Just for your information, my config is running smoothly.
Here are the keys for the config of squid:
acl webmail_domains dstdomain webmail.xxx.fr
acl www_domains dstdomain www.xxx.fr
http_access allow webmail_domains
http_access allow www_domains
http_access deny all
http_reply_access allow all
https_port 443 accel vhost cert=/certificats/server.pem key=/certificats/key.pem cafile=/certificats/ca-cert defaultsite=www.xxx.fr
cache_peer 172.21.0.63 parent 80 0 no-query originserver login=PASS front-end-https=auto proxy-only name=webmail
cache_peer_access webmail allow webmail_domains
cache_peer 172.21.0.66 parent 80 0 no-query originserver login=PASS front-end-https=auto proxy-only name=www
cache_peer_access www allow www_domains
Does someone know if I can have two different SSL certs if I only have one socket for squid? If not, I have to set up 2 IPs on my squid box and rewrite my NAT rules.
_________________________________
David LIMA
Professional Services
www.scc.com
-----Original Message-----
From: LIMA David
Sent: Monday, 15 November 2004 19:39
To: squid-users@squid-cache.org
Subject: [squid-users] SQUID3 + Reverse proxy + OWA: strange error
Hi all,
I'm trying to set up a squid3 to do reverse proxy for OWA running on Exchange 2000 but I can't succeed. (I have read all posts about OWA + squid but was unable to find a clue...)
Here is my setup
----------          -------------         ----------------
- CLIENT - ==> :443 -  SQUID3   - ==> :80 - OWA@exch2000 -
----------          -------------         ----------------
When I go to http://webmail.xxx.fr/exchange/ it works, auth + browsing etc ...
When I go to https://webmail.xxx.fr/exchange the auth box comes (I use basic auth on OWA), I put my login and password, then the 2 frames of the OWA web site appear but they are blank. When I go to my log files (exchange) I can't find the problem.
Here is my setup for squid:
______________________________
http_port 3128
ssl_unclean_shutdown on
no_cache deny QUERY
acl all src 0.0.0.0/0.0.0.0
acl all-dst dst 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 80
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl owa-exchange urlpath_regex \/exchange(\/|$)
acl owa-webid urlpath_regex \/WebID\/
acl owa-host dst 172.21.0.63/255.255.255.255
http_access allow owa-host owa-exchange
http_access allow owa-host owa-webid
http_reply_access allow all-dst
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# !!!! for testing purpose only !!!!
http_access allow all
http_access deny all
visible_hostname webmail.xxx.fr
https_port 443 cert=/certificats/server.pem key=/certificats/key.pem cafile=/certificats/ca-cert defaultsite=webmail.xxx.fr
cache_peer webmail.xxx.fr parent 80 0 no-query originserver login=PASS front-end-https=auto proxy-only
Here is a sample of my access.log during an unsuccessful attempt
_____________________________
4 172.21.1.4 TCP_MISS/401 333 GET https://webmail.xxx.fr/exchange/ - FIRST_UP_PARENT/webmail.xxx.fr text/html
19 172.21.1.4 TCP_MISS/200 1518 GET https://webmail.xxx.fr/exchange/ - FIRST_UP_PARENT/webmail.xxx.fr text/html
==> When I run squid in console mode (squid -d1 -N), I see that an error occurs, but after googling and browsing the squid-archive-list I can't find out why: "ClientNegotiateSSL: Error negotiating SSL connection on FD 16"
I have a second question: I want squid to serve https://www.xxx.fr on a host, and https://www.xxx.fr/exchange/ or https://webmail.xxx.fr or https://webmail.xxx.fr/exchange/ on a second host ==> is it possible to do that with squid? And if yes, how?
Any help would be greatly appreciated. Thanks a lot.
David LIMA
Professional Services
www.scc.com
Received on Wed Nov 17 2004 - 10:58:44 MST
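How the working configuration in the reply decides where a request goes, as an added example that is not part of the original mail and is not Squid code: a simplified Python model of Squid's first-match evaluation of http_access and cache_peer_access. It assumes only dstdomain ACLs and the catch-all `all` are in play and that the Host value carries no port; the function names are hypothetical.

```python
# Added example: simplified model of Squid's first-match rule evaluation.
# Assumption: only dstdomain ACLs and the catch-all "all" are modelled.
# Rules copied from the reply; xxx.fr is the poster's own placeholder.
WORKING = """\
acl webmail_domains dstdomain webmail.xxx.fr
acl www_domains dstdomain www.xxx.fr
http_access allow webmail_domains
http_access allow www_domains
http_access deny all
cache_peer_access webmail allow webmail_domains
cache_peer_access www allow www_domains
"""

def parse(conf):
    acls, http, peers = {}, [], {}
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if tok[:1] == ["acl"] and tok[2:3] == ["dstdomain"]:
            acls.setdefault(tok[1], set()).update(d.lower() for d in tok[3:])
        elif tok[:1] == ["http_access"]:
            http.append((tok[1], tok[2:]))
        elif tok[:1] == ["cache_peer_access"]:
            peers.setdefault(tok[1], []).append((tok[2], tok[3:]))
    return acls, http, peers

def matches(acls, name, host):
    negated, name = name.startswith("!"), name.lstrip("!")
    # ".example" style entries match the domain itself and its subdomains.
    hit = name == "all" or any(
        host == d or (d.startswith(".") and ("." + host).endswith(d))
        for d in acls.get(name, ()))
    return hit != negated

def first_match(acls, rules, host):
    for action, names in rules:          # the first rule whose ACLs all match wins
        if all(matches(acls, n, host) for n in names):
            return action
    last = rules[-1][0] if rules else "allow"
    return "deny" if last == "allow" else "allow"  # default: opposite of last rule

def route(conf, host):
    """Return the cache_peer name chosen for a Host value, or 'DENIED'."""
    acls, http, peers = parse(conf)
    host = host.lower()
    if first_match(acls, http, host) == "allow":
        for peer, rules in peers.items():
            if first_match(acls, rules, host) == "allow":
                return peer
    return "DENIED"
```

Because the dstdomain entries have no leading dot, only the two exact names are accepted, so any other Host value ends at `http_access deny all` and never reaches a peer.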