[squid-users] ACL issue using Squid as reverse proxy server

From: smudly Quickhands <smudly_at_hotmail.com>
Date: Wed, 26 Jan 2011 07:27:49 +0000

I am trying to setup Squid as a reverse proxy for my Exchange server.   I have copied the SSL certificate from the exchange server and installed it on the Squid server.  I can start Squid without any errors using  /usr/sbin/squid -N -d 1 -D

However when I try and access Exchange using OWA I get get directed to a Squid error page  telling me Access Denied.   Access control configuration prevents your request from being allowed at this time.  

If I look in the access log all I see is 1296024671.805      0 25.36.2.52 TCP_DENIED/403 3937 GET https://mail.myco.com/owa - NONE/- text/html

IP 25.36.2.52 is the computer i am using for testing   Is this a problem connecting to the Squid server or to the Exchange server?

I am running Squid 3.1.10-31.2 on a 64 bit  OpenSUSE 11.3 server.

I only have one domain for mail.myco.com so I have set it up so that on the test computer so that mail.myco.com returns the IP of the Squid server and on the Squid server I have added a line to the hosts file for mail.myco.com to return the ip of the Exchange server.

Below is the squid.conf file.   I would appreciate any suggestions.  

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl localnet src 25.0.0.0/8    # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 443        # https
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

https_port  25.36.2.33:443 cert=/etc/ssl/certs/mail.myco.com.pem key=/etc/ssl/server.key defaultsite=mail.myco.com
cache_peer 25.36.2.32 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/ssl/certs/mail.myco.com.pem sslkey=/etc/ssl/server.key name=owaServer
acl OWA src 25.36.2.33/0
cache_peer_access owaServer allow OWA
never_direct allow OWA

http_access allow OWA
http_access deny all
acl mysite dstdomain mail.myco.com
http_access allow mysite

http_access allow localnet
http_access allow localhost

http_access allow localhost

http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

cache_dir ufs /var/cache/squid 100 16 256

coredump_dir /var/cache/squid

refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

                                               
Received on Wed Jan 26 2011 - 07:28:02 MST

This archive was generated by hypermail 2.2.0 : Thu Jan 27 2011 - 12:00:03 MST