Re: [squid-users] ACL issue using Squid as reverse proxy server

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 26 Jan 2011 23:29:11 +1300

On 26/01/11 20:27, smudly Quickhands wrote:
>
> I am trying to set up Squid as a reverse proxy for my Exchange server. I have copied the SSL certificate from the Exchange server and installed it on the Squid server. I can start Squid without any errors using /usr/sbin/squid -N -d 1 -D
>
> However, when I try and access Exchange using OWA I get directed to a Squid error page telling me "Access Denied. Access control configuration prevents your request from being allowed at this time."
>
> If I look in the access log all I see is 1296024671.805 0 25.36.2.52 TCP_DENIED/403 3937 GET https://mail.myco.com/owa - NONE/- text/html
>
> IP 25.36.2.52 is the computer I am using for testing. Is this a problem connecting to the Squid server or to the Exchange server?
>
> I am running Squid 3.1.10-31.2 on a 64 bit OpenSUSE 11.3 server.
>
> I only have one domain for mail.myco.com, so I have set it up so that on the test computer mail.myco.com returns the IP of the Squid server, and on the Squid server I have added a line to the hosts file for mail.myco.com to return the IP of the Exchange server.
>
>
> Below is the squid.conf file. I would appreciate any suggestions.
>
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
> acl localnet src 25.0.0.0/8 # RFC1918 possible internal network
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
>
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>
> https_port 25.36.2.33:443 cert=/etc/ssl/certs/mail.myco.com.pem key=/etc/ssl/server.key defaultsite=mail.myco.com

NP: from Squid-3.2 you will be required to start that set of options
with "accel" mode flag right after the ip:port. It would be a good idea
to add that now and save trouble later.

> cache_peer 25.36.2.32 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/ssl/certs/mail.myco.com.pem sslkey=/etc/ssl/server.key name=owaServer
> acl OWA src 25.36.2.33/0

  /0 ? That strips away all of the set bits of the IP address and
reduces it to 0.0.0.0/0.
  This is equivalent to matching the entire IPv4 part of the Internet.

So ... if a client computer is connecting via IPv4 they are passed to
the OWA server.

This looks a bit like you were trying to configure 25.36.2.33/32 or just
"25.36.2.33" but that would mean only connections Squid generated
internally and looped back at itself from outside would pass to OWA.

What you should actually have there is:
   acl OWA dstdomain mail.myco.com

> cache_peer_access owaServer allow OWA
> never_direct allow OWA
>
> http_access allow OWA
> http_access deny all

The above "deny all" prevents any following http_access rules from being
used.

> acl mysite dstdomain mail.myco.com
> http_access allow mysite
>
> http_access allow localnet
> http_access allow localhost
>
> http_access allow localhost
>
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128
>
> # We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?

This default hierarchy_stoplist could cause you trouble on a reverse
proxy. It can be dropped.

>
> cache_dir ufs /var/cache/squid 100 16 256
>
> coredump_dir /var/cache/squid
>
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
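The two configuration problems Amos points out above (a /0 mask that turns 25.36.2.33 into 0.0.0.0/0, and an "http_access deny all" that stops every rule after it from ever being consulted) can be checked mechanically. The following simulator is an added example written for this page, not Squid's own ACL engine: it parses only the acl and http_access lines from the poster's config, applies Squid's first-match semantics, and reports the rules that are unreachable. The client addresses 198.51.100.7 and 2001:db8::1 are constructed documentation addresses, and the FIXED rule set is an assumed minimal rewrite along the lines of Amos's advice (dstdomain instead of src, one final deny). It models rule semantics only and does not explain why the poster's live Squid returned the 403.

```python
"""
First-match simulator for Squid's http_access evaluation (added example,
not Squid code).  Models only the ACL types in the poster's squid.conf:
src, dst, dstdomain, port, method, proto.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    src: str               # client IP as seen by Squid
    host: str              # host part of the requested URL
    port: int = 443        # destination port
    method: str = "GET"
    proto: str = "https"
    dst: str = ""          # resolved destination IP, if known


@dataclass
class Policy:
    acls: dict = field(default_factory=dict)    # name -> [type, values]
    rules: list = field(default_factory=list)   # (action, [(negated, acl_name)])
    warnings: list = field(default_factory=list)


def parse(conf: str) -> Policy:
    """Parse acl and http_access lines; every other directive is ignored."""
    p = Policy()
    p.acls["all"] = ["src", [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]]
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            if kind in ("src", "dst"):
                nets = []
                for v in values:
                    net = ipaddress.ip_network(v, strict=False)  # mask zeroes host bits, as Squid does
                    if "/" in v and str(net) != v:
                        p.warnings.append(f"acl {name}: {v} is really {net}")
                    nets.append(net)
                values = nets
            elif kind == "port":
                values = [int(v) for v in values]
            elif kind == "dstdomain":
                values = [v.lower() for v in values]
            p.acls.setdefault(name, [kind, []])[1].extend(values)  # repeated acl lines accumulate
        elif words[0] == "http_access":
            action, terms = words[1], words[2:]
            p.rules.append((action, [(t.startswith("!"), t.lstrip("!")) for t in terms]))
    return p


def acl_matches(p: Policy, name: str, req: Request) -> bool:
    kind, values = p.acls[name]
    if kind == "src":
        return any(ipaddress.ip_address(req.src) in n for n in values)  # v4 never matches a v6 net
    if kind == "dst":
        return bool(req.dst) and any(ipaddress.ip_address(req.dst) in n for n in values)
    if kind == "dstdomain":  # a leading dot also matches subdomains
        h = req.host.lower()
        return any(h == d.lstrip(".") or (d.startswith(".") and h.endswith(d)) for d in values)
    if kind == "port":
        return req.port in values
    if kind == "method":
        return req.method.upper() in [v.upper() for v in values]
    if kind == "proto":
        return req.proto.lower() in [v.lower() for v in values]
    raise ValueError(f"unsupported acl type {kind}")


def evaluate(p: Policy, req: Request):
    """Return (verdict, index of the deciding rule), or the implicit default (None)."""
    for i, (action, terms) in enumerate(p.rules):
        if all(acl_matches(p, n, req) != neg for neg, n in terms):
            return action, i
    last = p.rules[-1][0] if p.rules else "deny"
    return ("deny" if last == "allow" else "allow"), None  # default is the opposite of the last rule


def unreachable_rules(p: Policy):
    """Indices of rules after the first unconditional 'allow all' / 'deny all'."""
    for i, (_, terms) in enumerate(p.rules):
        if terms == [(False, "all")]:
            return list(range(i + 1, len(p.rules)))
    return []


# The poster's acl/http_access lines, in the order quoted in the thread.
POSTED = """
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src 25.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl OWA src 25.36.2.33/0
http_access allow OWA
http_access deny all
acl mysite dstdomain mail.myco.com
http_access allow mysite
http_access allow localnet
http_access allow localhost
http_access deny all
"""

# Assumed minimal rewrite following Amos's advice: select by destination site.
FIXED = """
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
acl OWA dstdomain mail.myco.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow OWA
http_access deny all
"""

if __name__ == "__main__":
    posted, fixed = parse(POSTED), parse(FIXED)
    v4 = Request(src="198.51.100.7", host="mail.myco.com")   # constructed outside IPv4 client
    v6 = Request(src="2001:db8::1", host="mail.myco.com")    # constructed outside IPv6 client
    print(posted.warnings)                # ['acl OWA: 25.36.2.33/0 is really 0.0.0.0/0']
    print(evaluate(posted, v4))           # ('allow', 4): any IPv4 client hits "allow OWA"
    print(evaluate(posted, v6))           # ('deny', 5): 0.0.0.0/0 never matches IPv6, so "deny all"
    print(unreachable_rules(posted))      # [6, 7, 8, 9]: mysite/localnet/localhost never consulted
    print(evaluate(fixed, v4), evaluate(fixed, Request(src="198.51.100.7", host="other.example")))
```

Run it against a copy of your own squid.conf by replacing POSTED with the file contents: a non-empty `warnings` list or a non-empty `unreachable_rules()` result is exactly the kind of mistake Amos is describing, and the simulator makes it visible before Squid does.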
Received on Wed Jan 26 2011 - 10:29:23 MST
