Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 21 Feb 2012 12:26:11 +1300

On 21.02.2012 04:59, Fried Wil wrote:
> Hello Guys,
>
> I have a problem with a Squid 3.1.6 as reverse proxy for an exchange
> usage ... (rpc not compatible with apache2). I would like to
> redirect
> the "/" to "/owa". How can I do that? thx guys
>

Um. I've started with a bit of a side-track: some major simplifications
in line with your config. The answer to your question is at the end.

> This is my configuration of squid.conf just for OWA Access.
>
> $
> https_port SQUID_IP:443 accel cert=/etc/squid3/external_webmail.crt
> key=/etc/squid3/server.key defaultsite=webmail.domain.foo

NOTE: it is important to be aware that in 3.1 and older, if you omit the
"vhost" flag but set "defaultsite=", it has the effect of re-writing *all*
inbound request URIs with the domain name specified as the defaultsite=
value. The importance of this will become clearer later...

>
> cache_peer IP_EXCHANGE_SERVER parent 443 0 no-query originserver
> login=PASS ssl sslcert=/etc/squid3/EXCHANGE_server.pem
> sslflags=DONT_VERIFY_PEER name=exchangeServer
>
> acl url_allow url_regex -i ^https://webmail.domain.foo/.*$

Hint #1: "^https://webmail.domain.foo/.*$" overlaps and matches same
URL as all the following patterns.

Remove the patterns from here...

> acl url_allow url_regex -i ^https://webmail.domain.foo/rpc.*$
> acl url_allow url_regex -i ^https://webmail.domain.foo/exchange.*$
> acl url_allow url_regex -i ^https://webmail.domain.foo/exchweb.*$
> acl url_allow url_regex -i
> ^https://webmail.domain.foo/Microsoft-Server-ActiveSync.*$
> acl url_allow url_regex -i ^https://webmail.domain.foo/owa.*$
> acl url_allow url_regex -i ^https://webmail.domain.foo/EWS.*$
> acl url_allow url_regex -i
> ^https://webmail.domain.foo/autodiscover.*$

... down to here.

Hint #2: "url_regex -i ^https://webmail.domain.foo/.*$" can be further
reduced to a simple pair of ACLs:

   acl HTTPS proto HTTPS
   acl foo dstdomain webmail.domain.foo

>
> acl OWA dstdomain webmail.domain.foo

Hint #3: note how the new "foo" ACL and "OWA" ACL are identical. You
can drop the suggested "foo" ACL and use "OWA".

Result: You can replace all uses of "url_allow" in *_access lines with
the pair "HTTPS OWA".

> acl OWA-SITE urlpath_regex
>
> (\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/EWS\/|\/exchange\/)
> acl OWA-DIRS url_regex ^https://EXCHANGE_SERVER/owa/
>
> cache_peer_access exchangeServer allow OWA

Hint #4: remembering that http_port defaultsite= has already made the
URI domain name "webmail.domain.foo" you will notice how the "OWA" ACL
will always match.
This by itself means no other "cache_peer_access exchangeServer" lines
will be tested.

> cache_peer_access exchangeServer deny all

Hint #5: now that you have configured "exchangeServer deny all" the
rest of the "cache_peer_access exchangeServer" lines are meaningless.

> never_direct allow OWA
>
> cache_peer_access exchangeServer allow OWA-SITE
> cache_peer_access exchangeServer deny all
> never_direct allow OWA-SITE
>
> cache_peer_access exchangeServer allow OWA-DIRS
> cache_peer_access exchangeServer deny all
> never_direct allow OWA-DIRS
>
> I wanna just to redirect the https://webmail.domain.foo/ to
> https://EXCHANGE_SERVER/owa/
>
> I saw "url_rewrite_program" but it doesn't work :(

Please explain "doesn't work". Details are critical.

Firstly, you need to get straight whether you are redirecting or
re-writing. They are very different things, with very different effects
on Exchange.

- URL *re-write* may or may not work. Exchange is *very* sensitive to
even minor changes in the URI it is asked for. Re-writing can break
Exchange service from one release to the next or from one Windows update
cycle to the next. Re-write has its occasional uses, but Exchange is not
one of them. url_rewrite_program can do both types of URI alteration,
although you only need it for the re-write.

- Proper HTTP *redirect* using 3xx status messages should work fine.
But Squid needs to be configured to handle both the before and after URL
when received from the client. Exchange only needs to handle the "after"
URI.

To simply do a global / to /owa/ *redirect* you can do this very
simply:

  acl redirectOWA urlpath_regex ^/$
  deny_info 303:https://EXCHANGE_SERVER/owa/ redirectOWA
  http_access deny HTTPS OWA redirectOWA

Place this at the top of the reverse-proxy http_access lines and the
clients will be redirected to load that given URL before they are sent
anywhere near Exchange.

NOTE: The domain "EXCHANGE_SERVER" needs to point at your Squid
https_port address if you want the OWA requests to continue to operate
through Squid. BUT, I think you are actually wanting to redirect with:

  deny_info 303:https://webmail.domain.foo/owa/ redirectOWA

HTH
Amos
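The ACL logic Amos arrives at, modelled as an added Python illustration (not Squid code and not from the thread): the 3.1 "defaultsite=" host rewrite, the HTTPS/OWA/redirectOWA deny_info redirect, and the OWA-SITE path allow-list used for forwarding. The host header values, the request paths and the rule that anything outside OWA-SITE is denied are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed model of the reverse-proxy rules discussed in the thread.
# "defaultsite=" without "vhost" in Squid 3.1 replaces the host of every
# inbound request URI with this name (Hint #4: "OWA" then always matches).
DEFAULTSITE = "webmail.domain.foo"

# Location Amos suggests: the public name, so OWA traffic keeps flowing
# through Squid rather than straight to EXCHANGE_SERVER.
PUBLIC_OWA = f"https://{DEFAULTSITE}/owa/"

# acl OWA-SITE urlpath_regex (...) from the original config, unescaped.
OWA_SITE = re.compile(
    r"(/rpc/|/owa/|/oab/|/autodiscover/|/Microsoft-Server-ActiveSync"
    r"|/public/|/exchweb/|/EWS/|/exchange/)"
)

def apply_defaultsite(host_header, request_uri):
    """Model of https_port ... accel defaultsite=webmail.domain.foo without
    'vhost': the client's Host header is ignored and the URI is rebuilt."""
    return f"https://{DEFAULTSITE}{request_uri}"

def decide(host_header, request_uri):
    """Return ('redirect', location), ('forward', url) or ('deny', None)."""
    url = apply_defaultsite(host_header, request_uri)
    parts = urlsplit(url)
    is_https = parts.scheme == "https"                 # acl HTTPS proto HTTPS
    is_owa = parts.hostname == DEFAULTSITE             # acl OWA dstdomain webmail.domain.foo
    is_root = re.match(r"^/$", parts.path) is not None # acl redirectOWA urlpath_regex ^/$

    # http_access deny HTTPS OWA redirectOWA, paired with
    # deny_info 303:https://webmail.domain.foo/owa/ redirectOWA
    if is_https and is_owa and is_root:
        return ("redirect", PUBLIC_OWA)
    # cache_peer_access exchangeServer allow OWA-SITE / deny all
    if is_https and is_owa and OWA_SITE.search(parts.path):
        return ("forward", url)
    return ("deny", None)  # assumption: nothing else reaches Exchange

if __name__ == "__main__":
    for host, uri in [("webmail.domain.foo", "/"), ("other.example", "/"),
                      ("webmail.domain.foo", "/owa/"), ("webmail.domain.foo", "/secret/")]:
        print(f"{host} {uri:10} -> {decide(host, uri)}")
```

Because the host rewrite happens before any ACL is evaluated, the redirect fires for "/" whatever Host header the client sent, which is exactly why Amos places it at the top of the http_access list.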
Received on Mon Feb 20 2012 - 23:26:16 MST