Re: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 16 Jun 2008 16:15:41 +1200

Alan Lehman wrote:
> I am trying to do the same thing. OWA works, but so far no joy with RPCoHTTP. Do I have to do something in OL to make it accept the certificate? The certs are purchased from godaddy.com. For each, I appended the bundled gd_intermediate to the domain cert.
>
> Also, in the example config for OWA, I am confused by the following:
>
> acl OWA dstdomain owa_hostname
> cache_peer_access owa_hostname allow OWA
>
> Doesn't the 2nd line just grant access from owa_hostname to owa_hostname ??

The two are independent things.

The ACL dstdomain 'owa_hostname' is meant to be replaced by the FQDN of
your public OWA which clients use to get to the service.

The cache_peer_access owa_hostname is meant to be a separate unique
string 'X' exactly matching the value of the cache_peer name=X option.

I've tweaked the wiki demo config a little to make that clear.

>
>
> My current config (which works for OWA, but not RPCoHTTP):
>
> extension_methods RPC_IN_DATA RPC_OUT_DATA
>
> https_port public_ip_for_owa:443 cert=/usr/share/ssl/owa/combined.crt key=/usr/share/ssl/owa/owa.key defaultsite=owa.tld.com
>
> https_port public_ip_for_rpc:443 cert=/usr/share/ssl/rpc/combined.crt key=/usr/share/ssl/rpc/rpc.key defaultsite=rpc.tld.com
>
> cache_peer ip_of_exchange parent 80 0 no-query originserver front-end-https=auto login=PASS

You need a second entry for port 443 on the exchange server to handle
the RPC requests.
This is where the name= parameter becomes very important and needs to be
unique for each entry and used in the cache_peer_access lines below.

>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl CONNECT method CONNECT
>
> acl OWA dstdomain owa.tld.com
> acl RPC dstdomain rpc.tld.com
>
> http_access allow manager localhost
> http_access allow OWA
> http_access allow RPC
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
>
> http_access allow localhost
> http_access deny all
>
> http_reply_access allow all
> icp_access deny all
>
> miss_access allow OWA
> miss_access allow RPC
> miss_access deny all
>
> cache_peer_access ip_of_exchange allow OWA
> cache_peer_access ip_of_exchange allow RPC
> cache_peer_access ip_of_exchange deny all
>
> never_direct allow OWA
> never_direct allow RPC
>
>
> Thanks again,
> Alan Lehman
>
>
>> -----Original Message-----
>> From: Odhiambo Washington [mailto:odhiambo_at_gmail.com]
>> Sent: Monday, June 02, 2008 11:41 AM
>> To: Squid users
>> Subject: Re: [squid-users] Is it possible to have squid as do Proxy and
>> OWA/RPCoHTTPS accelerator?
>>
>> On Mon, Jun 2, 2008 at 7:27 PM, Henrik Nordstrom
>> <henrik_at_henriknordstrom.net> wrote:
>>> On mån, 2008-06-02 at 13:41 +0300, Odhiambo Washington wrote:
>>>> (actually, this is supposed to be the only entry for cache_peer I am
>>>> going to have?)
>>> If you only have one server, and that server is only talking http
>> then
>>> yes there is only a single cache_peer..
>> Understood.
>>
>>>> That has worked. It also required a PEM passphrase. I hope this is
>> not
>>>> supposed to be another problem. These ssl stuff!
>>> You can configure the password in squid.conf if the PEM key is
>>> encrypted, or easily decrypt it with the openssl rsa command.
>> Understood as well.
>>
>>>> In my case, I don't have a certificate for the external hostname,
>>>> which brings me back to the confusing issue regarding the
>> certificate:
>>>> I can make a self-signed certificate for the external hostname. Not
>> a
>>>> problem. However, does this mean I really don't need the internal
>>>> certificate Exchange is using?
>>> Correct.
>> Pooh! That was so confusing:-)
>>
>>>> Suppose:
>>>>
>>>> My Squid host is publicly known as mail.odhiambo.COM (IP of 1.2.3.4)
>>>> My Exchange server is named msexch.msexch.odhiambo.BIZ (IP of
>> 192.168.0.26)
>>>> Given that both OWA and RPCoHTTPS are directed at these...
>>>>
>>>> What values should I use for the following variables (from the
>> wiki):
>>>> (a) owa_hostname?
>>> In https_port defaultsite you should use mail.odhiambo.COM as this is
>>> what the clients are expected to connect to.
>>>
>>>> (b) ip_of_owa_server?
>>> The ip of your exchange/owa server.
>>>
>>>> (c) rpcohttp.url.com?
>>> Ignore. That example uses a setup with more Exchange servers, where
>> OWA
>>> is running on a separate server from Exchange.
>>>
>>>> (d) the_exchange_server?
>>> Ignore as above.
>>>
>>>> From there, I believe I will only get stuck at the ssl certificates
>>>> step, which is where I am still a bit confused.
>>> Since you are not going to use a real certificate then issue yourself
>> a
>>> self-signed one using OpenSSL.
>>>
>>> openssl req -new -x509 -days 10000 -nodes -out
>> mail.odhiambo.COM_selfsigned.pem -keyout mail.odhiambo.COM_key.pem
>>
>> Everything is all clear now.
>>
>> Will find good time to test this out and see how well it goes.
>>
>> Thank you very much, Amos and Henrik! That was quite some
>> hand-holding. I really appreciate.
>>

Amos

-- 
Please use Squid 2.7.STABLE2 or 3.0.STABLE6
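The two points Amos makes above (the first argument of cache_peer_access is the peer name, i.e. the name= value or the host as written when name= is absent, and two cache_peer entries for the same Exchange host need distinct name= values) are easy to get wrong and squid only tells you at startup. The checker below is an added example written for this thread; it is not squid's code nor any poster's. It walks a squid.conf fragment top to bottom the way squid does and reports cache_peer_access lines keyed on something that is not a known peer name, duplicate peer names, and acl references that were never defined (the quoted config uses !Safe_ports without defining it). The two sample configs are constructed: NAIVE_CONF is the quoted config with a second port-443 peer added without name=, FIXED_CONF is the same config done as Amos describes. The `ssl` option on the port-443 peer and the `exch_owa`/`exch_rpc` names are my assumptions, not something stated in the thread; hostnames and paths are the thread's placeholders.

```python
"""Consistency check for cache_peer / cache_peer_access / acl directives
in a squid.conf fragment.

Added example for this thread, not squid's code or any poster's.  It
encodes the rule Amos gives above (the first argument of cache_peer_access
is the peer *name*: the name= value, or the host as written when name= is
absent) and two startup checks squid itself makes: an acl must be defined
before a rule uses it, and two cache_peer lines may not share a name.
Squid reads squid.conf top to bottom, so this does too.
"""

# Directives whose words after the first N arguments are acl references.
ACL_RULES = {
    "http_access": 1, "http_reply_access": 1, "icp_access": 1,
    "miss_access": 1, "never_direct": 1, "always_direct": 1,
    "cache_peer_access": 2,        # <peer-name> allow|deny <acl>...
}

# Assumed built-in acl names.  Modern squid predefines 'all'; the 2.7/3.0
# releases in this thread needed an explicit 'acl all src all', so pass
# builtins=frozenset() to check a config meant for those versions.
DEFAULT_BUILTINS = frozenset({"all"})


def peer_name(words):
    """cache_peer <host> <type> <http-port> <icp-port> [options...]"""
    host, port = words[1], words[3]
    name = host                              # squid's default when name= is absent
    for opt in words[5:]:
        if opt.startswith("name="):
            name = opt[len("name="):]
    return name, host, port


def check_squid_conf(text, builtins=DEFAULT_BUILTINS):
    """Return (peers, problems); peers maps peer name -> (host, port)."""
    peers, acls, problems = {}, set(builtins), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()     # drop comments, tokenize
        if not words:
            continue
        directive = words[0]
        if directive == "acl" and len(words) >= 3:
            acls.add(words[1])
        elif directive == "cache_peer" and len(words) >= 5:
            name, host, port = peer_name(words)
            if name in peers:
                problems.append(f"line {lineno}: cache_peer name '{name}' "
                                "used twice; give each peer a unique name=")
            peers[name] = (host, port)
        elif directive in ACL_RULES and len(words) > ACL_RULES[directive]:
            if directive == "cache_peer_access" and words[1] not in peers:
                hint = (" (that is an acl name; this argument must be a "
                        "cache_peer name)") if words[1] in acls else ""
                problems.append(f"line {lineno}: cache_peer_access refers "
                                f"to unknown peer '{words[1]}'{hint}")
            for ref in words[1 + ACL_RULES[directive]:]:
                if ref.lstrip("!") not in acls:
                    problems.append(f"line {lineno}: {directive} uses "
                                    f"undefined acl '{ref.lstrip('!')}'")
    return peers, problems


# Constructed sample: the quoted config plus a second peer for port 443
# added *without* name=, so both peers default to the name 'ip_of_exchange'.
NAIVE_CONF = """\
cache_peer ip_of_exchange parent 80 0 no-query originserver front-end-https=auto login=PASS
cache_peer ip_of_exchange parent 443 0 no-query originserver ssl login=PASS
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl OWA dstdomain owa.tld.com
acl RPC dstdomain rpc.tld.com
http_access allow OWA
http_access allow RPC
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
cache_peer_access ip_of_exchange allow OWA
cache_peer_access ip_of_exchange allow RPC
cache_peer_access ip_of_exchange deny all
never_direct allow OWA
never_direct allow RPC
"""

# Constructed sample done as Amos describes: a unique name= per peer, each
# cache_peer_access keyed on it, and the missing Safe_ports acl defined.
FIXED_CONF = """\
cache_peer ip_of_exchange parent 80 0 no-query originserver name=exch_owa front-end-https=auto login=PASS
cache_peer ip_of_exchange parent 443 0 no-query originserver name=exch_rpc ssl login=PASS
acl Safe_ports port 80 443
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl OWA dstdomain owa.tld.com
acl RPC dstdomain rpc.tld.com
http_access allow OWA
http_access allow RPC
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
cache_peer_access exch_owa allow OWA
cache_peer_access exch_owa deny all
cache_peer_access exch_rpc allow RPC
cache_peer_access exch_rpc deny all
never_direct allow OWA
never_direct allow RPC
"""

if __name__ == "__main__":
    for label, conf in (("naive", NAIVE_CONF), ("fixed", FIXED_CONF)):
        peers, problems = check_squid_conf(conf)
        print(label, sorted(peers), problems or "OK")
```

Run it against your own squid.conf by reading the file into check_squid_conf; the misreading of the wiki example discussed above (cache_peer_access keyed on the dstdomain acl name) is reported with the "that is an acl name" hint. The checker is deliberately narrow: it knows nothing about option validity, https_port, or whether the peer's port actually speaks TLS, only whether the names line up.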
Received on Mon Jun 16 2008 - 04:15:42 MDT

This archive was generated by hypermail 2.2.0 : Mon Jun 16 2008 - 12:00:03 MDT