Re: [squid-users] Squid as transparent proxy for Outlook Web Access

From: Patrick Tschackert <Killing-Time@dont-contact.us>
Date: Wed, 14 Nov 2007 15:10:21 +0100

Amos Jeffries wrote:

>I have a feeling we say you a while earlier. yes?

Yup.

>Does the OWA server really respond to "office-pc39:11994/exchange" normally?

No, the office-pc39 is supposed to listen on port 11994 and redirect everything to the owa server (internal IP: 300.200.80.254) as a transparent reverse proxy.

Henrik Nordstrom wrote:

>Why transparent? I would recomment you to configure the reverse proxy as
>a reverse proxy... a lot of sanity preserved that way..

I'm using the proxy as a transparent one because otherwise it keeps redirecting the client's requests instead of redirecting all of the data.
This fails because the outside client isn't allowed to make connections to the owa server (it isn't even supposed to know it's using a proxy for that matter).

Here's a visual:

INTERNET ||| Internal company network
Browser <------> Squid <---------------------------> OWA server
            (mycompany.dyndns.org) (internal ip: 300.200.80.254)

(Info: when anyone tries to access mycompany.dyndns.org on port 11994, they reach office-pc39 via port forwarding. This is how the it is intended to work when I finally set it up permanently. They are then supposed to reach the owa server through squid without knowing they're being proxied!).

When squid wasn't configured as a transparent proxy, the browser kept trying to bypass the squid proxy.
After I tried the "transparent" setting, the whole thing worked with a simple html test website (without http auth).
I managed to narrow the problem down a bit: everything which needs basic HTTP authentication fails with the squid error page I sent in my previous email.

A peek into the squid cache log revealed this:

>WARNING: Forwarding loop detected for: Client: 127.0.0.1 http_port: >127.0.0.1:11994
>GET http://localhost:11994/authsite HTTP/1.0 Accept: image/gif, >image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, >application/vnd.ms-excel, application/vnd.ms-powerpoint, >application/msword, application/xaml+xml, application/vnd.ms-xpsdocument, >application/x-ms-xbap, application/x-ms-application, */* Accept-Language: >de-ch UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 >(compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR >2.0.50727; .NET CLR 3.0.04506.30) Host: localhost:11994 Authorization: >Basic kzherfbIKKKghdiuegeeE= Via: 1.1 >office-pc39.local.mycompany.com:11994 (squid/2.6.STABLE16), 1.0 >office-pc39.local.mycompany.com:11994 (squid/2.6.STABLE16) >X-Forwarded-For: 127.0.0.1, 127.0.0.1 Cache-Control: max-age=259200 >Connection: keep-alive 2007/11/14 14:29:37| temporary disabling >(Unauthorized) digest from 300.200.80.254

This occurs when trying to access anything which needs authentication.

Amos Jeffries wrote:

> You have an open proxy. Yaya! free internet for the world.

I was planning to configure security issues once the thing works as it should, don't worry. At the moment it's only running about 5 mins at a time when I am testing it. But thanks for your concern! ;-)

> M$ don't like the color black?
I'm afraid I don't get it...

I'm sorry if I appear a bit stupid with resolving this issue, it's really giving me a hard time as I haven't worked a lot with proxies before...

Regards (and thx for trying to help),
-Patrick

-- 
GMX FreeMail: 1 GB Postfach, 5 E-Mail-Adressen, 10 Free SMS.
Alle Infos und kostenlose Anmeldung: http://www.gmx.net/de/go/freemail
Received on Wed Nov 14 2007 - 07:10:31 MST

This archive was generated by hypermail pre-2.1.9 : Sat Dec 01 2007 - 12:00:02 MST