Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?
So I have OWA and RPCoHTTPS accelerator working on 3.0, with forward proxy on a separate instance of 2.6. Now I'm building a new Redhat box and I would like to handle both my normal LAN proxy and reverse proxy for OWA, RPCoHTTPS and Activesync on one instance of Squid. It sounded like 2.6 should be able to handle the chunked encoding and NTLM auth required for Activesync. Can I/should I do all this on one instance of Squid? Am I asking too much?

The latest Redhat comes with 2.6STABLE6, which I realize is rather old. But I decided to forge ahead and try it. I am directing two different public domains to the same Exchange server. This basic configuration works on 3.0. Now trying to add it to the 2.6 forward proxy config, sometimes Squid seems to be redirecting forward proxy requests to my OWA server, and I get:

The following error was encountered:
* Socket Failure
The system returned: (99) Cannot assign requested address
Squid is unable to create a TCP socket, presumably due to excessive load. Please retry your request.

Config follows...

#OWA
https_port domain1-owa:443 cert=/usr/share/ssl/combined.crt key=/usr/share/ssl/owa.key defaultsite=owa.domain1.com
https_port domain2-owa:443 cert=/usr/share/ssl/domain2/domain2-owa.pem defaultsite=owa.domain2.com
cache_peer ip_of_exchange parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/usr/share/ssl/exchange/exch-owa.pem name=owa-server
acl OWA dstdomain owa.domain1.com
acl OWA dstdomain owa.domain2.com
cache_peer_access owa-server allow OWA
never_direct allow OWA
http_access allow OWA

#rpc_http
https_port domain1-rpc:443 cert=/usr/share/ssl/rpc/rpc.pem defaultsite=rpc.domain1.com
https_port domain2-rpc:443 cert=/usr/share/ssl/domain2/domain2-rpc.pem defaultsite=rpc.domain2.com
cache_peer ip_of_exchange parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/usr/share/ssl/exchange/exch-owa.pem name=rpc-server
acl RPC dstdomain rpc.domain1.com
acl RPC dstdomain rpc.domain2.com
cache_peer_access rpc-server allow RPC
never_direct allow RPC
http_access allow RPC

[typical stand-alone forward http proxy configuration follows]

Any thoughts would be most appreciated.

Thanks
Alan Lehman
Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?
Alan Lehman wrote:

My current config (which works for OWA, but not RPCoHTTP):

extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port public_ip_for_owa:443 cert=/usr/share/ssl/owa/combined.crt key=/usr/share/ssl/owa/owa.key defaultsite=owa.tld.com
https_port public_ip_for_rpc:443 cert=/usr/share/ssl/rpc/combined.crt key=/usr/share/ssl/rpc/rpc.key defaultsite=rpc.tld.com
cache_peer ip_of_exchange parent 80 0 no-query originserver front-end-https=auto login=PASS

You need a second entry for port 443 on the exchange server to handle the RPC requests. This is where the name= parameter becomes very important and needs to be unique for each entry and used in the cache_peer_access lines below.

Thanks for the reply and clarification on the OWA config. My intention was to pass the RPC to Exchange unencrypted, on port 80. Previously, either you or Henrik had suggested eliminating one of the cache_peer lines, since both OWA and RPC would be going to port 80 on Exchange.

Oh yes, I'd overlooked that earlier mail (wasn't mine). I'm skeptical that Exchange will allow RPC over non-secure ports. Or if it's listening there, that it would tell clients the port-80 on Squid. The squid config you had _should_ work for Squid under that setup. I think from the non-working state you reported there is something missing at the Exchange end to get both on port-80.

... if you can get it going over port-80 great. I'd like to know how for the wiki.

Amos
--
Please use Squid 2.7.STABLE2 or 3.0.STABLE6
RE: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?
I am trying to do the same thing. OWA works, but so far no joy with RPCoHTTP. Do I have to do something in OL to make it accept the certificate? The certs are purchased from godaddy.com. For each, I appended the bundled gd_intermediate to the domain cert.

Also, in the example config for OWA, I am confused by the following:

acl OWA dstdomain owa_hostname
cache_peer_access owa_hostname allow OWA

Doesn't the 2nd line just grant access from owa_hostname to owa_hostname??

My current config (which works for OWA, but not RPCoHTTP):

extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port public_ip_for_owa:443 cert=/usr/share/ssl/owa/combined.crt key=/usr/share/ssl/owa/owa.key defaultsite=owa.tld.com
https_port public_ip_for_rpc:443 cert=/usr/share/ssl/rpc/combined.crt key=/usr/share/ssl/rpc/rpc.key defaultsite=rpc.tld.com
cache_peer ip_of_exchange parent 80 0 no-query originserver front-end-https=auto login=PASS
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl OWA dstdomain owa.tld.com
acl RPC dstdomain rpc.tld.com
http_access allow manager localhost
http_access allow OWA
http_access allow RPC
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access deny all
miss_access allow OWA
miss_access allow RPC
miss_access deny all
cache_peer_access ip_of_exchange allow OWA
cache_peer_access ip_of_exchange allow RPC
cache_peer_access ip_of_exchange deny all
never_direct allow OWA
never_direct allow RPC

Thanks again,
Alan Lehman

-----Original Message-----
From: Odhiambo Washington [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 02, 2008 11:41 AM
To: Squid users
Subject: Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?

On Mon, Jun 2, 2008 at 7:27 PM, Henrik Nordstrom [EMAIL PROTECTED] wrote:

On mån, 2008-06-02 at 13:41 +0300, Odhiambo Washington wrote:

(actually, this is supposed to be the only entry for cache_peer I am going to have?)

If you only have one server, and that server is only talking http then yes there is only a single cache_peer..

Understood.

That has worked. It also required a PEM passphrase. I hope this is not supposed to be another problem. This ssl stuff!

You can configure the password in squid.conf if the PEM key is encrypted, or easily decrypt it with the openssl rsa command.

Understood as well.

In my case, I don't have a certificate for the external hostname, which brings me back to the confusing issue regarding the certificate: I can make a self-signed certificate for the external hostname. Not a problem. However, does this mean I really don't need the internal certificate Exchange is using?

Correct.

Pooh! That was so confusing :-)

Suppose:
My Squid host is publicly known as mail.odhiambo.COM (IP of 1.2.3.4)
My Exchange server is named msexch.msexch.odhiambo.BIZ (IP of 192.168.0.26)

Given that both OWA and RPCoHTTPS are directed at these... What values should I use for the following variables (from the wiki):

(a) owa_hostname?

In https_port defaultsite you should use mail.odhiambo.COM as this is what the clients are expected to connect to.

(b) ip_of_owa_server?

The ip of your exchange/owa server.

(c) rpcohttp.url.com?

Ignore. That example uses a setup with more Exchange servers, where OWA is running on a separate server from Exchange.

(d) the_exchange_server?

Ignore as above.

From there, I believe I will only get stuck at the ssl certificates step, which is where I am still a bit confused.

Since you are not going to use a real certificate then issue yourself a self-signed one using OpenSSL.

openssl req -new -x509 -days 1 -nodes -out mail.odhiambo.COM_selfsigned.pem -keyout mail.odhiambo.COM_key.pem

Everything is all clear now. Will find good time to test this out and see how well it goes.

Thank you very much, Amos and Henrik! That was quite some hand-holding. I really appreciate it.

--
Best regards,
Odhiambo WASHINGTON, Nairobi,KE
+254733744121/+254722743223
Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?
Alan Lehman wrote:

I am trying to do the same thing. OWA works, but so far no joy with RPCoHTTP. Do I have to do something in OL to make it accept the certificate? The certs are purchased from godaddy.com. For each, I appended the bundled gd_intermediate to the domain cert.

Also, in the example config for OWA, I am confused by the following:

acl OWA dstdomain owa_hostname
cache_peer_access owa_hostname allow OWA

Doesn't the 2nd line just grant access from owa_hostname to owa_hostname??

The two are independent things. The ACL dstdomain 'owa_hostname' is meant to be replaced by the FQDN of your public OWA which clients use to get to the service. The cache_peer_access owa_hostname is meant to be a separate unique string 'X' exactly matching the value of the cache_peer name=X option. I've tweaked the wiki demo config a little to make that clear.

My current config (which works for OWA, but not RPCoHTTP):

extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port public_ip_for_owa:443 cert=/usr/share/ssl/owa/combined.crt key=/usr/share/ssl/owa/owa.key defaultsite=owa.tld.com
https_port public_ip_for_rpc:443 cert=/usr/share/ssl/rpc/combined.crt key=/usr/share/ssl/rpc/rpc.key defaultsite=rpc.tld.com
cache_peer ip_of_exchange parent 80 0 no-query originserver front-end-https=auto login=PASS

You need a second entry for port 443 on the exchange server to handle the RPC requests. This is where the name= parameter becomes very important and needs to be unique for each entry and used in the cache_peer_access lines below.

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl OWA dstdomain owa.tld.com
acl RPC dstdomain rpc.tld.com
http_access allow manager localhost
http_access allow OWA
http_access allow RPC
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access deny all
miss_access allow OWA
miss_access allow RPC
miss_access deny all
cache_peer_access ip_of_exchange allow OWA
cache_peer_access ip_of_exchange allow RPC
cache_peer_access ip_of_exchange deny all
never_direct allow OWA
never_direct allow RPC

Thanks again,
Alan Lehman

-----Original Message-----
From: Odhiambo Washington [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 02, 2008 11:41 AM
To: Squid users
Subject: Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?

On Mon, Jun 2, 2008 at 7:27 PM, Henrik Nordstrom [EMAIL PROTECTED] wrote:

On mån, 2008-06-02 at 13:41 +0300, Odhiambo Washington wrote:

(actually, this is supposed to be the only entry for cache_peer I am going to have?)

If you only have one server, and that server is only talking http then yes there is only a single cache_peer..

Understood.

That has worked. It also required a PEM passphrase. I hope this is not supposed to be another problem. This ssl stuff!

You can configure the password in squid.conf if the PEM key is encrypted, or easily decrypt it with the openssl rsa command.

Understood as well.

In my case, I don't have a certificate for the external hostname, which brings me back to the confusing issue regarding the certificate: I can make a self-signed certificate for the external hostname. Not a problem. However, does this mean I really don't need the internal certificate Exchange is using?

Correct.

Pooh! That was so confusing :-)

Suppose:
My Squid host is publicly known as mail.odhiambo.COM (IP of 1.2.3.4)
My Exchange server is named msexch.msexch.odhiambo.BIZ (IP of 192.168.0.26)

Given that both OWA and RPCoHTTPS are directed at these... What values should I use for the following variables (from the wiki):

(a) owa_hostname?

In https_port defaultsite you should use mail.odhiambo.COM as this is what the clients are expected to connect to.

(b) ip_of_owa_server?

The ip of your exchange/owa server.

(c) rpcohttp.url.com?

Ignore. That example uses a setup with more Exchange servers, where OWA is running on a separate server from Exchange.

(d) the_exchange_server?

Ignore as above.

From there, I believe I will only get stuck at the ssl certificates step, which is where I am still a bit confused.

Since you are not going to use a real certificate then issue yourself a self-signed one using OpenSSL.

openssl req -new -x509 -days 1 -nodes -out mail.odhiambo.COM_selfsigned.pem -keyout mail.odhiambo.COM_key.pem

Everything is all clear now. Will find good time to test this out and see how well it goes.

Thank you very much, Amos and Henrik! That was quite some hand-holding. I really appreciate it.

Amos
--
Please use Squid 2.7.STABLE2 or 3.0.STABLE6
Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?
On Mon, Jun 2, 2008 at 2:37 AM, Amos Jeffries [EMAIL PROTECTED] wrote:

Odhiambo Washington wrote:

On Sun, Jun 1, 2008 at 1:38 PM, Amos Jeffries [EMAIL PROTECTED] wrote:

Odhiambo Washington wrote:

Hello gurus,

I have been trying the whole day to get Squid to work as a reverse proxy/accelerator for OWA and RPC-over-https with no success. I believe I've come to my /etc on this!

I have read the Wiki entries and this thread:
http://www.nabble.com/Forwarding-Denied-when-using-dst-cache_peer-in-acl-td15123146.html

Note that the article references two Squid wiki articles. All the configs doing OWA using dst ACL were relevant only up to 2.5 and fatally flawed with a required but unstated DNS hack. The wiki presently has updated configs which work with all current Squid.

Thank you for informing me about that. All my thinking was that those wiki entries are still relevant. I actually wasn't looking at the above thread per se, but only for the comments and the challenges the poster faced, but within it there are references to the wiki entries, which is what I was following keenly.

However, I seem to still miss a critical point. My Squid (2.7RC) is first and foremost being used as a LAN proxy. This in itself has posed a challenge to me in terms of specifying who is allowed to use it as a proxy. I have an M$ Exchange server which is self-contained, with self-signed certificate.

Can I configure Squid as a proxy for the LAN as well as an accelerator for several backend website(s)? I've found this challenging in terms of ordering the ACLs.

Yes. With some access control tweaking the two 'components' can be kept separate. See below.

That's nice for the ears!

I can see from the above thread that Wouter de Jong-2 actually/finally managed to configure Squid to accelerate OWA as well as do the RPC-over-HTTP(s) but he does not mention if the squid instance is also being used as a proxy.

Does someone have a sample config for squid being used as LAN proxy and accelerator, especially for M$ Exchange OWA and RPCoHTTPS?

Should be no need. All the current squid releases support multiple http_port entries. That is the first important part. Near the top of your config, above ALL of your regular proxy port and _access controls, setup the OWA/RPC acceleration as listed in the wiki, omitting the controls which do blanket 'deny all'.

Noted, and thank you for that valuable information. Not heading to the wiki again. But I have two last hurdles:

1. My Exchange OWA is accessible as either https://192.168.0.26/exchange or https://mxech.msexch.ourdomain.tld/exchange
2. (a bit OT) The use of a non-commercial certificate on the Exchange server

Q1. How do I tell Squid to access the /exchange bit in the url?

Does it have to be added in squid? or can squid be left only knowing the '192.168.0.26'/'mxech.msexch.ourdomain.tld' bits? I ask this because while squid can do url-rewriting, that method does not cover all possible uses of the URL, just the request and Host: ones. If your exchange server can accept the /exchange/* URI that would be much better.

After reading some Microshit articles, I managed to make the URI simpler, so M$ Exchange can now be accessed simply as https://msexch.msexch.ourdomain.tld/ or https://192.168.0.26. The /exchange is now not necessary as the redirection is now done within IIS (yes, the Windows web server) so I am one step ahead. I am also NOT enforcing SSL on the exchange now, but that is a small switch that I can easily re-enable if this RPCoHTTPS stuff requires it, especially because Outlook needs the https:// URI. However, as we are going to do the SSL offloading on the accelerator, I believe http:// would suffice.

The way to do it without headaches is to get a unique domain/subdomain for the exchange URL and the exchange server handling the entire path of the URI. And squid only switching on the domain.

This is now done as a result of the change above.

Q2. Do I have to export the certificate from the Exchange server to be used with Squid in the accel configuration?

If you require clients to SSL auth, yes you will need whatever certificate squid presents to them to be your official one.

The certificate required in the Squid config MUST be in pem format?? That is where my problem is. When I read about exporting the certificate used in the exchange server, all I was able to get is a .pfx certificate. Not sure if squid will accept this as-is, or should I just blindly try? :-)

Does anyone have an idea how I can surmount these two? Being so much used to doing everything with Open Source apps, this Microsohit Exchange thing is the biggest challenge I've ever faced in my SysAdmin life! I must take some leave as soon as I get this OWA/PRCoHTTPS thing running. I therefore highly appreciate any help I can get towards this goal.

http://wiki.squid-cache.org/ConfigExamples/SquidAndOutlookWebAccess
Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?
On mån, 2008-06-02 at 11:09 +0300, Odhiambo Washington wrote:

it, especially because Outlook needs the https:// URI. However, as we are going to do the SSL offloading on the accelerator, I believe http:// would suffice.

It will, but you need to configure Squid cache_peer with the front-end-https=auto option to let OWA know there is an SSL frontend doing https-http translation.

The certificate required in the Squid config MUST be in pem format??

Yes.

That is where my problem is. When I read about exporting the certificate used in the exchange server, all I was able to get is a .pfx certificate. Not sure if squid will accept this as-is, or should I just blindly try? :-)

pfx archives are binary encrypted archives of both the certificate and private key, used for transferring a certificate from one server to another in a reasonably secure manner. It can be converted to PEM files by using the openssl tool:

openssl pkcs12 -in file.pfx -out file.pem

it will ask you for the export password (encryption key).

Let me take another stab at this question, so as to be clear: In both config examples, there is the following specification:

https_port ip_of_squid:443 cert=/path/to/certificate/ defaultsite=owa_hostname (the OWA example)
https_port ip_of_squid:443 cert=/path/to/certificate defaultsite=rpcohttp.url.com (the RPCoHTTPS example)

defaultsite SHOULD be the external hostname the clients connect to, which usually is the same name as the certificate is issued to. If unsure use vhost instead..

Note: There can only be one https_port per ip:port combination. But quite likely the same can be used both for OWA and RPCoHTTP even if you have OWA and Exchange on different servers... (which you don't, you have them both on the same server)

Regards
Henrik
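Two of the points made in this thread are easy to get wrong when a forward proxy and several accelerated sites share one squid.conf: Amos's explanation that cache_peer_access must use the exact name= label of a cache_peer entry (and that two cache_peer lines for the same host therefore need distinct names), and Henrik's note above that there can only be one https_port per ip:port combination. The small linter below is an added example written for this page; it is not code from the thread, the wiki or the Squid project. It parses a squid.conf fragment and reports peer labels that match no cache_peer, ACL names that are referenced but never defined, and listeners bound twice. The sample configuration, its addresses and the misspelled peer label in it are constructed for the example; the only Squid behaviour it assumes beyond the thread is that a cache_peer without name= is addressed by its hostname and that the 'all' ACL is predefined from Squid 3.2 on.

```python
"""Cross-check the squid.conf directives that the thread shows going wrong.

Added example for this page, not code from the thread or the Squid project.
It reports:
  1. cache_peer_access lines whose peer label matches no cache_peer entry
     (the label is the name= value, or the hostname when name= is absent,
     which is also why two cache_peer lines for one host need distinct names);
  2. *_access / never_direct lines that reference an ACL never defined;
  3. the same ip:port bound by more than one http_port/https_port line.
The sample configuration and its addresses are constructed for this example.
"""
import shlex
from collections import defaultdict

# Directives whose arguments after allow/deny are ACL names.
ACL_USERS = {"http_access", "http_reply_access", "icp_access", "miss_access",
             "never_direct", "always_direct", "cache_peer_access"}
# 'all' is predefined from Squid 3.2 on; older releases declare it in squid.conf.
BUILTIN_ACLS = {"all"}

# Constructed sample: OWA and RPC-over-HTTP published through one Squid, with
# three mistakes of the kind discussed in the thread.
SAMPLE_CONF = """\
# constructed sample, not a real deployment
https_port 198.51.100.10:443 cert=/etc/squid/owa.pem defaultsite=owa.example.com
https_port 198.51.100.10:443 cert=/etc/squid/rpc.pem defaultsite=rpc.example.com
cache_peer 10.0.0.26 parent 443 0 no-query originserver login=PASS ssl front-end-https=auto name=owa-server
cache_peer 10.0.0.26 parent 443 0 no-query originserver login=PASS ssl front-end-https=auto name=rpc-server
acl OWA dstdomain owa.example.com
acl RPC dstdomain rpc.example.com
cache_peer_access owa-server allow OWA
cache_peer_access rpc-server allow RPC
cache_peer_access ip_of_exhcange deny all
never_direct allow OWA
never_direct allow RPC
http_access allow OWA
http_access allow RPC
http_access deny !Safe_ports
"""


def parse_conf(text):
    """Return (lineno, directive, args) for every non-blank, non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            entries.append((lineno, parts[0], parts[1:]))
    return entries


def peer_label(args):
    """Label a cache_peer_access line must use: name=X if given, else the host."""
    # cache_peer <host> <type> <http_port> <icp_port> [options...]
    for opt in args[4:]:
        if opt.startswith("name="):
            return opt[len("name="):]
    return args[0]


def lint(text):
    """Return human-readable findings for a squid.conf fragment (empty if clean)."""
    entries = parse_conf(text)
    acls = set(BUILTIN_ACLS)
    peers = {}                      # peer label -> line number of its cache_peer
    listeners = defaultdict(list)   # "ip:port" -> line numbers binding it
    findings = []

    # Pass 1: collect definitions.
    for lineno, directive, args in entries:
        if directive == "acl" and args:
            acls.add(args[0])
        elif directive == "cache_peer" and len(args) >= 4:
            label = peer_label(args)
            if label in peers:
                findings.append(f"line {lineno}: cache_peer '{label}' duplicates line "
                                f"{peers[label]}; give each entry a unique name=")
            else:
                peers[label] = lineno
        elif directive in ("http_port", "https_port") and args:
            addr = args[0] if ":" in args[0] else f"*:{args[0]}"
            listeners[addr].append(lineno)

    # Pass 2: check references against the definitions.
    for lineno, directive, args in entries:
        if directive not in ACL_USERS:
            continue
        if directive == "cache_peer_access":
            peer = args[0] if args else ""
            if peer not in peers:
                findings.append(f"line {lineno}: cache_peer_access refers to unknown peer "
                                f"'{peer}' (known: {sorted(peers)})")
            acl_refs = args[2:]
        else:
            acl_refs = args[1:]
        for ref in acl_refs:
            name = ref.lstrip("!")
            if name not in acls:
                findings.append(f"line {lineno}: {directive} uses undefined acl '{name}'")

    for addr, lines in listeners.items():
        if len(lines) > 1:
            findings.append(f"{addr} is bound on lines {lines}; only one *_port per "
                            "ip:port is possible, so serve both sites from one listener")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run against the constructed sample it reports the misspelled peer label, the `Safe_ports` ACL that the fragment uses but never defines, and the public address bound by both https_port lines. It does not model Squid's first-match evaluation order or check that an ACL is defined before its first use, so a clean run means the names line up, not that the access policy is right.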
Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?
On Mon, Jun 2, 2008 at 12:39 PM, Henrik Nordstrom [EMAIL PROTECTED] wrote:

On mån, 2008-06-02 at 11:09 +0300, Odhiambo Washington wrote:

it, especially because Outlook needs the https:// URI. However, as we are going to do the SSL offloading on the accelerator, I believe http:// would suffice.

Thanks for chipping in, Henrik.

It will, but you need to configure Squid cache_peer with the front-end-https=auto option to let OWA know there is an SSL frontend doing https-http translation.

So, for OWA, is the following correct:

cache_peer 192.168.0.26 parent 443 0 no-query originserver login=PASS ssl front-end-https=auto sslcert=/opt/squid27/etc/certs/msexch_w3svc1_cert.pem name=msexch.msexch.ourdomain.tld

(actually, this is supposed to be the only entry for cache_peer I am going to have?)

The certificate required in the Squid config MUST be in pem format??

Yes.

That is where my problem is. When I read about exporting the certificate used in the exchange server, all I was able to get is a .pfx certificate. Not sure if squid will accept this as-is, or should I just blindly try? :-)

pfx archives are binary encrypted archives of both the certificate and private key, used for transferring a certificate from one server to another in a reasonably secure manner. It can be converted to PEM files by using the openssl tool:

openssl pkcs12 -in file.pfx -out file.pem

it will ask you for the export password (encryption key).

That has worked. It also required a PEM passphrase. I hope this is not supposed to be another problem. This ssl stuff!

Let me take another stab at this question, so as to be clear: In both config examples, there is the following specification:

https_port ip_of_squid:443 cert=/path/to/certificate/ defaultsite=owa_hostname (the OWA example)
https_port ip_of_squid:443 cert=/path/to/certificate defaultsite=rpcohttp.url.com (the RPCoHTTPS example)

defaultsite SHOULD be the external hostname the clients connect to, which usually is the same name as the certificate is issued to. If unsure use vhost instead..

In my case, I don't have a certificate for the external hostname, which brings me back to the confusing issue regarding the certificate: I can make a self-signed certificate for the external hostname. Not a problem. However, does this mean I really don't need the internal certificate Exchange is using?

Note: There can only be one https_port per ip:port combination. But quite likely the same can be used both for OWA and RPCoHTTP even if you have OWA and Exchange on different servers... (which you don't, you have them both on the same server)

Suppose:
My Squid host is publicly known as mail.odhiambo.COM (IP of 1.2.3.4)
My Exchange server is named msexch.msexch.odhiambo.BIZ (IP of 192.168.0.26)

Given that both OWA and RPCoHTTPS are directed at these... What values should I use for the following variables (from the wiki):

(a) owa_hostname?
(b) ip_of_owa_server?
(c) rpcohttp.url.com?
(d) the_exchange_server?

From there, I believe I will only get stuck at the ssl certificates step, which is where I am still a bit confused.

Thank you in advance.

--
Best regards,
Odhiambo WASHINGTON, Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Oh My God! They killed init! You Bastards!
--from a /. post
Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?
On mån, 2008-06-02 at 13:41 +0300, Odhiambo Washington wrote:

(actually, this is supposed to be the only entry for cache_peer I am going to have?)

If you only have one server, and that server is only talking http then yes there is only a single cache_peer..

That has worked. It also required a PEM passphrase. I hope this is not supposed to be another problem. This ssl stuff!

You can configure the password in squid.conf if the PEM key is encrypted, or easily decrypt it with the openssl rsa command.

In my case, I don't have a certificate for the external hostname, which brings me back to the confusing issue regarding the certificate: I can make a self-signed certificate for the external hostname. Not a problem. However, does this mean I really don't need the internal certificate Exchange is using?

Correct.

Suppose:
My Squid host is publicly known as mail.odhiambo.COM (IP of 1.2.3.4)
My Exchange server is named msexch.msexch.odhiambo.BIZ (IP of 192.168.0.26)

Given that both OWA and RPCoHTTPS are directed at these... What values should I use for the following variables (from the wiki):

(a) owa_hostname?

In https_port defaultsite you should use mail.odhiambo.COM as this is what the clients are expected to connect to.

(b) ip_of_owa_server?

The ip of your exchange/owa server.

(c) rpcohttp.url.com?

Ignore. That example uses a setup with more Exchange servers, where OWA is running on a separate server from Exchange.

(d) the_exchange_server?

Ignore as above.

From there, I believe I will only get stuck at the ssl certificates step, which is where I am still a bit confused.

Since you are not going to use a real certificate then issue yourself a self-signed one using OpenSSL.

openssl req -new -x509 -days 1 -nodes -out mail.odhiambo.COM_selfsigned.pem -keyout mail.odhiambo.COM_key.pem

Regards
Henrik
Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?
On Mon, Jun 2, 2008 at 7:27 PM, Henrik Nordstrom [EMAIL PROTECTED] wrote:

On mån, 2008-06-02 at 13:41 +0300, Odhiambo Washington wrote:

(actually, this is supposed to be the only entry for cache_peer I am going to have?)

If you only have one server, and that server is only talking http then yes there is only a single cache_peer..

Understood.

That has worked. It also required a PEM passphrase. I hope this is not supposed to be another problem. This ssl stuff!

You can configure the password in squid.conf if the PEM key is encrypted, or easily decrypt it with the openssl rsa command.

Understood as well.

In my case, I don't have a certificate for the external hostname, which brings me back to the confusing issue regarding the certificate: I can make a self-signed certificate for the external hostname. Not a problem. However, does this mean I really don't need the internal certificate Exchange is using?

Correct.

Pooh! That was so confusing :-)

Suppose:
My Squid host is publicly known as mail.odhiambo.COM (IP of 1.2.3.4)
My Exchange server is named msexch.msexch.odhiambo.BIZ (IP of 192.168.0.26)

Given that both OWA and RPCoHTTPS are directed at these... What values should I use for the following variables (from the wiki):

(a) owa_hostname?

In https_port defaultsite you should use mail.odhiambo.COM as this is what the clients are expected to connect to.

(b) ip_of_owa_server?

The ip of your exchange/owa server.

(c) rpcohttp.url.com?

Ignore. That example uses a setup with more Exchange servers, where OWA is running on a separate server from Exchange.

(d) the_exchange_server?

Ignore as above.

From there, I believe I will only get stuck at the ssl certificates step, which is where I am still a bit confused.

Since you are not going to use a real certificate then issue yourself a self-signed one using OpenSSL.

openssl req -new -x509 -days 1 -nodes -out mail.odhiambo.COM_selfsigned.pem -keyout mail.odhiambo.COM_key.pem

Everything is all clear now. Will find good time to test this out and see how well it goes.

Thank you very much, Amos and Henrik! That was quite some hand-holding. I really appreciate it.

--
Best regards,
Odhiambo WASHINGTON, Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Oh My God! They killed init! You Bastards!
--from a /. post
Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?
Odhiambo Washington wrote:

Hello gurus,

I have been trying the whole day to get Squid to work as a reverse proxy/accelerator for OWA and RPC-over-https with no success. I believe I've come to my /etc on this!

I have read the Wiki entries and this thread:
http://www.nabble.com/Forwarding-Denied-when-using-dst-cache_peer-in-acl-td15123146.html

Note that the article references two Squid wiki articles. All the configs doing OWA using dst ACL were relevant only up to 2.5 and fatally flawed with a required but unstated DNS hack. The wiki presently has updated configs which work with all current Squid.

However, I seem to still miss a critical point. My Squid (2.7RC) is first and foremost being used as a LAN proxy. This in itself has posed a challenge to me in terms of specifying who is allowed to use it as a proxy. I have an M$ Exchange server which is self-contained, with self-signed certificate.

Can I configure Squid as a proxy for the LAN as well as an accelerator for several backend website(s)? I've found this challenging in terms of ordering the ACLs.

Yes. With some access control tweaking the two 'components' can be kept separate. See below.

I can see from the above thread that Wouter de Jong-2 actually/finally managed to configure Squid to accelerate OWA as well as do the RPC-over-HTTP(s) but he does not mention if the squid instance is also being used as a proxy.

Does someone have a sample config for squid being used as LAN proxy and accelerator, especially for M$ Exchange OWA and RPCoHTTPS?

Should be no need. All the current squid releases support multiple http_port entries. That is the first important part. Near the top of your config, above ALL of your regular proxy port and _access controls, setup the OWA/RPC acceleration as listed in the wiki, omitting the controls which do blanket 'deny all'.

http://wiki.squid-cache.org/ConfigExamples/SquidAndOutlookWebAccess
http://wiki.squid-cache.org/ConfigExamples/SquidAndRPCOverHttp

Then following that setup your main proxy port and controls.

Amos
--
Please use Squid 2.7.STABLE1 or 3.0.STABLE6
Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?
On Sun, Jun 1, 2008 at 1:38 PM, Amos Jeffries [EMAIL PROTECTED] wrote:

Odhiambo Washington wrote:

Hello gurus,

I have been trying the whole day to get Squid to work as a reverse proxy/accelerator for OWA and RPC-over-https with no success. I believe I've come to my /etc on this!

I have read the Wiki entries and this thread:
http://www.nabble.com/Forwarding-Denied-when-using-dst-cache_peer-in-acl-td15123146.html

Note that the article references two Squid wiki articles. All the configs doing OWA using dst ACL were relevant only up to 2.5 and fatally flawed with a required but unstated DNS hack. The wiki presently has updated configs which work with all current Squid.

Thank you for informing me about that. All my thinking was that those wiki entries are still relevant. I actually wasn't looking at the above thread per se, but only for the comments and the challenges the poster faced, but within it there are references to the wiki entries, which is what I was following keenly.

However, I seem to still miss a critical point. My Squid (2.7RC) is first and foremost being used as a LAN proxy. This in itself has posed a challenge to me in terms of specifying who is allowed to use it as a proxy. I have an M$ Exchange server which is self-contained, with self-signed certificate.

Can I configure Squid as a proxy for the LAN as well as an accelerator for several backend website(s)? I've found this challenging in terms of ordering the ACLs.

Yes. With some access control tweaking the two 'components' can be kept separate. See below.

That's nice for the ears!

I can see from the above thread that Wouter de Jong-2 actually/finally managed to configure Squid to accelerate OWA as well as do the RPC-over-HTTP(s) but he does not mention if the squid instance is also being used as a proxy.

Does someone have a sample config for squid being used as LAN proxy and accelerator, especially for M$ Exchange OWA and RPCoHTTPS?

Should be no need. All the current squid releases support multiple http_port entries. That is the first important part. Near the top of your config, above ALL of your regular proxy port and _access controls, setup the OWA/RPC acceleration as listed in the wiki, omitting the controls which do blanket 'deny all'.

Noted, and thank you for that valuable information. Not heading to the wiki again. But I have two last hurdles:

1. My Exchange OWA is accessible as either https://192.168.0.26/exchange or https://mxech.msexch.ourdomain.tld/exchange
2. (a bit OT) The use of a non-commercial certificate on the Exchange server

Q1. How do I tell Squid to access the /exchange bit in the url?
Q2. Do I have to export the certificate from the Exchange server to be used with Squid in the accel configuration?

Does anyone have an idea how I can surmount these two? Being so much used to doing everything with Open Source apps, this Microsohit Exchange thing is the biggest challenge I've ever faced in my SysAdmin life! I must take some leave as soon as I get this OWA/PRCoHTTPS thing running. I therefore highly appreciate any help I can get towards this goal.

http://wiki.squid-cache.org/ConfigExamples/SquidAndOutlookWebAccess
http://wiki.squid-cache.org/ConfigExamples/SquidAndRPCOverHttp

Then following that setup your main proxy port and controls.

Do I require both entries for OWA and RPCoHTTPS or is there a way to kind of amalgamate the configurations? My OWA and RPCoHTTPS destination is one and the same.

Thank you Amos! Let me see how far I can get with this on my own before I come back with further questions.

--
Best regards,
Odhiambo WASHINGTON, Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Oh My God! They killed init! You Bastards!
--from a /. post
Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?
Odhiambo Washington wrote:
> On Sun, Jun 1, 2008 at 1:38 PM, Amos Jeffries [EMAIL PROTECTED] wrote:
>> Odhiambo Washington wrote:
>>> Hello gurus,
>>>
>>> I have been trying the whole day to get Squid to work as a reverse proxy/accelerator for OWA and RPC-over-https with no success. I believe I've come to my /etc on this!
>>>
>>> I have read the Wiki entries and this thread:
>>> http://www.nabble.com/Forwarding-Denied-when-using-dst-cache_peer-in-acl-td15123146.html
>>
>> Note that the article references two Squid wiki articles. All the configs doing OWA using dst ACL were relevant only up to 2.5 and fatally flawed with a required but unstated DNS hack. The wiki presently has updated configs which work with all current Squid.
>
> Thank you for informing me about that. All my thinking was that those wiki entries are still relevant. I actually wasn't looking at the above thread per se, but only for the comments and the challenges the poster faced, but within it there are references to the wiki entries, which is what I was following keenly.
>
>>> However, I seem to still miss a critical point. My Squid (2.7RC) is first and foremost being used as a LAN proxy. This in itself has posed a challenge to me in terms of specifying who is allowed to use it as a proxy. I have an M$ Exchange server which is self-contained, with self-signed certificate.
>>>
>>> Can I configure Squid as a proxy for the LAN as well as an accelerator for several backend website(s)? I've found this challenging in terms of ordering the ACLs.
>>
>> Yes. With some access control tweaking the two 'components' can be kept separate. See below.
>
> That's nice for the ears!
>
>>> I can see from the above thread that Wouter de Jong-2 actually/finally managed to configure Squid to accelerate OWA as well as do the RPC-over-HTTP(s) but he does not mention if the squid instance is also being used as a proxy.
>>>
>>> Does someone have a sample config for squid being used as LAN proxy and accelerator, especially for M$ Exchange OWA and RPCoHTTPS?
>>
>> Should be no need.
>>
>> All the current squid releases support multiple http_port entries. That is the first important part. Near the top of your config, above ALL of your regular proxy port and _access controls, setup the OWA/RPC acceleration as listed in the wiki, omitting the controls which do blanket 'deny all'.
>
> Noted, and thank you for that valuable information. Not heading to the wiki again. But I have two last hurdles:
>
> 1. My Exchange OWA is accessible as either https://192.168.0.26/exchange or https://mxech.msexch.ourdomain.tld/exchange
> 2. (a bit OT) The use of a non-commercial certificate on the Exchange server
>
> Q1. How do I tell Squid to access the /exchange bit in the url?

Does it have to be added in squid? Or can squid be left only knowing the '192.168.0.26'/'mxech.msexch.ourdomain.tld' bits?

I ask this because while squid can do url-rewriting, that method does not cover all possible uses of the URL, just the request and Host: ones. If your exchange server can accept the /exchange/* URI that would be much better.

The way to do it without headaches is to get a unique domain/subdomain for the exchange URL and the exchange server handling the entire path of the URI. And squid only switching on the domain.

> Q2. Do I have to export the certificate from the Exchange server to be used with Squid in the accel configuration?

If you require clients to SSL auth, yes you will need whatever certificate squid presents to them to be your official one.

> Anyone have an idea how I can surmount these two?
>
> Being so much used to doing everything with Open Source apps, this Microsohit Exchange thing is the biggest challenge I've ever faced in my SysAdmin life! I must take some leave as soon as I get this OWA/RPCoHTTPS thing running. I therefore highly appreciate any help I can get towards this goal.
>
>> http://wiki.squid-cache.org/ConfigExamples/SquidAndOutlookWebAccess
>> http://wiki.squid-cache.org/ConfigExamples/SquidAndRPCOverHttp
>>
>> Then following that setup your main proxy port and controls.
>
> Do I require both entries for OWA and RPCoHTTPS or is there a way to kind of amalgamate the configurations? My OWA and RPCoHTTPS destination is one and the same.

Um, I would not think so. But I'm a relative newbie when it comes to SSL certificates.

Amos
--
Please use Squid 2.7.STABLE1 or 3.0.STABLE6
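The layout Amos describes above (accelerator listener and its access controls first, then the ordinary LAN proxy port and its blanket 'deny all') and his point about letting Squid switch only on the domain while Exchange handles the /exchange and /rpc paths, written out as one squid.conf, as an added example that is not from the thread or the Squid wiki. Hostnames, addresses, certificate paths and the peer name are placeholders (assumptions); directives follow Squid 2.6/2.7/3.0 syntax.

```squid
# ---------------------------------------------------------------------
# 1. Accelerator (reverse proxy) section: comes FIRST in the file.
#    One public name serves both OWA and RPC-over-HTTPS because the
#    backend is the same Exchange server; Squid switches on the domain
#    and Exchange handles the /exchange and /rpc paths itself.
# ---------------------------------------------------------------------
# Certificate presented to Internet clients is Squid's own (placeholder paths).
https_port 203.0.113.10:443 accel defaultsite=mail.example.com \
    cert=/etc/squid/certs/mail.example.com.pem \
    key=/etc/squid/certs/mail.example.com.key

# Squid 2.x must be told about the RPC-over-HTTP request methods.
extension_methods RPC_IN_DATA RPC_OUT_DATA

# Backend Exchange server (placeholder address). login=PASS forwards the
# client's credentials so OWA/Outlook authenticate against Exchange.
# DONT_VERIFY_PEER is what the thread's configs use for a self-signed
# Exchange cert; a stricter alternative is to export that self-signed
# cert and pin it with sslcafile= so the Squid->Exchange hop is verified.
cache_peer 192.168.0.26 parent 443 0 no-query originserver login=PASS \
    ssl sslflags=DONT_VERIFY_PEER name=exchange
# cache_peer 192.168.0.26 parent 443 0 no-query originserver login=PASS \
#     ssl sslcafile=/etc/squid/certs/exchange-selfsigned.pem name=exchange

acl exchange_sites dstdomain mail.example.com
acl accel_port myport 443

# Only the accelerated domain may reach the Exchange peer, and it must
# never be fetched directly.
cache_peer_access exchange allow exchange_sites
cache_peer_access exchange deny all
never_direct allow exchange_sites

# Accelerator access: allow the published site on the 443 listener and
# refuse anything else arriving there, so the public listener cannot be
# used as a proxy to other origins.
http_access allow accel_port exchange_sites
http_access deny accel_port

# ---------------------------------------------------------------------
# 2. Forward proxy for the LAN: AFTER the accelerator rules. Its final
#    'deny all' still catches any Internet client that gets past the
#    rules above, which is why it must not sit above them.
# ---------------------------------------------------------------------
http_port 192.168.0.1:3128

acl localnet src 192.168.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443 21 70 210 1025-65535
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

Check the file with `squid -k parse` before reloading. Two points follow from this ordering: a LAN user on port 3128 is governed only by the forward-proxy rules, and an external client on port 443 can reach exactly one destination (the Exchange peer for the published name) and is refused for any other Host. On the certificate question, the cert/key pair on https_port is what browsers and Outlook see, so that is the one that needs to be trusted by clients; Exchange's self-signed certificate only matters on the Squid-to-Exchange hop, where it is either ignored (DONT_VERIFY_PEER) or pinned (sslcafile=).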
[squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?
Hello gurus,

I have been trying the whole day to get Squid to work as a reverse proxy/accelerator for OWA and RPC-over-https with no success. I believe I've come to my /etc on this!

I have read the Wiki entries and this thread:
http://www.nabble.com/Forwarding-Denied-when-using-dst-cache_peer-in-acl-td15123146.html

However, I seem to still miss a critical point. My Squid (2.7RC) is first and foremost being used as a LAN proxy. This in itself has posed a challenge to me in terms of specifying who is allowed to use it as a proxy. I have an M$ Exchange server which is self-contained, with self-signed certificate.

Can I configure Squid as a proxy for the LAN as well as an accelerator for several backend website(s)? I've found this challenging in terms of ordering the ACLs.

I can see from the above thread that Wouter de Jong-2 actually/finally managed to configure Squid to accelerate OWA as well as do the RPC-over-HTTP(s) but he does not mention if the squid instance is also being used as a proxy.

Does someone have a sample config for squid being used as LAN proxy and accelerator, especially for M$ Exchange OWA and RPCoHTTPS?

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Oh My God! They killed init! You Bastards!
--from a /. post