Re: [squid-users] Squid as reverse proxy with outlook web access

From: Amos Jeffries <squid3@dont-contact.us>
Date: Sun, 28 Oct 2007 00:25:13 +1300

Chris Robertson wrote:
> Killing-Time@gmx.de wrote:
>> Hello everybody,
>>
>> I'm trying to use squid in the following way at the company where I work:
>>
>> [Internet] --SSL connection--> [Squid Reverse Proxy] --HTTP
>> connection--> [Outlook Web Access Server]
>> [Internet] <--SSL connection-- [Squid Reverse Proxy] <--HTTP
>> connection-- [Outlook Web Access Server]
>>
>> As I'm new to squid, I tried using the configuration example which I
>> found here:
>> http://wiki.squid-cache.org/ConfigExamples/SquidAndOutlookWebAccess
>>
>> If I'm getting this right, the aforementioned configuration should do
>> exactly what I'm looking for. So I tried using the configuration file
>> (adjusted to our system/network of course), but instead of getting
>> through to Outlook, I get an error page:
>>
>> (I entered https://squidserver/exchange into the browser on another
>> machine to test it)
>>
>
> Which is where your error lies...
>
>>
>>> ERROR
>>> The requested URL could not be retrieved
>>> ----------------------------------------
>>> While trying to retrieve the URL: https://owaserver/exchange
>>> The following error was encountered:
>>> - Access denied.
>>> Access control configuration prevents your request from being allowed
>>> at this time. Please contact your service provider if you feel this
>>> is incorrect.
>>>
>>> Your cache administrator is webmaster.
>>> ----------------------------------------
>>> Generated Fri, 26 Oct 2007 13:25:09 by
>>> squidserver.local.myCompany.com (squid/2.6.STABLE16)
>>>
>>
>> Here's my squid.conf file:
>>
>>
>>> # Added because of "ACL name 'all' not defined!" error on squid startup
>>> acl all src 0.0.0.0/0.0.0.0
>>>
>>> https_port xxx.xxx.xxx.xxx:443 cert=c:/squid/share/cert/cert.pem
>>> key=c:/squid/share/cert/key.pem defaultsite=owaserver
>>>
>>> cache_peer yyy.yyy.yyy.yyy parent 80 0 no-query originserver
>>> login=PASS front-end-https=on name=owaserver
>>>
>>> acl OWAip dst yyy.yyy.yyy.yyy
>>> acl OWA dstdomain owaserver
>>> cache_peer_access owaserver allow OWA
>>> never_direct allow OWAip
>>>
>>> http_access allow OWAip
>>> http_access deny all
>>>
>
> You are only allowing accesses to yyy.yyy.yyy.yyy, but what you
> requested was http://squidserver/exchange which translates to
> https://xxx.xxx.xxx.xxx (and is therefore denied). Change the host file
> on the client, so owaserver points to xxx.xxx.xxx.xxx and then try
> surfing to https://owaserver/exchange. You should have better luck.

No need to play with host files.
Replace the acls and cache_peer_access with:

   acl OWA dstdomain domain.resolves.to.squidserver
   cache_peer_access owaserver allow OWA
   never_direct allow OWA

defaultsite= on the _port should be domain.resolves.to.squidserver
name= on cache_peer is just a simple handle to reference the peer by
        and should be unique for best config reading

Amos

>
>>> miss_access allow OWAip
>>> miss_access deny all
>>>

Oh, and OWA as newly defined should be used there too.

>>
>> Explanation:
>> - xxx.xxx.xxx.xxx is the IP of the machine with squid running on it.
>> - yyy.yyy.yyy.yyy is the IP of the Outlook Web Access Server
>> - "owaserver" is the name of the Outlook Web Access Server in our
>> company network
>>
>> I am using squid/2.6.STABLE16 with SSL support on Windows XP Pro.
>>
>> Can anybody help?
>> Kind regards,
>> - Patrick
>>
>>
>
> Chris
Received on Sat Oct 27 2007 - 05:25:20 MDT
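
The directives from this reply assembled into one accelerator configuration, as an added example that is not part of the original message or of the wiki page it mentions. `owaPeer` is a hypothetical peer handle, `domain.resolves.to.squidserver` stands for the public name clients type into the browser, and switching `http_access` to the OWA ACL is an assumption that follows from dropping the OWAip ACL.

```conf
# Added example for squid 2.6 in accelerator mode.
# xxx.xxx.xxx.xxx = Squid machine, yyy.yyy.yyy.yyy = OWA server, as in the thread.
acl all src 0.0.0.0/0.0.0.0

# defaultsite= is the public name that resolves to the Squid machine,
# not the internal name of the OWA server.
https_port xxx.xxx.xxx.xxx:443 cert=c:/squid/share/cert/cert.pem key=c:/squid/share/cert/key.pem defaultsite=domain.resolves.to.squidserver

# name= is only a handle used by cache_peer_access.
# owaPeer is a hypothetical label, kept distinct from any hostname.
cache_peer yyy.yyy.yyy.yyy parent 80 0 no-query originserver login=PASS front-end-https=on name=owaPeer

# Match on the hostname the client requested instead of the backend IP
# (replaces: acl OWAip dst yyy.yyy.yyy.yyy / acl OWA dstdomain owaserver).
acl OWA dstdomain domain.resolves.to.squidserver
cache_peer_access owaPeer allow OWA
never_direct allow OWA

# Assumption: http_access uses the same ACL now that OWAip is gone.
# Everything that is not a request for the published name stays denied.
http_access allow OWA
http_access deny all

# miss_access uses the newly defined OWA ACL as well.
miss_access allow OWA
miss_access deny all
```

Running `squid -k parse` checks the file for syntax errors before the service is restarted.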
