Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Mon, 02 Jun 2008 11:39:35 +0200

On mån, 2008-06-02 at 11:09 +0300, Odhiambo Washington wrote:
> it, especially because Outlook needs the https:// URI. However, as we
> are going to do the SSL offloading on the accelerator, I believe
> http:// would suffice.

It will, but you need to configure Squid cache_peer with the
front-end-https=auto option to let OWA know there is an SSL frontend
doing https->http translation.

> The certificate required in the Squid config MUST be in pem format??

Yes.

> That is where my problem is. When I read about exporting the
> certificate used in the exchange server, all I was able to get is a
> .pfx certificate. Not sure if squid will accept this as-is, or should
> I just blindly try?:-)

pfx archives are binary encrypted archives of both the certificate and
private key. Used for transferring a certificate from one server to
another in a reasonably secure manner.

It can be converted to PEM files by using the openssl tool.

openssl pkcs12 -in file.pfx -out file.pem

It will ask you for the export password (encryption key).

> Let me take another stab at this question, so as to be clear:
> In both config examples, there is the following specification:
>
> https_port ip_of_squid:443 cert=/path/to/certificate/
> defaultsite=owa_hostname (the OWA example)
> https_port ip_of_squid:443 cert=/path/to/certificate
> defaultsite=rpcohttp.url.com (the RPCoHTTPS example)

defaultsite SHOULD be the external hostname the clients connect to,
which usually is the same name as the certificate is issued to. If
unsure use vhost instead.

Note: There can only be one https_port per ip:port combination. But
quite likely the same can be used both for OWA and RPCoHTTP even if you
have OWA and Exchange on different servers... (which you don't, you have
them both on the same server)

Regards
Henrik

Received on Mon Jun 02 2008 - 09:39:44 MDT
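
The .pfx to PEM conversion discussed above, as an added example that is not part of the original message: it splits the archive into a separate certificate and private key, keeps the unencrypted key file owner-readable only, and checks that the two belong together before they are referenced from https_port. The file names, the host name owa.example.com and the export password are constructed for the demo; the throwaway .pfx is generated locally so the script runs offline.

```shell
#!/bin/sh
# Added example: split a PKCS#12 (.pfx) export into PEM certificate and key.
# All paths, the CN and the password below are constructed demo values.

# pfx_to_pem PFX PASSFILE CERT_OUT KEY_OUT
pfx_to_pem() {
    pfx=$1; passfile=$2; cert_out=$3; key_out=$4
    # Server certificate only: no private key, no CA certificates.
    openssl pkcs12 -in "$pfx" -passin "file:$passfile" \
        -clcerts -nokeys -out "$cert_out" || return 1
    # Private key only. -nodes writes it unencrypted, so restrict the
    # file mode to 0600 before openssl creates it.
    ( umask 077
      openssl pkcs12 -in "$pfx" -passin "file:$passfile" \
          -nocerts -nodes -out "$key_out" ) || return 1
}

# cert_matches_key CERT KEY: succeeds only if both hold the same public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# make_demo_pfx DIR: build a throwaway self-signed certificate and export
# it to DIR/file.pfx, standing in for the archive exported from Exchange.
make_demo_pfx() {
    d=$1
    printf '%s\n' 'constructed-export-password' > "$d/pass.txt"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=owa.example.com' \
        -keyout "$d/orig.key" -out "$d/orig.crt" 2>/dev/null &&
    openssl pkcs12 -export -in "$d/orig.crt" -inkey "$d/orig.key" \
        -passout "file:$d/pass.txt" -out "$d/file.pfx"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pfx "$tmp" &&
    pfx_to_pem "$tmp/file.pfx" "$tmp/pass.txt" "$tmp/cert.pem" "$tmp/key.pem" &&
    cert_matches_key "$tmp/cert.pem" "$tmp/key.pem" &&
    echo "certificate and key match"
    rc=$?; rm -rf "$tmp"; return $rc
}

demo
```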
