RE: [squid-users] [squid-2.7STABLE6-1]Problem RPC via HTTPS

From: hdyugoplastika hdyugoplastika <hdyugoplastika_at_hotmail.com>
Date: Tue, 11 Aug 2009 04:45:27 -0400

Hi Amos
I have "cleared" the configuration:

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl xxxxx src 192.168.55.0/24
acl xxxxx src 10.221.121.0/24
acl xxxxx src 10.223.0.71/32
http_access allow xxxxx
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
ssl_unclean_shutdown on
http_port 80 transparent
https_port 10.223.247.201:443 accel vhost cert=/etc/squid/cert/wm.XXXxxxxx.it.cert key=/etc/squid/cert/wm.XXXxxxxx.it.private.key cafile=/etc/squid/cert/cafile.cert
cache_peer mi1exprom1.nf.xxxxxXXX.it parent 443 0 ssl sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only no-query no-digest front-end-https=auto originserver name=MI11
cache_peer_access MI11 allow all
hierarchy_stoplist cgi-bin ?
logformat combined2 %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %

> Date: Tue, 11 Aug 2009 00:24:54 +1200
> From: squid3_at_treenet.co.nz
> To: hdyugoplastika_at_hotmail.com
> CC: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] [squid-2.7STABLE6-1]Problem RPC via HTTPS
>
> hdyugoplastika hdyugoplastika wrote:
>> Hi all
>> I have a problem with RPC over HTTPS authentication with
>> squid-2.7STABLE6-1 (rpm downloaded from squid-cache.org).
>> I have a squid server (version 2.5STABLE14-1 + owa patch) where RPC over HTTPS
>> authentication works fine. With both versions there is now a problem via OWA.
>> These are the log:
>>
>> access.log
>> 10.223.0.71 - - [10/Aug/2009:11:03:56 +0200] "RPC_IN_DATA https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002 HTTP/1.1" 401 509 TCP_MISS:SOURCEHASH_PARENT
>> 10.223.0.71 - - [10/Aug/2009:11:03:56 +0200] "RPC_OUT_DATA https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002 HTTP/1.1" 401 509 TCP_MISS:SOURCEHASH_PARENT
>>
>>
>> cache.log (I insert just what is, for me, relevant)
>> 2009/08/10 11:03:52| httpAppendBody: Request not yet fully sent "RPC_IN_DATA
>> https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002"
>> 2009/08/10 11:03:52| fwdComplete:
>> https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002
>> 2009/08/10 11:03:52| fwdReforward:
>> https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002?
>> 2009/08/10 11:03:52| fwdReforward: No, ENTRY_FWD_HDR_WAIT isn't set
>> 2009/08/10 11:03:52| fwdComplete: not re-forwarding status 401
>>
>> and useful(?) exchange log:
>> 2009-08-10 09:00:07 W3SVC1 MI1EXPROM1 10.223.247.61 GET
>> /exchweb/bin/auth/owalogon.asp
>> url=https://webmail.XXXxxxxx.it/exchange/&reason=0 443 - 192.168.21.245
>> HTTP/1.1 libwww-perl/5.823 - - webmail.XXXxxxxx.it 200 0 0 9070 205 0
>> 2009-08-10 09:00:38 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_OUT_DATA
>> /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0
>> MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 451 46
>> 2009-08-10 09:00:38 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_IN_DATA
>> /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0
>> MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 448 124
>> 2009-08-10 09:02:08 W3SVC1 MI1EXPROM1 10.223.247.61 GET
>> /exchweb/bin/auth/owalogon.asp
>> url=https://webmail.XXXxxxxx.it/exchange/&reason=0 443 - 192.168.21.245
>> HTTP/1.1 libwww-perl/5.823 - - webmail.XXXxxxxx.it 200 0 0 9070 205 15
>> 2009-08-10 09:03:52 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_IN_DATA
>> /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0
>> MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 344 0
>> 2009-08-10 09:03:52 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_OUT_DATA
>> /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0
>> MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 451 0
>> 2009-08-10 09:03:56 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_IN_DATA
>> /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0
>> MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 344 0
>> 2009-08-10 09:03:56 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_OUT_DATA
>> /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0
>> MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 451 0
>> 2009-08-10 09:04:07 W3SVC1 MI1EXPROM1 10.223.247.61 GET
>> /exchweb/bin/auth/owalogon.asp
>> url=https://webmail.XXXxxxxx.it/exchange/&reason=0 443 - 192.168.21.245
>> HTTP/1.1 libwww-perl/5.823 - - webmail.XXXxxxxx.it 200 0 0 9070 205 0
>>
>> Below the configuration:
>> squid 2.5STABLE14-1 + owa patch
>>
>> http_port 80
>> extension_methods RPC_IN_DATA RPC_OUT_DATA
>> https_port 10.223.243.26:443 cert=/etc/squid/cert/wm.XXXxxxxx.it.cert
>> key=/etc/squid/cert/wm.XXXxxxxx.it.private.key
>> cafile=/etc/squid/cert/cafile.cert
>> ssl_unclean_shutdown on
>> cache_peer mail.XXXxxxxx.it parent 443 0 ssl
>> sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only
>> no-query no-digest front-end-https=on
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> no_cache deny QUERY
>> emulate_httpd_log on
>> log_ip_on_direct on
>> debug_options ALL,1,83,2
>> hosts_file /etc/hosts
>> redirect_rewrites_host_header on
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> shutdown_lifetime 0 seconds
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443
>> acl CONNECT method CONNECT
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> acl xxxxx src 192.168.55.0/24
>> acl easy_bb src xxx.xxx.64.0/19
>> acl easy_bb src xxx.xxx.224.0/19
>> acl easy_bb src xxx.xxx.16.0/20
>> acl easy_bb src xxx.xxx.81.0/24
>> acl easy_bb src xxx.xxx.87.0/24
>> acl easy_bb src xxx.xxx.26.0/24
>> acl easy_bb src xxx.xxx.144.0/20
>> acl easy_bb src xxx.xxx.240.0/20
>> acl destination dst 10.223.243.24/32
>> acl access_mail urlpath_regex -i "/etc/squid/users/access_mail.txt"
>> acl access_url url_regex -i "/etc/squid/url_valid.txt"
>> acl acl_pfa dstdomain webmail.XXXxxxxx.it
>> http_access deny easy_bb
>> http_access allow xxxxx
>> http_access allow access_mail
>> http_access allow access_url
>> http_access allow localhost
>> http_access deny all
>> http_reply_access allow all
>> icp_access allow all
>> cache_peer_access mail.XXXxxxxx.it allow acl_pfa
>> cache_peer_access mail.XXXxxxxx.it deny all
>> tcp_outgoing_address 10.223.247.203 xxxxx
>> tcp_outgoing_address 10.223.247.201
>> cache_mgr net_at_xxxxx.it
>> cache_effective_user squid
>> cache_effective_group squid
>> visible_hostname webmail.XXXxxxxx.it
>> httpd_accel_host virtual
>> httpd_accel_port 443
>> httpd_accel_single_host on
>> httpd_accel_with_proxy off
>> httpd_accel_uses_host_header on
>> err_html_text .
>> deny_info ERR_xxxxxXXX all
>> deny_info ERR_xxxxxXXX access_mail
>> never_direct allow all
>> strip_query_terms off
>> coredump_dir /var/spool/squid
>> max_filedesc 4096
>>
>>
>> Configuration
>> squid.conf-2.7STABLE6-1
>> acl all src all
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443
>> acl CONNECT method CONNECT
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> acl QUERY urlpath_regex cgi-bin \?
>> no_cache deny QUERY
>> acl xxxxx src 192.168.55.0/24
>> acl xxxxx src 10.221.121.0/24
>> acl easy_bb src xxx.xxx.64.0/19
>> acl easy_bb src xxx.xxx.224.0/19
>> acl easy_bb src xxx.xxx.16.0/20
>> acl easy_bb src xxx.xxx.81.0/24
>> acl easy_bb src xxx.xxx.87.0/24
>> acl easy_bb src xxx.xxx.26.0/24
>> acl easy_bb src xxx.xxx.144.0/20
>> acl easy_bb src xxx.xxx.240.0/20
>> acl access_mail urlpath_regex -i "/etc/squid/users/access_mail.txt"
>> acl access_url url_regex -i "/etc/squid/url_valid.txt"
>> acl acl_pfa dstdomain webmail.XXXxxxxx.it
>> http_access deny easy_bb
>> http_access allow xxxxx
>> http_access allow access_mail
>> http_access allow access_url
>> http_access allow localhost
>> http_access deny all
>> http_reply_access allow all
>> icp_access allow all
>> ssl_unclean_shutdown on
>> http_port 80 accel vhost
>> https_port 10.223.247.201:443 accel vhost
>> cert=/etc/squid/cert/wm.XXXxxxxx.it.cert
>> key=/etc/squid/cert/wm.XXXxxxxx.it.private.key
>> cafile=/etc/squid/cert/cafile.cert
>> cache_peer mi1exprom1.nf.xxxxxXXX.it parent 443 0 ssl
>> sslcert=/etc/squid/cert/mi1exprom1.cert sslflags=DONT_VERIFY_PEER proxy-only
>> no-query no-digest front-end-https=auto sourcehash round-robin originserver
>> name=MI11
>
> Do not use round-robin on these peers!
>
>> cache_peer_access MI11 allow acl_pfa
>> cache_peer_access MI11 deny all
>> hierarchy_stoplist cgi-bin ?
>> logformat combined2 %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %
>
>
> You are also adding and removing a whole lot of settings to this one
> since the working config.
>
> I'd recommend going back to the original, removing the httpd_accel_* bits
> and making the http_port/https_port and any other changes actually
> needed to load the config. Then checking that that works before going on
> to adjust the other settings.
>
> This is clearly not the whole config because some important things like
> Safe_ports definition are missing even from the working one.
>
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
> Current Beta Squid 3.1.0.13

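To read the two log excerpts in the thread side by side, the following script parses the Squid access.log lines (emulate_httpd_log common format plus the result:hierarchy tag) and the Exchange/IIS W3C lines, keeps only the RPC_IN_DATA/RPC_OUT_DATA requests, and decodes the IIS sc-status/sc-substatus/sc-win32-status columns. This is an added example for this archive page, not code from the poster or from the Squid project. The sample lines are copied from the thread with the masked hostnames left as they are; the IIS field order is an assumption (the thread shows no #Fields header, so the default IIS 6 layout is used), and the SSPI code names are an assumed subset taken from the Windows SDK winerror.h.

```python
"""Read the Squid access.log and the Exchange/IIS W3C log excerpts from this
thread side by side and decode the IIS status columns for the RPC requests.
Added example for this archive page; not code from the original post."""
import re
from collections import Counter

# Constructed sample: the two Squid lines from the thread, joined back onto one
# line each (hostnames masked as in the original). Squid "common" layout from
# emulate_httpd_log with the result:hierarchy tag appended.
SQUID_ACCESS_LOG = """\
10.223.0.71 - - [10/Aug/2009:11:03:56 +0200] "RPC_IN_DATA https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002 HTTP/1.1" 401 509 TCP_MISS:SOURCEHASH_PARENT
10.223.0.71 - - [10/Aug/2009:11:03:56 +0200] "RPC_OUT_DATA https://webmail.XXXxxxxx.it/rpc/rpcproxy.dll?EXPROMO1.nf.xxxxxXXX.it:6002 HTTP/1.1" 401 509 TCP_MISS:SOURCEHASH_PARENT
"""

# Constructed sample: three IIS lines from the thread, one per line. The thread
# shows no #Fields header, so the default IIS 6 W3C field order is ASSUMED.
IIS_LOG = """\
2009-08-10 09:00:07 W3SVC1 MI1EXPROM1 10.223.247.61 GET /exchweb/bin/auth/owalogon.asp url=https://webmail.XXXxxxxx.it/exchange/&reason=0 443 - 192.168.21.245 HTTP/1.1 libwww-perl/5.823 - - webmail.XXXxxxxx.it 200 0 0 9070 205 0
2009-08-10 09:00:38 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_OUT_DATA /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0 MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 451 46
2009-08-10 09:00:38 W3SVC1 MI1EXPROM1 10.223.247.61 RPC_IN_DATA /rpc/rpcproxy.dll EXPROMO1.nf.xxxxxXXX.it:6002 443 - 10.223.247.201 HTTP/1.0 MSRPC - - webmail.XXXxxxxx.it 401 2 2148074254 375 448 124
"""

IIS_FIELDS = (
    "date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query "
    "s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) "
    "cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken"
).split()

# Assumed subset of SSPI status codes, taken from the Windows SDK winerror.h.
SSPI_CODES = {
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY",
}

RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}
SQUID_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<version>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<result>[A-Z_]+):(?P<hier>[A-Z_]+)$'
)


def parse_squid_line(line):
    """One access.log line in common format -> dict of named fields."""
    m = SQUID_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised Squid line: %r" % line)
    return m.groupdict()


def parse_iis_line(line):
    """One W3C line -> dict keyed by the assumed IIS field names."""
    parts = line.split()
    if len(parts) != len(IIS_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(IIS_FIELDS), len(parts)))
    return dict(zip(IIS_FIELDS, parts))


def win32_status(value):
    """IIS logs sc-win32-status as an unsigned decimal; HRESULT-style codes
    are only recognisable once shown in hex. Returns (hex, name-or-None)."""
    code = int(value)
    return "0x%08X" % code, SSPI_CODES.get(code)


def correlate(squid_text=SQUID_ACCESS_LOG, iis_text=IIS_LOG):
    """Pick out the RPC_IN_DATA/RPC_OUT_DATA requests on both sides."""
    squid = [parse_squid_line(l) for l in squid_text.splitlines() if l.strip()]
    iis = [parse_iis_line(l) for l in iis_text.splitlines() if l.strip()]
    rpc_squid = [e for e in squid if e["method"] in RPC_METHODS]
    rpc_iis = []
    for e in iis:
        if e["cs-method"] not in RPC_METHODS:
            continue  # the owalogon.asp GETs come from a different client
        hexcode, name = win32_status(e["sc-win32-status"])
        rpc_iis.append({
            "method": e["cs-method"],
            "client": e["c-ip"],         # what Exchange sees: the proxy, not the user
            "version": e["cs-version"],  # HTTP/1.0 on the proxy-to-Exchange hop
            "status": "%s.%s" % (e["sc-status"], e["sc-substatus"]),
            "win32": hexcode,
            "win32_name": name,
        })
    summary = Counter((e["method"], e["status"], e["hier"]) for e in rpc_squid)
    return {"squid": rpc_squid, "iis": rpc_iis, "summary": summary}


if __name__ == "__main__":
    report = correlate()
    for e in report["squid"]:
        print("squid: %-12s %s from %s  %s:%s" % (e["method"], e["status"], e["client"], e["result"], e["hier"]))
    for e in report["iis"]:
        print("iis:   %-12s %s from %s %s  win32=%s (%s)" % (e["method"], e["status"], e["client"], e["version"], e["win32"], e["win32_name"]))
```

The point of putting both logs through one script is the join key: the c-ip Exchange records for the RPC requests is the proxy's outgoing address, not the user's, so the only way to tie a Squid 401 to an IIS 401 is by method, URI and timestamp, and the IIS line carries the detail Squid cannot see (substatus and the SSPI result in sc-win32-status). Replace the two constructed samples with the real files to run it over a full day of traffic.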
Received on Tue Aug 11 2009 - 08:45:38 MDT

This archive was generated by hypermail 2.2.0 : Tue Aug 11 2009 - 12:00:02 MDT