Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?

From: Odhiambo Washington <odhiambo_at_gmail.com>
Date: Mon, 2 Jun 2008 11:09:29 +0300

On Mon, Jun 2, 2008 at 2:37 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> Odhiambo Washington wrote:
>>
>> On Sun, Jun 1, 2008 at 1:38 PM, Amos Jeffries <squid3_at_treenet.co.nz>
>> wrote:
>>>
>>> Odhiambo Washington wrote:
>>>>
>>>> Hello gurus,
>>>>
>>>> I have been trying the whole day to get Squid to work as a reverse
>>>> proxy/accelerator for OWA and RPC-over-https with no success. I believe
>>>> I've come to my /etc on this!
>>>> I have read the Wiki entries and this thread:
>>>>
>>>>
>>>> http://www.nabble.com/Forwarding-Denied-when-using-dst-cache_peer-in-acl-td15123146.html
>>>>
>>> Note that the article references two Squid wiki articles. All the configs
>>> doing OWA using "dst" ACL were relevant only up to 2.5 and fatally flawed
>>> with a required but unstated DNS hack.
>>> The wiki presently has updated configs which work with all current Squid.
>>
>> Thank you for informing me about that. All my thinking was that those
>> wiki entries are still relevant. I actually wasn't looking at the
>> above thread per se, but only for the comments and the challenges the
>> poster faced, but within it there are references to the wiki entries,
>> which is what I was following keenly.
>>
>>>> However, I seem to still miss a critical point.
>>>> My Squid (2.7RC) is first and foremost being used as a LAN proxy. This
>>>> in itself has posed a challenge to me in terms of specifying who is
>>>> allowed to use it as a proxy.
>>>> I have an M$ Exchange server which is self-contained, with
>>>> self-signed certificate.
>>>> Can I configure Squid as a proxy for the LAN as well as an accelerator
>>>> for several backend website(s)? I've found this challenging in terms
>>>> of ordering the ACLs.
>>>
>>> Yes. With some access control tweaking the two 'components' can be kept
>>> separate. See below.
>>
>> That's nice for the ears!
>>
>>>> I can see from the above thread that Wouter de Jong-2 actually/finally
>>>> managed to configure Squid to accelerate OWA as well as do the
>>>> RPC-over-HTTP(s), but he does not mention if the squid instance is also
>>>> being used as a proxy.
>>>> Does someone have a sample config for squid being used as LAN proxy
>>>> and accelerator, especially for M$ Exchange OWA and RPCoHTTPS?
>>>
>>> Should be no need. All the current squid releases support multiple
>>> http_port
>>> entries. That is the first important part.
>>>
>>> Near the top of your config, above ALL of your regular proxy port and
>>> _access controls, set up the OWA/RPC acceleration as listed in the wiki,
>>> omitting the controls which do a blanket 'deny all'.
>>
>> Noted, and thank you for that valuable information. Not heading to the
>> wiki again. But I have two last hurdles:
>> 1. My Exchange OWA is accessible as either
>> https://192.168.0.26/exchange or
>> https://mxech.msexch.ourdomain.tld/exchange
>> 2. (a bit OT) The use of a non-commercial certificate on the Exchange
>> server
>>
>> Q1. How do I tell Squid to access the /exchange bit in the url?
>
> Does it have to be added in squid? or can squid be left only knowing the
> '192.168.0.26'/'mxech.msexch.ourdomain.tld' bits?
> I ask this because while squid can do url-rewriting, that method does not
> cover all possible uses of the URL, just the request and Host: ones.
> If your exchange server can accept the /exchange/* URI that would be much
> better.

After reading some Microshit articles, I managed to make the URI
simpler, so M$ Exchange can now be accessed simply as
https://msexch.msexch.ourdomain.tld/ or https://192.168.0.26.
The /exchange is now not necessary as the redirection is now done
within IIS (yes, the Windows web server) so I am one step ahead.
I am also NOT enforcing SSL on the exchange now, but that is a small
switch that I can easily re-enable if this RPCoHTTPS stuff requires
it, especially because Outlook needs the https:// URI. However, as we
are going to do the SSL offloading on the accelerator, I believe
http:// would suffice.

> The way to do it without headaches is to get a unique domain/subdomain for
> the exchange URL and the exchange server handling the entire path of the
> URI. And squid only switching on the domain.

This is now done as a result of the change above.

>> Q2. Do I have to export the certificate from the Exchange server to be
>> used with Squid in the accel configuration?
>
> If you require clients to SSL auth, yes you will need whatever certificate
> squid presents to them to be your official one.

The certificate required in the Squid config MUST be in pem format??
That is where my problem is. When I read about exporting the
certificate used in the exchange server, all I was able to get is a
.pfx certificate. Not sure if squid will accept this as-is, or should
I just blindly try?:-)

>> Anyone has an idea how I can surmount these two?
>> Being so much used to doing everything with Open Source apps, this
>> Microsohit Exchange thing is the biggest challenge I've ever faced in
>> my SysAdmin life! I must take some leave as soon as I get this
>> OWA/RPCoHTTPS thing running.
>> I therefore highly appreciate any help I can get towards this goal.
>>
>>
>>> http://wiki.squid-cache.org/ConfigExamples/SquidAndOutlookWebAccess
>>> http://wiki.squid-cache.org/ConfigExamples/SquidAndRPCOverHttp
>>>
>>> Then following that setup your main proxy port and controls.
>>
>> Do I require both entries for OWA and RPCoHTTPS or is there a way to
>> kind of amalgamate the configurations? My OWA and RPCoHTTPS
>> destination is one and the same.
>
> Um, I would not think so. But I'm a relative newbie when it comes to SSL
> certificates.

Let me take another stab at this question, so as to be clear:
In both config examples, there is the following specification:

https_port ip_of_squid:443 cert=/path/to/certificate/ defaultsite=owa_hostname   (the OWA example)
https_port ip_of_squid:443 cert=/path/to/certificate defaultsite=rpcohttp.url.com   (the RPCoHTTPS example)

What values do I give for "owa_hostname" and "rpcohttp.url.com" ?
My owa_hostname, I believe, is msexch.msexch.ourdomain.tld.
I am only not sure what my rpcohttp.url.com should be:-(

On the other front:

cache_peer ip_of_owa_server parent 443 0 no-query originserver login=PASS ssl sslcert=/path/to/certificate name=owa_hostname   (OWA)
cache_peer ip_of_exchange_server parent 443 0 no-query originserver login=PASS ssl sslcert=/path/to/certificate name=the_exchange_server   (RPCoHTTP)

I am seeing a situation where those two entries are going to be
similar/the same in my case, bar for owa_hostname and the_exchange_server,
both of which I still can't differentiate, given that I only have one
Exchange box!
In my case, ip_of_owa_server == ip_of_exchange_server

I am hoping someone can tell me how to differentiate between
owa_hostname and the_exchange_server.

Then again, when it comes to the ACLs, there may be some redundancy
considering that my server is just one, no?

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"Oh My God! They killed init! You Bastards!"
 --from a /. post
Received on Mon Jun 02 2008 - 08:09:35 MDT

This archive was generated by hypermail 2.2.0 : Mon Jun 02 2008 - 12:00:03 MDT
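The two practical questions left open in the message above (how to get from the .pfx that Exchange exports to the PEM files squid's https_port wants, and how one Exchange box ends up as one https_port plus one cache_peer rather than two) are worked through in the script below. It is an added example for this archive page, not code from the poster, from Amos Jeffries or from the Squid project. The Exchange address 192.168.0.26 and the name msexch.msexch.ourdomain.tld are taken from the thread; the squid address 192.168.0.1, the 192.168.0.0/24 LAN range, the output paths and the peer label "exchange" are assumptions. The squid.conf fragment it writes uses Squid 2.7 syntax, matching the poster's 2.7RC.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or the Squid project's code).
# 1. Convert the .pfx exported from Exchange into the PEM certificate and PEM key
#    that squid's https_port cert=/key= options expect.
# 2. Check that the key really belongs to the certificate before squid is restarted.
# 3. Write a squid 2.7 fragment serving OWA and RPC-over-HTTPS from ONE Exchange box
#    through ONE https_port/cache_peer pair, placed ahead of the LAN proxy controls.
# 192.168.0.26 and msexch.msexch.ourdomain.tld come from the thread; the squid
# address 192.168.0.1, the LAN range and all file paths are assumptions.
set -eu

# pfx_to_pem PFXFILE PASSWORD OUTDIR  ->  OUTDIR/owa.pem and OUTDIR/owa.key
# Re-encoding through `openssl x509` / `openssl pkey` drops the "Bag Attributes"
# preamble that `openssl pkcs12` emits, so the files hold nothing but PEM blocks.
pfx_to_pem() {
    pfx=$1; pass=$2; out=$3
    umask 077                       # the unencrypted key must never be world-readable
    mkdir -p "$out"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out/cert.raw"
    openssl x509 -in "$out/cert.raw" -out "$out/owa.pem"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/key.raw"
    openssl pkey -in "$out/key.raw" -out "$out/owa.key"
    rm -f "$out/cert.raw" "$out/key.raw"
    # squid cannot prompt for a passphrase at start-up, so the key is stored in the
    # clear; file permissions are the only thing protecting it.
    chmod 644 "$out/owa.pem"
    chmod 600 "$out/owa.key"
}

# cert_matches_key CERT KEY  ->  succeeds only if KEY is the private half of CERT
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# write_squid_conf OUTFILE SQUID_IP EXCHANGE_IP OWA_FQDN CERTDIR
# Accelerator first, LAN proxy second: squid stops at the first matching
# http_access line, so the accelerator's allow must precede the LAN "deny all".
write_squid_conf() {
    cat > "$1" <<EOF
# ---- reverse proxy for OWA and RPC-over-HTTPS (squid 2.7 syntax) ----
acl all src all
# 2.x rejects verbs it does not know; Outlook's RPC_IN_DATA/RPC_OUT_DATA must be declared.
extension_methods RPC_IN_DATA RPC_OUT_DATA

https_port $2:443 cert=$5/owa.pem key=$5/owa.key defaultsite=$4

# OWA and RPC-over-HTTPS live on the same Exchange box, so one peer serves both.
# DONT_VERIFY_PEER accepts Exchange's self-signed certificate without checking it.
cache_peer $3 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=exchange

acl accel_port myport 443
acl OWA dstdomain $4
http_access allow accel_port OWA
http_access deny accel_port          # the accelerator port is not a forward proxy
cache_peer_access exchange allow OWA
cache_peer_access exchange deny all  # LAN proxy traffic never goes to Exchange
never_direct allow OWA

# ---- ordinary LAN proxy ----
http_port $2:3128
acl localnet src 192.168.0.0/24
http_access allow localnet
http_access deny all
EOF
}

# Build a throwaway .pfx (a constructed stand-in for the Exchange export) and
# run the whole pipeline against it.
selftest() {
    t=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=msexch.msexch.ourdomain.tld" -keyout "$t/exch.key" -out "$t/exch.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$t/exch.key" -in "$t/exch.crt" -passout pass:secret -out "$t/exch.pfx"
    pfx_to_pem "$t/exch.pfx" secret "$t/out"
    cert_matches_key "$t/out/owa.pem" "$t/out/owa.key"
    write_squid_conf "$t/out/squid-accel.conf" 192.168.0.1 192.168.0.26 msexch.msexch.ourdomain.tld "$t/out"
    echo "selftest ok: see $t/out"
}

case "${1:-}" in
    --selftest) selftest ;;
    "")         echo "usage: $0 exchange.pfx PFX_PASSWORD OUTDIR | --selftest" >&2 ;;
    *)          pfx_to_pem "$1" "$2" "$3"
                cert_matches_key "$3/owa.pem" "$3/owa.key"
                write_squid_conf "$3/squid-accel.conf" 192.168.0.1 192.168.0.26 msexch.msexch.ourdomain.tld "$3" ;;
esac
```

Run it as `sh squid-owa.sh exchange.pfx 'the-export-password' /etc/squid/ssl` and include the generated fragment above the existing proxy rules, then check the result with `squid -k parse`. Two caveats a practitioner will hit: a .pfx exported by a 2008-era Windows box is usually encrypted with RC2-40, which OpenSSL 3 only reads with `openssl pkcs12 -legacy`; and `sslflags=DONT_VERIFY_PEER` (the setting the Squid wiki examples use) means squid will hand Exchange credentials to whatever answers on 192.168.0.26:443. The stricter alternative on 2.6/2.7 is to drop that flag and point `sslcafile=` at a PEM copy of the Exchange server's own self-signed certificate, with `ssldomain=` set to the name in that certificate. The `extension_methods` line applies to 2.x only; 3.1 and later know the RPC verbs and reject the directive.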