Re: [squid-users] Reverse and SSL cert

From: Andrea Gallazzi <andrea.gallazzi_at_live.com>
Date: Thu, 1 Apr 2010 11:11:08 +0200

Thanks Jakob for your reply.
As usual I do not agree with digital certificates. :-)

(In theory, and with your help.) My goal is to demonstrate that it is possible to
use Squid as a reverse proxy instead of ISA or TMG, and to write an article on my
blog.

I would like this topology:

Squid as reverse proxy for Exchange 2010 OWA and ActiveSync.
Exchange 2010 has a certificate issued by my internal CA.

I am following this example config:
http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess

In the real world:
Must I request a new certificate from my internal CA for the Squid
reverse proxy, or install the same certificate as Exchange?

tnx
--------------------------------------------------
From: "Jakob Curdes" <jc_at_info-systems.de>
Sent: Wednesday, March 31, 2010 11:59 PM
To: "Squid Mailing List" <squid-users_at_squid-cache.org>
Cc: "Andrea Gallazzi" <andrea.gallazzi_at_live.com>
Subject: Re: [squid-users] Reverse and SSL cert

>
>> Is the certificate the same as Exchange's?
>> (If yes) Will the same certificate be installed on Squid and on Exchange?
>> How to make the .pem certificate for Squid?
>>
> You need to tell us more about your setup. Probably you want to terminate
> an SSL connection on the reverse proxy and forward the request to an
> internal server that happens to run SSL. In this case the certificate that
> the external client will get is the one configured in the https_port
> directive. For the second SSL connection (presumably to Exchange) you need
> a second certificate, which is defined in the cache_peer directive. This
> cert is just used to identify Squid to the Exchange server. Another
> problem arises: if we are talking about OWA or RPC via HTTP access to
> Exchange, you need to make sure that the domain for the requests is the
> same all the time, i.e. the external client is requesting owa.domain.com
> which you are forwarding, say, to exchange.company.local. You must make
> sure that these two domains map to one in DNS, otherwise the requests
> will fail. Plus the certificates need to reflect this ... there are
> commercial certificates where you can enter two different domain names
> into one cert. Look for "Subject Alternative Names (SAN)" certificates. You
> can use such a cert on Squid and the Exchange server.
>
> Remark, not sure if it applies: If using Outlook as an RPC via HTTPS client,
> you will have trouble with self-signed certs. Outlook does not display a
> warning but just rejects the connection unless the self-signed cert has been
> accepted into the certificate store of the operating system, e.g. by going
> through an IE certificate dialogue.
>
> HTH,
> Jakob Curdes
>
>
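As an added example (not part of the thread, not Squid's or the wiki's own code): the SAN certificate Jakob describes can be requested from the internal CA with a CSR that lists both names, and the resulting PEM can be checked for the names before it is placed in the https_port cert=/key= files. It assumes the openssl CLI is installed; the hostnames are the thread's own placeholders, and the self-signed variant is only for testing the config, not for Outlook clients.

```shell
#!/bin/sh
# Added example: generate a key plus a SAN CSR for the Squid reverse proxy
# and verify which DNS names a PEM certificate actually covers.
set -e

# write_san_cnf DIR CN NAME... : openssl config with a subjectAltName list
write_san_cnf() {
  dir=$1; cn=$2; shift 2
  alt=""
  for n in "$@"; do alt="${alt}${alt:+,}DNS:$n"; done
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $cn
[v3_req]
subjectAltName = $alt
EOF
}

# gen_san_csr DIR CN NAME... : key.pem + req.csr to submit to the internal CA
gen_san_csr() {
  write_san_cnf "$@"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
    -out "$1/req.csr" -config "$1/san.cnf" 2>/dev/null
}

# gen_selfsigned DIR CN NAME... : test-only cert.pem carrying the same SANs
gen_selfsigned() {
  write_san_cnf "$@"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -keyout "$1/key.pem" \
    -out "$1/cert.pem" -config "$1/san.cnf" -extensions v3_req 2>/dev/null
}

# cert_covers PEM NAME : exit 0 only if NAME appears as a DNS SAN in PEM
cert_covers() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -qFw -- "DNS:$2"
}

# Demo with the thread's placeholder names (constructed, runs offline).
d=$(mktemp -d)
gen_selfsigned "$d" owa.domain.com owa.domain.com exchange.company.local
for h in owa.domain.com exchange.company.local mail.other.example; do
  cert_covers "$d/cert.pem" "$h" && echo "$h: covered" || echo "$h: NOT covered"
done
rm -rf "$d"
```

The CSR from gen_san_csr is what goes to the internal CA; the same check with cert_covers tells you whether the returned cert can serve both the external name and the cache_peer name.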
Received on Thu Apr 01 2010 - 09:11:22 MDT

This archive was generated by hypermail 2.2.0 : Fri Apr 02 2010 - 12:00:04 MDT