Re: [squid-users] Reverse proxy for Outlook 2010 anywhere with NTLM

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 04 Mar 2013 16:31:32 +1300

On 4/03/2013 9:08 a.m., Damir Reic wrote:
> I am trying to use squid as outlook reverse proxy but popup on outlook is
> appearing all the time and I don't know how to solve the problem. Also for
> some unknown reason with this config squid won't start at boot time and when
> I start it manually it takes a long time to start. I am using squid 3.1.19.
> Rest of stuff that I configured over squid works fine.
>
> Is my config good for reverse proxying multiple servers? Kinda strange that
> I can't specify multiple FQDNs inside an ACL?

Yes, very strange. Separate them with a single space in dstdomain type
ACLs and listing multiple FQDNs should work perfectly.

> #debug_options ALL,3
> logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st
> "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

I am assuming that you have an old Squid version. If you are on the
current supported releases please remove the log format re-definition.

> pid_filename /var/run/squidext.pid
> httpd_suppress_version_string on
> cache_mgr nomail_address_given
> #visible_hostname webmail.codimensions.com
> via off
> forwarded_for transparent
> ssl_unclean_shutdown on
> # Internet connectors
> https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt
> key=/etc/squid/certs/codimensions/codimensions.key
> defaultsite=webmail.codimensions.com vhost
> https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt
> key=/etc/squid/certs/codimensions/codimensions.key
> defaultsite=portal.codimensions.com vhost
> https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt
> key=/etc/squid/certs/codimensions/codimensions.key
> defaultsite=crm.codimensions.com vhost
> https_port 444 accel cert=/etc/squid/certs/codimensions/codimensions.crt
> key=/etc/squid/certs/codimensions/codimensions.key
> defaultsite=crm.codimensions.com vhost
> https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt
> key=/etc/squid/certs/codimensions/codimensions.key
> defaultsite=autodiscover.codimensions.com vhost
> https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt
> key=/etc/squid/certs/codimensions/codimensions.key
> defaultsite=meet.codimensions.com vhost
> https_port 443 accel cert=/etc/squid/certs/codimensions/codimensions.crt
> key=/etc/squid/certs/codimensions/codimensions.key
> defaultsite=ts.codimensions.com vhost

Um. No.

You can only open a listening socket once across all applications on a
machine. Your config above is trying to open *:443 several times. This
will be rejected by the OS.

Also, vhost does not work well when the port is configured with a single
static SSL certificate, since the client-requested FQDN is probably not
the one the certificate was created for. This is a sure way to flood
your users with certificate error popups.

For virtual hosted HTTPS sites you require at minimum the squid-3.2
series and the dynamic SSL certificate generator - to create
certificates tailored to the virtual host each client request is using.
With this feature you only need one port 443 opened.

> http_port 80 accel defaultsite=www.codimensions.com vhost
> http_port 80 accel defaultsite=www.continuitytrain.com vhost
> http_port 80 accel defaultsite=continuitytrain.com vhost
> http_port 80 accel defaultsite=codimensions.com vhost

Same problem. Only without the SSL hassles.
This would suffice:
   http_port 80 accel vhost defaultsite=codimensions.com

NP: defaultsite= is the FQDN to use on any requests which arrive without
specifying a Host: header containing the virtual host FQDN.

> # destination server
> cache_peer 10.10.20.33 parent 443 0 ssl ssldomain=webmail.codimensions.com
> sslcafile=/etc/squid/certs/codimensions/codimensions.crt proxy-only
> no-query no-digest front-end-https=on originserver login=PASS
> connection-auth=on name=exchange forceddomain=webmail.codimensions.com
> cache_peer 10.10.20.53 parent 443 0 ssl ssldomain=webmail.codimensions.com
> sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query
> originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=crm1
> cache_peer 10.10.20.53 parent 444 0 ssl ssldomain=webmail.codimensions.com
> sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query
> originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=crm2
> cache_peer 10.10.20.37 parent 443 0 ssl ssldomain=webmail.codimensions.com
> sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query
> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
> name=sharepoint
> cache_peer 10.10.20.41 parent 443 0 ssl ssldomain=webmail.codimensions.com
> sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query
> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
> name=ts
> cache_peer 10.10.20.34 parent 443 0 ssl ssldomain=webmail.codimensions.com
> sslcafile=/etc/squid/certs/codimensions/codimensions.crt no-query
> originserver ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=meet
> cache_peer 10.10.20.90 parent 80 0 no-query originserver name=apache
> acl CODOMmail dstdomain webmail.codimensions.com
> autodiscover.codimensions.com
> acl CODOMportal dstdomain portal.codimensions.com
> acl CODOMcrm dstdomain crm.codimensions.com
> acl CODOMts dstdomain ts.codimensions.com
> acl CODOMmeet dstdomain meet.codimensions.com
> acl CODOMapache1 dstdomain www.codimensions.com
> acl CODOMapache2 dstdomain www.continuitytrain.com
> acl CODOMapache3 dstdomain .continuitytrain.com
> acl CODOMapache4 dstdomain .codimensions.com

Are you perhaps suffering from the problem that when you write:
   acl CODOMapache dstdomain www.codimensions.com .codimensions.com

... it complains about duplicate or sub- domains?

That is because the '.' at the start of the second one means match all
subdomains of codimensions.com, which includes www.codimensions.com. So
mentioning the www.* form is useless, and the different ways of matching one
domain screw up the ACL calculations and can cause inconsistent
pass/fail behaviour. Just remove the useless www.* form of the domain
from your config.

Amos
Received on Mon Mar 04 2013 - 03:31:44 MST

This archive was generated by hypermail 2.2.0 : Mon Mar 04 2013 - 12:00:04 MST
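The small linter below is an added illustration, not part of the thread above and not Squid's own tooling. It walks a squid.conf text and reports the mistakes Amos points out in his reply: a port spec bound by more than one http_port/https_port line (the OS refuses the second bind), and dstdomain entries that a leading-dot entry already covers (the www.* beside .domain case). It also flags the sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN options that appear on most of the quoted cache_peer lines: those switch off certificate and name checking toward the origin servers, so a host in the path between proxy and backend can impersonate the origin unnoticed. The two sample configurations, the example.com names and the 10.0.0.5 address are constructed for the demonstration; the "fixed" variant keeps one static certificate per port and does not model the squid-3.2 dynamic certificate generator Amos refers to, since whether one certificate suffices depends on the names it carries.

```python
"""Lint a squid.conf for the reverse-proxy mistakes discussed in the thread above."""
from collections import defaultdict

# Constructed sample (not the poster's file) with the same mistakes: *:443 and *:80
# bound more than once, origin TLS verification switched off, and a www.* domain
# listed beside the .domain form that already covers it.
BAD_CONF = """\
https_port 443 accel cert=/etc/squid/certs/site.crt key=/etc/squid/certs/site.key defaultsite=webmail.example.com vhost
https_port 443 accel cert=/etc/squid/certs/site.crt key=/etc/squid/certs/site.key defaultsite=portal.example.com vhost
https_port 444 accel cert=/etc/squid/certs/site.crt key=/etc/squid/certs/site.key defaultsite=crm.example.com vhost
http_port 80 accel defaultsite=www.example.com vhost
http_port 80 accel defaultsite=example.com vhost
cache_peer 10.0.0.5 parent 443 0 ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN originserver name=crm1
acl apache1 dstdomain www.example.com
acl apache2 dstdomain .example.com
"""

# Corrected counterpart (also constructed): one listener per port, the origin
# certificate checked against a CA file and the expected name, one merged ACL.
FIXED_CONF = """\
https_port 443 accel vhost defaultsite=webmail.example.com cert=/etc/squid/certs/site.crt key=/etc/squid/certs/site.key
http_port 80 accel vhost defaultsite=example.com
cache_peer 10.0.0.5 parent 443 0 ssl sslcafile=/etc/squid/certs/ca.crt ssldomain=crm.example.com originserver name=crm1
acl apache dstdomain .example.com
"""


def _options(tokens):
    """Turn 'key=value' and bare flag tokens into a dict (bare flags map to True)."""
    opts = {}
    for tok in tokens:
        key, _, value = tok.partition("=")
        opts[key] = value if value else True
    return opts


def lint(conf):
    """Return a list of (severity, message) findings for a squid.conf text."""
    findings = []
    listeners = defaultdict(list)  # port spec -> [(directive, defaultsite)]
    domains = []                   # [(acl name, dstdomain entry)]

    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        directive = tok[0]
        if directive in ("http_port", "https_port") and len(tok) > 1:
            opts = _options(tok[2:])
            listeners[tok[1]].append((directive, opts.get("defaultsite", "(none)")))
        elif directive == "cache_peer" and len(tok) > 5:
            # cache_peer host type http_port icp_port [options...]
            opts = _options(tok[5:])
            for flag in str(opts.get("sslflags", "")).split(","):
                if flag.startswith("DONT_VERIFY"):
                    findings.append(("ERROR", f"cache_peer {tok[1]}:{tok[3]} uses {flag}: "
                                     "the origin certificate is not checked, so a MITM between "
                                     "proxy and origin goes unnoticed"))
        elif directive == "acl" and len(tok) > 3 and tok[2] == "dstdomain":
            domains += [(tok[1], d) for d in tok[3:] if not d.startswith("-")]

    # One listening socket per port spec: a second bind of the same spec fails at startup.
    for spec, items in listeners.items():
        if len(items) > 1:
            sites = ", ".join(site for _, site in items)
            findings.append(("ERROR", f"{items[0][0]} {spec} is bound {len(items)} times "
                             f"(defaultsite {sites}); keep one line with vhost and one defaultsite"))

    # A leading dot matches the domain itself and every subdomain, so an explicit
    # entry under it is redundant and mixes two matching styles for one name.
    for i, (acl_i, d_i) in enumerate(domains):
        for j, (acl_j, d_j) in enumerate(domains):
            if i == j or not d_j.startswith("."):
                continue
            if d_i == d_j:
                if i < j:
                    findings.append(("WARN", f"{d_i} is listed twice (acl {acl_i}, acl {acl_j})"))
            elif d_i == d_j[1:] or d_i.endswith(d_j):
                findings.append(("WARN", f"acl {acl_i} entry {d_i} is already matched by "
                                 f"{d_j} in acl {acl_j}; drop the {d_i} entry"))
    return findings


if __name__ == "__main__":
    for label, conf in (("bad", BAD_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label} ==")
        for severity, message in lint(conf) or [("OK", "no findings")]:
            print(f"{severity}: {message}")
```

Run it against a real squid.conf by reading the file into `lint()`. Port specs are compared literally, so `443` and `0.0.0.0:443` are reported as different listeners even though they collide on the same socket; normalise them first if your config mixes both forms.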