Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?

From: Odhiambo Washington <odhiambo_at_gmail.com>
Date: Mon, 2 Jun 2008 13:41:00 +0300

On Mon, Jun 2, 2008 at 12:39 PM, Henrik Nordstrom
<henrik_at_henriknordstrom.net> wrote:
> On mån, 2008-06-02 at 11:09 +0300, Odhiambo Washington wrote:
>> it, especially because Outlook needs the https:// URI. However, as we
>> are going to do the SSL offloading on the accelerator, I believe
>> http:// would suffice.

Thanks for chipping in, Henrik.

> It will, but you need to configure Squid cache_peer with the
> front-end-https=auto option to let OWA know there is an SSL frontend
> doing https->http translation.

So, for OWA, is the following correct:
cache_peer 192.168.0.26 parent 443 0 no-query originserver login=PASS
ssl front-end-https=auto
sslcert=/opt/squid27/etc/certs/msexch_w3svc1_cert.pem
name=msexch.msexch.ourdomain.tld

(actually, this is supposed to be the only entry for cache_peer I am
going to have?)

>
>> The certificate required in the Squid config MUST be in pem format??
>
> Yes.
>
>> That is where my problem is. When I read about exporting the
>> certificate used in the exchange server, all I was able to get is a
>> .pfx certificate. Not sure if squid will accept this as-is, or should
>> I just blindly try?:-)
>
> pfx archives are binary encrypted archives of both the certificate and
> private key, used for transferring a certificate from one server to
> another in a reasonably secure manner.
>
> It can be converted to PEM files by using the openssl tool.
>
> openssl pkcs12 -in file.pfx -out file.pem
>
> it will ask you for the export password (encryption key).

That has worked. It also required a PEM passphrase. I hope this is not
supposed to be another problem. This ssl stuff!

>> Let me take another stab at this question, so as to be clear:
>> In both config examples, there is the following specification:
>>
>> https_port ip_of_squid:443 cert=/path/to/certificate/
>> defaultsite=owa_hostname (the OWA example)
>> https_port ip_of_squid:443 cert=/path/to/certificate
>> defaultsite=rpcohttp.url.com (the RPCoHTTPS example)
>
> defaultsite SHOULD be the external hostname the clients connect to,
> which usually is the same name as the certificate is issued to. If
> unsure use vhost instead..

In my case, I don't have a certificate for the external hostname,
which brings me back to the confusing issue regarding the certificate:
I can make a self-signed certificate for the external hostname. Not a
problem. However, does this mean I really don't need the internal
certificate Exchange is using?

> Note: There can only be one https_port per ip:port combination. But
> quite likely the same can be used both for OWA and RPCoHTTP even if you
> have OWA and Exchange on different servers... (which you don't, you have
> them both on the same server)

Suppose:

My Squid host is publicly known as mail.odhiambo.COM (IP of 1.2.3.4)
My Exchange server is named msexch.msexch.odhiambo.BIZ (IP of 192.168.0.26)

Given that both OWA and RPCoHTTPS are directed at these...

What values should I use for the following variables (from the wiki):

(a) owa_hostname?
(b) ip_of_owa_server?
(c) rpcohttp.url.com?
(d) the_exchange_server?

From there, I believe I will only get stuck at the ssl certificates
step, which is where I am still a bit confused.

Thank you in advance.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"Oh My God! They killed init! You Bastards!"
 --from a /. post
Received on Mon Jun 02 2008 - 10:41:06 MDT
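The pfx-to-PEM conversion and the certificate/hostname questions discussed above, as an added shell example that is not part of the thread: it splits an exported .pfx into a certificate file and an unencrypted key file (so no PEM passphrase prompt blocks a daemon), checks that the key actually belongs to the certificate, and prints the subject CN for comparison with the external hostname used in defaultsite=. It assumes a working openssl binary; the file paths and the export password are placeholders.

```sh
#!/bin/sh
# Convert an exported Exchange .pfx into the PEM files Squid expects and
# sanity-check them before referencing them in https_port/cache_peer.
# Requires a working `openssl` binary; paths/passwords are placeholders.
set -eu

# pfx_to_pem PFX EXPORT_PASSWORD OUTDIR
# Writes OUTDIR/cert.pem (certificate only) and OUTDIR/key.pem (private key).
# -nodes leaves the key unencrypted, so a daemon can load it without being
# prompted for a PEM passphrase; the subshell's umask keeps both files 0600.
pfx_to_pem() {
    pfx=$1; pass=$2; out=$3
    mkdir -p "$out"
    (
        umask 077
        openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts \
            -out "$out/cert.pem"
        openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
            -out "$out/key.pem"
    )
}

# cert_key_match CERT KEY: succeeds only if KEY's public half is the one
# embedded in CERT (catches a certificate exported alongside the wrong key).
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# cert_cn CERT: prints the subject CN, to compare against the external
# hostname clients connect to (the name given to defaultsite=).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Example run with placeholder values (not taken from the thread):
# pfx_to_pem /tmp/msexch_export.pfx 'export-password' /opt/squid27/etc/certs
# cert_key_match /opt/squid27/etc/certs/cert.pem /opt/squid27/etc/certs/key.pem \
#     && echo "cert and key match, CN=$(cert_cn /opt/squid27/etc/certs/cert.pem)"
```

If the printed CN is not the public hostname, clients will get a name mismatch regardless of how defaultsite= is set, which is the situation the thread's self-signed-certificate question is about.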