Re: [squid-users] reverse proxy and exchange 2007

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 24 Feb 2011 11:22:33 +1300

 On Wed, 23 Feb 2011 08:45:46 -0800 (PST), gohone wrote:
> Hello,
>
> I have a 2007 Exchange server and I would like to make it available from
> the outside.
>
> So I set up a reverse proxy with squid (version 3.0 STABLE19) and a
> self-signed certificate.
>
> client --> squid --> Exchange OWA
> https https
>
> The access is working from the outside, but I would like the client to need
> a certificate to access OWA.
> If I don't have a certificate on the client, I have the warning message about
> the identity of the certificate when I try to connect to OWA, but I can
> continue if I ignore the SSL error and finally the connection is done ... I
> know the error is normal because it's a self-signed certificate and the CA
> is not in the trusted list, but I would like the access to be possible only
> if I have the certificate on the client.
>
> What can I do in "squid" to resolve this issue?

 You can present a real, non-self-signed certificate to the visitors via
 http_port.

 The *internal* link between Squid and OWA is the place where
 self-signed certificates can be used without general public access being
 involved.
 The warnings are ignored on that link via the sslflags=DONT_VERIFY_PEER
 option to cache_peer.

> Apparently some ACLs exist like "user_cert", but I don't know if it's the
> solution and I don't see examples of the syntax.

 ACLs are for checking and validation, not for sending.

>
> Below my config in Squid.
>
> visible_hostname exchange_outside
> debug_options ALL,1
> extension_methods RPC_IN_DATA RPC_OUT_DATA
> https_port 443 accel cert=/path/exchg.pem key=/path/exchg.pem \
>   defaultsite=exchange_outside vhost
>
> cache_peer "ip_exchange" parent 4433 0 no-query originserver \
>   no-digest login=PASS ssl front-end-https=on \
>   sslcert=/chemin du certificat/owa.pem sslkey=/path/owa.pem \
>   sslcafile=/path/ca.crt name=exchange_hostname
>
> acl all src 0.0.0.0/0.0.0.0

 "all" is defined internally by Squid-3.
 You will be getting warnings about the "all" ACL definition. Remove the
 above line to resolve those.

 Amos
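Putting the three fixes together, an added example (not from the thread, and not Amos's or gohone's config) of how the corrected squid.conf could look. All paths, the CA files, the peer address and the certificate Organization value are placeholders; the `clientca=` option and the `user_cert` ACL are taken from the Squid 3 configuration reference and assumed to be available in 3.0 STABLE19, since the thread does not confirm them.

```conf
# Added example, not from the thread: the posted config with the fixes applied.
# Paths, "ip_exchange", CA files and the Organization value are placeholders.

visible_hostname exchange_outside
debug_options ALL,1
extension_methods RPC_IN_DATA RPC_OUT_DATA

# Public side: a CA-issued certificate instead of the self-signed one, so
# visitors get no identity warning to click through.
# clientca= makes Squid request a client certificate signed by that CA;
# assumed available in 3.0 STABLE19 (check squid.conf.documented).
https_port 443 accel cert=/path/public-exchange.pem \
    key=/path/public-exchange.key \
    defaultsite=exchange_outside vhost clientca=/path/client-ca.crt

# Internal side: the self-signed OWA certificate stays on the Squid->OWA link.
# Preferred: validate it against the CA that issued it (sslcafile), so a
# swapped certificate on the OWA host is noticed.
cache_peer ip_exchange parent 4433 0 no-query originserver no-digest \
    login=PASS ssl front-end-https=on name=exchange_hostname \
    sslcafile=/path/ca.crt
# Fallback Amos mentions when no CA file is available: skip verification.
# cache_peer ip_exchange parent 4433 0 no-query originserver no-digest \
#     login=PASS ssl front-end-https=on name=exchange_hostname \
#     sslflags=DONT_VERIFY_PEER

# "acl all" is built in on Squid-3; defining it only produces warnings.
# ACLs check, they do not send: user_cert matches the subject of the client
# certificate the visitor presented; requests without an accepted one are
# denied before reaching OWA.
acl owa dstdomain exchange_outside
acl has_cert user_cert O "Example Corp"   # assumed attribute and value
cache_peer_access exchange_hostname allow owa
cache_peer_access exchange_hostname deny all
http_access allow owa has_cert
http_access deny all
```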
Received on Wed Feb 23 2011 - 22:22:36 MST