Exchange certificate and key
### "sslproxy_cafile" contains CA of root servers - StartSSL ?!
https_port mail.contoso.com:443 accel cert=/home/kk/ssl/cert-mail/mail.contoso.com.pem defaultsite=mail.contoso.com key=/home/kk/ssl/cert-mail/mail.contoso.com.key
cache_peer exch.kk1.tech parent 443 0 proxy-only no-digest no-query originserver front-end-https=on login=PASS sslflags=DONT_VERIFY_PEER connection-auth=on name=Exchange
acl exch_url url_regex -i mail.contoso.com/owa
acl exch_url url_regex -i mail.contoso.com/microsoft-server-activesync
acl exch_url url_regex -i mail.contoso.com/rpc
cache_peer_access Exchange allow exch_url
cache_peer_access Exchange deny all
never_direct allow exch_url
http_access allow exch_url
http_access deny all
miss_access allow exch_url
miss_access deny all
deny_info https://mail.contoso.com/owa all
###END
ERROR
cache.log
2016/11/05 08:52:13| storeDirWriteCleanLogs: Starting...
2016/11/05 08:52:13| Finished. Wrote 0 entries.
2016/11/05 08:52:13| Took 0.00 seconds ( 0.00 entries/sec).
FATAL: No valid signing SSL certificate configured for HTTPS_port 3.3.3.201:443
Squid Cache (Version 3.5.22): Terminated abnormally.
CPU Usage: 0.004 seconds = 0.000 user + 0.004 sys
Maximum Resident Size: 46624 KB
Page faults with physical i/o: 0
SQUID - compiled from sources
squid -v
Squid Cache: Version 3.5.22
Service Name: squid
configure options: '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid3' '--srcdir=.' '--datadir=/share/squid3' '--sysconfdir=/etc/squid3' '--with-logdir=/var/log' '--with-pidfile=/var/run/squid3.pid' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=' '--enable-arp-acl' '--enable-esi' '--enable-ssl' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-ssl' '--disable-ipv6' '--with-openssl' --enable-ltdl-convenience
I'd appreciate any feedback.
Cheers
Konrad
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
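An added pre-flight check (not from Konrad's post or the Squid project) for the cert= and key= files named on the https_port line above: before starting squid, confirm the cert file parses, the key is an unencrypted PEM key, the two carry the same public key, and the cert actually covers the hostname. It assumes openssl is on PATH; the paths and hostname are arguments.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Checks a cert=/key= pair the way a practitioner would before handing it to
# an https_port line. Assumes the openssl CLI (1.0.2 or newer, for -checkhost).
set -u

# check_https_port_pair CERT KEY [HOSTNAME]
# Returns 0 when CERT is a parseable X.509 certificate, KEY is a parseable
# unencrypted private key, both hold the same public key, and (if given)
# HOSTNAME matches the certificate's SAN/CN. Prints the first failing reason.
check_https_port_pair() {
    cert="$1"; key="$2"; host="${3:-}"

    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "cert: $cert is not a readable PEM certificate"; return 1
    fi
    # -passin pass: stops openssl from prompting on an encrypted key; squid
    # cannot answer a passphrase prompt at startup either.
    if ! openssl pkey -in "$key" -passin pass: -noout >/dev/null 2>&1; then
        echo "key: $key is not an unencrypted PEM private key"; return 1
    fi

    # Compare the public key embedded in the cert with the one derived from
    # the private key; a mismatch means the files are from different CSRs.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "mismatch: public key in $cert differs from the one in $key"; return 1
    fi

    # -checkhost always exits 0, so inspect its text ("does match" vs "does NOT match").
    if [ -n "$host" ] && ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "name: $cert does not cover $host"; return 1
    fi

    echo "ok: $cert and $key form a usable pair"
    return 0
}

# Usage with the paths from the https_port line in the post:
# check_https_port_pair /home/kk/ssl/cert-mail/mail.contoso.com.pem \
#     /home/kk/ssl/cert-mail/mail.contoso.com.key mail.contoso.com
```

Run it as the user that starts squid so file permission problems show up too.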