Re: [squid-users] [squid-2.7STABLE6-1] Problem RPC via HTTPS

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 11 Aug 2009 00:24:54 +1200

hdyugoplastika hdyugoplastika wrote:
> Hi all,
> I have a problem with RPC over HTTPS authentication with
> squid-2.7STABLE6-1 (rpm downloaded from squid-cache.org).
> I have a squid server (version 2.5STABLE14-1 + owa patch) where RPC over HTTPS
> authentication works fine. With both versions there is now a problem via OWA.
> These are the logs:
>
> access.log
> 10.223.0.71 - - [10/Aug/2009:11:03:56 +0200] "RPC_IN_DATA https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002 HTTP/1.1" 401 509 TCP_MISS:SOURCEHASH_PARENT
> 10.223.0.71 - - [10/Aug/2009:11:03:56 +0200] "RPC_OUT_DATA https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002 HTTP/1.1" 401 509 TCP_MISS:SOURCEHASH_PARENT
>
>
> cache.log (I include only what is, in my view, relevant)
> 2009/08/10 11:03:52| httpAppendBody: Request not yet fully sent "RPC_IN_DATA
> https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002"
> 2009/08/10 11:03:52| fwdComplete:
> https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002
> 2009/08/10 11:03:52| fwdReforward:
> https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002?
> 2009/08/10 11:03:52| fwdReforward: No, ENTRY_FWD_HDR_WAIT isn't set
> 2009/08/10 11:03:52| fwdComplete: not re-forwarding status 401
>
> and useful(?) exchange log:
> 2009-08-10 09:00:07 W3SVC1 MI1EXPROM1 10.223.247.61 GET
> /exchweb/bin/auth/owalogon.asp
> url=https://webmail.XXXxxxxx.it/exchange/&reason=0 443 - 192.168.21.245
> HTTP/1.1 libwww-perl/5.823 - - webmail.XXXxxxxx.it 200 0 0 9070 205 0
> 2009-08-10 09:00:38 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_OUT_DATA
> /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0
> MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 451 46
> 2009-08-10 09:00:38 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_IN_DATA
> /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0
> MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 448 124
> 2009-08-10 09:02:08 W3SVC1 MI1EXPROM1 10.223.247.61 GET
> /exchweb/bin/auth/owalogon.asp
> url=https://webmail.XXXxxxxx.it/exchange/&reason=0 443 - 192.168.21.245
> HTTP/1.1 libwww-perl/5.823 - - webmail.XXXxxxxx.it 200 0 0 9070 205 15
> 2009-08-10 09:03:52 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_IN_DATA
> /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0
> MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 344 0
> 2009-08-10 09:03:52 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_OUT_DATA
> /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0
> MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 451 0
> 2009-08-10 09:03:56 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_IN_DATA
> /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0
> MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 344 0
> 2009-08-10 09:03:56 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_OUT_DATA
> /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0
> MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 451 0
> 2009-08-10 09:04:07 W3SVC1 MI1EXPROM1 10.223.247.61 GET
> /exchweb/bin/auth/owalogon.asp
> url=https://webmail.XXXxxxxx.it/exchange/&reason=0 443 - 192.168.21.245
> HTTP/1.1 libwww-perl/5.823 - - webmail.XXXxxxxx.it 200 0 0 9070 205 0
>
> Below is the configuration:
> squid 2.5STABLE14-1 + owa patch
>
> http_port 80
> extension_methods RPC_IN_DATA RPC_OUT_DATA
> https_port 10.223.243.26:443 cert=/etc/squid/cert/wm.XXXxxxxx.it.cert key=/etc/squid/cert/wm.XXXxxxxx.it.private.key cafile=/etc/squid/cert/cafile.cert
> ssl_unclean_shutdown on
> cache_peer mail.XXXxxxxx.it parent 443 0 ssl sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only no-query no-digest front-end-https=on
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> emulate_httpd_log on
> log_ip_on_direct on
> debug_options ALL,1,83,2
> hosts_file /etc/hosts
> redirect_rewrites_host_header on
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> shutdown_lifetime 0 seconds
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl xxxxx src 192.168.55.0/24
> acl easy_bb src xxx.xxx.64.0/19
> acl easy_bb src xxx.xxx.224.0/19
> acl easy_bb src xxx.xxx.16.0/20
> acl easy_bb src xxx.xxx.81.0/24
> acl easy_bb src xxx.xxx.87.0/24
> acl easy_bb src xxx.xxx.26.0/24
> acl easy_bb src xxx.xxx.144.0/20
> acl easy_bb src xxx.xxx.240.0/20
> acl destination dst 10.223.243.24/32
> acl access_mail urlpath_regex -i "/etc/squid/users/access_mail.txt"
> acl access_url url_regex -i "/etc/squid/url_valid.txt"
> acl acl_pfa dstdomain webmail.XXXxxxxx.it
> http_access deny easy_bb
> http_access allow xxxxx
> http_access allow access_mail
> http_access allow access_url
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> cache_peer_access mail.XXXxxxxx.it allow acl_pfa
> cache_peer_access mail.XXXxxxxx.it deny all
> tcp_outgoing_address 10.223.247.203 xxxxx
> tcp_outgoing_address 10.223.247.201
> cache_mgr net_at_xxxxx.it
> cache_effective_user squid
> cache_effective_group squid
> visible_hostname webmail.XXXxxxxx.it
> httpd_accel_host virtual
> httpd_accel_port 443
> httpd_accel_single_host on
> httpd_accel_with_proxy off
> httpd_accel_uses_host_header on
> err_html_text .
> deny_info ERR_xxxxxXXX all
> deny_info ERR_xxxxxXXX access_mail
> never_direct allow all
> strip_query_terms off
> coredump_dir /var/spool/squid
> max_filedesc 4096
>
>
> Configuration
> squid.conf-2.7STABLE6-1
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> acl xxxxx src 192.168.55.0/24
> acl xxxxx src 10.221.121.0/24
> acl easy_bb src xxx.xxx.64.0/19
> acl easy_bb src xxx.xxx.224.0/19
> acl easy_bb src xxx.xxx.16.0/20
> acl easy_bb src xxx.xxx.81.0/24
> acl easy_bb src xxx.xxx.87.0/24
> acl easy_bb src xxx.xxx.26.0/24
> acl easy_bb src xxx.xxx.144.0/20
> acl easy_bb src xxx.xxx.240.0/20
> acl access_mail urlpath_regex -i "/etc/squid/users/access_mail.txt"
> acl access_url url_regex -i "/etc/squid/url_valid.txt"
> acl acl_pfa dstdomain webmail.XXXxxxxx.it
> http_access deny easy_bb
> http_access allow xxxxx
> http_access allow access_mail
> http_access allow access_url
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> ssl_unclean_shutdown on
> http_port 80 accel vhost
> https_port 10.223.247.201:443 accel vhost cert=/etc/squid/cert/wm.XXXxxxxx.it.cert key=/etc/squid/cert/wm.XXXxxxxx.it.private.key cafile=/etc/squid/cert/cafile.cert
> cache_peer mi1exprom1.nf.xxxxxXXX.it parent 443 0 ssl sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only no-query no-digest front-end-https=auto sourcehash round-robin originserver name=MI11

Do not use round-robin on these peers!

> cache_peer_access MI11 allow acl_pfa
> cache_peer_access MI11 deny all
> hierarchy_stoplist cgi-bin ?
> logformat combined2 %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %

You are also adding and removing a whole lot of settings to this one
since the working config.

I'd recommend going back to the original, removing the httpd_accel_* bits
and making the http_port/https_port and any other changes actually
needed to load the config. Then checking that that works before going on
to adjust the other settings.

This is clearly not the whole config because some important things like
Safe_ports definition are missing even from the working one.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13
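
Added example (not part of the thread, and not Squid project code): a small
Python lint that checks a squid.conf for the three things Amos points at
above, namely a cache_peer that combines more than one peer-selection option
(here sourcehash together with round-robin), ACLs that are referenced by an
access rule but never defined (Safe_ports in the posted config), and leftover
httpd_accel_* directives, which belong to 2.5 and are replaced by the accel
options on http_port/https_port in 2.7. As an extra caveat it warns on
sslflags=DONT_VERIFY_PEER, since that disables certificate verification of
the Exchange peer. The SAMPLE_CONF below is a constructed excerpt modelled on
the posted 2.7 config; the hostnames, address and paths are placeholders,
not the poster's real values.

```python
import re

# Constructed excerpt modelled on the 2.7 config in the thread.
# Hostnames, the listening address and cert paths are placeholders.
SAMPLE_CONF = """\
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl SSL_ports port 443
acl CONNECT method CONNECT
acl acl_pfa dstdomain webmail.example.invalid
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_port 80 accel vhost
https_port 192.0.2.1:443 accel vhost cert=/etc/squid/cert/wm.cert key=/etc/squid/cert/wm.key
cache_peer mail.example.invalid parent 443 0 ssl sslcert=/etc/squid/cert/peer.cert sslflags=DONT_VERIFY_PEER proxy-only no-query no-digest front-end-https=auto sourcehash round-robin originserver name=MI11
cache_peer_access MI11 allow acl_pfa
cache_peer_access MI11 deny all
httpd_accel_host virtual
httpd_accel_port 443
"""

# cache_peer options that each pick a parent-selection algorithm; a peer
# should carry at most one of them.
SELECTION_OPTS = {"round-robin", "weighted-round-robin", "sourcehash",
                  "userhash", "carp"}
# Directives that define which ACLs they reference: (directive, index of
# the first ACL name in the argument list).
ACL_RULES = {"http_access": 1, "http_reply_access": 1, "cache_peer_access": 2}
OBSOLETE_PREFIX = "httpd_accel_"


def parse(conf):
    """Yield (lineno, directive, args) for each non-comment, non-empty line."""
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield n, parts[0], parts[1:]


def lint(conf):
    """Return a list of (lineno, level, message) findings for conf."""
    findings = []
    defined = set()
    referenced = []  # (lineno, acl name without the leading '!')
    for n, directive, args in parse(conf):
        if directive == "acl" and args:
            defined.add(args[0])
        elif directive in ACL_RULES:
            for name in args[ACL_RULES[directive]:]:
                referenced.append((n, name.lstrip("!")))
        elif directive == "cache_peer":
            chosen = [a for a in args if a in SELECTION_OPTS]
            if len(chosen) > 1:
                findings.append((n, "ERROR",
                                 f"cache_peer mixes selection options {chosen}; keep only one"))
            if any(a.startswith("sslflags=") and "DONT_VERIFY_PEER" in a for a in args):
                findings.append((n, "WARN",
                                 "peer certificate verification is disabled (DONT_VERIFY_PEER)"))
        elif directive.startswith(OBSOLETE_PREFIX):
            findings.append((n, "ERROR",
                             f"{directive} is a 2.5 directive; use the accel options "
                             "on http_port/https_port instead"))
    for n, name in referenced:
        if name not in defined:
            findings.append((n, "ERROR", f"ACL '{name}' is referenced but never defined"))
    return findings


def undefined_acls(conf):
    """Convenience: names of ACLs that are used but never defined."""
    return sorted({re.match(r"ACL '(.+)' is referenced", m).group(1)
                   for _, _, m in lint(conf) if "never defined" in m})


if __name__ == "__main__":
    for lineno, level, msg in lint(SAMPLE_CONF):
        print(f"line {lineno}: {level}: {msg}")
```

Run it against the real file with `lint(open("/etc/squid/squid.conf").read())`.
It is deliberately dumb: it does not expand `include` lines and it does not
know every directive that takes ACL names, so treat a clean run as "the
obvious problems are gone" and still run `squid -k parse` before reloading.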
Received on Mon Aug 10 2009 - 12:25:11 MDT

This archive was generated by hypermail 2.2.0 : Tue Aug 11 2009 - 12:00:02 MDT