On 17/08/2012 7:46 p.m., dladla wrote:
> I recently decided to build a new virtual server to replace our ageing squid
> reverse proxy server. The old one was running Oracle Enterprise Linux 5 with
> squid 3.0.STABLE26. I built the new one with Centos 6 and initially I used
> the standard version of squid installed with yum, ie 3.1.10. When I had
> problems with that I built 3.2.1 but that had the same problem.
>
> The issue is that login=PASS is not working properly with Exchange 2010.
> Although normal user logins to OWA work ok, and ActiveSync works ok, the
> Soap interface (which is used by the Blackberry Bis server) doesn't
> authenticate, and the Exchange server just keeps returning 401 not
> authorized.
>
> My config file is:
> visible_hostname gw01
> ##extension_methods RPC_IN_DATA RPC_OUT_DATA
> pid_filename /var/run/squid_owa.pid
> cache_effective_user squid
> cache_effective_group squid
> access_log /var/log/squid/access_owa.log squid
> cache_log /var/log/squid/cache_owa.log
> cache_store_log /var/log/squid/store_owa.log
> acl http url_regex -i ^http://
> acl owa dstdomain owa.company.com
> http_port 82 accel defaultsite=owa.company.com
> https_port 444 accel cert=/usr/local/ssl/company.com.cert
> key=/usr/local/ssl/company.com.key defaultsite=owa.company.com
> http_access allow http
> http_access allow owa
> http_access deny all
> url_rewrite_program /usr/local/sbin/squid_owa_url_rewrite
> cache_peer 192.168.0.91 parent 443 0 login=PASS connection-auth=on
> front-end-https no-query originserver proxy-only ssl
> sslflag=DONT_VERIFY_PEER name=owa.company.com
> cache_peer_access owa.company.com allow owa
> cache_peer_access owa.company.com deny all
>
>
> The rewrite program just redirects http to https and adds /owa onto the end
> of the URL if necessary. After turning on some debugging and poring through
> log files I saw this request being sent to the Exchange server:
>
> POST /EWS/Exchange.asmx HTTP/1.1
> Accept: text/xml, text/html, */*
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
> Content-Type: text/xml; charset=UTF-8
> SOAPAction:
> http://schemas.microsoft.com/exchange/services/2006/messages/GetFolder
> Host: owa.company.com
> Content-Length: 501
> Via: 1.1 gw01 (squid/3.2.1)
> Surrogate-Capability: gw01="Surrogate/1.0"
> X-Forwarded-For: 178.239.83.1
> Authorization: Basic UEFTUw==
> Cache-Control: max-age=259200
> Connection: keep-alive
> Front-End-Https: On
>
> So the newer versions of squid are sending the literal Authorization string
> "PASS" encoded as base64! The old version sends the correct authentication
> information.
>
> I guess this is a bug?
For the record: http://bugs.squid-cache.org/show_bug.cgi?id=3625Amos
Amos
Received on Wed Aug 29 2012 - 13:30:52 MDT
This archive was generated by hypermail 2.2.0 : Wed Aug 29 2012 - 12:00:08 MDT