Wouter de Jong wrote:
> Hi,
>
> I've setup an Outlook Web Access reverse proxy and RPC-over-HTTPs proxy
> with Squid by following these 2 wiki documents :
>
> http://wiki.squid-cache.org/ConfigExamples/SquidAndOutlookWebAccess?highlight=%28%5EConfigExamples/%5B%5E/%5D%2A%24%29
>
> http://wiki.squid-cache.org/ConfigExamples/SquidAndRPCOverHttp?highlight=%28%5EConfigExamples/%5B%5E/%5D%2A%24%29
>
>
> It works ok ... except the acl that is listed in the example, does not
> work for me...
>
> Here's the snippet :
>
> ##############################################################
> # Define the required extension methods for RPC-over-HTTPs
> extension_methods RPC_IN_DATA RPC_OUT_DATA
>
> # Define our cache_peer (the MS Exchange Server)
> cache_peer 192.168.128.196 parent 443 0 no-query originserver login=PASS
> ssl sslflags=DONT_VERIFY_PEER name=sbs.company.local
>
> # ACL to only allow OWA/OMA/ActiveSync/RPC
> acl exchange_urlpath_regex urlpath_regex -i ^/exchange($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^/exchweb($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^/public($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^/iisadmpwd($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^/rpc($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i
> ^/Microsoft-Server-ActiveSync($|/.*|\?.*)
>
> #acl OWAip dst 192.168.128.196
> acl OWAip dst 213.206.xxx.yyy
> acl OWA dstdomain exchange.company.com
> cache_peer_access sbs.company.local allow OWA
> never_direct allow OWAip
>
> # lock down access
> http_access deny !exchange_urlpath_regex
> http_access allow OWAip
> http_access deny all
> miss_access allow OWAip
> miss_access deny al
> ##############################################################
>
> 192.168.128.196 is internal IP of Exchange server, this is behind an
> OpenVPN tunnel.
> 213.206.xxx.yyy is the IP of the Squid-server, exchange.company.com
> points to this address.
>
> And here's my 'problem' :
>
> Whenever I use 192.168.128.196 (the IP of the cache_peer/the
> Exchange-server) for acl 'OWAip', I get a Forwarding Denied.
Yes, the client machines will never ask for the internal secret IP of
the OWA.
> However, if I use '213.206.xxx.yyy' as OWAip, it works....
Yes, that being the public address for the OWA when going via squid.
>
> ACL debug logging reveals that the 213.206.xxx.yyy is being matched at
> the dst, and NOT 192.168.128.196
>
> Am I reading the example wrong, or ..... is this a known issue ?
No, wiki example was wrong.
Client machines to contact and all pages served up by the OWA need to
contain either the public-access IP (213.206.xxx.yyy) or the
public-access domain (exchange.company.com) which both need to point at
squid.
There's another (very tricky) method the wiki may have once mentioned to
give that config muckup. I've fixed it now.
>
> I'm using squid/2.6.STABLE18 from FreeBSD 6.3 Ports.
>
>
> Hopefully someone can explain if I misinterpret the example (eg. I
> fucked up), the example is wrong, or squid is not behaving as it should.
>
Amos
-- Please use Squid 2.6STABLE17+ or 3.0STABLE1+ There are serious security advisories out on all earlier releases.Received on Sun Jan 27 2008 - 20:46:10 MST
This archive was generated by hypermail pre-2.1.9 : Fri Feb 01 2008 - 12:00:05 MST