Re: [squid-users] OWA Reverse Proxy Problems

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 10 Feb 2012 14:43:26 +1300

On 10/02/2012 5:05 a.m., Sauron99_at_gmx.de wrote:
> Hi all,
> I have a huge problem with getting Squid working as a reverse proxy for OWA.
> I have created a certificate request on my Windows Server 2008, then I have created a certificate and converted it to .pfx.

Possible Problem: Squid only accepts SSL keys and certificates in PEM
format.

> This one I could get into IIS and enable it to my DefaultWebsite in IIS and OWA. So far so good....
>
> Then I have recompiled squid with the --enable-ssl flag on my Debian Server.
>
> This is what my squid.conf looks like now:
>
> .1.199 = Debian Squid
> .1.249 = Exchange Server
>
>
> visible_hostname my.dyndns.org
> https_port 192.168.1.199:443 cert=/usr/local/src/sslowa/my.dyndns.org.pem key=/usr/local/src/sslowa/my.dyndns.org.key defaultsite=192.168.1.249

Problem: The "accel" mode flag is missing.
      https_port 192.168.1.199:443 accel cert=...

>
> #cache_peer 192.168.1.249 parent 80 0 no-query originserver login=PASS front-end-https=on name=owaServer
> cache_peer 192.168.1.249 parent 443 0 no-query originserver login=PASS front-end-https=on name=owaServer
> #cache_peer 192.168.1.249 parent 443 0 no-query originserver login=PASS ssl sslcert=/usr/local/src/sslowa/my.dyndns.org.key name=owaServer
>
>
> acl OWA dstdomain my.dyndns.org
> cache_peer_access owaServer allow OWA
> never_direct allow OWA
>
> # lock down access to only query the OWA server!
> http_access allow OWA
> http_access deny all
> miss_access allow OWA
> miss_access deny all

Possible Problem: this is all above any other http_access config in
squid.conf right?

>
>
>
> I have tried all of the cache_peer things up there, and I have also tried to disable https:// in IIS for OWA. So far no luck there. I do always get a 403 Access Denied Error when I'm trying to get this site.
>
> Of course I have also tried to put defaultsite to defaultsite=192.168.1.249/owa, because OWA is listening on /owa.

Making the domain name contain invalid "/" characters will not be helping.

You must not alter the URL path when reverse proxying things to Exchange
for RPC or OWA. Also the domain used by the client should be sent
through untouched if at all possible. The http_port vhost option is used
to ensure that happens.

Amos
Received on Fri Feb 10 2012 - 01:43:33 MST
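Putting the points from this reply together, here is an added squid.conf fragment (not from the thread or the Squid project) that a reverse proxy for OWA would typically use. The IP addresses, hostname and directive names come from the quoted config; the /etc/squid/ssl/ paths, the exchange-ca.pem file and the OpenSSL conversion commands in the comments are assumptions for illustration.

```conf
# Added example: squid.conf fragment for an OWA reverse proxy.
# Squid reads keys and certificates in PEM only, so the .pfx exported from
# Windows has to be split first (assumed commands, run once on the Squid host):
#   openssl pkcs12 -in owa.pfx -clcerts -nokeys -out /etc/squid/ssl/my.dyndns.org.pem
#   openssl pkcs12 -in owa.pfx -nocerts -nodes  -out /etc/squid/ssl/my.dyndns.org.key
#   chmod 600 /etc/squid/ssl/my.dyndns.org.key

visible_hostname my.dyndns.org

# "accel" switches the port into reverse-proxy mode (the missing flag).
# "vhost" forwards the Host header the client sent, so Exchange sees
# my.dyndns.org instead of the internal IP. defaultsite= is only the
# fallback for requests with no Host header and must be a bare hostname,
# never a hostname with a /owa path appended.
https_port 192.168.1.199:443 accel vhost defaultsite=my.dyndns.org cert=/etc/squid/ssl/my.dyndns.org.pem key=/etc/squid/ssl/my.dyndns.org.key

# Speak HTTPS to Exchange on 443. Note that sslcert= names a *client*
# certificate Squid would present; to verify the Exchange server's own
# certificate, point sslcafile= at the CA that issued it (assumed file).
cache_peer 192.168.1.249 parent 443 0 no-query originserver login=PASS front-end-https=on ssl sslcafile=/etc/squid/ssl/exchange-ca.pem name=owaServer

# Only requests for the published hostname may reach the Exchange peer.
acl OWA dstdomain my.dyndns.org
cache_peer_access owaServer allow OWA
cache_peer_access owaServer deny all
never_direct allow OWA

# These must sit ABOVE every other http_access line in squid.conf
# (for example the stock "http_access allow localnet" rules); Squid stops
# at the first matching rule, so an earlier allow or deny wins otherwise.
http_access allow OWA
http_access deny all
miss_access allow OWA
miss_access deny all
```

With vhost in place the URL path and the client's Host header pass through untouched, which is what Exchange requires for OWA and RPC over HTTP; a quick check after `squid -k reconfigure` is to request https://my.dyndns.org/owa/ and confirm in access.log that the request is routed to owaServer rather than answered with a 403 by Squid itself.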
