[squid-users] OWA reverse proxy with 2.6RC2

From: Laurent Grilli <laurent.grilli@dont-contact.us>
Date: Wed, 28 Jun 2006 14:44:58 +0200

Hello list,

(sent on behalf of B Constant)

I'm currently trying to reverse proxy an OWA from Exchange 2003 with
the CVS snapshot 20060628 without success. The idea is to perform SSL
offloading on the squid for traffic coming from the Internet and send the
traffic back to the Exchange front-end.
It is basically: client <--HTTPS--> Squid <--HTTP--> Exchange FE.

Here are some details on my environment.

Squid version and compile options:

./squid -v
Squid Cache: Version 2.6.RC2-20060628
configure options: '--prefix=/usr/local/squid' '--with-pthreads'
'--enable-ssl' '--enable-useragent-log' '--enable-referer-log'
'--enable-ident-lookups' '--enable-cachemgr-hostname=localhost'
'--disable-dependency-tracking' '--enable-truncate'
'--enable-underscores'

/etc/hosts file on my Linux box:

10.2.1.5 exchange-fe.local.mysite exchange-frontend
10.2.1.5 exchange-fe.local.mysite.

exchange-fe.local.mysite is resolvable from squid box.

Squid configuration file:

https_port 10.1.1.2:443 defaultsite=exchange.mysite \
cert=/usr/local/squid/etc/exchange.mysite.crt \
key=/usr/local/squid/etc/exchange.mysite.key protocol=http

cache_peer exchange-fe.local.mysite parent 80 0 front-end-https=on \
originserver proxy-only connection-auth=off

cache_peer_access exchange-fe.local.mysite allow all

http_access allow all

The shell command './squid -k parse' doesn't report any error or
misconfiguration.

Now the problem is that I'm unable to authenticate to the Exchange
front-end; I always get a 401 until the authentication completely
fails. The Exchange front-end is configured with anonymous access and
basic authentication, and I can see the request in the logs of the web
server.

If I sniff the session on the server running squid and using
tethereal, I can see the following traffic:

Traffic from client to Squid server:

/usr/sbin/tethereal host 10.1.1.2 and port 80 -d tcp.port==80,http
Capturing on eth0
  0.000000 10.1.1.1 -> 10.1.1.2 TCP 3178 > http [SYN] Seq=0 Len=0 MSS=1460
  0.001328 10.1.1.2 -> 10.1.1.1 TCP http > 3178 [SYN, ACK] Seq=0 Ack=1
Win=5840 Len=0 MSS=1460
  0.000310 10.1.1.1 -> 10.1.1.2 TCP 3178 > http [ACK] Seq=1 Ack=1
Win=65535 Len=0
  0.001366 10.1.1.1 -> 10.1.1.2 HTTP GET /exchange HTTP/1.1
  0.001407 10.1.1.2 -> 10.1.1.1 TCP http > 3178 [ACK] Seq=1 Ack=428
Win=6432 Len=0
  0.001827 10.1.1.2 -> 57.230.248.96 TCP 32849 > http [SYN] Seq=0
Len=0 MSS=1460 TSV=175445106 TSER=0 WS=2
  0.003363 57.230.248.96 -> 10.1.1.2 TCP http > 32849 [SYN, ACK] Seq=0
Ack=1 Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
  0.003397 10.1.1.2 -> 57.230.248.96 TCP 32849 > http [ACK] Seq=1
Ack=1 Win=5840 Len=0 TSV=175445108 TSER=0
  0.003604 10.1.1.2 -> 57.230.248.96 HTTP GET /exchange HTTP/1.0
  0.009619 57.230.248.96 -> 10.1.1.2 HTTP HTTP/1.1 401 Unauthorized (text/html)
  0.009640 10.1.1.2 -> 57.230.248.96 TCP 32849 > http [ACK] Seq=544
Ack=330 Win=6912 Len=0 TSV=175445114 TSER=77610845
  0.009963 10.1.1.2 -> 10.1.1.1 HTTP HTTP/1.0 401 Unauthorized (text/html)
  0.010196 10.1.1.2 -> 10.1.1.1 TCP http > 3178 [FIN, ACK] Seq=447
Ack=428 Win=6432 Len=0
  0.010575 10.1.1.1 -> 10.1.1.2 TCP 3178 > http [ACK] Seq=428 Ack=448
Win=65089 Len=0
  0.010614 10.1.1.1 -> 10.1.1.2 TCP 3178 > http [FIN, ACK] Seq=428
Ack=448 Win=65089 Len=0
  0.010630 10.1.1.2 -> 10.1.1.1 TCP http > 3178 [ACK] Seq=448 Ack=429
Win=6432 Len=0
  5.358676 10.1.1.1 -> 10.1.1.2 TCP 3179 > http [SYN] Seq=0 Len=0 MSS=1460
  5.358708 10.1.1.2 -> 10.1.1.1 TCP http > 3179 [SYN, ACK] Seq=0 Ack=1
Win=5840 Len=0 MSS=1460
  5.359039 10.1.1.1 -> 10.1.1.2 TCP 3179 > http [ACK] Seq=1 Ack=1
Win=65535 Len=0
  5.359214 10.1.1.1 -> 10.1.1.2 HTTP GET /exchange HTTP/1.1
  5.359235 10.1.1.2 -> 10.1.1.1 TCP http > 3179 [ACK] Seq=1 Ack=479
Win=6432 Len=0
  5.359543 10.1.1.2 -> 57.230.248.96 HTTP GET /exchange HTTP/1.0
  5.361375 57.230.248.96 -> 10.1.1.2 HTTP HTTP/1.1 401 Unauthorized (text/html)
  5.361393 10.1.1.2 -> 57.230.248.96 TCP 32849 > http [ACK] Seq=1087
Ack=659 Win=7984 Len=0 TSV=175450466 TSER=77610899
  5.361721 10.1.1.2 -> 10.1.1.1 HTTP HTTP/1.0 401 Unauthorized (text/html)
  5.361984 10.1.1.2 -> 10.1.1.1 TCP http > 3179 [FIN, ACK] Seq=447
Ack=479 Win=6432 Len=0
  5.362381 10.1.1.1 -> 10.1.1.2 TCP 3179 > http [ACK] Seq=479 Ack=448
Win=65089 Len=0
 10.189259 10.1.1.1 -> 10.1.1.2 HTTP GET /exchange HTTP/1.1
 10.189289 10.1.1.2 -> 10.1.1.1 TCP http > 3179 [RST] Seq=448 Len=0
 10.189837 10.1.1.1 -> 10.1.1.2 TCP 3180 > http [SYN] Seq=0 Len=0 MSS=1460
 10.189865 10.1.1.2 -> 10.1.1.1 TCP http > 3180 [SYN, ACK] Seq=0 Ack=1
Win=5840 Len=0 MSS=1460
 10.190213 10.1.1.1 -> 10.1.1.2 TCP 3180 > http [ACK] Seq=1 Ack=1
Win=65535 Len=0
 10.190890 10.1.1.1 -> 10.1.1.2 HTTP GET /exchange HTTP/1.1
 10.190917 10.1.1.2 -> 10.1.1.1 TCP http > 3180 [ACK] Seq=1 Ack=479
Win=6432 Len=0
 10.191282 10.1.1.2 -> 57.230.248.96 HTTP GET /exchange HTTP/1.0
 10.192348 57.230.248.96 -> 10.1.1.2 HTTP HTTP/1.1 401 Unauthorized (text/html)
 10.192367 10.1.1.2 -> 57.230.248.96 TCP 32849 > http [ACK] Seq=1630
Ack=988 Win=9056 Len=0 TSV=175455298 TSER=77610947
 10.192688 10.1.1.2 -> 10.1.1.1 HTTP HTTP/1.0 401 Unauthorized (text/html)
 10.192937 10.1.1.2 -> 10.1.1.1 TCP http > 3180 [FIN, ACK] Seq=447
Ack=479 Win=6432 Len=0
 10.193208 10.1.1.1 -> 10.1.1.2 TCP 3180 > http [ACK] Seq=479 Ack=448
Win=65089 Len=0

Traffic from Squid server to Exchange FE:

/usr/sbin/tethereal host 10.2.1.5 -d tcp.port==80,http
Capturing on eth0
  0.000000 10.1.1.2 -> 10.2.1.5 TCP 32849 > http [SYN] Seq=0 Len=0
MSS=1460 TSV=175445106 TSER=0 WS=2
  0.001536 10.2.1.5 -> 10.1.1.2 TCP http > 32849 [SYN, ACK] Seq=0
Ack=1 Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
  0.001570 10.1.1.2 -> 10.2.1.5 TCP 32849 > http [ACK] Seq=1 Ack=1
Win=5840 Len=0 TSV=175445108 TSER=0
  0.001777 10.1.1.2 -> 10.2.1.5 HTTP GET /exchange HTTP/1.0
  0.007792 10.2.1.5 -> 10.1.1.2 HTTP HTTP/1.1 401 Unauthorized (text/html)
  0.007813 10.1.1.2 -> 10.2.1.5 TCP 32849 > http [ACK] Seq=544 Ack=330
Win=6912 Len=0 TSV=175445114 TSER=77610845
  5.357716 10.1.1.2 -> 10.2.1.5 HTTP GET /exchange HTTP/1.0
  5.359548 10.2.1.5 -> 10.1.1.2 HTTP HTTP/1.1 401 Unauthorized (text/html)
  5.359566 10.1.1.2 -> 10.2.1.5 TCP 32849 > http [ACK] Seq=1087
Ack=659 Win=7984 Len=0 TSV=175450466 TSER=77610899
 10.189455 10.1.1.2 -> 10.2.1.5 HTTP GET /exchange HTTP/1.0
 10.190521 10.2.1.5 -> 10.1.1.2 HTTP HTTP/1.1 401 Unauthorized (text/html)
 10.190540 10.1.1.2 -> 10.2.1.5 TCP 32849 > http [ACK] Seq=1630
Ack=988 Win=9056 Len=0 TSV=175455298 TSER=77610947

I made the same tests using MSIE or Mozilla Firefox and it seems the
credentials are not passed to Squid nor to the Exchange FE.

Another question, maybe off topic, but is Squid able to do reverse
proxying for multiple URLs using different backends (peer caches)? How
is the link between the https_port and the cache_peer done in this
case? Using cache_peer_domain?

Thank you for your help!

Regards,
Benjamin Constant
Received on Wed Jun 28 2006 - 08:25:25 MDT
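
The two captures in the message show the same symptom on both hops: every
GET /exchange is forwarded by Squid and every one is answered 401, so the
exchange never advances past the challenge. As an added example that is not
part of the original post or of Squid, the following Python script parses
tethereal one-line summaries of this kind, groups requests and responses per
hop (client->proxy, proxy->origin) and reports where the authentication
exchange stalls and which HTTP version each hop speaks. The sample lines are
constructed from the message's own captures, and the regular expressions
assume the "time src -> dst HTTP info" layout seen above.

```python
"""Added example: summarise tethereal HTTP one-line captures per proxy hop.

Not part of the original post or of Squid. Assumes the classic tethereal
summary layout 'time src -> dst PROTO info'; TCP-only lines are ignored.
"""
import re
from collections import defaultdict

# Constructed from the captures in the post: client 10.1.1.1, Squid 10.1.1.2,
# Exchange front-end 10.2.1.5. Only the HTTP summary lines are kept here.
SAMPLE_CAPTURE = """\
  0.001366 10.1.1.1 -> 10.1.1.2 HTTP GET /exchange HTTP/1.1
  0.003604 10.1.1.2 -> 10.2.1.5 HTTP GET /exchange HTTP/1.0
  0.009619 10.2.1.5 -> 10.1.1.2 HTTP HTTP/1.1 401 Unauthorized (text/html)
  0.009963 10.1.1.2 -> 10.1.1.1 HTTP HTTP/1.0 401 Unauthorized (text/html)
  5.359214 10.1.1.1 -> 10.1.1.2 HTTP GET /exchange HTTP/1.1
  5.359543 10.1.1.2 -> 10.2.1.5 HTTP GET /exchange HTTP/1.0
  5.361375 10.2.1.5 -> 10.1.1.2 HTTP HTTP/1.1 401 Unauthorized (text/html)
  5.361721 10.1.1.2 -> 10.1.1.1 HTTP HTTP/1.0 401 Unauthorized (text/html)
 10.190890 10.1.1.1 -> 10.1.1.2 HTTP GET /exchange HTTP/1.1
 10.191282 10.1.1.2 -> 10.2.1.5 HTTP GET /exchange HTTP/1.0
 10.192348 10.2.1.5 -> 10.1.1.2 HTTP HTTP/1.1 401 Unauthorized (text/html)
 10.192688 10.1.1.2 -> 10.1.1.1 HTTP HTTP/1.0 401 Unauthorized (text/html)
"""

# 'time src -> dst HTTP info' summary line (assumed tethereal layout)
LINE_RE = re.compile(
    r"^\s*(?P<t>\d+\.\d+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+HTTP\s+(?P<info>.+)$"
)
REQ_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/(?P<ver>\d\.\d)$")
RESP_RE = re.compile(r"^HTTP/(?P<ver>\d\.\d)\s+(?P<status>\d{3})\b")


def parse_http_lines(text):
    """Yield one dict per HTTP summary line; TCP handshake/ACK lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"t": float(m["t"]), "src": m["src"], "dst": m["dst"]}
        info = m["info"].strip()
        req = REQ_RE.match(info)
        resp = RESP_RE.match(info)
        if req:
            rec.update(kind="request", method=req["method"],
                       path=req["path"], ver=req["ver"])
        elif resp:
            rec.update(kind="response", status=int(resp["status"]), ver=resp["ver"])
        else:
            continue
        yield rec


def summarise_hops(text):
    """Group traffic by hop (requester, responder): request count, statuses, versions."""
    hops = defaultdict(lambda: {"requests": 0, "statuses": [],
                                "request_versions": set(), "response_versions": set()})
    for rec in parse_http_lines(text):
        if rec["kind"] == "request":
            hop = (rec["src"], rec["dst"])
            hops[hop]["requests"] += 1
            hops[hop]["request_versions"].add(rec["ver"])
        else:
            hop = (rec["dst"], rec["src"])  # a response flows back along the request hop
            hops[hop]["statuses"].append(rec["status"])
            hops[hop]["response_versions"].add(rec["ver"])
    return dict(hops)


def diagnose(text, proxy_ip):
    """Return human-readable findings about where the auth exchange stalls."""
    findings = []
    for (src, dst), h in sorted(summarise_hops(text).items()):
        if dst == proxy_ip:
            role = "client->proxy"
        elif src == proxy_ip:
            role = "proxy->origin"
        else:
            role = "other"
        n401 = sum(1 for s in h["statuses"] if s == 401)
        # Every request on a hop answered 401 means the challenge was never satisfied
        # on that hop: either no credentials were sent or they were not accepted.
        if h["requests"] and n401 == h["requests"]:
            findings.append(f"{role} ({src}->{dst}): all {h['requests']} requests "
                            "answered 401; the challenge is never satisfied on this hop")
        # The origin hop speaking only HTTP/1.0 is worth noting: connection-oriented
        # schemes such as NTLM depend on a persistent connection, Basic does not.
        if role == "proxy->origin" and h["request_versions"] == {"1.0"}:
            findings.append(f"{role} ({src}->{dst}): requests forwarded as HTTP/1.0 only")
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_CAPTURE, "10.1.1.2"):
        print(f)
```

Run against a real capture, the script takes the tethereal summary output as its
text input and the Squid listening address as `proxy_ip`; a hop on which some
requests return 200 or 302 shows that credentials did arrive and were accepted
there, which narrows the problem to the other hop.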
