[squid-users] iNotes webmail attachments with squid reverse proxy

From: <Geoff.Moore@dont-contact.us>
Date: Tue, 5 Oct 2004 12:56:44 +0100

Hello,

I have a Slackware box running Squid/3/PRE3 and Samba-3.0.0. The box
functions as an ssl reverse proxy for a backend Lotus Domino R6.52 box
running iNotes webmail. Incoming https web traffic goes to squid
https_port 443. The backend connection is also encrypted and goes to the
Notes box on port 443.

Internet -- (ssl) -- SQUID -- (ssl) -- Lotus Domino server

Ordinary iNotes webmail works very well. My only issue arises when trying
to access attachments within iNotes webmail. When I click on an attached
file I receive the browser error "Error : Unable to download <filename>
from https://portal.oursite.com". It is only when we are using ssl (back
and front end) that this issue arises. When we use unencrypted back and
front ends everything (including attachments) works fine.

The access.log shows something like this (the last line is when I tried to
access an attached zip file). No error gets shown in the access.log, it's
only in the browser that the error shows up.

1096974715.709 24 x.y.195.236 TCP_MISS/304 286 GET https://portal.oursite.com/icons/vwicn150.gif user1 FIRST_UP_PARENT/201.1.1.220 image/gif
1096974718.945 80 x.y.195.236 TCP_MISS/200 7670 GET https://portal.oursite.com/mail/jguiney.nsf/d551aa968989f38680256d6b0031c210/ED62487316343F1F80256ED3003EF506/? user1 FIRST_UP_PARENT/201.1.1.220 text/html
1096974720.205 24 x.y.195.236 TCP_MISS/304 286 GET https://portal.oursite.com/icons/vwicn178.gif user1 FIRST_UP_PARENT/201.1.1.220 image/gif
1096974725.708 60 x.y.195.236 TCP_MISS/200 60811 GET https://portal.oursite.com/mail/jguiney.nsf/0/ED62487316343F1F80256ED3003EF506/$File/OS%5FNetBIOSCfgUtil%2Ezip? user1 FIRST_UP_PARENT/201.1.1.220 application/x-zip

The relevant bits of the config file look like this:

## ACLs set on directories so need to set squid to run under this account
cache_effective_user squid
cache_effective_group squidadm

## We don't use ICP
icp_port 0

### Sets up external SSL with Internet CA certificate
https_port 443 cert=/usr/local/squid/etc/oursite.crt key=/usr/local/squid/etc/oursite.key defaultsite=portal.oursite.com

## In Squid 3 configure the accelerator settings using cache_peer
# See squid.conf.default for Squid3 for full explanation of all options.
# "ssl sslflags=DONT_VERIFY_PEER" are important options - allow the use of
# a self-cert cert in Notes, otherwise squid would choke on SSL cert errors
# Other options are standard for a reverse proxy
cache_peer 201.1.1.220 parent 443 0 no-query proxy-only originserver ssl sslflags=DONT_VERIFY_PEER

## Set up auth_param. Src was built with --enable-auth="basic"
auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Langford Lodge iNotes
auth_param basic credentialsttl 2 hours

## define our ACLs. Safe ports, cache manager and authenticated users
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl password proxy_auth REQUIRED
http_access allow CONNECT

## map acl with access
## Note new access for cache_peer for reverse proxy
cache_peer_access 201.1.1.220 allow all
http_access allow localhost
http_access deny to_localhost
http_access allow all password
http_access deny all

My gut reaction is that it might be an issue with the redirector code in
the new Squid3 ssl functionality, but I'd be perfectly happy with a dirty
workaround for this one; it's a bit of a showstopper not to have
attachments working. Thanks in advance for any insights.

Geoffrey.
Received on Tue Oct 05 2004 - 05:56:48 MDT
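As an added example (not part of the original post, and not Squid's own code), the script below models Squid's first-match evaluation of http_access over a constructed copy of the ACL, http_access and cache_peer lines posted above, to show which rule decides each kind of request and to flag the cache_peer line that turns off backend certificate checking. It assumes an `acl CONNECT method CONNECT` definition, which Squid's stock squid.conf.default supplies but the excerpt does not show, and uses a made-up client address 198.51.100.7 in place of x.y.195.236.

```python
"""Model Squid's first-match http_access evaluation over the posted config.

Added example; constructed config and requests, not taken from a live proxy.
"""
import ipaddress
import re

# Constructed sample: the posted lines, plus 'acl CONNECT method CONNECT',
# which Squid's default squid.conf defines but the post's excerpt omits.
SQUID_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl password proxy_auth REQUIRED
acl CONNECT method CONNECT
http_access allow CONNECT
cache_peer 201.1.1.220 parent 443 0 no-query proxy-only originserver ssl sslflags=DONT_VERIFY_PEER
cache_peer_access 201.1.1.220 allow all
http_access allow localhost
http_access deny to_localhost
http_access allow all password
http_access deny all
"""


def parse_conf(text):
    """Return (acls, http_access rules, cache_peer lines) from squid.conf text."""
    acls, rules, peers = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            # several 'acl NAME ...' lines with the same NAME are OR'ed together
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            rules.append((line, parts[1], parts[2:]))
        elif parts[0] == "cache_peer":
            peers.append(line)
    return acls, rules, peers


def acl_matches(acls, name, req):
    """Match one ACL (optionally negated with '!') against a request dict."""
    negate = name.startswith("!")
    hit = False
    for kind, values in acls[name.lstrip("!")]:
        if kind == "src":
            hit = any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v, strict=False) for v in values)
        elif kind == "dst":
            hit = any(ipaddress.ip_address(req["dst"]) in ipaddress.ip_network(v, strict=False) for v in values)
        elif kind == "port":
            hit = str(req["port"]) in values
        elif kind == "method":
            hit = req["method"] in values
        elif kind == "proxy_auth":
            hit = req["user"] is not None  # REQUIRED: any authenticated user
        if hit:
            break
    return hit != negate


def decide(acls, rules, req):
    """First http_access line whose ACLs all match (left to right) decides.

    Simplified from Squid: if the first non-matching ACL on a line is a
    proxy_auth ACL and the request carries no credentials, Squid sends an
    authentication challenge instead of moving to the next line.
    """
    for line, action, names in rules:
        for name in names:
            if acl_matches(acls, name, req):
                continue
            kinds = {kind for kind, _ in acls[name.lstrip("!")]}
            if "proxy_auth" in kinds and req["user"] is None:
                return "challenge", line
            break
        else:
            return action, line
    return "deny", "(implicit default: deny)"


def insecure_peers(peers):
    """cache_peer lines whose TLS link to the origin skips certificate checks."""
    return [p for p in peers if re.search(r"sslflags=\S*DONT_VERIFY_PEER", p)]


def audit(text):
    """Decide a set of constructed requests and list unverified TLS peers."""
    acls, rules, peers = parse_conf(text)
    origin = "201.1.1.220"  # the Domino box from the post
    requests = {
        "internet GET, no credentials": dict(method="GET", src="198.51.100.7", dst=origin, port=443, user=None),
        "internet GET, authenticated": dict(method="GET", src="198.51.100.7", dst=origin, port=443, user="user1"),
        "internet CONNECT, no credentials": dict(method="CONNECT", src="198.51.100.7", dst=origin, port=443, user=None),
        "localhost GET, no credentials": dict(method="GET", src="127.0.0.1", dst=origin, port=443, user=None),
    }
    return {label: decide(acls, rules, r) for label, r in requests.items()}, insecure_peers(peers)


if __name__ == "__main__":
    decisions, bad_peers = audit(SQUID_CONF)
    for label, (action, line) in decisions.items():
        print(f"{label:34s} -> {action:9s} via: {line}")
    for peer in bad_peers:
        print("origin certificate not verified:", peer)
```

Run as shown, the model reports that `http_access allow CONNECT`, sitting before the `password` rule, decides CONNECT requests from any source with no challenge, while an unauthenticated GET falls through to `allow all password` and is challenged. Real Squid has further proxy_auth subtleties (trailing proxy_auth ACLs on deny lines, for instance) that this model does not cover. Replacing `DONT_VERIFY_PEER` with actual verification would mean giving Squid the Domino certificate's issuer via `sslcafile=` on the cache_peer line, which the example only flags, not fixes.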

This archive was generated by hypermail pre-2.1.9 : Mon Nov 01 2004 - 12:00:01 MST