On Wed, 3 Feb 2010 15:26:30 +0100, Arnoud Tijssen <ATijssen_at_Ram.nl> wrote:
> Hi,
>
> I've set up my squid3 (STABLE 23 with openssl support) box to proxy requests
> to an upstream OWA server from one of our clients.
> The idea is that our client uses our proxyserver to synchronize with their
> own exchange environment.
> The client's owaserver is to be found at, let's say,
> http://owaserver/exchange
>
>
> This is my squid.conf;
>
> # Define the required extension methods for RPC-over-HTTPs
> extension_methods RPC_IN_DATA RPC_OUT_DATA
>
> # Define our cache_peer (the MS Exchange Server)
> cache_peer <owaserver> parent 80 0 no-query originserver login=PASS ssl
> sslflags=DONT_VERIFY_PEER name=owaserver
>
> # ACL to only allow OWA/OMA/ActiveSync/RPC
> acl exchange_urlpath_regex urlpath_regex -i ^http://<owaserver>/exchange($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^http://<owaserver>/exchweb($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^http://<owaserver>/public($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^http://<owaserver>/iisadmpwd($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^http://<owaserver>/rpc($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^http://<owaserver>/Microsoft-Server-ActiveSync($|/.*|\?.*)
>
First problem: "urlpath_regex" is a _path_ regex. The "http://<domain>"
will screw up the match.
The way to do this is:
acl OWAdomain dstdomain <owaserver>
acl exchange_urlpath_regex urlpath_regex -i ^/(exchange|exchweb|public|iisadmpwd|rpc)($|/.*)
acl exchange_urlpath_regex urlpath_regex -i ^/Microsoft-Server-ActiveSync($|/.*|\?.*)
never_direct allow OWAdomain
cache_peer_access owaserver allow OWAdomain
> acl OWA-IP dst <owaserver>
> acl OWA dstdomain <ip squid box>
> cache_peer_access owaserver allow OWA
> never_direct allow OWA
That seems a bit confused. "If people are connecting to the raw-IP of the
Squid box, let them through, passing the raw-IP URL to another box where it
is invalid." ??
>
> # Deny access to anything other than Exchange
> http_access deny !exchange_urlpath_regex
> http_access allow OWA-IP
> http_access deny all
> miss_access allow OWA-IP
> miss_access deny all
>
>
> When I comment the last 5 lines out, the synchronization works like a
> charm, but when I activate the http_access acls I get a TCP_DENIED.
>
> The idea is to restrict my clients to solely be able to synchronize their
> email via Activesync and nothing else.
The above criteria by itself is met by:
http_access allow OWAdomain exchange_urlpath_regex
http_access deny all
> Furthermore, other clients should be able to use the proxyserver for
> internet browsing using standard ACLs.
So clients who are not yours? I'm a little confused, but I'll give it a
try anyway.
If I understand right you have two groups of clients, some to do the OWA
things and some just regular?
That looks like this:
acl clientsA src 192.0.2.0/24
# permit A group to do OWA
http_access allow clientsA OWAdomain exchange_urlpath_regex
# but nobody else is allowed to do OWA...
http_access deny OWAdomain
# 'A' group are also not allowed to do any non-OWA stuff.
http_access deny clientsA
... follow that with normal proxy access controls for anybody not in the
'A' group subnet.
Amos
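As an added illustration (not Squid's code and not from either poster), a small Python model of Squid's ACL evaluation that shows why the original urlpath_regex lines can never match and why the dstdomain plus path-anchored regex above does. It assumes urlpath_regex is tested against path and query string only, approximates the OWA-IP dst ACL by the dstdomain ACL, and uses owa.example.test as a placeholder for <owaserver>.

```python
import re
from urllib.parse import urlsplit

# Added model of Squid ACL evaluation (not Squid's own code). Assumptions:
# urlpath_regex is tested against path + query string only, never against
# scheme or host; OWA-IP (a dst ACL) is approximated by the dstdomain ACL.
OWASERVER = "owa.example.test"   # placeholder standing in for <owaserver>

def make_acls(prefix):
    """Named ACLs; `prefix` is what the poster's or Amos' regexes start with."""
    return {
        "OWAdomain": ("dstdomain", [OWASERVER]),
        "exchange_urlpath_regex": ("urlpath_regex", [
            re.compile(prefix + r"/(exchange|exchweb|public|iisadmpwd|rpc)($|/.*)", re.I),
            re.compile(prefix + r"/Microsoft-Server-ActiveSync($|/.*|\?.*)", re.I),
        ]),
    }

def acl_matches(acl, url):
    kind, values = acl
    parts = urlsplit(url)
    if kind == "dstdomain":
        return parts.hostname in values
    path = parts.path + ("?" + parts.query if parts.query else "")
    return any(rx.search(path) for rx in values)

def http_access(rules, acls, url):
    """First rule whose ACLs all match (after '!' negation) decides;
    an empty ACL list models 'all'."""
    for action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], url) != n.startswith("!")
               for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # Squid's default

# The poster's regexes begin with scheme and host, so they never match a path.
ORIGINAL = (make_acls(r"^http://" + re.escape(OWASERVER)),
            [("deny", ["!exchange_urlpath_regex"]), ("allow", ["OWAdomain"]),
             ("deny", [])])
# Amos' version anchors on the path and pairs it with a dstdomain ACL.
FIXED = (make_acls(r"^"),
         [("allow", ["OWAdomain", "exchange_urlpath_regex"]), ("deny", [])])

def decide(config, url):
    acls, rules = config
    return http_access(rules, acls, url)
```

Every request is denied under ORIGINAL because the negated regex ACL is always true, while FIXED admits only the listed Exchange paths on the OWA host.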
Received on Wed Feb 03 2010 - 22:11:10 MST
This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 12:00:04 MST