Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

From: Fried Wil <wilfried.pascault_at_gmail.com>
Date: Tue, 21 Feb 2012 10:57:00 +0100

Hi Amos,

Thanks for your very good explanation.

I want to specify everything I need:

https://webmail.domain.foo/ --> https://EXCHANGE_IP/owa/
https://webmail.domain.foo/owa/ --> https://EXCHANGE_IP/owa/
https://webmail.domain.foo/rpc/ --> https://EXCHANGE_IP/rpc/
https://webmail.domain.foo/Microsoft-Active-Sync/ --> https://EXCHANGE_IP/Microsoft-Active-Sync/
https://webmail.domain.foo/EWS/ --> https://EXCHANGE_IP/EWS/

The 302 redirection is needed only for "/".

I have tested your configuration, Amos, and it's the same..

1329818099.937 0 CLIENT_IP TCP_MISS/503 3243 GET https://webmail.domain.foo/ - NONE/- text/html

but for /owa/ ..

1329818128.646 2 CLIENT_IP TCP_MISS/302 435 GET https://webmail.domain.foo/owa/ - FIRST_UP_PARENT/exchangeServer -
1329818128.685 3 CLIENT_IP TCP_MISS/200 1491 GET https://webmail.domain.foo/owa/auth/logon.aspx? - FIRST_UP_PARENT/exchangeServer text/html

This is my new squid.conf configuration:

############BEGIN##############
https_port webmail.lexsi.com:443 accel cert=/etc/squid3/webmail.domain.foo.crt key=/etc/squid3/server.key defaultsite=webmail.domain.foo vhost

cache_peer EXCHANGE_IP parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/squid3/EXCHANGE_IP.pem sslflags=DONT_VERIFY_PEER name=exchangeServer

acl HTTPSOWA url_regex -i ^https://webmail.domain.foo/.*$
acl HTTPS proto HTTPS
acl lexsi dstdomain webmail.domain.foo

acl OWA dstdomain webmail.domain.foo
acl OWA-SITE urlpath_regex (\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/EWS\/|\/exchange\/)
acl OWA-DIRS url_regex ^https://EXCHANGE_IP/owa/

cache_peer_access exchangeServer allow OWA
cache_peer_access exchangeServer allow OWA-SITE
cache_peer_access exchangeServer allow OWA-DIRS
cache_peer_access exchangeServer deny all

acl redirectOWA urlpath_regex ^/$
deny_info 303:https://webmail.lexsi.lan/owa/ redirectOWA
http_access deny HTTPSOWA redirectOWA
http_access allow all   # for tests ^^

############END##############

Thx in advance guys

On Tue, Feb 21, 2012 at 12:26:11PM +1300, Amos Jeffries wrote:
> On 21.02.2012 04:59, Fried Wil wrote:
> >Hello Guys,
> >
> >I have a problem with a Squid 3.1.6 as reverse proxy for an exchange
> >usage ... (rpc not compatible with apache2). I would like to
> >redirect
> >the "/" to "/owa". How can I do that? Thx guys
> >
>
> Um. I've started with a bit of a side-track: some major
> simplifications inline with your config. The answer to your question
> is at the end.
>
>
> >This is my configuration of squid.conf just for OWA Access.
> >
> >$
> >https_port SQUID_IP:443 accel cert=/etc/squid3/external_webmail.crt
> >key=/etc/squid3/server.key defaultsite=webmail.domain.foo
>
> NOTE: it is important to be aware that in 3.1 and older, if you omit
> the "vhost" flag but set "defaultsite=", it has the effect of re-writing
> *all* inbound request URIs with the domain name specified as the
> defaultsite= value. The importance of this will become clearer
> later...
>
>
> >
> >cache_peer IP_EXCHANGE_SERVER parent 443 0 no-query originserver
> >login=PASS ssl sslcert=/etc/squid3/EXCHANGE_server.pem
> >sslflags=DONT_VERIFY_PEER name=exchangeServer
> >
> >acl url_allow url_regex -i ^https://webmail.domain.foo/.*$
>
> Hint #1: "^https://webmail.domain.foo/.*$" overlaps and matches same
> URL as all the following patterns.
>
>
> Remove the patterns from here...
>
> >acl url_allow url_regex -i ^https://webmail.domain.foo/rpc.*$
> >acl url_allol url_regex -i ^https://webmail.domain.foo/exchange.*$
> >acl url_allow url_regex -i ^https://webmail.domain.foo/exchweb.*$
> >acl url_allow url_regex -i
> >^https://webmail.domain.foo/Microsoft-Server-ActiveSync.*$
> >acl url_allow url_regex -i ^https://webmail.domain.foo/owa.*$
> >acl url_allow url_regex -i ^https://webmail.domain.foo/EWS.*$
> >acl url_allow url_regex -i
> >^https://webmail.domain.foo/autodiscover.*$
>
> ... down to here.
>
> Hint #2: "url_regex -i ^https://webmail.domain.foo/.*$" can be
> further reduced to a simple pair of ACLs:
>
> acl HTTPS proto HTTPS
> acl foo dstdomain webmail.domain.foo
>
> >
> >acl OWA dstdomain webmail.domain.foo
>
> Hint #3: note how the new "foo" ACL and "OWA" ACL are identical. You
> can drop the suggested "foo" ACL and use "OWA".
>
>
> Result: You can replace all uses of "url_allow" in *_access lines
> with the pair "HTTPS OWA".
>
>
> >acl OWA-SITE urlpath_regex
> >
> >(\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/EWS\/|\/exchange\/)
> >acl OWA-DIRS url_regex ^https://EXCHANGE_SERVER/owa/
> >
> >cache_peer_access exchangeServer allow OWA
>
> Hint #4: remembering that http_port defaultsite= has already made
> the URI domain name "webmail.domain.foo" you will notice how the
> "OWA" ACL will always match.
> This by itself means no other "cache_peer_access exchangeServer"
> lines will be tested.
>
>
> >cache_peer_access exchangeServer deny all
>
> Hint #5: now that you have configured "exchangeServer deny all" the
> rest of the "cache_peer_access exchangeServer" lines are
> meaningless.
>
> >never_direct allow OWA
> >
> >cache_peer_access exchangeServer allow OWA-SITE
> >cache_peer_access exchangeServer deny all
> >never_direct allow OWA-SITE
> >
> >cache_peer_access exchangeServer allow OWA-DIRS
> >cache_peer_access exchangeServer deny all
> >never_direct allow OWA-DIRS
> >
> >I wanna just to redirect the https://webmail.domain.foo/ to
> >https://EXCHANGE_SERVER/owa/
> >
> >I saw "url_rewrite_program" but it doesn't work :(
>
>
> Please explain "doesn't work". Details are critical.
>
> Firstly, you need to get straight whether you are redirecting or
> re-writing. They are very different things, with very different
> effects on Exchange.
>
>
> - URL *re-write*, may or may not work. Exchange is *very* sensitive
> to even minor changes in the URI it is asked for. Re-writing can
> break Exchange service from one release to the next or from one
> windows update cycle to the next. Re-write has its occasional uses,
> but Exchange is not one of them. url_rewrite_program can do both
> types of URI alteration, although you only need it for the re-write.
>
>
> - Proper HTTP *redirect* using 3xx status messages should work fine.
> But Squid needs to be configured to handle both the before and after
> URL when received from the client. Exchange only needs to handle the
> "after" URI.
>
>
> To simply do a global / to /owa/ *redirect* you can do this very
> simply:
>
> acl redirectOWA urlpath_regex ^/$
> deny_info 303:https://EXCHANGE_SERVER/owa/ redirectOWA
> http_access deny HTTPS OWA redirectOWA
>
> Place this at the top of the reverse-proxy http_access lines and the
> clients will be redirected to load that given URL before they are
> sent anywhere near Exchange.
>
> NOTE: The domain "EXCHANGE_SERVER" needs to point at your Squid
> https_port address if you want the OWA requests to continue to
> operate through Squid. BUT, I think you are actually wanting to
> redirect with:
>
> deny_info 303:https://webmail.domain.foo/owa/ redirectOWA
>
>
> HTH
> Amos
>
Received on Tue Feb 21 2012 - 09:56:50 MST
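To make the ordering rules in Amos's hints concrete, here is a small first-match model of Squid's `*_access` evaluation written for this thread. It is an added illustration, not code from the thread or from Squid itself: the ACL names, regexes, `deny_info 303` target and the `webmail.domain.foo` / `EXCHANGE_IP` placeholders are taken from the messages above, while the evaluation logic (all ACLs on a line must match, first matching line wins, the opposite of the last line applies when nothing matches, and `defaultsite=` without `vhost` rewrites the request host) is a simplified model of what the thread describes. Nothing is resolved or contacted.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the thread's placeholders; nothing is resolved or contacted.
DEFAULTSITE = "webmail.domain.foo"
OWA_PATHS = (r"(\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync"
             r"|\/public\/|\/exchweb\/|\/EWS\/|\/exchange\/)")

# ACL name -> (acl type, argument), mirroring the acl lines quoted in the thread.
ACLS = {
    "HTTPS": ("proto", "HTTPS"),
    "OWA": ("dstdomain", DEFAULTSITE),
    "OWA-SITE": ("urlpath_regex", OWA_PATHS),
    "redirectOWA": ("urlpath_regex", r"^/$"),
    "all": ("all", None),
}


def acl_matches(name, url):
    """Evaluate one ACL against a request URL (a simplified model, not Squid's matcher)."""
    kind, arg = ACLS[name]
    parts = urlsplit(url)
    if kind == "all":
        return True
    if kind == "proto":
        return parts.scheme.upper() == arg
    if kind == "dstdomain":
        # Exact-host form; a leading-dot dstdomain would also match subdomains.
        return parts.hostname == arg
    if kind == "urlpath_regex":
        path = parts.path + ("?" + parts.query if parts.query else "")
        return re.search(arg, path) is not None
    raise ValueError("unknown acl type %r" % kind)


def accel_url(url, vhost):
    """Amos's NOTE: on a 3.1 accel port, defaultsite= without 'vhost' rewrites
    the host of every inbound request URI to the defaultsite value."""
    if vhost:
        return url
    return urlsplit(url)._replace(netloc=DEFAULTSITE).geturl()


def first_match(rules, url):
    """*_access semantics: a line matches only when all of its ACLs match and the
    first matching line decides; with no match, the opposite of the last line applies."""
    for index, (action, acl_names) in enumerate(rules):
        if all(acl_matches(n, url) for n in acl_names):
            return index, action
    fallback = "allow" if rules[-1][0] == "deny" else "deny"
    return len(rules), fallback


# Amos's redirect: deny "/" with a deny_info 303 to /owa/ before anything reaches Exchange.
HTTP_ACCESS = [
    ("deny", ["HTTPS", "OWA", "redirectOWA"]),
    ("allow", ["HTTPS", "OWA"]),
    ("deny", ["all"]),
]
DENY_INFO = {"redirectOWA": (303, "https://webmail.domain.foo/owa/")}

# Peer selection by path (the Exchange URL list), then deny the rest.
PEER_ACCESS_FIXED = [("allow", ["OWA-SITE"]), ("deny", ["all"])]
# The ordering from the original post: the dstdomain ACL comes first and, under
# defaultsite=, always matches, so OWA-SITE is never consulted (Hint #4).
PEER_ACCESS_ORIGINAL = [("allow", ["OWA"]), ("allow", ["OWA-SITE"]), ("deny", ["all"])]


def route(url, peer_rules=PEER_ACCESS_FIXED, vhost=True):
    """Return what this model does with a request: a 303 redirect, a 403,
    forwarding to the exchangeServer peer, or no peer at all."""
    url = accel_url(url, vhost)
    index, action = first_match(HTTP_ACCESS, url)
    if action == "deny":
        last_acl = HTTP_ACCESS[index][1][-1] if index < len(HTTP_ACCESS) else None
        if last_acl in DENY_INFO:
            code, location = DENY_INFO[last_acl]
            return ("redirect", code, location)
        return ("denied", 403, None)
    index, action = first_match(peer_rules, url)
    if action == "allow":
        return ("peer", "exchangeServer", index)
    return ("no-peer", None, index)


if __name__ == "__main__":
    for u in ("https://webmail.domain.foo/",
              "https://webmail.domain.foo/owa/auth/logon.aspx?",
              "https://webmail.domain.foo/junk/"):
        print(u, "->", route(u), "| original order:", route(u, PEER_ACCESS_ORIGINAL))
    # Without 'vhost' a foreign Host is rewritten to defaultsite and "/" still redirects.
    print(route("https://other.example/", vhost=False), route("https://other.example/"))
```

Running it shows the three outcomes the thread is about: `/` is answered with the 303 before peer selection runs, `/owa/auth/logon.aspx?` is forwarded to `exchangeServer` by the path ACL, and an unlisted path such as `/junk/` gets no peer under the path-first ordering but is still forwarded under the original `allow OWA` ordering, which is exactly why Amos calls the later `cache_peer_access` lines unreachable.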
