Re: [squid-users] Lotus iNotes redirect problem with Squid reverse proxy

From: <Geoff.Moore@dont-contact.us>
Date: Tue, 7 Sep 2004 09:33:17 +0100

Henrik Nordstrom <hno@squid-cache.org> wrote on 03/09/2004 13:19:24:

> On Fri, 3 Sep 2004 Geoff.Moore@TeamSolutionz.com wrote:
>
> > When users connect from the internet to https://our.portal.url/ they
> > receive the usual password dialog box. This is Squid asking for Windows
> > authentication via Samba-3.0.0 to the Windows DC. After successful
> > Windows authentication they are directed to the iNotes logon page for
> > Notes authentication.
> >
> > The problem is that after authenticating in Notes, the browser brings up a
> > redirect warning "You are about to be redirected to a connection that is
> > not secure". The user can click OK, but the browser then times out.
> >
> > You then see that the requested URL was:
> >
> > http://our.portal.url/mail/gmoore.nsf/iNotes/Proxy/?
>
> This is a general problem of reverse proxies when the backend URL is
> different from the external URL. There are no very easy solutions to this
> problem.
>
> The easiest solution is to make sure there is no difference on the two
> sides of the proxy. This you can do by running https:// the whole way to
> the server. You can do this with the SSL update by using a redirector
> helper to rewrite the protocol back to https:// while it is forwarded by
> Squid (SSL update patch required). In Squid-3 this can be done without the
> help of a redirector.
>
> The other solution is to make the web server aware of what the externally
> visible URL looks like. This is for example the case with the
> "Front-End-Https" HTTP header used by MS OWA (and supported by the Squid
> SSL update) which indicates to the web application that the externally
> visible URL accessed by the end-user is using https:// even if the
> connection to the internal web server was using http://.
>
> Regards
> Henrik
>

Henrik,

Thanks very much for your help. I upgraded to Squid 3, played for a while
with the new options in squid.conf, and now iNotes works brilliantly. We
also installed a new version of the iNotes redirector on Notes, but this
only started working after the new Squid was set up.
For the record, I ran ./configure with the following options:
 --enable-auth="basic" --enable-basic-auth-helpers="winbind" --enable-ssl
 --enable-auth-on-accel

The important lines in the new squid.conf are:
### Sets up external SSL with Internet CA certificate
https_port 443 cert=/usr/local/squid/etc/ourcert.crt key=/usr/local/squid/etc/ourcert.key defaultsite=our.portal.com

## In Squid 3 configure the accelerator settings using cache_peer
# See squid.conf.default for Squid3 for full explanation of all options.
# "ssl sslflags=DONT_VERIFY_PEER" are important options - allow the use of
# a self-cert cert in Notes, otherwise squid would choke on SSL cert errors
# Other options are fairly standard for a reverse proxy
cache_peer <Notes server IP> parent 443 0 no-query proxy-only originserver ssl sslflags=DONT_VERIFY_PEER

## Set up auth_param. Src was built with --enable-auth="basic"
auth_param basic program /usr/local/squid/libexec/wb_auth
auth_param basic children 5
auth_param basic realm Our iNotes Proxy
auth_param basic credentialsttl 2 hours

## map acl with access
## Note new access for cache_peer for reverse proxy
cache_peer_access <Notes server IP> allow all
http_access allow localhost
http_access deny to_localhost
http_access allow all password
http_access deny all

## These are the old accelerator (or reverse proxy) settings - now not required.
#httpd_accel_port 80
#httpd_accel_host <Notes server IP> # Notes IP
#httpd_accel_single_host on # Only one backend.
#httpd_accel_uses_host_header on

Regards,
Geoffrey.
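As an added illustration (not code from this thread, from Squid or from iNotes), the Python below shows the two fixes Henrik describes for a reverse proxy whose backend speaks http:// while users see https://: the proxy side rewriting backend redirects onto the external origin, and the backend side honouring the Front-End-Https request header. The hostnames are constructed for the example.

```python
# Added example: handling the reverse-proxy redirect mismatch from the thread.
# Hostnames are constructed; the thread's real names differ.
from urllib.parse import urlsplit, urlunsplit

EXTERNAL = "https://our.portal.url"   # origin the browser connects to (constructed)
BACKEND = "http://notes.internal"     # origin the proxy forwards to (constructed)


def backend_scheme(request_headers, connection_scheme="http"):
    """Backend-side fix: honour the Front-End-Https header (as used by OWA and
    sent by Squid's SSL update) so the application builds redirects with the
    scheme the end user actually sees rather than the scheme of the inner hop."""
    flag = request_headers.get("Front-End-Https", "").strip().lower()
    return "https" if flag == "on" else connection_scheme


def rewrite_location(location, external=EXTERNAL, backend=BACKEND):
    """Proxy-side fix: map an absolute Location header that names the backend
    origin, or the public name over plain http (the URL seen in the thread),
    onto the external https origin. Relative and third-party Locations pass."""
    loc = urlsplit(location)
    if not loc.scheme:
        return location                      # relative redirect: nothing to do
    ext, back = urlsplit(external), urlsplit(backend)
    points_at_backend = loc.netloc == back.netloc
    public_name_wrong_scheme = loc.netloc == ext.netloc and loc.scheme != ext.scheme
    if points_at_backend or public_name_wrong_scheme:
        return urlunsplit((ext.scheme, ext.netloc, loc.path, loc.query, loc.fragment))
    return location                          # unrelated host: leave untouched


def is_downgrade(location, external=EXTERNAL):
    """The symptom from the thread: an absolute redirect from an https site to
    an http:// URL is what triggers the browser's 'not secure' warning."""
    loc = urlsplit(location)
    return bool(loc.scheme) and loc.scheme == "http" and urlsplit(external).scheme == "https"


if __name__ == "__main__":
    seen = "http://our.portal.url/mail/gmoore.nsf/iNotes/Proxy/"
    print(is_downgrade(seen), "->", rewrite_location(seen))
```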
Received on Tue Sep 07 2004 - 02:33:21 MDT
