Re: [squid-users] Squid30 + Exchange OWA 2010 forms based authentication problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 05 Oct 2011 00:02:28 +1300

On 04/10/11 08:45, Sergey Demochkin wrote:
> Guys, I would appreciate your help on the following issue:
>
> I setup squid30 on FreeBSD 8.1 release as reverse proxy for OWA 2010. Here is my squid's config:
>
> ####
> visible_hostname owa.external.domain
> cache_mgr squid
> https_port 172.16.1.3:8080 accel vhost cert=/etc/ssl/crt/server-cert.crt key=/etc/ssl/key/server-key.key sslflags=DONT_VERIFY_DOMAIN clientca=/etc/ssl/CA/cacert.pem cafile=/etc/ssl/CA/cacert.pem capath=/etc/ssl/CA/ sslcontext=id
> cache_peer 10.200.210.25 parent 8080 0 proxy-only no-query no-digest ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN login=PASS front-end-https=on
> cache_dir ufs /var/squid/cache 100 16 256
> cache_access_log /var/squid/logs/access.log squid

That should be:
   access_log /var/squid/logs/access.log

> cache_log /var/squid/logs/cache.log squid

That should be:
   cache_log /var/squid/logs/cache.log

> cache_store_log /var/squid/logs/store.log squid

That should be:
   cache_store_log none

> logfile_rotate 100
> pid_filename /var/squid/squid.pid
> acl OWA dstdomain owa.external.domain
> acl OWA-DIRS urlpath_regex (\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/exchange\/)
> acl OWA-SITE url_regex ^https://owa.external.domain
> cache_peer_access 10.200.210.25 allow OWA
> http_access allow OWA
> http_access allow OWA OWA-DIRS OWA-SITE

NP: "allow OWA" overrides "allow OWA ..." so the fancy regex pattern
ACLs are not used, and can be dropped.

> http_access deny all
> ####
>
> 10.200.210.25 is the OWA server and it is set in hosts files on squid and on OWA itself as owa.external.domain
>
> The problem is that when I connect to squid I see the OWA login page but when I enter login and pass into OWA authentication form I get an empty page with 400 status code. In squid's access.log I see:
>
> client_ip TCP_MISS/400 528 POST https://owa.external.domain:8080/owa/auth.owa - FIRST_UP_PARENT/10.200.210.25 text/html
>
> When I connect to OWA from LAN I have no problem authenticating through the form.
>
> If I change the authentication settings on exchange server from Forms Based to Plain Text then when I connect via squid I get a login prompt and after providing login and pass I get to my mailbox and I can read/send/receive emails.
>
> Any ideas how to make OWA's forms based authentication work with squid?

The 400 is coming back from the server itself. Squid is relaying the
form out and the POST data back to it. It is hard to know what is wrong.
Most likely the OWA server logs have some more clues that can help you
track it down.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.15
   Beta testers wanted for 3.2.0.12
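The "allow OWA overrides allow OWA ..." point above is a first-match effect: Squid evaluates http_access lines in order, every ACL on a line must match (AND), and the first line that matches decides. The small model below is an added example written for this archive page, not Squid's own code; it reimplements just enough of the dstdomain, urlpath_regex and url_regex ACL types (as plain Python regex/host comparisons, which is an assumed simplification of Squid's matching) to run the posted config against a few constructed URLs. It also goes one step beyond the thread by showing the variant where the bare "allow OWA" is removed, so the OWA-DIRS path restriction actually takes effect and requests for other paths on the same host are denied instead of being forwarded to the backend.

```python
import re
from urllib.parse import urlsplit

# ACL definitions copied from the posted squid.conf. This is a constructed
# model of Squid's http_access evaluation, not Squid's implementation.
ACLS = {
    # acl OWA dstdomain owa.external.domain
    "OWA": ("dstdomain", "owa.external.domain"),
    # acl OWA-DIRS urlpath_regex (...) -- pattern taken verbatim from the post
    "OWA-DIRS": ("urlpath_regex",
                 r"(\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync"
                 r"|\/public\/|\/exchweb\/|\/exchange\/)"),
    # acl OWA-SITE url_regex ^https://owa.external.domain
    "OWA-SITE": ("url_regex", r"^https://owa.external.domain"),
    "all": ("all", None),
}

# http_access lines exactly as posted: the bare "allow OWA" comes first.
ORIGINAL_RULES = [
    ("allow", ["OWA"]),
    ("allow", ["OWA", "OWA-DIRS", "OWA-SITE"]),
    ("deny", ["all"]),
]

# Assumed variant: drop the bare "allow OWA" so the path restriction applies.
RESTRICTED_RULES = [
    ("allow", ["OWA", "OWA-DIRS", "OWA-SITE"]),
    ("deny", ["all"]),
]


def acl_matches(name, url):
    """Match one ACL against a request URL (simplified Squid semantics)."""
    kind, arg = ACLS[name]
    parts = urlsplit(url)
    if kind == "all":
        return True
    if kind == "dstdomain":
        # No leading dot in the posted ACL, so this is an exact host match;
        # a ".domain" form would also cover subdomains.
        return (parts.hostname or "") == arg
    if kind == "urlpath_regex":
        return re.search(arg, parts.path) is not None
    if kind == "url_regex":
        return re.search(arg, url) is not None
    raise ValueError("unknown ACL type: %s" % kind)


def http_access(rules, url):
    """Return (action, line_index) of the first http_access line whose ACLs
    all match. If nothing matches, Squid applies the opposite of the last
    line's action, which is reported with line_index None."""
    for i, (action, names) in enumerate(rules):
        if all(acl_matches(n, url) for n in names):
            return action, i
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), None


def shadowed_lines(rules, sample_urls):
    """Indices of lines that never decide any of the sample URLs, i.e. lines
    made unreachable by an earlier, broader line."""
    decided = {http_access(rules, u)[1] for u in sample_urls}
    return [i for i in range(len(rules)) if i not in decided]


# Constructed sample requests: the POST from the access.log line in the
# thread, a non-OWA path on the same host, and an unrelated host.
SAMPLES = [
    "https://owa.external.domain:8080/owa/auth.owa",
    "https://owa.external.domain:8080/ecp/",
    "https://other.example/owa/",
]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("restricted", RESTRICTED_RULES)):
        print("== %s rules ==" % label)
        for u in SAMPLES:
            print("%-50s -> %s" % (u, http_access(rules, u)))
        print("shadowed lines:", shadowed_lines(rules, SAMPLES))
```

With the posted order, every URL on owa.external.domain is decided by line 0 and line 1 is reported as shadowed; with the bare allow removed, /owa/auth.owa is still allowed while /ecp/ on the same host falls through to "deny all". Whether you drop the regex ACLs (as the reply suggests) or the bare allow depends on which behaviour you actually want; the point is that the combined line does nothing as long as the broader one precedes it.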
Received on Tue Oct 04 2011 - 11:04:07 MDT
