Re: [squid-users] Reverse proxying to OWA

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 04 Feb 2010 11:11:06 +1300

On Wed, 3 Feb 2010 15:26:30 +0100, Arnoud Tijssen <ATijssen_at_Ram.nl> wrote:
> Hi,
>
> I've set up my squid3 (STABLE 23 with openssl support) box to proxy requests
> to an upstream OWA server from one of our clients.
> The idea is that our client uses our proxyserver to synchronize with their
> own exchange environment.
> The client's owaserver is to be found at let's say
> http://owaserver/exchange
>
>
> This is my squid.conf;
>
> # Define the required extension methods for RPC-over-HTTPs
> extension_methods RPC_IN_DATA RPC_OUT_DATA
>
> # Define our cache_peer (the MS Exchange Server)
> cache_peer <owaserver> parent 80 0 no-query originserver login=PASS ssl
> sslflags=DONT_VERIFY_PEER name=owaserver
>
> # ACL to only allow OWA/OMA/ActiveSync/RPC
> acl exchange_urlpath_regex urlpath_regex -i ^http://<owaserver>/exchange($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^http://<owaserver>/exchweb($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^http://<owaserver>/public($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^http://<owaserver>/iisadmpwd($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^http://<owaserver>/rpc($|/.*)
> acl exchange_urlpath_regex urlpath_regex -i ^http://<owaserver>/Microsoft-Server-ActiveSync($|/.*|\?.*)
>

First problem: "urlpath_regex" is a _path_ regex. The "http://<domain>"
will screw up the match.

The way to do this is:
 acl OWAdomain dstdomain <owaserver>
 acl exchange_urlpath_regex urlpath_regex -i ^/(exchange|exchweb|public|iisadmpwd|rpc)($|/.*)
 acl exchange_urlpath_regex urlpath_regex -i ^/Microsoft-Server-ActiveSync($|/.*|\?.*)

 never_direct allow OWAdomain
 cache_peer_access owaserver allow OWAdomain

> acl OWA-IP dst <owaserver>
> acl OWA dstdomain <ip squid box>
> cache_peer_access owaserver allow OWA
> never_direct allow OWA

That seems a bit confused. "If people are connecting to the raw-IP of the
Squid box, let them through, passing the raw-IP URL to another box where it
is invalid." ??

>
> # Deny Access to other then Exchange
> http_access deny !exchange_urlpath_regex
> http_access allow OWA-IP
> http_access deny all
> miss_access allow OWA-IP
> miss_access deny all
>
>
> When I comment the last 5 lines out, the synchronization works like a
> charm, but when I activate the http_access acls I get a TCP_DENIED.
>
> The idea is to restrict my clients to solely be able to synchronize their
> email via Activesync and nothing else.

The above criteria by itself is met by:
  http_access allow OWAdomain exchange_urlpath_regex
  http_access deny all

> Furthermore, other clients should be able to use the proxyserver for
> internet browsing using standard ACLs

So clients who are not yours? I'm a little confused, but I'll give it a
try anyway..

If I understand right you have two groups of clients, some to do the OWA
things and some just regular?

That looks like this:

 acl clientsA src 192.0.2.0/24

# permit A group to do OWA
 http_access allow clientsA OWAdomain exchange_urlpath_regex
# but nobody else is allowed to do OWA...
 http_access deny OWAdomain
# 'A' group are also not allowed to do any non-OWA stuff.
 http_access deny clientsA

... follow that with normal proxy access controls for anybody not in the
'A' group subnet.

Amos
Received on Wed Feb 03 2010 - 22:11:10 MST
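As an added illustration of the two points in this reply (it is not part of the thread and not Squid's code), here is a small Python model of how Squid walks an http_access list: first rule whose ACLs all match wins, "!" negates one ACL, and with no match the opposite of the last rule applies. It models only the ACL types the thread uses, and the "dst" ACL is stood in for by dstdomain. The host "owaserver.example", the client subnets and the URLs are constructed placeholders for the thread's <owaserver>. Running it shows why the quoted config returns TCP_DENIED for every request (a urlpath_regex anchored on "^http://" can never match a path that starts with "/") and how the two-group rule set sorts requests.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Toy model of Squid's http_access evaluation written for this thread; it is
# not Squid code. Only the ACL types the discussion uses are modelled
# (dstdomain, urlpath_regex -i, src, all), with first-match semantics and
# Squid's "opposite of the last rule" default when nothing matches.
# "owaserver.example" is a constructed stand-in for the thread's <owaserver>.
OWASERVER = "owaserver.example"


class Request:
    """The parts of a proxied request that the modelled ACLs look at."""

    def __init__(self, client_ip, url):
        self.client_ip = ipaddress.ip_address(client_ip)
        parts = urlsplit(url)
        self.host = parts.hostname
        # urlpath_regex sees the URL path only, never "http://host". The query
        # string is assumed to be included, which is what the "\?.*"
        # alternative in the original ActiveSync regex relies on.
        self.urlpath = (parts.path or "/") + ("?" + parts.query if parts.query else "")


class Acl:
    """One named ACL; repeated acl lines with the same name OR their values."""

    def __init__(self, acl_type, values):
        self.acl_type = acl_type
        self.values = values

    def matches(self, req):
        if self.acl_type == "all":
            return True
        if self.acl_type == "dstdomain":
            # A leading dot matches the domain and its subdomains, as in Squid.
            return any(req.host == v or (v.startswith(".") and req.host.endswith(v))
                       for v in self.values)
        if self.acl_type == "urlpath_regex":
            return any(re.search(v, req.urlpath, re.IGNORECASE) for v in self.values)
        if self.acl_type == "src":
            return any(req.client_ip in ipaddress.ip_network(v) for v in self.values)
        raise ValueError("unsupported acl type: " + self.acl_type)


def http_access(rules, acls, req):
    """First rule whose ACLs all match decides; a leading '!' negates one ACL.
    With no matching rule, Squid applies the opposite of the last rule."""
    for action, names in rules:
        if all(acls[n.lstrip("!")].matches(req) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The quoted config: regexes anchored on "^http://<owaserver>/..." that a
# path such as "/exchange/..." can never satisfy, so "!exchange_urlpath_regex"
# is true for every request and the first rule denies everything.
ORIGINAL_ACLS = {
    "exchange_urlpath_regex": Acl("urlpath_regex", [
        rf"^http://{re.escape(OWASERVER)}/exchange($|/.*)",
        rf"^http://{re.escape(OWASERVER)}/Microsoft-Server-ActiveSync($|/.*|\?.*)",
    ]),
    "OWA-IP": Acl("dstdomain", [OWASERVER]),   # stands in for the "dst" ACL
    "all": Acl("all", []),
}
ORIGINAL_RULES = [
    ("deny", ["!exchange_urlpath_regex"]),
    ("allow", ["OWA-IP"]),
    ("deny", ["all"]),
]

# The corrected path-only ACLs plus the two-group policy from the reply.
FIXED_ACLS = {
    "exchange_urlpath_regex": Acl("urlpath_regex", [
        r"^/(exchange|exchweb|public|iisadmpwd|rpc)($|/.*)",
        r"^/Microsoft-Server-ActiveSync($|/.*|\?.*)",
    ]),
    "OWAdomain": Acl("dstdomain", [OWASERVER]),
    "clientsA": Acl("src", ["192.0.2.0/24"]),   # constructed example subnet
    "all": Acl("all", []),
}
TWO_GROUP_RULES = [
    ("allow", ["clientsA", "OWAdomain", "exchange_urlpath_regex"]),
    ("deny", ["OWAdomain"]),
    ("deny", ["clientsA"]),
    ("allow", ["all"]),   # placeholder for the "normal proxy access controls"
]


def decide(rules, acls, client_ip, url):
    """Return 'allow' or 'deny' for one request under one rule set."""
    return http_access(rules, acls, Request(client_ip, url))


if __name__ == "__main__":
    sync = f"http://{OWASERVER}/Microsoft-Server-ActiveSync?Cmd=Sync"
    print("original config, ActiveSync from A:", decide(ORIGINAL_RULES, ORIGINAL_ACLS, "192.0.2.10", sync))
    print("two-group config, ActiveSync from A:", decide(TWO_GROUP_RULES, FIXED_ACLS, "192.0.2.10", sync))
    print("two-group config, web from A:", decide(TWO_GROUP_RULES, FIXED_ACLS, "192.0.2.10", "http://www.example.org/"))
    print("two-group config, OWA from others:", decide(TWO_GROUP_RULES, FIXED_ACLS, "198.51.100.5", sync))
```

The model deliberately keeps Squid's first-match behaviour, so rule order matters exactly as it does in a real squid.conf: moving "deny OWAdomain" above the allow line would lock the A group out of OWA as well.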