[squid-users] Lotus iNotes redirect problem with Squid reverse proxy

From: <Geoff.Moore@dont-contact.us>
Date: Fri, 3 Sep 2004 12:39:02 +0100

Hello all,

Straight away I apologise that this is a Notes-specific question. I've
also posted to notes.net, but I'd be very interested to hear if other
Squid people have come across something similar.

We have a Slackware box running Squid 2.5.STABLE4. The box functions as a
secure reverse proxy for a backend Lotus Domino R6.52 box running iNotes
webmail. Everything works up to a point. Incoming https web traffic goes
to squid https_port 443. The backend connection is unencrypted, and the
squid accelerator settings are:

## These are the accelerator (or reverse proxy) settings.
httpd_accel_port 80
httpd_accel_host 192.168.0.1 # Notes IP
httpd_accel_single_host on # Only one backend.
httpd_accel_uses_host_header on

When users connect from the internet to https://our.portal.url/ they
receive the usual password dialog box. This is Squid asking for Windows
authentication via Samba-3.0.0 to the Windows DC. After successful
Windows authentication they are directed to the iNotes logon page for
Notes authentication.

The problem is that after authenticating in Notes, the browser brings up a
redirect warning "You are about to be redirected to a connection that is
not secure". The user can click OK, but the browser then times out.

You then see that the requested URL was:

http://our.portal.url/mail/gmoore.nsf/iNotes/Proxy/?

This redirect is wrong on two counts. First, it's http rather than https,
hence the insecure warning. Also, even if it is manually edited to https,
it still times out. In order to get past this, the user has to manually
edit the browser URL to

https://our.portal.url/

and hit return.

We obviously need to get rid of this "insecure redirect" warning, and have
iNotes fire up without requiring the user to mess about with the URL. This
is almost certainly an iNotes issue, and I'll hopefully find a Notes fix
or workaround. Has anyone else seen anything similar?

Failing a Notes fix, we're a bit stuck for ideas! One idea might be to
upgrade to Squid 3 and set up encryption on the backend (i.e. from Squid to
the Notes box), though I'm not convinced this will make any difference. I
just wonder if getting Squid to connect to SSL on the Notes box might
somehow bypass the pesky redirect. Hmmmmmmmmmm.

Thanks in advance for your thoughts.

Geoffrey.

----------------
Geoffrey Moore
Team Solutionz Ltd.
07811 031968
Received on Fri Sep 03 2004 - 05:39:04 MDT
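
The symptom described in this post, as an added example that is not part of the original message or of Squid: a Python check that flags a Location header sending an https request to http on the same host, and shows the value that would keep the browser on the public https origin. The function name `check_redirect` and its verdict labels are assumptions; the sample values are constructed from the URLs and the backend address quoted above.

```python
from urllib.parse import urljoin, urlsplit


def check_redirect(request_url, location):
    """Classify a Location header returned for a request to request_url.

    Returns (verdict, suggested_location):
      "ok"        - the redirect stays on https, or the request was not https
      "downgrade" - https request redirected to http on the same host; the
                    suggested value keeps path and query on the public origin
      "external"  - https request redirected to http on another host or a
                    non-default port; returned unchanged for manual review
    """
    target = urljoin(request_url, location)  # resolves relative Location values
    req, tgt = urlsplit(request_url), urlsplit(target)
    if req.scheme != "https" or tgt.scheme != "http":
        return "ok", target
    if tgt.hostname != req.hostname or tgt.port not in (None, 80):
        return "external", target
    # Slice the original string so a trailing "?" survives the rewrite.
    rest = target.split("://", 1)[1][len(tgt.netloc):]
    return "downgrade", f"https://{req.netloc}{rest}"


if __name__ == "__main__":
    public = "https://our.portal.url/"
    # Constructed Location values: the redirect from the post, a relative
    # redirect, and one that exposes the backend address.
    samples = [
        "http://our.portal.url/mail/gmoore.nsf/iNotes/Proxy/?",
        "/mail/gmoore.nsf",
        "http://192.168.0.1/mail/gmoore.nsf",
    ]
    for loc in samples:
        verdict, suggested = check_redirect(public, loc)
        print(f"{verdict:10} {loc} -> {suggested}")
```
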
