Re: [squid-users] OWA on Exchange 2003 proxy
Thanks again for the help Henrik. Answers to your questions are below.

On Thursday, October 30, 2003, at 05:57 PM, Henrik Nordstrom wrote:

> On Thu, 30 Oct 2003, Jonathan Giles wrote:
>
>> in squid.conf in ver. 3, these are the options I have made:
>>
>> https_port 443 cert=/etc/openssl/cacert.pem key=/etc/openssl/privkey.pem accel defaultsite=owa.clinedavis.com
>> cache_peer owa.clinedavis.com parent 80 0 no-query front-end-https=on
>>
>> --- in /etc/hosts ---
>> 10.1.16.67 owa.clinedavis.com
>> ---
>>
>> and when I go to the squid server I get this...
>>
>> Bad Request (Invalid URL)
>
> Hmm.. you should not be seeing this error.

I am confused as well. What does it mean?

>> in access.log I get this
>>
>> 1067539553.232 1 10.1.16.100 TCP_NEGATIVE_HIT/400 270 GET https://owa.clinedavis.com/ - NONE/- text/html
>
> What was the first entry? This is a cache hit for an error which occurred earlier.

you are probably right. These are definitely associated with the session:

1067612977.854 22 10.1.16.100 TCP_MISS/400 262 GET https://owa.clinedavis.com/exchange - FIRST_UP_PARENT/owa.clinedavis.com text/html

TCP_MISS means that the page wasn't in the cache, so I should just ignore it right?

>> 1067543543.673 23 10.1.16.100 TCP_MISS/400 262 GET https://owa.clinedavis.com/ - FIRST_UP_PARENT/owa.clinedavis.com text/html
>
> This looks better.
>
>> when I change the ip in etc/hosts to some other web server, it works.
>
> Does the OWA server listen on 10.1.16.67 port 80?

yes.

> Note: You do not need to specify the server by name in cache_peer. Using IP addresses is fine here.

but the name should work right?

>> In squid2 this following config works, but still has that not loading folders problem.
>
> What URL is the client asking for? For this to work the client must be asking for https://owa.clinedavis.com/

yup what the client is asking for is https://owa.clinedavis.com/exchange

> Regards
> Henrik

---=---=---
Jonathan Giles
Senior Unix Administrator
Cline Davis Mann
---
Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply e-mail. Please advise immediately if you or your employer do not consent to Internet e-mail of this kind. Opinions, conclusions, and other information in this message that do not relate to the official business of CDM shall be understood as neither given nor endorsed by it.
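Henrik's point about the TCP_NEGATIVE_HIT entry (a replay of an error cached earlier) versus the TCP_MISS/400 entries answered by FIRST_UP_PARENT (the OWA server itself returned the 400) is the kind of distinction worth making mechanically when reading a Squid access.log. The following Python is an added example, not code from the thread or from the Squid project; the log sample is constructed from the lines quoted above plus one made-up healthy request, and the field layout assumed is Squid's native access.log format.

```python
"""Triage Squid native access.log lines: was a 4xx produced by the origin
(parent peer), replayed from the negative cache, or generated by Squid itself?"""
from dataclasses import dataclass

# Constructed sample in Squid's native access.log layout. The first three lines
# are the entries quoted in the thread; the fourth is a made-up healthy request.
SAMPLE_LOG = """\
1067539553.232 1 10.1.16.100 TCP_NEGATIVE_HIT/400 270 GET https://owa.clinedavis.com/ - NONE/- text/html
1067543543.673 23 10.1.16.100 TCP_MISS/400 262 GET https://owa.clinedavis.com/ - FIRST_UP_PARENT/owa.clinedavis.com text/html
1067612977.854 22 10.1.16.100 TCP_MISS/400 262 GET https://owa.clinedavis.com/exchange - FIRST_UP_PARENT/owa.clinedavis.com text/html
1067612980.101 35 10.1.16.100 TCP_MISS/200 4120 GET https://owa.clinedavis.com/exchange/ - FIRST_UP_PARENT/owa.clinedavis.com text/html
"""


@dataclass
class Entry:
    timestamp: float     # seconds since the epoch, with milliseconds
    elapsed_ms: int      # time Squid spent on the request
    client: str          # client IP
    result: str          # Squid result code, e.g. TCP_MISS, TCP_NEGATIVE_HIT
    status: int          # HTTP status returned to the client
    size: int            # bytes sent to the client
    method: str
    url: str
    ident: str
    hierarchy: str       # how the request was forwarded, e.g. FIRST_UP_PARENT or NONE
    peer: str            # peer host the response came from, or "-"
    content_type: str


def parse_line(line: str) -> Entry:
    """Parse one native-format line (ten whitespace-separated fields)."""
    fields = line.split()
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    result, status = fields[3].split("/", 1)
    hierarchy, peer = fields[8].split("/", 1)
    return Entry(
        timestamp=float(fields[0]), elapsed_ms=int(fields[1]), client=fields[2],
        result=result, status=int(status), size=int(fields[4]),
        method=fields[5], url=fields[6], ident=fields[7],
        hierarchy=hierarchy, peer=peer, content_type=fields[9],
    )


def classify(entry: Entry) -> str:
    """Attribute an error status to its source."""
    if entry.status < 400:
        return "ok"
    if entry.result == "TCP_NEGATIVE_HIT":
        # Served from the negative cache: a copy of an error seen earlier.
        # Look for the original TCP_MISS for the same URL; this entry adds nothing.
        return "cached-error"
    if entry.hierarchy != "NONE":
        # Squid forwarded the request and the peer answered with the error,
        # so the origin (here the OWA parent) is the place to debug.
        return f"origin-error:{entry.peer}"
    # Not forwarded and not a cache hit: Squid itself rejected the request.
    return "squid-error"


def triage(log_text: str) -> dict:
    """Count entries per classification over a block of log text."""
    counts: dict = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind = classify(parse_line(line))
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:3d}  {kind}")
```

Run against a real access.log, the `origin-error:<peer>` bucket is the one that says the reverse proxy is forwarding correctly and the back-end is rejecting the request, whereas `squid-error` entries (no peer, not a hit) point at the proxy's own configuration.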
Re: [squid-users] OWA on Exchange 2003 proxy
Thanks again for the help, Henrik. I got squid3 to compile and install, now having trouble getting it to work.

in squid.conf in ver. 3, these are the options I have made:

https_port 443 cert=/etc/openssl/cacert.pem key=/etc/openssl/privkey.pem accel defaultsite=owa.clinedavis.com
cache_peer owa.clinedavis.com parent 80 0 no-query front-end-https=on

--- in /etc/hosts ---
10.1.16.67 owa.clinedavis.com
---

and when I go to the squid server I get this...

Bad Request (Invalid URL)

in access.log I get this

1067539553.232 1 10.1.16.100 TCP_NEGATIVE_HIT/400 270 GET https://owa.clinedavis.com/ - NONE/- text/html
1067543543.673 23 10.1.16.100 TCP_MISS/400 262 GET https://owa.clinedavis.com/ - FIRST_UP_PARENT/owa.clinedavis.com text/html

when I change the ip in etc/hosts to some other web server, it works.

In squid2 this following config works, but still has that not loading folders problem.

squid.conf

https_port 443 cert=/etc/openssl/cacert.pem key=/etc/openssl/privkey.pem
httpd_accel_host owa.clinedavis.com
cache_peer owa.clinedavis.com parent 80 0 no-query front-end-https=on

Any help would be greatly appreciated.

Thanks,
jg

On Wednesday, October 29, 2003, at 05:00 PM, Henrik Nordstrom wrote:

> On Wed, 29 Oct 2003, Jonathan Giles wrote:
>
>> 1) forms based authentication mode turns on ssl on the exchange server. Https connections fail because it does not like the test cert we put on the exchange server. Is there any way to tell squid to ignore the problem with the ssl test cert on the 2003 exchange server?
>
> If you use Squid-3 then you can tell Exchange that https is added by a frontend server such as Squid. See the cache_peer directive in Squid-3.
>
>> We can skip forms based auths if we can cause squid to time out sessions... Seems as though exchange credentials are stored on the web client, and are not destroyed until the web client is quit.
>
> Correct.
>
>> 2) if using IE on Windows, exchange2003 goes into high gear mode and gives special features to the client, and this does not work on the squid system I configured for exchange2000. I believe there is a redirect that is causing the proxy to spin its gears, as the mail folder list never gets populated with mail messages. So, if someone here has a suggestion with regards to this issue, or if there is a way to stop letting Exchange 2003 know that the client is IE on windows, it would be very helpful.
>
> You quite likely need to use the above Squid-3 feature for this to work properly.. Modern Exchange OWA installations use WebDAV for folder access etc when accessed by MSIE clients and this requires that OWA knows exactly by which means it is accessed. Any front-end server such as a Squid reverse proxy MUST NOT modify the URL (including the host component) and if the front-end uses SSL while using plain HTTP to the OWA server then it must tell so to the OWA by using the custom X-Front-End-HTTPS header.
>
> Regards
> Henrik

---=---=---
Jonathan Giles
Senior Unix Administrator
Cline Davis Mann
[squid-users] OWA on Exchange 2003 proxy
I was wondering if anyone had any experience with squid and OWA on Exchange 2003 proxies. My major hurdles are two in number.

1) forms based authentication mode turns on ssl on the exchange server. Https connections fail because it does not like the test cert we put on the exchange server. Is there any way to tell squid to ignore the problem with the ssl test cert on the 2003 exchange server? We can skip forms based auths if we can cause squid to time out sessions... Seems as though exchange credentials are stored on the web client, and are not destroyed until the web client is quit.

2) if using IE on Windows, exchange2003 goes into high gear mode and gives special features to the client, and this does not work on the squid system I configured for exchange2000. I believe there is a redirect that is causing the proxy to spin its gears, as the mail folder list never gets populated with mail messages. So, if someone here has a suggestion with regards to this issue, or if there is a way to stop letting Exchange 2003 know that the client is IE on windows, it would be very helpful.

Maybe some of these issues are addressed in squid3?

Thanks very much!
jg

---=---=---
Jonathan Giles
Senior Unix Administrator
Cline Davis Mann
[squid-users] getting a CA to take PEM format csrs
hello:

I have a working config for an https accel setup, but I have hit a big problem. I have looked over the lists and have not found how other people deal with this. I work with Thawte.com to get other certs for other https (apache) servers, and they have told me they do not accept PEM anything. And I understand that the csr must be in PEM for a CA to issue a PEM crt. Thawte has told me it will be really hard to find a CA that accepts PEM. How have other people here dealt with this?

Here attached is Thawte's response to my request.

> Hi Jonathan
>
> The PEM format requirement is misleading, as the PEM format mentioned actually refers to a standard DER format certificate, the guys developing the Apache standards seem to have confused the file types. Therefore since you are able to generate standard format CSRs, squid should also work with standard format certificates, even though Apache and squid are not the same they share the same openssl libraries.
>
> What error message do you receive when you restart the daemon? Please send us the error logs.

Of course my logs just say Bungled conf file at the config

Aug 25 17:22:29 owa squid: Bungled squid.conf line 62: https_port 443 cert=/etc/openssl/certs/owa.clinedavis.com.test.crt key=/etc/openssl/private/owa.clinedavis.com.key

This is using the crt and key that was created using Thawte's directions.

Any suggestions would be greatly appreciated!
jg

---=---=---
Jonathan Giles
Senior Unix Administrator
Cline Davis Mann
Re: [squid-users] getting a CA to take PEM format csrs
Henrik:

Again thanks for the help. I went through the apache mod_ssl directions to the letter, and still having trouble. here are the commands they refer to.

openssl genrsa -des3 -out www.virtualhost.com.key 1024
openssl req -new -key www.virtualhost.com.key -out www.virtualhost.com.csr
openssl x509 -req -days 30 -in www.virtualhost.com.csr -signkey www.virtualhost.com.key -out www.virtualhost.com.crt

Using the test .crt and key created by openssl, this is what I get from...

[EMAIL PROTECTED] openssl]# /usr/local/squid/sbin/squid -D -d 1
Enter PEM pass phrase:
2003/08/27 16:17:24| Failed to acquire SSL private key '/etc/openssl/owa.clinedavis.com.key': error:0906406D:PEM routines:DEF_CALLBACK:problems getting password
FATAL: Bungled squid.conf line 64: https_port 443 cert=/etc/openssl/owa.clinedavis.com.crt key=/etc/openssl/owa.clinedavis.com.key
Squid Cache (Version 2.5.STABLE3): Terminated abnormally.
CPU Usage: 0.080 seconds = 0.060 user + 0.020 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 360
Aborted
[EMAIL PROTECTED] openssl]# /usr/local/squid/sbin/squid -D -d 1
Enter PEM pass phrase:
[EMAIL PROTECTED] openssl]# Enter PEM pass phrase:
2003/08/27 16:17:53| Failed to acquire SSL private key '/etc/openssl/owa.clinedavis.com.key': error:0906406D:PEM routines:DEF_CALLBACK:problems getting password
FATAL: Bungled squid.conf line 64: https_port 443 cert=/etc/openssl/owa.clinedavis.com.crt key=/etc/openssl/owa.clinedavis.com.key
Squid Cache (Version 2.5.STABLE3): Terminated abnormally.
CPU Usage: 0.070 seconds = 0.050 user + 0.020 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 359
Enter PEM pass phrase:
2003/08/27 16:17:56| Failed to acquire SSL private key '/etc/openssl/owa.clinedavis.com.key': error:0906406D:PEM routines:DEF_CALLBACK:problems getting password
FATAL: Bungled squid.conf line 64: https_port 443 cert=/etc/openssl/owa.clinedavis.com.crt key=/etc/openssl/owa.clinedavis.com.key
Squid Cache (Version 2.5.STABLE3): Terminated abnormally.
CPU Usage: 0.070 seconds = 0.040 user + 0.030 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 359
Enter PEM pass phrase:
2003/08/27 16:17:59| Failed to acquire SSL private key '/etc/openssl/owa.clinedavis.com.key': error:0906406D:PEM routines:DEF_CALLBACK:problems getting password
FATAL: Bungled squid.conf line 64: https_port 443 cert=/etc/openssl/owa.clinedavis.com.crt key=/etc/openssl/owa.clinedavis.com.key
Squid Cache (Version 2.5.STABLE3): Terminated abnormally.
CPU Usage: 0.090 seconds = 0.070 user + 0.020 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 359
Enter PEM pass phrase:
2003/08/27 16:18:02| Failed to acquire SSL private key '/etc/openssl/owa.clinedavis.com.key': error:0906406D:PEM routines:DEF_CALLBACK:problems getting password
FATAL: Bungled squid.conf line 64: https_port 443 cert=/etc/openssl/owa.clinedavis.com.crt key=/etc/openssl/owa.clinedavis.com.key
Squid Cache (Version 2.5.STABLE3): Terminated abnormally.
CPU Usage: 0.070 seconds = 0.060 user + 0.010 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 359
Enter PEM pass phrase:
2003/08/27 16:18:06| Failed to acquire SSL private key '/etc/openssl/owa.clinedavis.com.key': error:0906406D:PEM routines:DEF_CALLBACK:problems getting password
FATAL: Bungled squid.conf line 64: https_port 443 cert=/etc/openssl/owa.clinedavis.com.crt key=/etc/openssl/owa.clinedavis.com.key
Squid Cache (Version 2.5.STABLE3): Terminated abnormally.
CPU Usage: 0.080 seconds = 0.050 user + 0.030 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 359
[EMAIL PROTECTED] openssl]#

On Tuesday, August 26, 2003, at 08:07 PM, Henrik Nordstrom wrote:

> The Thawte guide for Apache mod_ssl works just fine for Squid, and their instructions do generate a PEM formatted CSR... and Thawte gives you a PEM formatted certificate back if you follow this procedure.
>
> The Apache guys have not confused the file formats. Apache mod_ssl wants PEM formatted certificates just as Squid. This is different from the DER format expected by many others but has the major benefit that the certificate can be exchanged in plain text email etc..
>
> However, if you have a CA which insists on binary DER certificates then OpenSSL has options to convert these to/from PEM format if needed.
>
> The error you are seeing probably means that your Squid binary is not SSL enabled.. what does squid -v say about your configure options? And are there any comments regarding configure options next to the https_port option in your squid.conf.default?
>
> Regards
> Henrik
>
> On Tuesday 26 August 2003 23.24, Jonathan Giles wrote:
>
>> hello:
>>
>> I have a working config for an https accel setup, but I have hit a big problem. I have looked over the lists and have not found how other people deal with this. I work with Thawte.com to get other certs for other https (apache) servers, and they have told me they do not accept PEM anything. And I understand that the csr must be in PEM
Re: [squid-users] getting a CA to take PEM format csrs
Thanks. Got it. So I would start by hand with -N, put in my passphrase, suspend it with a cntrl z, then bg it? I just tried this and it works.

Thanks again for the help.
jg

On Wednesday, August 27, 2003, at 12:58 PM, Henrik Nordstrom wrote:

> On Wed, 27 Aug 2003, Jonathan Giles wrote:
>
>> Henrik:
>>
>> Again thanks for the help. I went through the apache mod_ssl directions to the letter, and still having trouble. here are the commands they refer to.
>>
>> openssl genrsa -des3 -out www.virtualhost.com.key 1024
>
> If you use encrypted RSA keys then you must start Squid with the -N option.
>
>> [EMAIL PROTECTED] openssl]# /usr/local/squid/sbin/squid -D -d 1
>> Enter PEM pass phrase:
>> 2003/08/27 16:17:24| Failed to acquire SSL private key '/etc/openssl/owa.clinedavis.com.key': error:0906406D:PEM routines:DEF_CALLBACK:problems getting password
>
> Or else you get the above error... which causes this..
>
>> FATAL: Bungled squid.conf line 64: https_port 443
>
> Regards
> Henrik

---=---=---
Jonathan Giles
Senior Unix Administrator
Cline Davis Mann
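Two things went wrong in this thread before the right answer appeared: the PEM-versus-DER confusion in the earlier messages, and a key generated with `openssl genrsa -des3` that is passphrase-protected and so cannot be opened by a daemonised squid (hence the repeated "Enter PEM pass phrase:" prompts and the DEF_CALLBACK error). Both are visible in the files themselves before squid is ever started. The following Python is an added example, not code from the thread or the Squid project: a pre-flight check that tells PEM from DER and reports whether a PEM key carries the `Proc-Type: 4,ENCRYPTED` header that `openssl genrsa -des3` writes (or the PKCS#8 `ENCRYPTED PRIVATE KEY` label). The sample blocks are constructed with placeholder payloads, not real keys or certificates; the DER detection is a heuristic on the leading ASN.1 SEQUENCE tag.

```python
"""Pre-flight check for the cert and key files named on an https_port line:
is each file PEM or DER, and is the private key passphrase-protected?"""
import base64
import binascii
import re

# PEM armour: matching BEGIN/END labels with the body in between.
_PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def _pem(label: str, payload: bytes, headers=()) -> bytes:
    """Build a PEM block around constructed payload bytes (sample data only)."""
    body = b"\n".join(h.encode() for h in headers) + (b"\n\n" if headers else b"")
    b64 = base64.encodebytes(payload)  # 76-column lines, newline-terminated
    return b"-----BEGIN %s-----\n%s%s-----END %s-----\n" % (
        label.encode(), body, b64, label.encode())


# Constructed samples; the payloads are placeholder bytes, not real keys or certs.
ENCRYPTED_KEY_PEM = _pem("RSA PRIVATE KEY", b"placeholder encrypted key bytes",
                         ["Proc-Type: 4,ENCRYPTED",
                          "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF"])
PLAIN_KEY_PEM = _pem("RSA PRIVATE KEY", b"placeholder plain key bytes")
CERT_PEM = _pem("CERTIFICATE", b"placeholder certificate bytes")
DER_BLOB = b"\x30\x82\x01\x0a" + b"\x00" * 16   # starts with the ASN.1 SEQUENCE tag, as DER does


def inspect(data: bytes) -> dict:
    """Classify a certificate or key file: PEM (with label, encryption flag,
    base64 sanity) or DER, or unknown."""
    m = _PEM_RE.search(data)
    if m is None:
        fmt = "DER" if data[:1] == b"\x30" else "unknown"
        return {"format": fmt, "label": None, "encrypted": None, "base64_ok": None}
    label = m.group(1).decode()
    # RFC 1421 style headers (Proc-Type, DEK-Info) end at the first blank line.
    parts = re.split(rb"\r?\n\r?\n", m.group(2), maxsplit=1)
    headers, b64 = (parts[0], parts[1]) if len(parts) == 2 else (b"", parts[0])
    # openssl genrsa -des3 writes a traditional PEM key with a Proc-Type header;
    # PKCS#8 encrypted keys use the ENCRYPTED PRIVATE KEY label instead.
    encrypted = label == "ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in headers
    try:
        base64.b64decode(b"".join(b64.split()), validate=True)
        base64_ok = True
    except binascii.Error:
        base64_ok = False
    return {"format": "PEM", "label": label, "encrypted": encrypted, "base64_ok": base64_ok}


def squid_start_advice(info: dict) -> str:
    """What to do before squid will start with this file on https_port."""
    if info["format"] == "DER":
        return "convert to PEM first, e.g. openssl x509 -inform DER -in file.der -out file.pem"
    if info["format"] != "PEM" or not info["base64_ok"]:
        return "not a usable PEM file; regenerate it"
    if info["encrypted"]:
        return ("passphrase-protected key: run squid -N so the prompt reaches a terminal, "
                "or strip the passphrase (openssl rsa -in enc.key -out plain.key) and chmod 600 it")
    return "ok to use as-is"


if __name__ == "__main__":
    for name, blob in (("encrypted key", ENCRYPTED_KEY_PEM), ("plain key", PLAIN_KEY_PEM),
                       ("certificate", CERT_PEM), ("der blob", DER_BLOB)):
        info = inspect(blob)
        print(f"{name:14s} {info['format']:7s} {str(info['label']):22s} "
              f"encrypted={info['encrypted']}  -> {squid_start_advice(info)}")
```

The `-N` route Henrik gives keeps the passphrase in an interactive session, which is fine for a hand-started test but does not survive an unattended reboot; the usual trade-off for a service that must restart on its own is an unencrypted key whose protection comes from file permissions and host hardening instead, which is what the advice string spells out.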
Re: [squid-users] OWA and squid
Your suggestion works very nicely. Thanks for all the help and patience!
jg

On Tuesday, August 5, 2003, at 04:38 PM, Henrik Nordstrom wrote:

> Make sure the OWA web server has support for virtual domains enabled. If all else fails, create a virtual domain instance with the external domain name.
>
> The key to get this to work is to make sure OWA knows its external name and uses it.
>
> Regards
> Henrik
>
> On Tuesday 05 August 2003 20.06, Jonathan Giles wrote:
>
>> Henrik:
>>
>> I have compiled the latest, and although the hosts file is now being used, and I have tried out your suggestion as below, I am still getting redirects on the browser. Do you have any other suggestions?
>>
>> jg
>>
>> On Wednesday, July 30, 2003, at 04:08 PM, Henrik Nordstrom wrote:
>>
>>> On Wednesday 30 July 2003 16.36, Jonathan Giles wrote:
>>>
>>>> The problem we are having is that once the client logs onto the server through Squid, the OWA server redirects the browser to the OWA directly, without the Squid server in line of traffic.
>>>
>>> Try this:
>>>
>>> httpd_accel_host the.externally.visible.name.of.owa
>>>
>>> /etc/hosts:
>>> ip.of.owa.server the.externally.visible.name.of.owa
>>>
>>> Do NOT use a redirector helper etc.
>>>
>>> Firewalling the OWA once you get this running is recommended.
>>>
>>> Regards
>>> Henrik
>>>
>>> --
>>> Donations welcome if you consider my Free Squid support helpful.
>>> https://www.paypal.com/xclick/business=hno%40squid-cache.org
>>>
>>> If you need commercial Squid support or cost effective Squid or firewall appliances please refer to MARA Systems AB, Sweden http://www.marasystems.com/, [EMAIL PROTECTED]
>>
>> ---=---=---
>> Jonathan Giles
>> Senior Unix Administrator
>> Cline Davis Mann

---=---=---
Jonathan Giles
Senior Unix Administrator
Cline Davis Mann
Re: [squid-users] OWA and squid
Henrik:

I have compiled the latest, and although the hosts file is now being used, and I have tried out your suggestion as below, I am still getting redirects on the browser. Do you have any other suggestions?

jg

On Wednesday, July 30, 2003, at 04:08 PM, Henrik Nordstrom wrote:

> On Wednesday 30 July 2003 16.36, Jonathan Giles wrote:
>
>> The problem we are having is that once the client logs onto the server through Squid, the OWA server redirects the browser to the OWA directly, without the Squid server in line of traffic.
>
> Try this:
>
> httpd_accel_host the.externally.visible.name.of.owa
>
> /etc/hosts:
> ip.of.owa.server the.externally.visible.name.of.owa
>
> Do NOT use a redirector helper etc.
>
> Firewalling the OWA once you get this running is recommended.
>
> Regards
> Henrik
>
> --
> Donations welcome if you consider my Free Squid support helpful.
> https://www.paypal.com/xclick/business=hno%40squid-cache.org
>
> If you need commercial Squid support or cost effective Squid or firewall appliances please refer to MARA Systems AB, Sweden http://www.marasystems.com/, [EMAIL PROTECTED]

---=---=---
Jonathan Giles
Senior Unix Administrator
Cline Davis Mann
Re: [squid-users] OWA and squid
OK I will get the latest source, compile, test etc. and let you know if the problem still exists. Thanks very much for the help!

--
Jonathan Giles
Sr. Unix Administrator
Cline Davis Mann

Quoting Henrik Nordstrom [EMAIL PROTECTED]:

> On Friday 01 August 2003 16.12, Jonathan Giles wrote:
>
>> The version of squid I am running is squid-2.4.STABLE3-1.7.2
>
> You should consider upgrading. Any advice given on this mailing list is for Squid-2.5 unless indicated otherwise.
>
> Regards
> Henrik
Re: [squid-users] OWA and squid
The version of squid I am running is squid-2.4.STABLE3-1.7.2 on a yellowdog ppc box running 2.4.19-4a kernel

The /etc/nsswitch.conf is straight out of the box, and has the line

hosts: files nisplus nis dns

and appears to be working fine. Do you think running a source compile would fix this problem?

Thanks again for the help!
jg

On Thursday, July 31, 2003, at 07:53 PM, Henrik Nordstrom wrote:

> On Friday 01 August 2003 00.32, Jonathan Giles wrote:
>
>> As best as I can tell, squid never looks at /etc/hosts.
>
> It does, if you use a supported version of Squid.
>
> Regards
> Henrik

---=---=---
Jonathan Giles
Senior Unix Administrator
Cline Davis Mann
Re: [squid-users] OWA and squid
I am sorry I wasn't clear in my last post. I am using Squid in httpd_accel_host mode to act as a buffer for the OWA server, not as a proxy for the web client through Squid to the internet. We are doing this for security reasons, as we do not want clients from the internet to contact OWA directly.

The redirect looks like this in the html code.

BASE href=http://exchange.server.com:8080/exchange/jong/

On Wednesday, July 30, 2003, at 10:43 AM, Marc Elsen wrote:

> It depends on what you mean by this redirection. Normally, proxy aware/configured browsers should always 'find' or use the proxy. Do you have examples, as to the redirection executed or enforced by OWA towards the user (browser)?
>
> M.

---=---=---
Jonathan Giles
Senior Unix Administrator
Cline Davis Mann
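The `BASE href=http://exchange.server.com:8080/exchange/jong/` quoted here and Henrik's later explanation (the front-end must not rewrite the URL or host, and must tell OWA via the front-end HTTPS header that the client side is TLS) are two views of the same defect: a back-end that builds absolute URLs from its own socket name and scheme sends every browser that follows them straight past the reverse proxy, which is exactly what the proxy was deployed to prevent. The following Python is an added example, not code from the thread, from Squid or from Exchange; it shows the naive construction next to the header-aware one and a check that flags URLs which would bypass the proxy. The request headers and the back-end socket name are constructed from values in the thread. One factual note: the header Squid's `front-end-https=on` emits is documented as `Front-End-Https: On`, while Henrik's message calls it X-Front-End-HTTPS; the code accepts either spelling.

```python
"""How a back-end behind a reverse proxy should build absolute URLs (redirects,
BASE href) so the client is sent back through the proxy, not to the origin."""
from urllib.parse import urlsplit

# Constructed request headers as the OWA back-end would receive them. With
# front-end-https=on, Squid adds "Front-End-Https: On" (the thread calls it
# X-Front-End-HTTPS; both spellings are accepted below). The Host header is the
# one the browser sent, passed through unchanged by the proxy.
HEADERS_VIA_PROXY = {"Host": "owa.clinedavis.com", "Front-End-Https": "On"}
HEADERS_DIRECT = {"Host": "exchange.server.com:8080"}   # a LAN client, no proxy in the path

# Name and port of the back-end's own listening socket (constructed from the
# BASE href quoted in the thread).
LOCAL_SOCKET = "exchange.server.com:8080"


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def client_facing_base(headers: dict, local_socket: str = LOCAL_SOCKET) -> str:
    """Scheme and authority as the *client* sees them, reconstructed from headers."""
    flag = _header(headers, "Front-End-Https") or _header(headers, "X-Front-End-HTTPS")
    scheme = "https" if flag.strip().lower() == "on" else "http"
    host = _header(headers, "Host") or local_socket
    return f"{scheme}://{host}"


def naive_base_href(path: str, local_socket: str = LOCAL_SOCKET) -> str:
    """What a back-end that ignores the front-end emits: its own name, port and plain http."""
    return f"http://{local_socket}{path}"


def aware_base_href(headers: dict, path: str) -> str:
    """What a back-end that honours Host and Front-End-Https emits."""
    return client_facing_base(headers) + path


def bypasses_proxy(absolute_url: str, headers: dict) -> bool:
    """True if following absolute_url would take the client past the proxy,
    i.e. its scheme or authority differs from what the client used to reach us."""
    want = urlsplit(client_facing_base(headers))
    got = urlsplit(absolute_url)
    return (got.scheme, got.netloc.lower()) != (want.scheme, want.netloc.lower())


if __name__ == "__main__":
    path = "/exchange/jong/"
    for label, href in (("naive", naive_base_href(path)),
                        ("aware", aware_base_href(HEADERS_VIA_PROXY, path))):
        print(f"{label}: {href}  bypasses proxy: {bypasses_proxy(href, HEADERS_VIA_PROXY)}")
```

The same `bypasses_proxy` check is a useful thing to run over the Location headers and BASE tags a reverse-proxied application emits during testing: any hit means either the proxy is rewriting the Host header (Henrik's "MUST NOT modify the URL") or the back-end has not been told it sits behind a TLS front-end, and the firewall rule Henrik recommends is what stops the leaked URL from actually working.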