[squid-users] RPC Over HTTPS

From: Mario Remy Almeida <malmeida_at_isaaviation.ae>
Date: Thu, 11 Jun 2009 20:15:46 +0400

Hi All,

I have successfully configured reverse proxy,

But I have an issue with RPC over HTTPS.

Testing my setup with the following link
https://www.testexchangeconnectivity.com/

have the below error

Attempting to ping RPC Endpoint 6001 (Exchange Information Store) on
server hubsexchange.airarabiauae.com Failed to ping Endpoint
Additional Details An RPC Error was thrown by the RPC Runtime. Error
1818 1818

What could be the problem?

squid -v
==========================================================
Squid Cache: Version 2.7.STABLE6
configure options: '--host=x86_64-redhat-linux-gnu'
'--build=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--exec_prefix=/usr' '--bindir=/usr/sbin'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-epoll'
'--enable-snmp' '--enable-removal-policies=heap,lru'
'--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl'
'--with-openssl=/usr/kerberos' '--enable-delay-pools'
'--enable-linux-netfilter' '--enable-linux-tproxy' '--with-pthreads'
'--enable-ntlm-auth-helpers=SMB,fakeauth'
'--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-digest-auth-helpers=password' '--enable-useragent-log' '--enable-referer-log' '--disable-dependency-tracking' '--enable-cachemgr-hostname=localhost' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-cache-digests' '--enable-ident-lookups' '--enable-follow-x-forwarded-for' '--enable-wccpv2' '--enable-x-accelerator-vary' '--enable-xmalloc-statistics' '--enable-icmp' '--enable-kill-parent-hack' '--enable-arp-acl' '--enable-default-err-language=English' '--enable-err-languages=English' '--disable-http-violations' '--enable-large-cache-files' '--with-dl' '--with-maxfd=16384' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux' 'CFLAGS=-fPIE -Os -g -pipe -fsigned-char -O2 -g -m64 -mtune=generic' 'LDFLAGS=-pie'
==========================================================

squid.conf as below
=========================================
# ACL definitions. These only name match conditions; the http_access,
# snmp_access, follow_x_forwarded_for and cache_peer_access rules later in the
# file decide what each name is allowed to do.
acl all src all
acl manager proto cache_object
# NOTE(review): "localhost" is wider than loopback here — it also contains
# 10.200.8.20, the address the accel http_port/https_port lines bind to.
# Every rule that trusts "localhost" (manager, PURGE, SNMP,
# follow_x_forwarded_for) therefore trusts that address as well.
acl localhost src 127.0.0.1/32 10.200.8.20
# to_localhost is defined but not referenced by any rule shown in this file.
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl PURGE method PURGE
acl localnet src 10.200.2.0/24
# NOTE(review): "public" is the well-known default SNMP community string.
# A site-specific value is preferable even though snmp_access restricts
# queries to the localhost ACL.
acl snmppublic snmp_community public
# Destination-domain match used to send reverse-proxy traffic to the Exchange peer.
acl OWA dstdomain mail.airarabia.ae
# http_access rules are checked top to bottom; the first matching line decides.
# Cache-manager requests are accepted only from the localhost ACL.
http_access allow manager localhost
http_access deny manager
# NOTE(review): no "http_access deny PURGE" follows this line, so a PURGE
# request that matches a later allow rule (OWA all, localnet) is accepted too.
# The usual pairing is: allow PURGE from the trusted source, then deny PURGE.
http_access allow localhost PURGE
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Reverse-proxy rule: any source address may request the OWA domain.
http_access allow OWA all
# Forward-proxy use is limited to localnet and the localhost ACL.
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
miss_access allow OWA
reply_body_max_size 52428800 allow all
# NOTE(review): with acl_uses_indirect_client on, src ACLs are matched against
# the address taken from X-Forwarded-For whenever the connecting client is in
# localnet or localhost. Every host in those ACLs is thereby trusted to assert
# the client address, including one that matches "localhost". Keep this list
# limited to front-end proxies under your control.
follow_x_forwarded_for allow localnet
follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
ssl_unclean_shutdown on
# NOTE(review): DONT_VERIFY_PEER switches off certificate verification for
# Squid's outgoing TLS connections, so the server on the far side is not
# authenticated. Prefer configuring the trusted CA (sslproxy_cafile) and
# removing this flag.
sslproxy_flags DONT_VERIFY_PEER
# Listeners: one forward-proxy port plus the accelerator (reverse-proxy) ports.
# NOTE(review): "http_port 8080" names no address, so it listens on every
# interface; only the http_access rules keep outside clients from using it as
# a forward proxy. Binding it to the internal address would narrow exposure.
http_port 8080
http_port 10.200.8.20:80 accel defaultsite=mail.airarabia.ae vhost

# TLS accelerator port for the published mail host.
# NOTE(review): cert= and key= both name airarabia_key.pem, while the
# cache_peer line below uses airarabia_crt.pem as the certificate. That works
# only if the key file also contains the certificate — confirm. The private
# key file should be readable by the Squid user only.
https_port 10.200.8.20:443 accel \
cert=/etc/squid/keys/airarabia_key.pem \
key=/etc/squid/keys/airarabia_key.pem defaultsite=mail.airarabia.ae
# Upstream parent proxy used for everything that is not the OWA domain.
cache_peer proxy1.emirates.net.ae parent 8080 0 no-query default
# Exchange back end reached over TLS as an origin server. login=PASS relays
# the client's credentials to this peer.
# NOTE(review): sslflags=DONT_VERIFY_PEER means the peer's certificate is not
# checked, so the relayed credentials go to an unauthenticated endpoint.
# Supplying the issuing CA with sslcafile= and dropping the flag closes that gap.
# NOTE(review): sslcert=/sslkey= present the site's own certificate and key to
# the peer as a client certificate — confirm the back end actually requires one.
cache_peer mail.airarabia.ae parent 443 0 no-query \
originserver front-end-https=on login=PASS name=owaServer \
ssl sslcert=/etc/squid/keys/airarabia_crt.pem \
sslkey=/etc/squid/keys/airarabia_key.pem sslflags=DONT_VERIFY_PEER
# Peer selection: OWA traffic goes to the Exchange peer, everything else to the parent proxy.
cache_peer_access owaServer allow OWA
cache_peer_access proxy1.emirates.net.ae allow !OWA
# Cache sizing and replacement policy.
hierarchy_stoplist cgi-bin ?
cache_mem 600 MB
maximum_object_size_in_memory 20 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap GDSF
cache_dir aufs /cache 29000 16 256
store_dir_select_algorithm least-load
max_open_disk_fds 0
minimum_object_size 0 KB
maximum_object_size 1096 MB
cache_swap_low 90
cache_swap_high 95
# Logging.
# NOTE(review): each of the two logformat definitions below is split across
# two lines (after a "%"), which looks like mail-client wrapping. In a real
# squid.conf each definition must sit on a single line.
logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %
mt
logformat mysql_columns %ts.%03tu %6tr %>a %Ss %03Hs %<st %rm %ru %un %
Sh %<A %mt
# Access records go both to a local file and to a logging daemon.
access_log /var/log/squid/access.log squid
access_log daemon:/usr/lib64/squid/db.cf mysql_columns
logfile_daemon /usr/lib64/squid/logmysqldb_daemon
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
logfile_rotate 30
emulate_httpd_log on
log_ip_on_direct on
mime_table /etc/squid/mime.conf
# NOTE(review): log_mime_hdrs writes request and reply headers into the access
# log. This proxy fronts an authenticated service (login=PASS on the Exchange
# peer), so the logged headers can include Authorization values. Restrict read
# access to the log files and the database log target, and consider leaving
# this off outside of troubleshooting.
log_mime_hdrs on
# NOTE(review): ".lo" is probably a truncated ".log" — confirm.
useragent_log /var/log/squid/useragent.lo
referer_log /var/log/squid/referer.log
pid_filename /var/run/squid.pid
debug_options ALL,1
log_fqdn off
# Query strings are removed from logged URLs.
strip_query_terms on
buffered_logs off
# Helper programs, FTP behaviour and freshness rules.
netdb_filename /var/log/squid/netdb.state
ftp_list_width 64
ftp_passive on
ftp_sanitycheck on
ftp_telnet_protocol on
diskd_program /usr/lib64/squid/diskd-daemon
unlinkd_program /usr/lib64/squid/unlinkd
pinger_program /usr/lib64/squid/pinger
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
read_ahead_gap 16 KB
negative_ttl 2 minutes
positive_dns_ttl 9 hours
negative_dns_ttl 1 minute
minimum_expiry_time 30 seconds
store_objects_per_bucket 15
# Request/reply size limits.
request_header_max_size 20 KB
reply_header_max_size 25 KB
# NOTE(review): RPC over HTTP clients typically announce a very large
# Content-Length on RPC_IN_DATA requests; verify that this 50 MB cap does not
# reject them before looking elsewhere for the cause of the RPC ping failure.
request_body_max_size 50 MB
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
cache_vary on
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
collapsed_forwarding off
# Accept the two non-standard request methods used by RPC over HTTP.
extension_methods RPC_IN_DATA RPC_OUT_DATA
shutdown_lifetime 30 seconds
cache_mgr Rusol <rskender_at_airarabia.com>
mail_from Rusol <rskender_at_airarabia.com>
mail_program mail
# Squid runs as an unprivileged user and group.
cache_effective_user squid
cache_effective_group squid
# Do not advertise the Squid version in headers and error pages.
httpd_suppress_version_string on
visible_hostname vsquid-01-shj
# Files Squid creates are not accessible to "other" and not group-writable.
umask 027
# SNMP agent: a query must carry the snmppublic community AND come from the
# localhost ACL (which, as defined in this file, also includes 10.200.8.20).
snmp_port 3401
snmp_access allow snmppublic localhost
snmp_access deny all
icon_directory /usr/share/squid/icons
global_internal_static on
short_icon_urls on
nonhierarchical_direct on
prefer_direct off
# The second line already matches every request, so the OWA line is redundant:
# nothing is fetched directly, everything must go through a cache_peer.
never_direct allow OWA
never_direct allow all
max_filedescriptors 0
check_hostnames off
allow_underscore on
dns_timeout 2 minutes
hosts_file /etc/hosts
ignore_unknown_nameservers on
ipcache_size 2048
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
# The client address is not disclosed to upstream servers in X-Forwarded-For.
forwarded_for off
# All cache-manager actions are disabled.
cachemgr_passwd disable all
client_db off
uri_whitespace strip
coredump_dir /var/spool/squid
windows_ipaddrchangemonitor off
==========================================================

//Remy
