Re: [squid-users] Reverse Proxy

My squid.conf

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl localnet src 10.200.2.0/24
acl OWA dstdomain webmail.airarabia.ae
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow OWA all
http_access allow localnet
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
miss_access allow OWA
miss_access deny all
http_port 10.200.22.49:80 defaultsite=webmail.airarabia.ae
https_port 10.200.22.49:443 defaultsite=webmail.airarabia.ae
cert=/etc/squid/keys/proxycert.pem key=/etc/squid/keys/proxykey.pem
cache_peer 10.200.22.12 parent 80 0 no-query originserver login=PASS
front-end-https=on login=PASS name=owaServer
cache_peer proxy1.emirates.net.ae parent 8080 0 no-query default
cache_peer_access owaServer allow OWA
hierarchy_stoplist cgi-bin ?
cache_dir aufs /cache 29000 16 256
logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %
mt
logformat mysql_columns %ts.%03tu %6tr %>a %Ss %03Hs %<st %rm %ru %un %
Sh %<A %mt
access_log /var/log/squid/access.log squid
access_log daemon:/usr/lib64/squid/db.cf mysql_columns
logfile_daemon /usr/lib64/squid/logmysqldb_daemon
pid_filename /var/run/squid.pid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
prefer_direct off
never_direct allow OWA
coredump_dir /var/spool/squid

OUTPUT of "host webmail.airarabia.ae" taking from DNS
webmail.airarabia.ae has address 10.200.22.12

clients browser
proxy set to 10.200.22.49 port 80
NO by-pass

Now confused with DNS what should be the DNS entires.

the clients will not by-pass.

should the DNS entry for webmail.airarabia.ae point to the OWA IP or to
Squid Proxy?

Please help as I am confused.

//Remy

On Sun, 2009-05-17 at 19:33 +1200, Amos Jeffries wrote:
> Mario Remy Almeida wrote:
> > Hi Amos,
> >
> > One thing I forgot to mentioned
> >
> > /etc/hosts has this entry
> > 10.200.22.12 mail.airarabia.ae
> >
> > Output of " host mail.airarabia.ae " from dns is ->
> > mail.airarabia.ae has address 10.200.9.20
> >
> >
> > User (browser) reads the host file from individual PCs
> > cat /etc/hosts | grep "mail.airarabia.ae"
> > 10.200.22.49 mail.airarabia.ae
> >
> >
> > 10.200.22.49 <- squid proxy ip
> > 10.200.22.12 <- OWA ip
>
> This could cause you some problems administering it.
>
> My advice on this is to setup DNS pointing at Squid for the HTTPS domain
> name, set squid.conf with the right OWA IP as a peer, and not have the
> individual hosts file overrides.
>
> The fact that the public IP for the domain is different to both the
> squid IP and the real OWA/Exchange IP is worrying. I trust that you know
> what destinations should be.
>
> Amos
>
> >
> > Please find the answers below.
> >
> > //Remy
> >
> > On Sun, 2009-05-17 at 18:16 +1200, Amos Jeffries wrote:
> >> Mario Remy Almeida wrote:
> >>> Hi Amos,
> >>>
> >>> I followed the instruction as per
> >>> http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess
> >>>
> >>> But I am some how failing to configure https.
> >>>
> >>> My squid.conf
> >>> ========================================================================
> >>> https_port 443 defaultsite=mail.airarabia.ae \
> >>> cert=/etc/squid/keys/cert.pem key=/etc/squid/keys/key.pem
> >> Okay two extra things about the port:
> >> 1) unless you have the wilcard cert its best to specify the IP:port
> >> combo and generate the cert for those IP:port. That way you can use
> >> other IP for other domains and be sure Squid is sending SSL on the right IP.
> > changed it to ->
> > https_port 10.200.22.49:443 defaultsite=mail.airarabia.ae \
> > cert=/etc/squid/keys/cert.pem key=/etc/squid/keys/key.pem
> >
> >> 2) check that the cert/key are correct for the IP:port squid is
> >> listening on.
> >
> > use this command to generate the ssl certificate
> >
> > openssl req -x509 -days 365 -newkey rsa:1024 -keyout key.pem -nodes
> > \-out cert.pem
> >
>
> The keys do need to be signed in some way before they are valid for use.
> This looks like a key creation-only command, though with SSL certs I
> only know enough to follow the tutorials. Doing that (for all key steps)
> I've never had a problem.
>
> Amos
>
> >
> >>
> >>> cache_peer 10.200.22.12 parent 80 0 no-query originserver login=PASS \
> >>> front-end-https=on login=PASS name=owaServer
> >> So OWA is listening on port 80?
> > yes on port 80 no issue
> >
> >>> cache_peer_access owaServer allow OWA
> >>> acl OWA dstdomain mail.airarabia.ae
> >>> http_access allow OWA
> >>> miss_access allow OWA
> >>> miss_access deny all
> >> Missing:
> >> never_direct allow OWA
> > Actually I forgot to mention it here
> > It is specified in squid.conf
> >
> >> that bit is important to prevent Squid even attempting to request a
> >> connection direct to OWA without the peerage settings.
> >>
> >> Amos
> >>
> >>> cache.log
> >>> ========================================================================
> >>> 2009/05/17 13:32:12| fwdNegotiateSSL: Error negotiating SSL connection \
> >>> on FD 24: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
> >>> 2009/05/17 13:32:12| fwdNegotiateSSL: Error negotiating SSL connection \
> >>> on FD 24: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
> >>> 2009/05/17 13:32:13| fwdNegotiateSSL: Error negotiating SSL connection \
> >>> on FD 24: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
> >>>
> >>> Error on the browser
> >>> ========================================================================
> >>> While trying to retrieve the URL: https://mail.airarabia.ae/exchweb/
> >>>
> >>> The following error was encountered:
> >>>
> >>> * Connection to 10.200.22.12 Failed
> >>>
> >>> The system returned:
> >>>
> >>> (71) Protocol error
> >>>
> >>> The remote host or network may be down. Please try the request again.
> >>>
> >>>
> >>> Please help
> >>>
> >>> //Remy
> >>>
> >>>
> >>> On Fri, 2009-05-15 at 16:35 +1200, Amos Jeffries wrote:
> >>>> Mario Remy Almeida wrote:
> >>>>> Hi All,
> >>>>>
> >>>>> Need to setup Reverse proxy
> >>>>>
> >>>>> I have
> >>>>>
> >>>>> Squid 2.7STABLE6
> >>>>> OS Centos
> >>>>>
> >>>>> Web server= Microsoft Outlook Web Access
> >>>>> SSL enabled
> >>>>> port 443
> >>>>>
> >>>>>
> >>>>> My squid config is as below
> >>>>>
> >>>>> acl vhosts1_domains dstdomain mail.airarabiauae.com
> >>>>> http_port 443 accel defaultsite=mail.airarabiauae.com vhost
> >>>>> cache_peer 10.200.22.12 parent 443 0 no-query originserver name=vhost1 \
> >>>>> ssl
> >>>>> cache_peer_access vhost1 allow vhosts1_domains
> >>>>>
> >>>>> Please someone tell me it that is the right way to configure it.
> >>>>>
> >>>> No. Here is the tutorial:
> >>>>
> >>>> http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess
> >>>>
> >>>> port 443 is often encrypted. It requires the https_port option instead
> >>>> of http_port, and the certificate as well.
> >>>>
> >>>> The peer part may be correct, or further ssl-related options may be
> >>>> needed. It depends on your peer so I can't say for certain unless you
> >>>> actually hit a problem.
> >>>>
> >>>>
> >>>> Amos
> >> Amos
> >
>
> Amos

-- 
Mario Remy Almeida
Linux System Administrator
ISA
O: 06588817
M: 0508643912
E: malmeida_at_isaaviation.ae
------------------------------------------------------------------------------
Disclaimer and Confidentiality
This material has been checked for  computer viruses and although none has
been found, we cannot guarantee  that it is completely free from such problems
and do not accept any  liability for loss or damage which may be caused.
Please therefore  check any attachments for viruses before using them on your
own  equipment. If you do find a computer virus please inform us immediately
so that we may take appropriate action. This communication is intended  solely
for the addressee and is confidential. If you are not the intended recipient,
any disclosure, copying, distribution or any action  taken or omitted to be
taken in reliance on it, is prohibited and may be  unlawful. The views
expressed in this message are those of the  individual sender, and may not
necessarily be that of ISA.