Re: [squid-users] EXCHANGE - RPC over HTTPS not handled?

From: Nicola Bucci <n.bucci_at_gmde.it>
Date: Thu, 6 Oct 2011 15:21:20 +0200

I've now installed the 3.2.0.8 with the following switches:
Squid Cache: Version 3.2.0.8
configure options: '--prefix=/usr/local/squid3beta' '--datadir=/usr/share/squid3beta' '--sysconfdir=/etc/squid3beta' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-ssl' '--with-logdir=/var/log/squid3beta' '--with-pidfile=/var/run/squid3beta.pid' '--with-default-user=proxy'

Log says:

1317906993.050 17 10.100.9.29 TCP_MISS/401 315 RPC_IN_DATA https://external.address.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/exchangeServer text/html
1317906993.051 9 10.100.9.29 TCP_MISS_ABORTED/000 0 RPC_OUT_DATA https://external.address.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/exchangeServer -
1317907005.165 9 10.100.9.29 TCP_MISS/401 315 RPC_IN_DATA https://external.address.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/exchangeServer text/html
1317907005.166 0 10.100.9.29 TCP_MISS_ABORTED/000 0 RPC_OUT_DATA https://external.address.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/exchangeServer -

Nicola

On 6Oct, 2011, at 2:22 PM, Amos Jeffries wrote:

> On 06/10/11 23:12, Nicola Bucci wrote:
>> Thanks for the quick reply, OWA works fine for me... RPC is the problem. Anyway, here is my squid.conf:
>>
>> acl all src all
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8
>> acl EXCH dstdomain .gmde.it
>> acl SSL_ports port 443 # https
>> acl SSL_ports port 563 # snews
>> acl SSL_ports port 873 # rsync
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl Safe_ports port 631 # cups
>> acl Safe_ports port 873 # rsync
>> acl Safe_ports port 901 # SWAT
>> acl purge method PURGE
>> acl CONNECT method CONNECT
>>
>>
>> http_access allow SSL_ports
>>
>> ssl_unclean_shutdown on
>>
>> #Allow ICP queries from local networks only
>>
>> icp_access allow all all
>>
>> #http_port 3128
>>
>> ###LISTEN ON ###
>> https_port 443 cert=/etc/squid3/exchange.pem key=/etc/squid3/nopassexchange.key defaultsite=external.address.com
>>
>> ###CACHE PEER###
>> #cache_peer 10.0.0.3 parent 443 0 no-query proxy-only connection-auth=on originserver front-end-https=on login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/etc/squid3/exchange.pem sslkey=/etc/squid3/nopassexchange.key
>> #cache_peer 10.0.0.3 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/squid/exchange.pem sslkey=/etc/squid/nopassexchange.key
>> cache_peer 10.0.0.3 parent 443 0 connection-auth=off ssl sslflags=DONT_VERIFY_PEER sslcert=/etc/squid3/exchange.pem sslkey=/etc/squid3/nopassexchange.key proxy-only no-query no-digest front-end-https=on sourcehash round-robin originserver login=PASS name=exchangeServer
>>
>>
>> #We recommend you to use at least the following line.
>> hierarchy_stoplist cgi-bin ?
>>
>> access_log /var/log/squid3/access.log squid
>>
>> cache_effective_user proxy
>> cache_effective_group root
>> never_direct allow all all
>> miss_access allow EXCH
>> miss_access deny all
>> cache_peer_access exchangeServer allow EXCH
>> cache_peer_access exchangeServer deny all
>> never_direct allow EXCH
>>
>>
>> and "squid3 -v":
>>
>> configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-ssl' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-esi' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS=' 'CPPFLAGS=' 'CXXFLAGS=-g -O2 -g -Wall -O2' --with-squid=/usr/src/squid3-3.1.6
>>
>>
>> Is there something wrong I'm doing?
>
> Maybe. The more recent Squid requires the mode to be configured explicitly
> after the port. Or it defaults to forward-proxy.
>
> https_port 443 accel cert=...
>
> I think that was done after .6 but it's worth doing anyway just to be ready.
>
>> Or does squid simply not handle RPC over HTTP with Exchange? My goal will be to use squid instead of other commercial products. Obviously :)
>> Thanks
>>
>> On 6Oct, 2011, at 12:06 PM, Jakob Curdes wrote:
>>
>>> On 06.10.2011 11:58, Nicola Bucci wrote:
>>>> Hi all,
>>>> I'm trying to publish Exchange web services on the web through squid 3.1 on Debian. From my Mac it works fine (Mail and Outlook for Mac, OWA is working fine too) but from Windows machines Outlook asks me every time for the authentication credentials. The reason is that on Mac it uses a normal web service (hos/EWS/exchange.asmx), but from Windows, Outlook uses RPC over HTTP (in my case HTTPS). Suggestions?
>>> http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess ?
>>>
>
> Some other possibilities:
> some of the recent MS products (ActiveSync and AD 2010 being the most
> noticeable) don't handle talking through squid-3.1 very well due to its
> being HTTP/1.0 on the client-facing side and HTTP/1.1 on the
> server-facing side. They prefer same HTTP version facing both server and
> client across the link, so squid-3.2 is needed as the relay for reliable
> transactions.
> 3.2.0.8 seems to be the most production-usable so far of the 3.2 betas
> if you want to try it.
>
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.15
> Beta testers wanted for 3.2.0.12
Received on Thu Oct 06 2011 - 13:21:25 MDT
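
Added example (not part of the original thread, and not Squid tooling): a small triage script for the access.log pattern quoted at the top of this message. It pairs each RPC_IN_DATA request answered with 401 with an aborted, zero-byte RPC_OUT_DATA from the same client. The one-second pairing window and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# The four access.log lines quoted in the message (Squid native log format).
SAMPLE_LOG = """\
1317906993.050 17 10.100.9.29 TCP_MISS/401 315 RPC_IN_DATA https://external.address.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/exchangeServer text/html
1317906993.051 9 10.100.9.29 TCP_MISS_ABORTED/000 0 RPC_OUT_DATA https://external.address.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/exchangeServer -
1317907005.165 9 10.100.9.29 TCP_MISS/401 315 RPC_IN_DATA https://external.address.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/exchangeServer text/html
1317907005.166 0 10.100.9.29 TCP_MISS_ABORTED/000 0 RPC_OUT_DATA https://external.address.com/rpc/rpcproxy.dll? - FIRSTUP_PARENT/exchangeServer -
"""

# Fields: time elapsed client result/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)"
)

def parse(line):
    """Return one log record as a dict, or None if the line does not match."""
    m = LINE_RE.fullmatch(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec

def failed_rpc_handshakes(log_text, window=1.0):
    """Map client -> [(time, peer)] for each RPC_IN_DATA answered 401 that is
    followed within `window` seconds (assumed value) by an aborted, zero-byte
    RPC_OUT_DATA from the same client."""
    pending = {}                      # client -> last RPC_IN_DATA 401 record
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue                  # skip blank or non-native-format lines
        if rec["method"] == "RPC_IN_DATA" and rec["status"] == 401:
            pending[rec["client"]] = rec
        elif (rec["method"] == "RPC_OUT_DATA" and rec["size"] == 0
              and rec["result"].endswith("_ABORTED")):
            first = pending.pop(rec["client"], None)
            if first and rec["ts"] - first["ts"] <= window:
                failures[rec["client"]].append((first["ts"], rec["peer"]))
    return dict(failures)

if __name__ == "__main__":
    for client, events in failed_rpc_handshakes(SAMPLE_LOG).items():
        print(client, len(events), "failed RPC channel pairs via", events[0][1])
```

A 401 on its own is the normal first step of an HTTP authentication challenge; the count that matters is how often it is paired with an aborted channel and never followed by a successful request.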
