Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 02 Jun 2008 11:37:17 +1200

Odhiambo Washington wrote:
> On Sun, Jun 1, 2008 at 1:38 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> Odhiambo Washington wrote:
>>> Hello gurus,
>>>
>>> I have been trying the whole day to get Squid to work as a reverse
>>> proxy/accelerator for OWA and RPC-over-https with no success. I believe
>>> I've come to my /etc on this!
>>> I have read the Wiki entries and this thread:
>>>
>>> http://www.nabble.com/Forwarding-Denied-when-using-dst-cache_peer-in-acl-td15123146.html
>>>
>> Note that the article references two Squid wiki articles. All the configs
>> doing OWA using "dst" ACL were relevant only up to 2.5 and fatally flawed
>> with a required but unstated DNS hack.
>> The wiki presently has updated configs which work with all current Squid.
>
> Thank you for informing me about that. All my thinking was that those
> wiki entries are still relevant. I actually wasn't looking at the
> above thread per se, but only for the comments and the challenges the
> poster faced, but within it there are references to the wiki entries,
> which is what I was following keenly.
>
>>> However, I seem to still miss a critical point.
>>> My Squid (2.7RC) is first and foremost being used as a LAN proxy. This
>>> in itself has posed a challenge to me in terms of specifying who is
>>> allowed to use it as a proxy.
>>> I have an M$ Exchange server which is self-contained, with
>>> a self-signed certificate.
>>> Can I configure Squid as a proxy for the LAN as well as an accelerator
>>> for several backend website(s)? I've found this challenging in terms
>>> of ordering the ACLs.
>> Yes. With some access control tweaking two 'components' can be kept
>> separate. See below.
>
> That's nice for the ears!
>
>>> I can see from the above thread that Wouter de Jong-2 actually/finally
>>> managed to configure Squid to accelerate OWA as well as do the
>>> RPC-over-HTTP(s) but he does not mention if the squid instance is also
>>> being used as a proxy.
>>> Does someone have a sample config for squid being used as LAN proxy
>>> and accelerator, especially for M$ Exchange OWA and RPCoHTTPS?
>> Should be no need. All the current squid releases support multiple http_port
>> entries. That is the first important part.
>>
>> Near the top of your config, above ALL of your regular proxy port and
>> _access controls, set up the OWA/RPC acceleration as listed in the wiki,
>> omitting the controls which do a blanket 'deny all'.
>
> Noted, and thank you for that valuable information. Not heading to the
> wiki again. But I have two last hurdles:
> 1. My Exchange OWA is accessible as either
> https://192.168.0.26/exchange or
> https://mxech.msexch.ourdomain.tld/exchange
> 2. (a bit OT) The use of a non-commercial certificate on the Exchange server
>
> Q1. How do I tell Squid to access the /exchange bit in the url?

Does it have to be added in squid? Or can squid be left only knowing the
'192.168.0.26'/'mxech.msexch.ourdomain.tld' bits?
I ask this because while squid can do url-rewriting, that method does
not cover all possible uses of the URL, just the request and Host: ones.
If your exchange server can accept the /exchange/* URI that would be
much better.

The way to do it without headaches is to get a unique domain/subdomain
for the exchange URL, with the exchange server handling the entire path of
the URI and squid only switching on the domain.

> Q2. Do I have to export the certificate from the Exchange server to be
> used with Squid in the accel configuration?

If you require clients to SSL auth, yes you will need whatever
certificate squid presents to them to be your official one.

> Anyone has an idea how I can surmount these two
> Being so much used to doing everything with Open Source apps, this
> Microsohit Exchange thing is the biggest challenge I've ever faced in
> my SysAdmin life! I must take some leave as soon as I get this
> OWA/RPCoHTTPS thing running.
> I therefore highly appreciate any help I can get towards this goal.
>
>
>> http://wiki.squid-cache.org/ConfigExamples/SquidAndOutlookWebAccess
>> http://wiki.squid-cache.org/ConfigExamples/SquidAndRPCOverHttp
>>
>> Then following that, set up your main proxy port and controls.
>
> Do I require both entries for OWA and RPCoHTTPS or is there a way to
> kind of amalgamate the configurations? My OWA and RPCoHTTPS
> destination is one and the same.

Um, I would not think so. But I'm a relative newbie when it comes to SSL
certificates.

Amos

-- 
Please use Squid 2.7.STABLE1 or 3.0.STABLE6
Received on Sun Jun 01 2008 - 23:37:19 MDT
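
The ordering described in this message (accelerator port and its rules first, without a blanket 'deny all', then the LAN proxy port and its controls), sketched as one squid.conf. This is an added example, not a config from the thread or the wiki. Assumptions: the certificate and key paths, the LAN range 192.168.0.0/24, proxy port 3128, and that the Exchange server's self-signed certificate has been exported to PEM.

```conf
# --- 1. Accelerator (reverse proxy) for OWA / RPC-over-HTTPS: goes first ---
# Certificate Squid presents to outside clients (paths are placeholders).
https_port 443 accel cert=/etc/squid/owa-public.pem key=/etc/squid/owa-public.key defaultsite=mxech.msexch.ourdomain.tld

# Back-end Exchange server over SSL. The exported self-signed certificate is
# trusted explicitly via sslcafile=, and ssldomain= names the host expected in
# it, because the peer is addressed by IP. sslflags=DONT_VERIFY_PEER would
# also get past a self-signed certificate, but only by switching peer
# verification off, so it is not used here.
cache_peer 192.168.0.26 parent 443 0 no-query originserver login=PASS ssl sslcafile=/etc/squid/exchange-selfsigned.pem ssldomain=mxech.msexch.ourdomain.tld name=owaServer

# Switch on the domain only; the Exchange server handles /exchange itself.
acl OWA dstdomain mxech.msexch.ourdomain.tld
cache_peer_access owaServer allow OWA
cache_peer_access owaServer deny all
never_direct allow OWA

# Allow the accelerated site, but no 'http_access deny all' here: the final
# deny belongs after the proxy rules below.
http_access allow OWA

# --- 2. Regular LAN proxy: port and controls follow the accelerator ---
http_port 3128
acl localnet src 192.168.0.0/24        # assumed LAN range

http_access allow localnet
# Single blanket deny at the very end. Anything that is neither the OWA
# domain nor from the LAN is refused, so port 443 cannot be used as an
# open proxy. ('all' is defined in the stock squid.conf.)
http_access deny all
```

Running `squid -k parse` checks the file for syntax errors before the running instance is reconfigured.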