[squid-users] RE : [squid-users] SQUID3 + Reverse proxy + OWA: strange error

From: LIMA David <DLIMA@dont-contact.us>
Date: Wed, 17 Nov 2004 19:01:23 +0100

Just for your information, my config is running smoothly,

Here are the keys for the config of squid:

acl webmail_domains dstdomain webmail.xxx.fr
acl www_domains dstdomain www.xxx.fr

http_access allow webmail_domains
http_access allow www_domains
http_access deny all
http_reply_access allow all

https_port 443 accel vhost cert=/certificats/server.pem key=/certificats/key.pem cafile=/certificats/ca-cert defaultsite=www.xxx.fr

cache_peer 172.21.0.63 parent 80 0 no-query originserver login=PASS front-end-https=auto proxy-only name=webmail

cache_peer_access webmail allow webmail_domains

cache_peer 172.21.0.66 parent 80 0 no-query originserver login=PASS front-end-https=auto proxy-only name=www

cache_peer_access www allow www_domains

Does someone know if I can have two different SSL certs if I only have one socket for squid? If not, I have to set up 2 IPs on my squid box and rewrite my NAT rules.

_________________________________
 
David LIMA
Professional Services
www.scc.com
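A small linter for the handful of squid.conf directives that appear in this thread, added here as an example; it is not code from the post or from the Squid project. It checks the three things the thread turns on: a blanket `http_access allow all` (left in the original config "for testing purpose only") lets any client use the listener, every `cache_peer` should be fenced by a `cache_peer_access` rule as the working config above does, and the `http_access` list should end with `deny all`. The sample config is constructed from the lines in this thread, with the test-only line put back so the checks have something to report.

```python
"""Lint squid.conf access rules for common reverse-proxy mistakes.

Added example, not from the squid-users post.  Only the directives the
thread uses (acl, http_access, cache_peer, cache_peer_access) are looked at.
"""

# Constructed sample: the reply's config with the "allow all" line from the
# original message put back in, so every check below has something to flag.
SAMPLE_CONF = """\
acl webmail_domains dstdomain webmail.xxx.fr
acl www_domains dstdomain www.xxx.fr
http_access allow webmail_domains
http_access allow www_domains
http_access allow all   # for testing purpose only
http_access deny all
cache_peer 172.21.0.63 parent 80 0 no-query originserver login=PASS front-end-https=auto proxy-only name=webmail
cache_peer_access webmail allow webmail_domains
cache_peer 172.21.0.66 parent 80 0 no-query originserver login=PASS front-end-https=auto proxy-only name=www
"""


def parse_conf(text):
    """Return (directive, [args]) tuples; blank lines and '#' comments are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        rules.append((parts[0], parts[1:]))
    return rules


def peer_name(args):
    """A cache_peer is referenced by its name=... option if given, else by its host."""
    for a in args:
        if a.startswith("name="):
            return a[len("name="):]
    return args[0]


def lint(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    rules = parse_conf(text)
    findings = []

    http_access = [args for d, args in rules if d == "http_access"]
    # "allow all" anywhere in the list lets every client through, whatever
    # deny rules follow it, because http_access stops at the first match.
    if ["allow", "all"] in http_access:
        findings.append("http_access allow all: every client can use this listener")
    # Squid's default for an unmatched request is the opposite of the last
    # rule, so the list should be closed explicitly with "deny all".
    if not http_access or http_access[-1] != ["deny", "all"]:
        findings.append("last http_access rule is not 'deny all'")

    # Every origin server should be selectable only for the domains it hosts.
    peers = {peer_name(args) for d, args in rules if d == "cache_peer" and args}
    fenced = {args[0] for d, args in rules if d == "cache_peer_access" and args}
    for p in sorted(peers - fenced):
        findings.append(f"cache_peer {p} has no cache_peer_access rule")

    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("FINDING:", finding)
```

Run as a script it prints one line per finding; the "allow all" finding disappears once that line is deleted, and the `www` peer finding disappears once its `cache_peer_access www allow www_domains` line is added, which is exactly the difference between the two configs in this thread.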
 
 

-----Original Message-----
From: LIMA David
Sent: Monday 15 November 2004 19:39
To: squid-users@squid-cache.org
Subject: [squid-users] SQUID3 + Reverse proxy + OWA: strange error

Hi all,

I'm trying to set up a squid3 to do reverse proxy for OWA running on Exchange 2000 but I can't succeed: (I have read all posts about OWA + squid but unable to find a clue...)

Here is my setup

---------- ------------- ----------------
- CLIENT - ==> :443 - SQUID3 - ==> :80 - OWA@exch2000 -
---------- ------------- ----------------

When I go to http://webmail.xxx.fr/exchange/ it works, auth + browsing etc ...

When I go to https://webmail.xxx.fr/exchange the auth box comes (I use basic auth on OWA), I put my login and password, then the 2 frames of the OWA web site appear but they are blank. When I go to my log files (exchange) I can't find the problem.

 Here is my setup for squid:
______________________________

http_port 3128
ssl_unclean_shutdown on
no_cache deny QUERY
acl all src 0.0.0.0/0.0.0.0
acl all-dst dst 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 80
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl owa-exchange urlpath_regex \/exchange(\/|$)
acl owa-webid urlpath_regex \/WebID\/
acl owa-host dst 172.21.0.63/255.255.255.255
http_access allow owa-host owa-exchange
http_access allow owa-host owa-webid
http_reply_access allow all-dst
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all   # !!!! for testing purpose only !!!!
http_access deny all
visible_hostname webmail.xxx.fr
https_port 443 cert=/certificats/server.pem key=/certificats/key.pem cafile=/certificats/ca-cert defaultsite=webmail.xxx.fr
cache_peer webmail.xxx.fr parent 80 0 no-query originserver login=PASS front-end-https=auto proxy-only

Here is a sample of my access.log during an unsuccessful attempt
_____________________________

4 172.21.1.4 TCP_MISS/401 333 GET https://webmail.xxx.fr/exchange/ - FIRST_UP_PARENT/webmail.xxx.fr text/html
19 172.21.1.4 TCP_MISS/200 1518 GET https://webmail.xxx.fr/exchange/ - FIRST_UP_PARENT/webmail.xxx.fr text/html

==> When I run squid in console mode (squid -d1 -N), I see that an error occurs, but after googling and browsing the squid-archive-list I can't find out why: "ClientNegotiateSSL: Error negotiating SSL connection on FD 16"

I have a second question: I want squid to serve https://www.xxx.fr from one host, and https://www.xxx.fr/exchange/ or https://webmail.xxx.fr or https://webmail.xxx.fr/exchange/ from a second host ==> is it possible to do that with squid? And if yes, how?

Any help would be greatly appreciated. Thanks a lot.

David LIMA
Professional Services
www.scc.com
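The two access.log lines quoted above are the normal Basic-auth exchange for a reverse-proxied OWA: the first request carries no credentials and the origin answers 401, the browser repeats it with credentials and gets 200, so nothing in those two lines points at the blank frames. What a defender does want from this log is the abnormal case, a client that keeps collecting 401s without ever reaching a 200. The parser below is an added example, not code from the post or from Squid; it reads the native log format as shown in the message (elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type, with the leading timestamp optional because the post omits it). The sample lines are constructed: the two from the post plus a made-up client 172.21.1.9 that only ever gets 401s.

```python
"""Summarise squid access.log lines for a reverse-proxied OWA.

Added example, not part of the squid-users post.  The log lines below are
constructed in the native squid format as quoted in the thread.
"""
import re
from collections import Counter, defaultdict

# Native access.log layout; the unix timestamp is optional because the
# lines quoted in the post do not include it.
LOG_RE = re.compile(
    r"^(?:(?P<ts>\d+\.\d+)\s+)?"
    r"(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample: the two lines from the post (172.21.1.4, a normal
# 401-then-200 Basic-auth exchange) and a made-up client that never succeeds.
SAMPLE_LOG = """\
4 172.21.1.4 TCP_MISS/401 333 GET https://webmail.xxx.fr/exchange/ - FIRST_UP_PARENT/webmail.xxx.fr text/html
19 172.21.1.4 TCP_MISS/200 1518 GET https://webmail.xxx.fr/exchange/ - FIRST_UP_PARENT/webmail.xxx.fr text/html
5 172.21.1.9 TCP_MISS/401 333 GET https://webmail.xxx.fr/exchange/ - FIRST_UP_PARENT/webmail.xxx.fr text/html
6 172.21.1.9 TCP_MISS/401 333 GET https://webmail.xxx.fr/exchange/ - FIRST_UP_PARENT/webmail.xxx.fr text/html
5 172.21.1.9 TCP_MISS/401 333 GET https://webmail.xxx.fr/exchange/ - FIRST_UP_PARENT/webmail.xxx.fr text/html
7 172.21.1.9 TCP_MISS/401 333 GET https://webmail.xxx.fr/exchange/ - FIRST_UP_PARENT/webmail.xxx.fr text/html
3 172.21.1.9 TCP_MISS/401 333 GET https://webmail.xxx.fr/exchange/ - FIRST_UP_PARENT/webmail.xxx.fr text/html
"""


def parse_line(line):
    """Parse one native access.log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec


def summarise(text, max_401=3):
    """Count HTTP status codes per client and flag clients that only ever see 401.

    A 401 followed by a 200 from the same client is the ordinary Basic-auth
    challenge/response, so it is not flagged; more than max_401 challenges
    with no 200 at all is the pattern worth looking at.
    """
    per_client = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line (e.g. a different log format)
        per_client[rec["client"]][rec["status"]] += 1

    flagged = [
        client for client, statuses in per_client.items()
        if statuses[401] > max_401 and statuses[200] == 0
    ]
    return {c: dict(s) for c, s in per_client.items()}, flagged


if __name__ == "__main__":
    summary, flagged = summarise(SAMPLE_LOG)
    for client, statuses in summary.items():
        print(client, statuses)
    print("clients with repeated 401 and no 200:", flagged)
```

The threshold of three challenges is an arbitrary starting point for the example; the useful part is separating the challenge/response pair, which is benign, from a run of challenges with no success, which is what a password-guessing attempt against the OWA login looks like from the proxy's side.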
 
 

------------------------------------------------------------------------------------------

This message contains information whose content may be confidential.
It is intended exclusively for the indicated recipient(s).

Unless you are on the list of recipients, or you are authorised to receive the mail
on their behalf, you are forbidden to copy it, to use it
or to disclose its content to a third party.

If you have received this email by mistake, please contact the sender.

The opinions expressed in this e-mail are those of the sender and do not
necessarily reflect those of the company.

This e-mail may contain attachments, some of which could contain viruses
that could damage your computer system.

The company has taken all measures to minimise this risk and declines all
responsibility for any loss or damage resulting directly or indirectly from
the use of this email or its content.

It is your responsibility to carry out your own anti-virus checks before opening
the attachment(s).
------------------------------------------------------------------------------------------

-
Received on Wed Nov 17 2004 - 10:58:44 MST

This archive was generated by hypermail pre-2.1.9 : Wed Dec 01 2004 - 12:00:01 MST