[squid-users] HTTP POSTS don't seem to be passed to OWA (broken spell check) - Henrik, you there?

Hello List,

I've run into what I hope will be the last problem of trying to get OWA
and Squid to behave! :-)

I've seen several posts where folks have got OWA to work with Squid, but
the spell check function was broken. Unfortunately, after much searching
on the net via Google for answers, I'm coming up blank (those posts
didn't seem to have any resolution). Here are my details:

- I'm running Squid 2.5.STABLE5-2 on Fedora Core 2.
- Squid is configured as a reverse-proxy to an Exchange 2003
server (OWA)
- User -> (HTTPS) -> Proxy -> (HTTP) -> OWA
- Users can access their mail boxes with no problem; system is
VERY stable
- Spell check works fine if you access the OWA server directly
- Spell check hangs if you access it via a proxied connection
- Turning on debugging reveals NO ACL problems in cache log
- I see a POST request in the access log, however, the POST
doesn't seem to get passed to OWA

Here are the log entries from the OWA server (IIS):

via proxy:
----------

2005-07-12 13:03:20 10.1.2.37 GET /exchange/ - 80 owauser@ourcompany.com
192.168.252.101
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322)
200 0 0
2005-07-12 13:03:20 10.1.2.37 GET /exchange/owauser/ Cmd=navbar 80
owauser@ourcompany.com 192.168.252.101
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322)
200 0 0
2005-07-12 13:03:20 10.1.2.37 GET /exchange/owauser/Inbox/ Cmd=contents
80 owauser@ourcompany.com 192.168.252.101
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322)
200 0 0
2005-07-12 13:03:20 10.1.2.37 GET
/exchweb/6.5.7226.0/controls/tf_Messages.xsl - 80 - 192.168.252.101
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322)
200 0 0
2005-07-12 13:03:20 10.1.2.37 SEARCH /exchange/owauser/Inbox/ - 80
owauser@ourcompany.com 192.168.252.101
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322)
207 0 0

direct to OWA server:
---------------------

2005-07-12 13:08:14 10.1.2.37 GET /exchange/owauser/ cmd=spellcheck 443
owauser@ourcompany.com 10.1.2.37
Mozilla/4.0+(compatible;+MSIE+6.)+Windows+NT+5.2;+.NET+CLR+1.1.4322) 200
0 0
2005-07-12 13:08:14 10.1.2.37 POST /exchweb/bin/spell/owaspell.dll - 443
- 10.1.2.37
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322)
401 2 2148074254
2005-07-12 13:08:14 10.1.2.37 POST /exchweb/bin/spell/owaspell.dll - 443
owauser@ourcompany.com 10.1.2.37
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322)
200 0 0
2005-07-12 13:08:20 10.1.2.37 POLL /exchange/owauser/Inbox - 80
owauser@ourcompany.com 192.168.252.101
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322)
207 0 0

It appears that the log entries in the "via proxy" section are actually
the user browsing their inbox, not the actual spell check function. In
other words, it doesn't appear that the POST is even making it to IIS.
In the "direct to OWA server" section, we see the POSTS and life is
good.

Here's my squid.conf:

# Squid Reverse Proxy Configuration file

cache_access_log /var/log/squid/access.outlook.log
cache_store_log /var/log/squid/store.outlook.log
cache_log /var/log/squid/cache.outlook.log
pid_filename /var/run/squid.outlook.pid

# Bind to NAT'd address for outlook server
http_port 192.168.252.16:80

# Setup SSL Parameters
# Note: disable the following line if SSL is not being proxied
https_port 192.168.252.16:443 cert=crt_file key=key_file

# Disable ICP
icp_port 0

# Disable Caching
cache_dir null /tmp
acl all_no_cache src 0/0
no_cache deny all_no_cache

# Setup ACL's to restrict traffic
# Allow traffic to ports 80 & 443 only
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http
acl Safe_ports port 443 # https
http_access deny !Safe_ports

# Block "connect" attempts
acl CONNECT method CONNECT
http_access deny CONNECT

# Protect against shell attempts
# Note: blocks attempts to call "cmd.exe" "/bin/sh" and "default.ida"
# can add others as needed
acl bad_requests urlpath_regex -i cmd.exe \/bin\/sh default\.ida
http_access deny bad_requests

##########################
# Test for OWA Spell Check
#acl owa-exchange urlpath_regex \/exchange(\/|$|\?)
#acl owa-webid urlpath_regex \/WebID\/
#acl owa-host dst 10.1.2.37/255.255.255.255
#http_access allow owa-host owa-exchange
#http_access allow owa-host owa-webid
#debug_options ALL,1 33,2

# Final Permit All
acl all src 0.0.0.0/0.0.0.0
http_access allow all

# Final Deny All
#acl all src 0.0.0.0/0.0.0.0
#http_access deny all

# Setup Reverse Proxy Parameters
#redirect_program /etc/squid/redirect.outlook.pl
#redirect_children 5
#redirect_rewrites_host_header on
httpd_accel_host owahost.ourcompany.com
#httpd_accel_host 10.1.11.21
httpd_accel_port 80
httpd_accel_single_host on
httpd_accel_uses_host_header on

# Specify where core dumps are written
coredump_dir /var/spool/squid

The configuration is a bit odd because I've been playing around with
different combinations of things. I'm trying to minimize ACL conflicts
so I'm not beating my head against the wall! :-)

Microsoft has been involved with this issue, and they're pointing to the
proxy. Unfortunately, based on what I'm seeing, it appears they may be
correct. I'd really appreciate help from the list. FWIW, I'm not a
programmer...just a Cisco network dude who is the only "opensource guy"
in our company; I'm by no means a Squid/Opensource guru. I could
definitely use the community's assistance. If anyone who responds to
this request needs specific info, please let me know what the correct
syntax is for the info you need - it may take me twice as long to try
and find it, and I want to respond with the correct info the first time.

Thanks in advance!

-Jason
Received on Tue Jul 12 2005 - 09:01:10 MDT