Re: [squid-users] OWA Reverse Proxy Problems

From: Henrik Nordström <henrik_at_henriknordstrom.net>
Date: Sun, 12 Feb 2012 13:43:55 +0100

Thu 2012-02-09 at 17:05 +0100, Sauron99_at_gmx.de wrote:
> Hi all,
> I have a huge problem with getting Squid working as a reverse proxy for OWA.
> I have created a certificate request on my Windows Server 2008, then I
> have created a certificate and converted it to .pfx. This one I could
> get into IIS and enable it to my DefaultWebsite in IIS and OWA. So far
> so good....

What site name have you configured in OWA?

Recommended setup is to use a hostname, and to first verify that the OWA
server responds properly to this hostname and then introduce the reverse
proxy in between, changing the hostname to point to the reverse proxy
instead of OWA.

Accessing directly by IP is NOT RECOMMENDED.

I also recommend using https both client<->squid and squid<->owa for
simplicity.

> visible_hostname my.dyndns.org
> https_port 192.168.1.199:443 cert=/usr/local/src/sslowa/my.dyndns.org.pem key=/usr/local/src/sslowa/my.dyndns.org.key defaultsite=192.168.1.249

defaultsite SHOULD NOT be the internal IP of OWA. It should be the same
as the hostname you use in the https:// URL. If unsure then use vhost
instead and forget about defaultsite.

Based on your acls below I would guess your OWA server name is
my.dyndns.org?

> #cache_peer 192.168.1.249 parent 80 0 no-query originserver login=PASS front-end-https=on name=owaServer
> cache_peer 192.168.1.249 parent 443 0 no-query originserver login=PASS front-end-https=on name=owaServer

front-end-https is only for when you use https client<->squid but http
squid<->owa.

Port 443 is https so you need the ssl flag there.

> #cache_peer 192.168.1.249 parent 443 0 no-query originserver login=PASS ssl sslcert=/usr/local/src/sslowa/my.dyndns.org.key name=owaServer

No need to specify an SSL client certificate for use in the connection
to OWA.

cache_peer 192.168.1.249 parent 443 0 no-query originserver login=PASS ssl name=owaServer

> acl OWA dstdomain my.dyndns.org
> cache_peer_access owaServer allow OWA
> never_direct allow OWA

This is fine, assuming your OWA name is my.dyndns.org, and you correct
the https_port and cache_peer parts above.

> # lock down access to only query the OWA server!
> http_access allow OWA
> http_access deny all

> miss_access allow OWA
> miss_access deny all

You don't need miss_access.

Regards
Henrik
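[Added example, not part of the thread or of Squid itself: a small linter that encodes the review points above as checks, so a config can be verified before it is deployed. It assumes, as Henrik guesses, that the OWA site name is my.dyndns.org, and it treats a cache_peer on port 443 as an https peer, which is a heuristic rather than a Squid rule. The two configs embedded below are the one posted and the corrected form that follows from the reply.]

```python
"""Lint a squid.conf reverse-proxy fragment for the mistakes discussed above.

Added example; not Squid's own code nor from the original posts. The checks
encode Henrik's review points; the port-443-means-https rule is a heuristic.
"""
import ipaddress

# Config as posted in the thread (constructed copy of the quoted lines).
ORIGINAL_CONF = """\
visible_hostname my.dyndns.org
https_port 192.168.1.199:443 cert=/usr/local/src/sslowa/my.dyndns.org.pem key=/usr/local/src/sslowa/my.dyndns.org.key defaultsite=192.168.1.249
#cache_peer 192.168.1.249 parent 80 0 no-query originserver login=PASS front-end-https=on name=owaServer
cache_peer 192.168.1.249 parent 443 0 no-query originserver login=PASS front-end-https=on name=owaServer
acl OWA dstdomain my.dyndns.org
cache_peer_access owaServer allow OWA
never_direct allow OWA
http_access allow OWA
http_access deny all
miss_access allow OWA
miss_access deny all
"""

# Corrected config following the reply (assumes the OWA site name is my.dyndns.org).
CORRECTED_CONF = """\
visible_hostname my.dyndns.org
https_port 192.168.1.199:443 cert=/usr/local/src/sslowa/my.dyndns.org.pem key=/usr/local/src/sslowa/my.dyndns.org.key defaultsite=my.dyndns.org
cache_peer 192.168.1.249 parent 443 0 no-query originserver login=PASS ssl name=owaServer
acl OWA dstdomain my.dyndns.org
cache_peer_access owaServer allow OWA
never_direct allow OWA
http_access allow OWA
http_access deny all
"""


def _split_options(opts):
    """Separate bare flags (ssl, vhost, no-query) from key=value options."""
    flags = {o for o in opts if "=" not in o}
    kv = dict(o.split("=", 1) for o in opts if "=" in o)
    return flags, kv


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_conf(text):
    """Return (directive, args) tuples, skipping blank lines and '#' comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        out.append((parts[0], parts[1:]))
    return out


def lint_owa_reverse_proxy(text):
    """Return a list of findings; an empty list means the fragment passes."""
    findings = []
    directives = parse_conf(text)
    # Hostnames the config expects clients to use, from 'acl NAME dstdomain ...'.
    dstdomains = set()
    for name, args in directives:
        if name == "acl" and len(args) >= 3 and args[1] == "dstdomain":
            dstdomains.update(args[2:])
    seen_miss_access = False
    for name, args in directives:
        if name == "https_port":
            flags, kv = _split_options(args[1:])
            site = kv.get("defaultsite")
            if site is None and "vhost" not in flags:
                findings.append("https_port: set defaultsite=<hostname> or use vhost")
            elif site is not None and _is_ip(site):
                findings.append(f"https_port: defaultsite={site} is an IP; use the hostname clients type")
            elif site is not None and site not in dstdomains:
                findings.append(f"https_port: defaultsite={site} matches no dstdomain acl")
        elif name == "cache_peer" and len(args) >= 4:
            host, http_port = args[0], args[2]
            flags, kv = _split_options(args[4:])
            tls_peer = "ssl" in flags or http_port == "443"  # heuristic on the port
            if http_port == "443" and "ssl" not in flags:
                findings.append(f"cache_peer {host}: port 443 is https, add the ssl flag")
            if tls_peer and kv.get("front-end-https") == "on":
                findings.append(f"cache_peer {host}: front-end-https=on is only for https->squid->http; drop it")
            if "sslcert" in kv:
                findings.append(f"cache_peer {host}: sslcert= (client certificate) is not needed for OWA")
        elif name == "miss_access" and not seen_miss_access:
            seen_miss_access = True
            findings.append("miss_access: not needed for a reverse proxy; remove it")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", ORIGINAL_CONF), ("corrected", CORRECTED_CONF)):
        print(f"{label}: {lint_owa_reverse_proxy(conf) or 'OK'}")
```

Run against the posted fragment it reports the four points from the reply (IP in defaultsite, missing ssl flag on the port-443 peer, front-end-https=on on an https peer, and the unneeded miss_access); the corrected fragment produces no findings. It does not replace Henrik's first step of checking that OWA answers on the hostname before the proxy is put in front of it.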
Received on Sun Feb 12 2012 - 12:45:14 MST

This archive was generated by hypermail 2.2.0 : Sun Feb 12 2012 - 12:00:03 MST