[squid-users] squid as proxy for exchange with https/ssl?

From: <info_at_sysbuddha.eu>
Date: Fri, 04 Mar 2011 11:51:16 +0100

hi there.

i have to set up a squid3 (built with enable-ssl) to accept requests from
outlook for an exchange server and redirect them there. but i have a little
trouble knowing which certificates i need all in all and which one of them
to put where.

when directly accessing the exchange server owa with a web browser, i open
https://[fqdn of exchange server]/owa.

output of /usr/sbin/squid -v and the beginning of the squid.conf are
included below.

any hint and help is deeply appreciated :)

marcel mueller

some detailed info:

Squid Cache: Version 3.1.6
configure options: '--build=i486-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--libexecdir=${prefix}/lib/squid3' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules' '--srcdir=.'
'--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
'--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-underscores' '--enable-ssl'
'--enable-icap-client' '--enable-follow-x-forwarded-for'
'--enable-auth=basic,digest,ntlm,negotiate'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
'--enable-ntlm-auth-helpers=smb_lm,'
'--enable-digest-auth-helpers=ldap,password'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
'--enable-arp-acl' '--enable-esi' '--disable-translation'
'--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--enable-linux-netfilter'
'build_alias=i486-linux-gnu' 'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS='
'CPPFLAGS=' 'CXXFLAGS=-g -O2 -g -Wall -O2' --with-squid=/root/squid3-3.1.6

squid.conf excerpt:

# which certificate do i have to put in the https_port line?
https_port [private ip of squid]:443 cert=[certificate1].pem defaultsite=[fqdn of exchange server]

#which certificate do i have to put in the cache_peer line?
cache_peer [fqdn of exchange server] parent 443 0 no-query originserver login=PASS ssl sslcert=/[certificate2].pem name=[fqdn of exchange server] front-end-https
acl EXCH dstdomain [fqdn of exchange server]
cache_peer_access [fqdn of exchange server] allow EXCH
cache_peer_access [fqdn of exchange server] deny all
never_direct allow EXCH
http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all
Received on Fri Mar 04 2011 - 10:51:26 MST
