Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-11 Thread dweimer

On 2015-12-10 10:29 pm, Alex Samad wrote:

Hi

I did the change over today.
Tested with Windows 7 + exchange 2010 and it wouldn't connect whilst
there was no tls1 !

interesting IE worked against the web site  so ..

Did you come across this issue?


On 11 December 2015 at 11:09, dweimer  wrote:

On 2015-12-10 4:24 pm, Alex Samad wrote:


Hi

Answer my own question
http://www.squid-cache.org/Versions/v3/3.5/cfgman/http_port.html

seems like there is a no-vhost, I presume vhost turns it on


On 11 December 2015 at 09:23, Alex Samad  wrote:


Hi


On 10 December 2015 at 23:44, dweimer  wrote:


https_port 10.50.20.12:443 accel defaultsite=mail.mydomain.com \
 cert=/certs/wildcard.certificate.crt \
 key=/certs/wildcard.certificate.key \
 options=NO_SSLv2:NO_SSLv3:NO_TLSv1:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
 dhparams=/usr/local/etc/squid/dh.param \
 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 \
 vhost



what is the vhost option can't find it on the doco page
http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html



It may be on by default now, unless you are doing multiple host names, it's
not necessary. The setup on mine is using a wildcard certificate and is
proxying multiple domain names.



So Outlook wouldn't connect using the Exchange Proxy method with RPC over HTTPS?


Which version of Office? Did you make sure all the Windows and Office updates are installed?


--
Thanks,
   Dean E. Weimer
   http://www.dweimer.net/
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-10 Thread Alex Samad
Hi

I did the change over today.
Tested with Windows 7 + exchange 2010 and it wouldn't connect whilst
there was no tls1 !

interesting IE worked against the web site  so ..

Did you come across this issue?


On 11 December 2015 at 11:09, dweimer  wrote:
> On 2015-12-10 4:24 pm, Alex Samad wrote:
>>
>> Hi
>>
>> Answer my own question
>> http://www.squid-cache.org/Versions/v3/3.5/cfgman/http_port.html
>>
>> seems like there is a no-vhost, I presume vhost turns it on
>>
>>
>> On 11 December 2015 at 09:23, Alex Samad  wrote:
>>>
>>> Hi
>>>
>>>
>>> On 10 December 2015 at 23:44, dweimer  wrote:

>>>> https_port 10.50.20.12:443 accel defaultsite=mail.mydomain.com \
>>>>  cert=/certs/wildcard.certificate.crt \
>>>>  key=/certs/wildcard.certificate.key \
>>>>  options=NO_SSLv2:NO_SSLv3:NO_TLSv1:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
>>>>  dhparams=/usr/local/etc/squid/dh.param \
>>>>  cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 \
>>>>  vhost
>>>
>>>
>>> what is the vhost option can't find it on the doco page
>>> http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html
>
>
> It may be on by default now, unless you are doing multiple host names, it's
> not necessary. The setup on mine is using a wildcard certificate and is
> proxying multiple domain names.
>
>
> --
> Thanks,
>Dean E. Weimer
>http://www.dweimer.net/


Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-10 Thread dweimer

On 2015-12-10 4:24 pm, Alex Samad wrote:

Hi

Answer my own question
http://www.squid-cache.org/Versions/v3/3.5/cfgman/http_port.html

seems like there is a no-vhost, I presume vhost turns it on


On 11 December 2015 at 09:23, Alex Samad  wrote:

Hi


On 10 December 2015 at 23:44, dweimer  wrote:

https_port 10.50.20.12:443 accel defaultsite=mail.mydomain.com \
 cert=/certs/wildcard.certificate.crt \
 key=/certs/wildcard.certificate.key \
 options=NO_SSLv2:NO_SSLv3:NO_TLSv1:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
 dhparams=/usr/local/etc/squid/dh.param \
 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 \
 vhost


what is the vhost option can't find it on the doco page
http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html


It may be on by default now, unless you are doing multiple host names,
it's not necessary. The setup on mine is using a wildcard certificate and
is proxying multiple domain names.


--
Thanks,
   Dean E. Weimer
   http://www.dweimer.net/


Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-10 Thread Alex Samad
Hi

So I have taken this config done some slight customization for my site
and it appears to be working

Thanks for this ..

On 10 December 2015 at 23:44, dweimer  wrote:
> On 2015-12-09 11:29 pm, Alex Samad wrote:
>>
>> Hi
>>
>> config
>> https_port 22.4.2.5:443 accel
>> cert=/etc/httpd/conf.d/office.abc.com.crt
>> key=/etc/httpd/conf.d/office.abc.com.key defaultsite=office.abc.com
>> options=NO_SSLv2,NO_SSLv3
>> dhparams=/etc/squid/squid-office-dhparams.pem
>>
>> cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>> cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
>> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
>> sslcert=/etc/httpd/conf.d/office.abc.com.crt
>> sslkey=/etc/httpd/conf.d/office.abc.com.key name=webServer
>> cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
>> originserver login=PASS front-end-https=on ssl
>> sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.abc.com.crt
>> sslkey=/etc/httpd/conf.d/office.abc.com.key name=exchangeServer
>> acl exch_domain dstdomain office.abc.com
>> acl exch_path urlpath_regex -i /exch(ange|web)
>> acl exch_path urlpath_regex -i /public
>> acl exch_path urlpath_regex -i /owa
>> acl exch_path urlpath_regex -i /ecp
>> acl exch_path urlpath_regex -i /microsoft-server-activesync
>> acl exch_path urlpath_regex -i /rpc
>> acl exch_path urlpath_regex -i /rpcwithcert
>> acl exch_path urlpath_regex -i /exadmin
>> acl exch_path urlpath_regex -i /ews
>> acl exch_path urlpath_regex -i /oab
>> acl exch_path urlpath_regex -i /autodiscover
>> cache_peer_access exchangeServer allow exch_domain exch_path
>> cache_peer_access webServer deny exch_domain exch_path
>> never_direct allow exch_domain exch_path
>> cache_mem 32 MB
>> maximum_object_size_in_memory 128 KB
>> access_log stdio:/var/log/squid/office-access.log squid
>> cache_log /var/log/squid/office-cache.log
>> cache_store_log stdio:/var/log/squid/office-cache_store.log
>> pid_filename /var/run/squid-office.pid
>> visible_hostname office.abc.com
>> deny_info TCP_RESET all
>> http_access allow all
>> miss_access allow all
>> icp_port 0
>> snmp_port 0
>>
>>
>>
>> cache.log
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process ID 5631
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process Roles: worker
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| With 1024 file descriptors
>> available
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Initializing IP Cache...
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| DNS Socket created at 0.0.0.0,
>> FD 6
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding domain
>> yieldbroker.com from /etc/resolv.conf
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
>> 10.32.20.100 from /etc/resolv.conf
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
>> 10.32.20.102 from /etc/resolv.conf
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
>> stdio:/var/log/squid/office-access.log
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Local cache digest enabled;
>> rebuild/rewrite every 3600/3600 sec
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
>> stdio:/var/log/squid/office-cache_store.log
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Swap maxSize 0 + 32768 KB,
>> estimated 2520 objects
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Target number of buckets: 126
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using 8192 Store buckets
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Mem  size: 32768 KB
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Swap size: 0 KB
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using Least Load store dir
>> selection
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Current Directory is /etc/squid
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Finished loading MIME types and
>> icons.
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| HTCP Disabled.
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent
>> 127.0.0.1/443/0
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent
>> 10.32.69.11/443/0
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Squid plugin modules loaded: 0
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adaptation support is off.
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Accepting reverse-proxy
>> HTTPS Socket connections at local=202.74.32.15:443 remote=[::] FD 11
>> flags=9
>> Jan 01 10:33:35 1970/12/1

Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-10 Thread Alex Samad
Hi

Answer my own question
http://www.squid-cache.org/Versions/v3/3.5/cfgman/http_port.html

seems like there is a no-vhost, I presume vhost turns it on


On 11 December 2015 at 09:23, Alex Samad  wrote:
> Hi
>
>
> On 10 December 2015 at 23:44, dweimer  wrote:
>> https_port 10.50.20.12:443 accel defaultsite=mail.mydomain.com \
>>  cert=/certs/wildcard.certificate.crt \
>>  key=/certs/wildcard.certificate.key \
>>  options=NO_SSLv2:NO_SSLv3:NO_TLSv1:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
>>  dhparams=/usr/local/etc/squid/dh.param \
>>  cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 \
>>  vhost
>
> what is the vhost option can't find it on the doco page
> http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html


Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-10 Thread Alex Samad
Hi


On 10 December 2015 at 23:44, dweimer  wrote:
> https_port 10.50.20.12:443 accel defaultsite=mail.mydomain.com \
>  cert=/certs/wildcard.certificate.crt \
>  key=/certs/wildcard.certificate.key \
>  options=NO_SSLv2:NO_SSLv3:NO_TLSv1:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
>  dhparams=/usr/local/etc/squid/dh.param \
>  cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 \
>  vhost

what is the vhost option can't find it on the doco page
http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html


Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-10 Thread Alex Samad
Thanks everyone, I will try the changes and try with the debug options

Tls1 might be an issue. Might have to look at the ssl offloading config  so
squid  to exchange can be http instead of ssl

Eliezer hopefully you'll do a CentOS 6. Any chance you can let me have a non
released .12  save me trying to build one.
A
On 11/12/2015 4:32 AM, "Eliezer Croitoru"  wrote:

> On 09/12/2015 12:49, Alex Samad wrote:
>
>> Hi
>>
>> Can't seem to find  3.5.12 for centos pre compiled at
>> http://www1.ngtech.co.il/repo/centos/6/x86_64/
>>
> Since it's in testing
> I have built and tested for CentOS 7 but yet to publish them.
> It will take a week or more.
>
> Eliezer
>


Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-10 Thread Eliezer Croitoru

On 09/12/2015 12:49, Alex Samad wrote:

Hi

Can't seem to find  3.5.12 for centos pre compiled at
http://www1.ngtech.co.il/repo/centos/6/x86_64/

Since it's in testing
I have built and tested for CentOS 7 but yet to publish them.
It will take a week or more.

Eliezer


Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-10 Thread dweimer

On 2015-12-09 11:29 pm, Alex Samad wrote:

Hi

config
https_port 22.4.2.5:443 accel
cert=/etc/httpd/conf.d/office.abc.com.crt
key=/etc/httpd/conf.d/office.abc.com.key defaultsite=office.abc.com
options=NO_SSLv2,NO_SSLv3
dhparams=/etc/squid/squid-office-dhparams.pem
cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
sslcert=/etc/httpd/conf.d/office.abc.com.crt
sslkey=/etc/httpd/conf.d/office.abc.com.key name=webServer
cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
originserver login=PASS front-end-https=on ssl
sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.abc.com.crt
sslkey=/etc/httpd/conf.d/office.abc.com.key name=exchangeServer
acl exch_domain dstdomain office.abc.com
acl exch_path urlpath_regex -i /exch(ange|web)
acl exch_path urlpath_regex -i /public
acl exch_path urlpath_regex -i /owa
acl exch_path urlpath_regex -i /ecp
acl exch_path urlpath_regex -i /microsoft-server-activesync
acl exch_path urlpath_regex -i /rpc
acl exch_path urlpath_regex -i /rpcwithcert
acl exch_path urlpath_regex -i /exadmin
acl exch_path urlpath_regex -i /ews
acl exch_path urlpath_regex -i /oab
acl exch_path urlpath_regex -i /autodiscover
cache_peer_access exchangeServer allow exch_domain exch_path
cache_peer_access webServer deny exch_domain exch_path
never_direct allow exch_domain exch_path
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
access_log stdio:/var/log/squid/office-access.log squid
cache_log /var/log/squid/office-cache.log
cache_store_log stdio:/var/log/squid/office-cache_store.log
pid_filename /var/run/squid-office.pid
visible_hostname office.abc.com
deny_info TCP_RESET all
http_access allow all
miss_access allow all
icp_port 0
snmp_port 0



cache.log
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process ID 5631
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process Roles: worker
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| With 1024 file descriptors available
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Initializing IP Cache...
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| DNS Socket created at 0.0.0.0, FD 6
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding domain yieldbroker.com from /etc/resolv.conf
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver 10.32.20.100 from /etc/resolv.conf
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver 10.32.20.102 from /etc/resolv.conf
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log stdio:/var/log/squid/office-access.log
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log stdio:/var/log/squid/office-cache_store.log
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Swap maxSize 0 + 32768 KB, estimated 2520 objects
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Target number of buckets: 126
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using 8192 Store buckets
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Mem  size: 32768 KB
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Swap size: 0 KB
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using Least Load store dir selection
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Current Directory is /etc/squid
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Finished loading MIME types and icons.
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| HTCP Disabled.
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 127.0.0.1/443/0
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 10.32.69.11/443/0
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Squid plugin modules loaded: 0
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adaptation support is off.
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Accepting reverse-proxy HTTPS Socket connections at local=202.74.32.15:443 remote=[::] FD 11 flags=9
Jan 01 10:33:35 1970/12/10 16:15:43 kid1| storeLateRelease: released 0 objects



cache log
Dec 10 16:16:23 2015.225 RELEASE -1 
BE6736C8CD1A74A54575AF9880395D04   ? ? ? ? ?/?
?/? ? ?
Dec 10 16:16:34 2015.287 RELEASE -1 
78C390A2D412F8E601035A2C1FD771C8   ? ? ? ? ?/?
?/? ? ?
Dec 10 16:16:34 2015.296 RELEASE -1 
A7D8B3751858C54225D29408B56FE42D   ? ? ? ? 

Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-10 Thread Amos Jeffries
On 10/12/2015 6:29 p.m., Alex Samad wrote:
> Hi
> 
> config
> https_port 22.4.2.5:443 accel
> cert=/etc/httpd/conf.d/office.abc.com.crt
> key=/etc/httpd/conf.d/office.abc.com.key defaultsite=office.abc.com
> options=NO_SSLv2,NO_SSLv3
> dhparams=/etc/squid/squid-office-dhparams.pem
> cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

None of those ECDHE entries will work properly. Squid does not have the
additional curve name support needed to configure them.


> cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
> sslcert=/etc/httpd/conf.d/office.abc.com.crt
> sslkey=/etc/httpd/conf.d/office.abc.com.key name=webServer
> cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
> originserver login=PASS front-end-https=on ssl
> sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.abc.com.crt
> sslkey=/etc/httpd/conf.d/office.abc.com.key name=exchangeServer

Note that these cache_peer cert details are the "client certificate"
used to 2-way TLS authenticate Squid with the Office server.

I doubt the same certificate used on the https_port will work as both
server and client certificate. Perhaps that is why the verification has
to be fully disabled.


> acl exch_domain dstdomain office.abc.com
> acl exch_path urlpath_regex -i /exch(ange|web)
> acl exch_path urlpath_regex -i /public
> acl exch_path urlpath_regex -i /owa
> acl exch_path urlpath_regex -i /ecp
> acl exch_path urlpath_regex -i /microsoft-server-activesync
> acl exch_path urlpath_regex -i /rpc
> acl exch_path urlpath_regex -i /rpcwithcert
> acl exch_path urlpath_regex -i /exadmin
> acl exch_path urlpath_regex -i /ews
> acl exch_path urlpath_regex -i /oab
> acl exch_path urlpath_regex -i /autodiscover
> cache_peer_access exchangeServer allow exch_domain exch_path
> cache_peer_access webServer deny exch_domain exch_path
> never_direct allow exch_domain exch_path
> cache_mem 32 MB
> maximum_object_size_in_memory 128 KB
> access_log stdio:/var/log/squid/office-access.log squid
> cache_log /var/log/squid/office-cache.log
> cache_store_log stdio:/var/log/squid/office-cache_store.log
> pid_filename /var/run/squid-office.pid
> visible_hostname office.abc.com
> deny_info TCP_RESET all
> http_access allow all
> miss_access allow all
> icp_port 0
> snmp_port 0
> 
> 
> 
> cache.log
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process ID 5631
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process Roles: worker
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| With 1024 file descriptors available
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Initializing IP Cache...
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| DNS Socket created at 0.0.0.0, FD 6
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding domain
> yieldbroker.com from /etc/resolv.conf
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
> 10.32.20.100 from /etc/resolv.conf
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
> 10.32.20.102 from /etc/resolv.conf
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
> stdio:/var/log/squid/office-access.log
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Local cache digest enabled;
> rebuild/rewrite every 3600/3600 sec
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
> stdio:/var/log/squid/office-cache_store.log
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Swap maxSize 0 + 32768 KB,
> estimated 2520 objects
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Target number of buckets: 126
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using 8192 Store buckets
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Mem  size: 32768 KB
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Swap size: 0 KB
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using Least Load store dir selection
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Current Directory is /etc/squid
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Finished loading MIME types and 
> icons.
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| HTCP Disabled.
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 127.0.0.1/443/0
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 10.32.69.11/443/0
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Squid plugin modules loaded: 0
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adaptation support is off.
> Jan 01 10:33:35

Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-09 Thread Alex Samad
Hi

config
https_port 22.4.2.5:443 accel
cert=/etc/httpd/conf.d/office.abc.com.crt
key=/etc/httpd/conf.d/office.abc.com.key defaultsite=office.abc.com
options=NO_SSLv2,NO_SSLv3
dhparams=/etc/squid/squid-office-dhparams.pem
cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
sslcert=/etc/httpd/conf.d/office.abc.com.crt
sslkey=/etc/httpd/conf.d/office.abc.com.key name=webServer
cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
originserver login=PASS front-end-https=on ssl
sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.abc.com.crt
sslkey=/etc/httpd/conf.d/office.abc.com.key name=exchangeServer
acl exch_domain dstdomain office.abc.com
acl exch_path urlpath_regex -i /exch(ange|web)
acl exch_path urlpath_regex -i /public
acl exch_path urlpath_regex -i /owa
acl exch_path urlpath_regex -i /ecp
acl exch_path urlpath_regex -i /microsoft-server-activesync
acl exch_path urlpath_regex -i /rpc
acl exch_path urlpath_regex -i /rpcwithcert
acl exch_path urlpath_regex -i /exadmin
acl exch_path urlpath_regex -i /ews
acl exch_path urlpath_regex -i /oab
acl exch_path urlpath_regex -i /autodiscover
cache_peer_access exchangeServer allow exch_domain exch_path
cache_peer_access webServer deny exch_domain exch_path
never_direct allow exch_domain exch_path
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
access_log stdio:/var/log/squid/office-access.log squid
cache_log /var/log/squid/office-cache.log
cache_store_log stdio:/var/log/squid/office-cache_store.log
pid_filename /var/run/squid-office.pid
visible_hostname office.abc.com
deny_info TCP_RESET all
http_access allow all
miss_access allow all
icp_port 0
snmp_port 0



cache.log
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process ID 5631
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process Roles: worker
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| With 1024 file descriptors available
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Initializing IP Cache...
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| DNS Socket created at 0.0.0.0, FD 6
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding domain
yieldbroker.com from /etc/resolv.conf
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
10.32.20.100 from /etc/resolv.conf
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
10.32.20.102 from /etc/resolv.conf
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
stdio:/var/log/squid/office-access.log
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Local cache digest enabled;
rebuild/rewrite every 3600/3600 sec
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
stdio:/var/log/squid/office-cache_store.log
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Swap maxSize 0 + 32768 KB,
estimated 2520 objects
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Target number of buckets: 126
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using 8192 Store buckets
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Mem  size: 32768 KB
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Swap size: 0 KB
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using Least Load store dir selection
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Current Directory is /etc/squid
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Finished loading MIME types and icons.
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| HTCP Disabled.
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 127.0.0.1/443/0
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 10.32.69.11/443/0
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Squid plugin modules loaded: 0
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adaptation support is off.
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Accepting reverse-proxy
HTTPS Socket connections at local=202.74.32.15:443 remote=[::] FD 11
flags=9
Jan 01 10:33:35 1970/12/10 16:15:43 kid1| storeLateRelease: released 0 objects


cache log
Dec 10 16:16:23 2015.225 RELEASE -1 
BE6736C8CD1A74A54575AF9880395D04   ? ? ? ? ?/?
?/? ? ?
Dec 10 16:16:34 2015.287 RELEASE -1 
78C390A2D412F8E601035A2C1FD771C8   ? ? ? ? ?/?
?/? ? ?
Dec 10 16:16:34 2015.296 RELEASE -1 
A7D8B3751858C54225D29408B56FE42D   ? ? ? ? ?/?
?/? ? ?
Dec 10 16:16:37 2015.863 RELEASE -1 
3

Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-09 Thread Alex Samad
Hi

Can't seem to find  3.5.12 for centos pre compiled at
http://www1.ngtech.co.il/repo/centos/6/x86_64/


On 8 December 2015 at 19:34, Amos Jeffries  wrote:
> * try an upgrade to 3.5.12. There were some regressions in the .10/.11
> releases that can lead to really weird behaviour.


Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-08 Thread Amos Jeffries
On 8/12/2015 7:35 p.m., Alex Samad wrote:
> Hi
> 
> Any suggestions on how to debug this... I wouldn't mind rolling
> forward to 3.5 again
> 

Some ideas inline. The main ones are:

* re-enable cache.log. It is not optional.

* try an upgrade to 3.5.12. There were some regressions in the .10/.11
releases that can lead to really weird behaviour.


> On 2 December 2015 at 20:39, Alex Samad wrote:
>> Just to add to this I have a lot of these in the log file
>>
>> TCP_MISS_ABORTED/000 0 RPC_IN_DATA
>> TCP_MISS_ABORTED/200 4322 RPC_OUT_DATA
>> TCP_MISS_ABORTED/000 0 RPC_IN_DATA https:
>>
>>
>>
>> On 2 December 2015 at 17:24, Alex Samad wrote:
>>> Hi
>>>
>>> recently upgraded to squid-3.5.11-1.el6.x86_64 from the centos 6.7  squid 3.1
>>>
>>>
>>> I am now having problems with people who use active sync via this
>>> connection . seems like emails with attachments aren't making it
>>> through .
>>>
>>> cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
>>> originserver login=PASS front-end-https=on ssl
>>> sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.yx.com.crt
>>> sslkey=/etc/httpd/conf.d/office.yx.com.key name=exchangeServer

You could try changing these from login=PASS to login=PASSTHRU

>>>
>>>
>>> cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
>>> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
>>> sslcert=/etc/httpd/conf.d/office.yx.com.crt
>>> sslkey=/etc/httpd/conf.d/office.yx.com.key name=webServer
>>> c
>>>
>>> # List of acceptable URLs to send to the Exchange server
>>> acl exch_url url_regex -i office.yieldbroker.com/exchange
>>> acl exch_url url_regex -i office.yieldbroker.com/exchweb
>>> acl exch_url url_regex -i office.yieldbroker.com/public
>>> acl exch_url url_regex -i office.yieldbroker.com/owa
>>> acl exch_url url_regex -i office.yieldbroker.com/ecp
>>> acl exch_url url_regex -i office.yieldbroker.com/microsoft-server-activesync
>>> acl exch_url url_regex -i office.yieldbroker.com/rpc
>>> acl exch_url url_regex -i office.yieldbroker.com/rpcwithcert
>>> acl exch_url url_regex -i office.yieldbroker.com/exadmin
>>> acl exch_url url_regex -i office.yieldbroker.com/oab
>>> # added after
>>> acl exch_url url_regex -i office.yieldbroker.com/ews
>>> # Not configured on exchange 2010
>>> #acl exch_url url_regex -i office.yieldbroker.com/autodiscover
>>>
>>> # Send the Exchange URLs to the Exchange server
>>> cache_peer_access exchangeServer allow exch_url
>>>
>>> # Send everything else to the Apache
>>> cache_peer_access webServer deny exch_url
>>>
>>> # This is to protect Squid
>>> never_direct allow exch_url
>>>
>>> # Logging Configuration
>>> redirect_rewrites_host_header off
>>> cache_mem 32 MB
>>> maximum_object_size_in_memory 128 KB
>>> cache_log none

You should re-enable cache.log and fix any of the issues that are logged
there.


>>> cache_store_log none
>>>
>>> access_log stdio:/var/log/squid/office-access.log squid
>>> #access_log none
>>> cache_log /var/log/squid/office-cache.log
>>> #cache_log none
>>> pid_filename /var/run/squid-office.pid
>>>
>>>
>>> # Set the hostname so that we can see Squid in the path (Optional)
>>> visible_hostname yieldbroker.com
>>> deny_info TCP_RESET all

This could lead to strange behaviour. Particularly since "deny all" is
not being used in your http_access rules ...


>>>
>>> # Allow everyone through, internal and external connections
>>> http_access allow all
>>> miss_access allow all
>>>
>>> icp_port 0
>>> snmp_port 0
>>>
>>> via off
>>>
>>>
>>> The previous setup had worked for at least 18 months.
>>>
>>> Alex

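A small check for the two points raised in the reply above (cache.log switched off, and a deny_info for an ACL that no http_access deny rule uses), as an added example that is not part of the original thread or of Squid itself. It goes one step beyond the reply by also reporting sslflags=DONT_VERIFY_PEER on a cache_peer line; the sample configuration is an abridged, constructed copy of the quoted directives, and `directives()` and `lint()` are hypothetical helper names.

```python
# Constructed sample: an abridged copy of the directives from the quoted
# squid.conf that the checks below look at (values as posted in the thread).
SAMPLE_CONF = """\
cache_peer 10.32.69.11 parent 443 0 originserver ssl sslflags=DONT_VERIFY_PEER name=exchangeServer
cache_log none
cache_store_log none
cache_log /var/log/squid/office-cache.log
deny_info TCP_RESET all
http_access allow all
miss_access allow all
"""

def directives(conf_text):
    """Yield (line_no, name, args) for each non-comment directive."""
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield no, name, args

def lint(conf_text):
    """Return a sorted list of (line_no, message) findings."""
    rows = list(directives(conf_text))
    findings = []
    # ACL names used in any "http_access deny ..." rule ("!" stripped).
    # Simplification (assumption): any position in the rule counts as "used".
    denied = {a.lstrip("!") for _, n, args in rows
              if n == "http_access" and args[:1] == ["deny"] for a in args[1:]}
    cache_logs = [(no, args) for no, n, args in rows if n == "cache_log"]
    for no, args in cache_logs:
        if args == ["none"]:
            findings.append((no, "cache_log none: cache.log is disabled"))
    if len(cache_logs) > 1:
        nos = ", ".join(str(no) for no, _ in cache_logs)
        findings.append((cache_logs[-1][0], f"cache_log set more than once (lines {nos})"))
    for no, n, args in rows:
        if n == "deny_info" and len(args) >= 2 and args[-1] not in denied:
            findings.append((no, f"deny_info for ACL '{args[-1]}' but no http_access deny uses it"))
        if n == "cache_peer" and any(a.startswith("sslflags=") and "DONT_VERIFY_PEER" in a for a in args):
            findings.append((no, "cache_peer: DONT_VERIFY_PEER, peer certificate is not verified"))
    return sorted(findings)

if __name__ == "__main__":
    for no, msg in lint(SAMPLE_CONF):
        print(f"line {no}: {msg}")
```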


Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-07 Thread Alex Samad

Hi

Any suggestions on how to debug this... I wouldn't mind rolling
forward to 3.5 again

On 2 December 2015 at 20:39, Alex Samad  wrote:
> Just to add to this I have a lot of these in the log file
>
> TCP_MISS_ABORTED/000 0 RPC_IN_DATA
> TCP_MISS_ABORTED/200 4322 RPC_OUT_DATA
> TCP_MISS_ABORTED/000 0 RPC_IN_DATA https:
>
> On 2 December 2015 at 17:24, Alex Samad  wrote:
>> Hi
>>
>> Recently upgraded to squid-3.5.11-1.el6.x86_64 from the CentOS 6.7 squid 3.1
>>
>>
>> I am now having problems with people who use active sync via this
>> connection. Seems like emails with attachments aren't making it
>> through.
>>
>> cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
>> originserver login=PASS front-end-https=on ssl
>> sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.yx.com.crt
>> sslkey=/etc/httpd/conf.d/office.yx.com.key name=exchangeServer
>>
>>
>> cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
>> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
>> sslcert=/etc/httpd/conf.d/office.yx.com.crt
>> sslkey=/etc/httpd/conf.d/office.yx.com.key name=webServer
>> c
>>
>> # List of acceptable URLs to send to the Exchange server
>> acl exch_url url_regex -i office.yieldbroker.com/exchange
>> acl exch_url url_regex -i office.yieldbroker.com/exchweb
>> acl exch_url url_regex -i office.yieldbroker.com/public
>> acl exch_url url_regex -i office.yieldbroker.com/owa
>> acl exch_url url_regex -i office.yieldbroker.com/ecp
>> acl exch_url url_regex -i office.yieldbroker.com/microsoft-server-activesync
>> acl exch_url url_regex -i office.yieldbroker.com/rpc
>> acl exch_url url_regex -i office.yieldbroker.com/rpcwithcert
>> acl exch_url url_regex -i office.yieldbroker.com/exadmin
>> acl exch_url url_regex -i office.yieldbroker.com/oab
>> # added after
>> acl exch_url url_regex -i office.yieldbroker.com/ews
>> # Not configured on exchange 2010
>> #acl exch_url url_regex -i office.yieldbroker.com/autodiscover
>>
>> # Send the Exchange URLs to the Exchange server
>> cache_peer_access exchangeServer allow exch_url
>>
>> # Send everything else to the Apache
>> cache_peer_access webServer deny exch_url
>>
>> # This is to protect Squid
>> never_direct allow exch_url
>>
>> # Logging Configuration
>> redirect_rewrites_host_header off
>> cache_mem 32 MB
>> maximum_object_size_in_memory 128 KB
>> cache_log none
>> cache_store_log none
>>
>> access_log stdio:/var/log/squid/office-access.log squid
>> #access_log none
>> cache_log /var/log/squid/office-cache.log
>> #cache_log none
>> pid_filename /var/run/squid-office.pid
>>
>>
>> # Set the hostname so that we can see Squid in the path (Optional)
>> visible_hostname yieldbroker.com
>> deny_info TCP_RESET all
>>
>> # ACL - required to allow
>> #acl all src ALL
>>
>> # Allow everyone through, internal and external connections
>> http_access allow all
>> miss_access allow all
>>
>> icp_port 0
>> snmp_port 0
>>
>> via off
>>
>>
>> The previous setup had worked for at least 18 months.
>>
>> Alex


Re: [squid-users] squid reverse proxy infront of exchange 2010

2015-12-02 Thread Alex Samad

Just to add to this I have a lot of these in the log file

TCP_MISS_ABORTED/000 0 RPC_IN_DATA
TCP_MISS_ABORTED/200 4322 RPC_OUT_DATA
TCP_MISS_ABORTED/000 0 RPC_IN_DATA https:

On 2 December 2015 at 17:24, Alex Samad  wrote:
> Hi
>
> Recently upgraded to squid-3.5.11-1.el6.x86_64 from the CentOS 6.7 squid 3.1
>
>
> I am now having problems with people who use active sync via this
> connection. Seems like emails with attachments aren't making it
> through.
>
> cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
> originserver login=PASS front-end-https=on ssl
> sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.yx.com.crt
> sslkey=/etc/httpd/conf.d/office.yx.com.key name=exchangeServer
>
>
> cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
> sslcert=/etc/httpd/conf.d/office.yx.com.crt
> sslkey=/etc/httpd/conf.d/office.yx.com.key name=webServer
> c
>
> # List of acceptable URLs to send to the Exchange server
> acl exch_url url_regex -i office.yieldbroker.com/exchange
> acl exch_url url_regex -i office.yieldbroker.com/exchweb
> acl exch_url url_regex -i office.yieldbroker.com/public
> acl exch_url url_regex -i office.yieldbroker.com/owa
> acl exch_url url_regex -i office.yieldbroker.com/ecp
> acl exch_url url_regex -i office.yieldbroker.com/microsoft-server-activesync
> acl exch_url url_regex -i office.yieldbroker.com/rpc
> acl exch_url url_regex -i office.yieldbroker.com/rpcwithcert
> acl exch_url url_regex -i office.yieldbroker.com/exadmin
> acl exch_url url_regex -i office.yieldbroker.com/oab
> # added after
> acl exch_url url_regex -i office.yieldbroker.com/ews
> # Not configured on exchange 2010
> #acl exch_url url_regex -i office.yieldbroker.com/autodiscover
>
> # Send the Exchange URLs to the Exchange server
> cache_peer_access exchangeServer allow exch_url
>
> # Send everything else to the Apache
> cache_peer_access webServer deny exch_url
>
> # This is to protect Squid
> never_direct allow exch_url
>
> # Logging Configuration
> redirect_rewrites_host_header off
> cache_mem 32 MB
> maximum_object_size_in_memory 128 KB
> cache_log none
> cache_store_log none
>
> access_log stdio:/var/log/squid/office-access.log squid
> #access_log none
> cache_log /var/log/squid/office-cache.log
> #cache_log none
> pid_filename /var/run/squid-office.pid
>
>
> # Set the hostname so that we can see Squid in the path (Optional)
> visible_hostname yieldbroker.com
> deny_info TCP_RESET all
>
> # ACL - required to allow
> #acl all src ALL
>
> # Allow everyone through, internal and external connections
> http_access allow all
> miss_access allow all
>
> icp_port 0
> snmp_port 0
>
> via off
>
>
> The previous setup had worked for at least 18 months.
>
> Alex