Hi Amos,
One thing I forgot to mentioned
/etc/hosts has this entry
10.200.22.12 mail.airarabia.ae
Output of " host mail.airarabia.ae " from dns is ->
mail.airarabia.ae has address 10.200.9.20
User (browser) reads the host file from individual PCs
cat /etc/hosts | grep "mail.airarabia.ae"
10.200.22.49 mail.airarabia.ae
10.200.22.49 <- squid proxy ip
10.200.22.12 <- OWA ip
Please find the answers below.
//Remy
On Sun, 2009-05-17 at 18:16 +1200, Amos Jeffries wrote:
> Mario Remy Almeida wrote:
> > Hi Amos,
> >
> > I followed the instruction as per
> > http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess
> >
> > But I am some how failing to configure https.
> >
> > My squid.conf
> > ========================================================================
> > https_port 443 defaultsite=mail.airarabia.ae \
> > cert=/etc/squid/keys/cert.pem key=/etc/squid/keys/key.pem
>
> Okay two extra things about the port:
> 1) unless you have the wilcard cert its best to specify the IP:port
> combo and generate the cert for those IP:port. That way you can use
> other IP for other domains and be sure Squid is sending SSL on the right IP.
changed it to ->
https_port 10.200.22.49:443 defaultsite=mail.airarabia.ae \
cert=/etc/squid/keys/cert.pem key=/etc/squid/keys/key.pem
>
> 2) check that the cert/key are correct for the IP:port squid is
> listening on.
use this command to generate the ssl certificate
openssl req -x509 -days 365 -newkey rsa:1024 -keyout key.pem -nodes
\-out cert.pem
>
>
> > cache_peer 10.200.22.12 parent 80 0 no-query originserver login=PASS \
> > front-end-https=on login=PASS name=owaServer
>
> So OWA is listening on port 80?
yes on port 80 no issue
>
> > cache_peer_access owaServer allow OWA
> > acl OWA dstdomain mail.airarabia.ae
> > http_access allow OWA
> > miss_access allow OWA
> > miss_access deny all
>
> Missing:
> never_direct allow OWA
Actually I forgot to mention it here
It is specified in squid.conf
>
> that bit is important to prevent Squid even attempting to request a
> connection direct to OWA without the peerage settings.
>
> Amos
>
> >
> > cache.log
> > ========================================================================
> > 2009/05/17 13:32:12| fwdNegotiateSSL: Error negotiating SSL connection \
> > on FD 24: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
> > 2009/05/17 13:32:12| fwdNegotiateSSL: Error negotiating SSL connection \
> > on FD 24: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
> > 2009/05/17 13:32:13| fwdNegotiateSSL: Error negotiating SSL connection \
> > on FD 24: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
> >
> > Error on the browser
> > ========================================================================
> > While trying to retrieve the URL: https://mail.airarabia.ae/exchweb/
> >
> > The following error was encountered:
> >
> > * Connection to 10.200.22.12 Failed
> >
> > The system returned:
> >
> > (71) Protocol error
> >
> > The remote host or network may be down. Please try the request again.
> >
> >
> > Please help
> >
> > //Remy
> >
> >
> > On Fri, 2009-05-15 at 16:35 +1200, Amos Jeffries wrote:
> >> Mario Remy Almeida wrote:
> >>> Hi All,
> >>>
> >>> Need to setup Reverse proxy
> >>>
> >>> I have
> >>>
> >>> Squid 2.7STABLE6
> >>> OS Centos
> >>>
> >>> Web server= Microsoft Outlook Web Access
> >>> SSL enabled
> >>> port 443
> >>>
> >>>
> >>> My squid config is as below
> >>>
> >>> acl vhosts1_domains dstdomain mail.airarabiauae.com
> >>> http_port 443 accel defaultsite=mail.airarabiauae.com vhost
> >>> cache_peer 10.200.22.12 parent 443 0 no-query originserver name=vhost1 \
> >>> ssl
> >>> cache_peer_access vhost1 allow vhosts1_domains
> >>>
> >>> Please someone tell me it that is the right way to configure it.
> >>>
> >> No. Here is the tutorial:
> >>
> >> http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess
> >>
> >> port 443 is often encrypted. It requires the https_port option instead
> >> of http_port, and the certificate as well.
> >>
> >> The peer part may be correct, or further ssl-related options may be
> >> needed. It depends on your peer so I can't say for certain unless you
> >> actually hit a problem.
> >>
> >>
> >> Amos
> >
>
> Amos
------------------------------------------------------------------------------
Disclaimer and Confidentiality
This material has been checked for computer viruses and although none has
been found, we cannot guarantee that it is completely free from such problems
and do not accept any liability for loss or damage which may be caused.
Please therefore check any attachments for viruses before using them on your
own equipment. If you do find a computer virus please inform us immediately
so that we may take appropriate action. This communication is intended solely
for the addressee and is confidential. If you are not the intended recipient,
any disclosure, copying, distribution or any action taken or omitted to be
taken in reliance on it, is prohibited and may be unlawful. The views
expressed in this message are those of the individual sender, and may not
necessarily be that of ISA.
Received on Sun May 17 2009 - 06:45:37 MDT
This archive was generated by hypermail 2.2.0 : Sun May 17 2009 - 12:00:01 MDT