Re: [squid-users] Reverse Proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 18 May 2009 00:57:40 +1200

Mario Remy Almeida wrote:
> My squid.conf
>
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl localnet src 10.200.2.0/24
> acl OWA dstdomain webmail.airarabia.ae
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow OWA all
> http_access allow localnet
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> icp_access allow localnet
> icp_access deny all
> miss_access allow OWA
> miss_access deny all
> http_port 10.200.22.49:80 defaultsite=webmail.airarabia.ae
> https_port 10.200.22.49:443 defaultsite=webmail.airarabia.ae
> cert=/etc/squid/keys/proxycert.pem key=/etc/squid/keys/proxykey.pem
> cache_peer 10.200.22.12 parent 80 0 no-query originserver login=PASS
> front-end-https=on login=PASS name=owaServer
> cache_peer proxy1.emirates.net.ae parent 8080 0 no-query default
> cache_peer_access owaServer allow OWA
> hierarchy_stoplist cgi-bin ?
> cache_dir aufs /cache 29000 16 256
> logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
> logformat mysql_columns %ts.%03tu %6tr %>a %Ss %03Hs %<st %rm %ru %un
> %Sh %<A %mt
> access_log /var/log/squid/access.log squid
> access_log daemon:/usr/lib64/squid/db.cf mysql_columns
> logfile_daemon /usr/lib64/squid/logmysqldb_daemon
> pid_filename /var/run/squid.pid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
> upgrade_http0.9 deny shoutcast
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> prefer_direct off
> never_direct allow OWA
> coredump_dir /var/spool/squid
>
>
> OUTPUT of "host webmail.airarabia.ae" taking from DNS
> webmail.airarabia.ae has address 10.200.22.12
>
>
> clients browser
> proxy set to 10.200.22.49 port 80
> NO by-pass
>
> Now confused with DNS what should be the DNS entries.
>
> the clients will not by-pass.
>
> should the DNS entry point to the OWA IP or to Squid Proxy?
>
>
> Please help as I am confused.
>

Oh, I see...

You need this:

10.200.22.49 -> SquidProxy
10.200.22.12 -> OWA
10.200.2.22 -> DNS Server

DNS Entries,
  webmail.airarabia.com pointing to 10.200.22.49 (HTTP, HTTPS stuff)
  mail.airarabia.com pointing to 10.200.22.12 (SMTP stuff)

On Squid Proxy Server,

/etc/resolv.conf:
    nameserver 10.200.2.22

/etc/hosts:
   127.0.0.1 localhost

squid.conf as above but:

  http_port 10.200.22.49:80 accel defaultsite=webmail.airarabia.ae
  https_port 10.200.22.49:443 accel defaultsite=webmail.airarabia.ae \
     cert=/etc/squid/keys/proxycert.pem key=/etc/squid/keys/proxykey.pem

  cache_peer 10.200.22.12 parent 80 0 no-query originserver login=PASS \
     front-end-https=on name=owaServer
  cache_peer_access owaServer allow OWA

  cache_peer proxy1.emirates.net.ae parent 8080 0 no-query default
  cache_peer_access proxy1.emirates.net.ae allow !OWA

NOTE the 'accel' option on ports and "!OWA" on default parent peer access.

Amos

> //Remy
>
> On Sun, 2009-05-17 at 19:33 +1200, Amos Jeffries wrote:
>> Mario Remy Almeida wrote:
>> > Hi Amos,
>> >
>> > One thing I forgot to mention
>> >
>> > /etc/hosts has this entry
>> > 10.200.22.12 mail.airarabia.ae
>> >
>> > Output of " host mail.airarabia.ae " from dns is ->
>> > mail.airarabia.ae has address 10.200.9.20
>> >
>> >
>> > User (browser) reads the host file from individual PCs
>> > cat /etc/hosts | grep "mail.airarabia.ae"
>> > 10.200.22.49 mail.airarabia.ae
>> >
>> >
>> > 10.200.22.49 <- squid proxy ip
>> > 10.200.22.12 <- OWA ip
>>
>> This could cause you some problems administering it.
>>
>> My advice on this is to setup DNS pointing at Squid for the HTTPS domain
>> name, set squid.conf with the right OWA IP as a peer, and not have the
>> individual hosts file overrides.
>>
>> The fact that the public IP for the domain is different to both the
>> squid IP and the real OWA/Exchange IP is worrying. I trust that you know
>> what destinations should be.
>>
>> Amos
>>
>> >
>> > Please find the answers below.
>> >
>> > //Remy
>> >
>> > On Sun, 2009-05-17 at 18:16 +1200, Amos Jeffries wrote:
>> >> Mario Remy Almeida wrote:
>> >>> Hi Amos,
>> >>>
>> >>> I followed the instruction as per
>> >>> http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess
>> >>>
>> >>> But I am somehow failing to configure https.
>> >>>
>> >>> My squid.conf
>> >>> ========================================================================
>> >>> https_port 443 defaultsite=mail.airarabia.ae \
>> >>> cert=/etc/squid/keys/cert.pem key=/etc/squid/keys/key.pem
>> >> Okay two extra things about the port:
>> >> 1) unless you have the wildcard cert it's best to specify the IP:port
>> >> combo and generate the cert for those IP:port. That way you can use
>> >> other IP for other domains and be sure Squid is sending SSL on the right IP.
>> > changed it to ->
>> > https_port 10.200.22.49:443 defaultsite=mail.airarabia.ae \
>> > cert=/etc/squid/keys/cert.pem key=/etc/squid/keys/key.pem
>> >
>> >> 2) check that the cert/key are correct for the IP:port squid is
>> >> listening on.
>> >
>> > use this command to generate the ssl certificate
>> >
>> > openssl req -x509 -days 365 -newkey rsa:1024 -keyout key.pem -nodes \
>> >     -out cert.pem
>> >
>>
>> The keys do need to be signed in some way before they are valid for use.
>> This looks like a key creation-only command, though with SSL certs I
>> only know enough to follow the tutorials. Doing that (for all key steps)
>> I've never had a problem.
>>
>> Amos
>>
>> >
>> >>
>> >>> cache_peer 10.200.22.12 parent 80 0 no-query originserver login=PASS \
>> >>> front-end-https=on login=PASS name=owaServer
>> >> So OWA is listening on port 80?
>> > yes on port 80 no issue
>> >
>> >>> cache_peer_access owaServer allow OWA
>> >>> acl OWA dstdomain mail.airarabia.ae
>> >>> http_access allow OWA
>> >>> miss_access allow OWA
>> >>> miss_access deny all
>> >> Missing:
>> >> never_direct allow OWA
>> > Actually I forgot to mention it here
>> > It is specified in squid.conf
>> >
>> >> that bit is important to prevent Squid even attempting to request a
>> >> connection direct to OWA without the peerage settings.
>> >>
>> >> Amos
>> >>
>> >>> cache.log
>> >>> ========================================================================
>> >>> 2009/05/17 13:32:12| fwdNegotiateSSL: Error negotiating SSL connection \
>> >>> on FD 24: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
>> >>> 2009/05/17 13:32:12| fwdNegotiateSSL: Error negotiating SSL connection \
>> >>> on FD 24: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
>> >>> 2009/05/17 13:32:13| fwdNegotiateSSL: Error negotiating SSL connection \
>> >>> on FD 24: error:00000000:lib(0):func(0):reason(0) (5/-1/104)
>> >>>
>> >>> Error on the browser
>> >>> ========================================================================
>> >>> While trying to retrieve the URL: https://mail.airarabia.ae/exchweb/
>> >>>
>> >>> The following error was encountered:
>> >>>
>> >>> * Connection to 10.200.22.12 Failed
>> >>>
>> >>> The system returned:
>> >>>
>> >>> (71) Protocol error
>> >>>
>> >>> The remote host or network may be down. Please try the request again.
>> >>>
>> >>>
>> >>> Please help
>> >>>
>> >>> //Remy
>> >>>
>> >>>
>> >>> On Fri, 2009-05-15 at 16:35 +1200, Amos Jeffries wrote:
>> >>>> Mario Remy Almeida wrote:
>> >>>>> Hi All,
>> >>>>>
>> >>>>> Need to setup Reverse proxy
>> >>>>>
>> >>>>> I have
>> >>>>>
>> >>>>> Squid 2.7STABLE6
>> >>>>> OS Centos
>> >>>>>
>> >>>>> Web server= Microsoft Outlook Web Access
>> >>>>> SSL enabled
>> >>>>> port 443
>> >>>>>
>> >>>>>
>> >>>>> My squid config is as below
>> >>>>>
>> >>>>> acl vhosts1_domains dstdomain mail.airarabiauae.com
>> >>>>> http_port 443 accel defaultsite=mail.airarabiauae.com vhost
>> >>>>> cache_peer 10.200.22.12 parent 443 0 no-query originserver name=vhost1 \
>> >>>>> ssl
>> >>>>> cache_peer_access vhost1 allow vhosts1_domains
>> >>>>>
>> >>>>> Please someone tell me if that is the right way to configure it.
>> >>>>>
>> >>>> No. Here is the tutorial:
>> >>>>
>> >>>> http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess
>> >>>>
>> >>>> port 443 is often encrypted. It requires the https_port option instead
>> >>>> of http_port, and the certificate as well.
>> >>>>
>> >>>> The peer part may be correct, or further ssl-related options may be
>> >>>> needed. It depends on your peer so I can't say for certain unless you
>> >>>> actually hit a problem.
>> >>>>
>> >>>>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
   Current Beta Squid 3.1.0.7
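The point of Amos's "!OWA" note above is first-match ACL evaluation: a peer with no cache_peer_access line is usable for every request, so without `allow !OWA` the default ISP parent is also a legal route for webmail requests. The following Python script is an added example, not code from this thread or from the Squid project; it models Squid's first-match semantics (terms on a line ANDed, first matching line wins, no match gives the opposite of the last line) for the http_access and cache_peer_access lines quoted above, and deliberately ignores peer health checks, request-time DNS and the `default`/`prefer_direct` fallback logic that real Squid adds on top. The ACL table, peer names and sample requests are constructed from the quoted squid.conf.

```python
"""Toy model of Squid's first-match ACL evaluation, used to check which
peers the quoted http_access / cache_peer_access rules let a request reach.
Added example: not from the mailing-list thread or the Squid project, and a
simplification (no peer health, no DNS, no default-parent fallback logic)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str          # client IP address
    dstdomain: str    # destination host name
    port: int         # destination port
    method: str = "GET"


# ACL table modelled on the squid.conf quoted above (constructed subset).
_LOCALNET = ipaddress.ip_network("10.200.2.0/24")
_SAFE = {80, 21, 443, 70, 210, 280, 488, 591, 777}

ACLS = {
    "all": lambda r: True,
    "localhost": lambda r: r.src == "127.0.0.1",
    # Use a real network object: a string prefix test such as
    # src.startswith("10.200.2.") would also match 10.200.22.0/24.
    "localnet": lambda r: ipaddress.ip_address(r.src) in _LOCALNET,
    "OWA": lambda r: r.dstdomain == "webmail.airarabia.ae",
    "SSL_ports": lambda r: r.port == 443,
    "Safe_ports": lambda r: r.port in _SAFE or 1025 <= r.port <= 65535,
    "CONNECT": lambda r: r.method == "CONNECT",
}


def term_matches(term, req):
    """One ACL name on a rule line; a leading '!' negates it."""
    if term.startswith("!"):
        return not ACLS[term[1:]](req)
    return ACLS[term](req)


def first_match(rules, req):
    """Squid semantics: terms on one line are ANDed, the first matching
    line decides, and if no line matches the result is the opposite of
    the last line's action."""
    for action, terms in rules:
        if all(term_matches(t, req) for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# http_access lines from the quoted squid.conf, in order (manager lines
# omitted because the 'manager' ACL is not modelled here).
HTTP_ACCESS = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["OWA", "all"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]


def peers_allowed(peer_rules, req):
    """Peers that cache_peer_access lets this request use, in config order.
    peer_rules maps peer name -> ordered rule list; a peer with no
    cache_peer_access line at all is allowed for every request."""
    return [name for name, rules in peer_rules.items()
            if not rules or first_match(rules, req) == "allow"]


# Before the fix: the default parent has no cache_peer_access line.
PEERS_BEFORE = {
    "owaServer": [("allow", ["OWA"])],
    "proxy1.emirates.net.ae": [],
}
# After the fix from the reply: 'allow !OWA' on the default parent.
PEERS_AFTER = {
    "owaServer": [("allow", ["OWA"])],
    "proxy1.emirates.net.ae": [("allow", ["!OWA"])],
}

if __name__ == "__main__":
    owa = Request("192.0.2.10", "webmail.airarabia.ae", 443)
    other = Request("10.200.2.5", "www.example.com", 80)
    for label, rules in (("before", PEERS_BEFORE), ("after", PEERS_AFTER)):
        print(label, "OWA request   ->", peers_allowed(rules, owa))
        print(label, "other request ->", peers_allowed(rules, other))
```

Running it shows that before the fix an OWA request is eligible for both `owaServer` and `proxy1.emirates.net.ae`, and after the fix only for `owaServer`, while a request for any other domain still goes to the ISP parent only. The `localnet` check is also worth keeping as a network object rather than a string prefix: `10.200.22.49` (the Squid box itself) is not in `10.200.2.0/24` and must not be treated as if it were.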
Received on Sun May 17 2009 - 12:57:49 MDT
