[squid-users] login=PASS problem with MS Exchange SOAP

From: dladla <datkin_at_jla.com>
Date: Fri, 17 Aug 2012 00:46:23 -0700 (PDT)

I recently decided to build a new virtual server to replace our ageing squid
reverse proxy server. The old one was running Oracle Enterprise Linux 5 with
squid 3.0.STABLE26. I built the new one with Centos 6 and initially I used
the standard version of squid installed with yum, ie 3.1.10. When I had
problems with that I built 3.2.1 but that had the same problem.

The issue is that login=PASS is not working properly with Exchange 2010.
Although normal user logins to OWA work ok, and ActiveSync works ok, the
Soap interface (which is used by the Blackberry Bis server) doesn't
authenticate, and the Exchange server just keeps returning 401 not

My config file is:
visible_hostname gw01
##extension_methods RPC_IN_DATA RPC_OUT_DATA
pid_filename /var/run/squid_owa.pid
cache_effective_user squid
cache_effective_group squid
access_log /var/log/squid/access_owa.log squid
cache_log /var/log/squid/cache_owa.log
cache_store_log /var/log/squid/store_owa.log
acl http url_regex -i ^http://
acl owa dstdomain owa.company.com
http_port 82 accel defaultsite=owa.company.com
https_port 444 accel cert=/usr/local/ssl/company.com.cert
key=/usr/local/ssl/company.com.key defaultsite=owa.company.com
http_access allow http
http_access allow owa
http_access deny all
url_rewrite_program /usr/local/sbin/squid_owa_url_rewrite
cache_peer parent 443 0 login=PASS connection-auth=on
front-end-https no-query originserver proxy-only ssl
sslflag=DONT_VERIFY_PEER name=owa.company.com
cache_peer_access owa.company.com allow owa
cache_peer_access owa.company.com deny all

The rewrite program just redirects http to https and adds /owa onto the end
of the URL if necessary. After turning on some debugging and poring through
log files I saw this request being sent to the Exchange server:

POST /EWS/Exchange.asmx HTTP/1.1
Accept: text/xml, text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Content-Type: text/xml; charset=UTF-8
Host: owa.company.com
Content-Length: 501
Via: 1.1 gw01 (squid/3.2.1)
Surrogate-Capability: gw01="Surrogate/1.0"
Authorization: Basic UEFTUw==
Cache-Control: max-age=259200
Connection: keep-alive
Front-End-Https: On

So the newer versions of squid are sending the literal Authorization string
"PASS" encoded as base64! The old version sends the correct authentication

I guess this is a bug?


View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/login-PASS-problem-with-MS-Exchange-SOAP-tp4656215.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Fri Aug 17 2012 - 07:46:24 MDT

This archive was generated by hypermail 2.2.0 : Wed Aug 29 2012 - 12:00:08 MDT