On 09.05.2012 10:42, Ruiyuan Jiang wrote:
> Hi, all
>
> I am new to Squid. I am trying to setup squid as a reverse proxy to
> for MS Exchange outlook client access. I compiled squid myself
> (v3.1.19, Solaris 10, SPARC). I followed the configuration example on
> the squid web page "ConfigExamples/Reverse/ExchangeRpc".
>
> # cat squid.conf
<snip>
> # Squid normally listens to port 3128
>
> https_port 156.146.1.133:443 accel
> cert=/opt/apache2.2.21/conf/ssl.crt/webmail_fnpc_com.crt
> defaultsite=webmail.fnpc.com
> cache_peer 10.105.10.20 parent 443 0 no-query originserver login=PASS
> ssl sslcert=/opt/apache2.2.21/conf/ssl.crt/webmail_fnpc_com.crt
> name=exchangeServer
>
> acl EXCH dstdomain .fnpc.com
>
> cache_peer_access exchangeServer allow EXCH
> cache_peer_access exchangeServer deny all
> never_direct all EXCH
>
> http_access allow EXCH
> http_acces deny all
^^ typo "ss"
> miss_access allow EXCH
> miss_access deny all
>
<snip>
>
> The certificate file webmail_fnpc_com.crt is a valid certificate that I
> got from a CA. Do I need to install two certificates on the server,
> one for client which I would guess the official certificate
> (webmail_fnpc_com.crt)? Can I present the same certificate to the
> internal exchange server? That is what I did to all my Apache reverse
> proxy servers for Exchange server.
The basics of it are that Squid is what interacts with the client. So
the public cert needs to be presented there on https_port.
What Exchange uses depends on what type of interactions happen there.
It is probably safest to have self-signed certs with the self-signing CA
trusted by Squid (on cache_peer) so it can verify Exchange, but this
only works if the clients are not interacting directly with Exchange via
other channels.
NP: Squid requires PEM format certificate files.
> When I ran 'squid -X', I got the
> below message stating 1. unrecognized: 'https_port', 2. FATAL:
> Bungled
> squid.conf line 64: cache_peer 156.146.16.198 parent 443 0 no-query
> originserver login=PASS ssl
> sslcert=/opt/apache2.2.21/conf/ssl.crt/webmail_fnpc_com.crt
> name=exchangeServer
>
When you built squid you omitted --enable-ssl. Ensure you have the openssl
development library to build against and rebuild your squid. It should
accept the SSL related config after that.
<snip>
> 2012/05/08 17:22:11.373| parse_peer: token='ssl'
...
> FATAL: Bungled squid.conf line 64: cache_peer 156.146.16.198 parent
> 443 0 no-query originserver login=PASS ssl
> sslcert=/opt/apache2.2.21/conf/ssl.crt/webmail_fnpc_com.crt
> name=exchangeServer
> Squid Cache (Version 3.1.19): Terminated abnormally.
Amos
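The following preflight script and corrected configuration fragment are an added example, not code from the thread or from the Squid project. It checks the three things the reply above turns on: that the squid binary reports --enable-ssl, that the certificate files are PEM (the "-----BEGIN" text form), and whether the private key needs its own key= entry on https_port. The paths under /etc/squid/ssl, the exchange-ca.pem file name and the "--check" argument are assumptions; the addresses and domain are the ones from the quoted configuration.

```shell
#!/bin/sh
# Added example (not from the thread). Preflight checks for the Squid
# reverse-proxy setup discussed above: is the binary built with SSL,
# and are the certificate files in the PEM format Squid requires?

# Returns 0 when the given `squid -v` output lists --enable-ssl among
# the configure options (the missing option behind "Bungled squid.conf").
squid_has_ssl() {
    printf '%s\n' "$1" | grep -q -- '--enable-ssl'
}

# Returns 0 when the file is a PEM certificate; a DER (binary) .crt
# exported from another server is rejected by Squid.
cert_is_pem() {
    [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Returns 0 when the same file also carries the private key. If it does
# not, https_port needs a separate key=... pointing at the key file.
cert_has_key() {
    [ -r "$1" ] && grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Prints the corrected configuration fragment. File paths are assumptions;
# the public CA-issued cert faces the clients on https_port, while Squid
# verifies Exchange against the internal CA named in sslcafile.
print_conf() {
cat <<'EOF'
https_port 156.146.1.133:443 accel defaultsite=webmail.fnpc.com \
    cert=/etc/squid/ssl/webmail_fnpc_com.pem \
    key=/etc/squid/ssl/webmail_fnpc_com.key

cache_peer 10.105.10.20 parent 443 0 no-query originserver login=PASS \
    ssl sslcafile=/etc/squid/ssl/exchange-ca.pem name=exchangeServer

acl EXCH dstdomain .fnpc.com
cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH

http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all
EOF
}

# Runs the checks against the local squid binary and the assumed paths.
main() {
    if squid_has_ssl "$(squid -v 2>&1)"; then
        echo "ok: squid built with --enable-ssl"
    else
        echo "problem: squid lacks --enable-ssl; rebuild with the OpenSSL headers installed"
    fi
    for f in /etc/squid/ssl/webmail_fnpc_com.pem /etc/squid/ssl/exchange-ca.pem; do
        if cert_is_pem "$f"; then
            echo "ok: $f is PEM"
        else
            echo "problem: $f is missing or not PEM (convert with: openssl x509 -inform DER -in in.crt -out out.pem)"
        fi
    done
    if cert_has_key /etc/squid/ssl/webmail_fnpc_com.pem; then
        echo "note: cert file also contains the private key; key= may be dropped"
    fi
    print_conf
}

if [ "${1:-}" = "--check" ]; then
    main
fi
```

Run it as `sh preflight.sh --check` on the proxy host; the functions can also be sourced individually. Keeping the CA-issued certificate on https_port only, and a separate internal CA in sslcafile, matches the reply's advice and keeps the public key pair out of the Squid-to-Exchange hop.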
Received on Wed May 09 2012 - 01:05:31 MDT
This archive was generated by hypermail 2.2.0 : Wed May 09 2012 - 12:00:02 MDT