RE: [squid-users] Reverse proxy for Outlook 2010 anywhere with NTLM

From: Damir Reic <dreic_at_email.t-com.hr>
Date: Mon, 4 Mar 2013 07:53:41 +0100

Hi Amos,

I am using the latest version, 3.2.7 for CentOS.

I did the following:

https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=codimensions.com vhost
http_port 80 accel defaultsite=continuitytrain.com vhost

acl CODIM dstdomain .continuitytrain.com
acl CONTRAIN dstdomain .codimensions.com

#always_direct allow CONTRAIN
#always_direct allow CODIM
never_direct allow CODIM
never_direct allow CONTRAIN
http_access allow CODIM
http_access allow CONTRAIN
http_access deny all

cache_peer_access exchange allow CODIM
cache_peer_access sharepoint allow CODIM
cache_peer_access crm1 allow CODIM
cache_peer_access crm2 allow CODIM
cache_peer_access ts allow CODIM
cache_peer_access meet allow CODIM
cache_peer_access apache allow CODIM
cache_peer_access apache allow CONTRAIN
cache_peer_access exchange deny all
cache_peer_access sharepoint deny all
cache_peer_access crm1 deny all
cache_peer_access crm2 deny all
cache_peer_access ts deny all
cache_peer_access meet deny all
cache_peer_access apache deny all
# eof

Now I can't reach www.continuitytrain.com or the other virtual hosts that were
specified in the last config (ts.codimensions.com, portal.codimensions.com, ...).

Thanks,
Damir

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Monday, March 04, 2013 4:32 AM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Reverse proxy for Outlook 2010 anywhere with NTLM

On 4/03/2013 9:08 a.m., Damir Reic wrote:
> I am trying to use squid as an outlook reverse proxy but a popup on outlook
> is appearing all the time and I don't know how to solve the problem.
> Also for some unknown reason with this config squid won't start at
> boot time and when I start it manually it takes a long time to start. I am
> using squid 3.1.19.
> The rest of the stuff that I configured over squid works fine.
>
> Is my config good for reverse proxying multiple servers? Kinda strange
> that I can't specify multiple FQDNs inside an ACL?

Yes very strange. Separate them with a single space in dstdomain type ACLs
and listing multiple FQDN should be working perfectly.

> #debug_options ALL,3
> logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st
> "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

I am assuming that you have an old Squid version. If you are on the current
supported releases please remove the log format re-definition.

> pid_filename /var/run/squidext.pid
> httpd_suppress_version_string on
> cache_mgr nomail_address_given
> #visible_hostname webmail.codimensions.com
> via off
> forwarded_for transparent
> ssl_unclean_shutdown on
> # Internet connectors
> https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=webmail.codimensions.com vhost
> https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=portal.codimensions.com vhost
> https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=crm.codimensions.com vhost
> https_port 444 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=crm.codimensions.com vhost
> https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=autodiscover.codimensions.com vhost
> https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=meet.codimensions.com vhost
> https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt key=/etc/squid/certs/codimensions/codimensions.key defaultsite=ts.codimensions.com vhost

Um. No.

You can only open a listening socket once across all applications on a
machine. Your config above is trying to open *:443 several times. This will
be rejected by the OS.

Also, vhost does not work well when the port is configured with a single
static SSL certificate, since the client-requested FQDN is probably not the
one the certificate was created for. This is a sure way to flood your users
with certificate error popups.

For virtual hosted HTTPS sites you require at minimum the squid-3.2 series
and the dynamic SSL certificate generator - to create certificates tailored
to the virtual host each client request is using.
With this feature you only need one port 443 opened.

> http_port 80 accel defaultsite=www.codimensions.com vhost
> http_port 80 accel defaultsite=www.continuitytrain.com vhost
> http_port 80 accel defaultsite=continuitytrain.com vhost
> http_port 80 accel defaultsite=codimensions.com vhost

Same problem. Only without the SSL hassles.
This would suffice:
   http_port 80 accel vhost defaultsite=codimensions.com

NP: defaultsite= is the FQDN to use on any requests which arrive without
specifying a Host: header containing the virtual host FQDN.

> # destination server
> cache_peer 10.10.20.33 parent 443 0 ssl ssldomain=webmail.codimensions.com
> sslcafile=/etc/squid/certs/codimensions/codimensions.crt proxy-only
> no-query no-digest front-end-https=on originserver login=PASS
> connection-auth=on name=exchange forceddomain=webmail.codimensions.com
> cache_peer 10.10.20.53 parent 443 0 ssl ssldomain=webmail.codimensions.com
> sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query
> originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=crm1
> cache_peer 10.10.20.53 parent 444 0 ssl ssldomain=webmail.codimensions.com
> sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query
> originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=crm2
> cache_peer 10.10.20.37 parent 443 0 ssl ssldomain=webmail.codimensions.com
> sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query
> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
> name=sharepoint
> cache_peer 10.10.20.41 parent 443 0 ssl ssldomain=webmail.codimensions.com
> sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query
> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
> name=ts
> cache_peer 10.10.20.34 parent 443 0 ssl ssldomain=webmail.codimensions.com
> sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query
> originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=meet
> cache_peer 10.10.20.90 parent 80 0 no-query originserver name=apache
> acl CODOMmail dstdomain webmail.codimensions.com autodiscover.codimensions.com
> acl CODOMportal dstdomain portal.codimensions.com
> acl CODOMcrm dstdomain crm.codimensions.com
> acl CODOMts dstdomain ts.codimensions.com
> acl CODOMmeet dstdomain meet.codimensions.com
> acl CODOMapache1 dstdomain www.codimensions.com
> acl CODOMapache2 dstdomain www.continuitytrain.com
> acl CODOMapache3 dstdomain .continuitytrain.com
> acl CODOMapache4 dstdomain .codimensions.com

Are you perhaps suffering from the problem that when you write:
   acl CODOMapache dstdomain www.codimensions.com .codimensions.com

... it complains about duplicate or sub- domains?

That is because the '.' at the start of the second one means match all
subdomains of codimensions.com, which includes www.codimensions.com. So
mentioning the www.* form is useless, and the different ways of matching one
domain screw up the ACL calculations and can cause inconsistent
pass/fail behaviour. Just remove the useless www.* form of the domain
from your config.

Amos
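As an added illustration of the dstdomain semantics Amos describes above (this is not code from Squid or from either poster): a small Python model of '.domain' versus bare-FQDN matching, plus a checker that flags entries already covered by a wildcard entry in the same ACL. The acl lines are constructed in the style of the quoted config, and the matching logic is a simplified model of the documented semantics, not Squid's own implementation.

```python
import re

# Constructed sample in the style of the acl lines quoted in this thread
# (illustration only, not the poster's exact file).
SAMPLE_CONF = """
acl CODOMmail dstdomain webmail.codimensions.com autodiscover.codimensions.com
acl CODOMapache dstdomain www.codimensions.com .codimensions.com
acl CONTRAIN dstdomain .continuitytrain.com
"""


def parse_dstdomain_acls(conf):
    """Collect dstdomain entries per ACL name; repeated acl lines append."""
    acls = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"acl\s+(\S+)\s+dstdomain\s+(.+)$", line)
        if m:
            acls.setdefault(m.group(1), []).extend(m.group(2).split())
    return acls


def entry_matches(entry, host):
    """Simplified model of the documented semantics: '.example.com' matches
    the domain itself and every subdomain; a bare FQDN matches only itself."""
    host = host.lower().rstrip(".")
    entry = entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def acl_matches(entries, host):
    """True if any entry of the ACL matches the requested host."""
    return any(entry_matches(e, host) for e in entries)


def redundant_entries(entries):
    """Entries already covered by a '.domain' wildcard in the same ACL:
    the overlap Amos says to remove (e.g. www.x.com beside .x.com)."""
    wildcards = [e for e in entries if e.startswith(".")]
    return [e for e in entries
            if any(e != w and entry_matches(w, e.lstrip(".")) for w in wildcards)]


def report(conf):
    """Map each ACL name to the entries it could drop without changing matches."""
    return {name: redundant_entries(ents)
            for name, ents in parse_dstdomain_acls(conf).items()}
```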
Received on Mon Mar 04 2013 - 06:54:05 MST

This archive was generated by hypermail 2.2.0 : Mon Mar 04 2013 - 12:00:04 MST