RE: [squid-users] SQUID + REVERSE PROXY + OWA

From: Ratti Michele <[email protected]>
Date: Thu, 23 Dec 2004 14:10:49 +0100

[root@moon root]# squid -v
Squid Cache: Version 2.5.STABLE6
configure options: i586-mandrake-linux-gnu --program-prefix=
--prefix=/usr --exec-prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin
--sysconfdir=/etc/squid --datadir=/usr/share --includedir=/usr/include
--libdir=/usr/lib --libexecdir=/usr/lib/squid --localstatedir=/var
--sharedstatedir=/usr/com --mandir=/usr/share/man
--infodir=/usr/share/info --enable-poll --enable-snmp
--enable-removal-policies=heap,lru
--enable-storeio=aufs,coss,diskd,ufs,null --enable-useragent-log
--enable-referer-log --enable-cachemgr-hostname=localhost
--enable-truncate --enable-underscores --enable-carp --enable-async-io
--enable-htcp --enable-delay-pools --enable-linux-netfilter --enable-ssl
--enable-arp-acl --enable-auth=basic,digest,ntlm
--enable-basic-auth-helpers=winbind,multi-domain-NTLM,getpwnam,YP,SMB,PA
M,NCSA,MSNT,LDAP
--enable-ntlm-auth-helpers=SMB,fakeauth,no_check,winbind
--enable-digest-auth-helpers=password
--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group
,winbind_group --enable-follow-x-forwarded-for --with-pthreads
--with-winbind-auth-challenge --disable-dependency-tracking
--disable-ident-lookups

-----Original Message-----
From: Ratti Michele [mailto:Michele.Ratti@cim-italia.it]
Sent: Wednesday, December 22, 2004 7:50 PM
To: squid-users@squid-cache.org
Cc: Elsen Marc; Henrik Nordstrom
Subject: [squid-users] SQUID + REVERSE PROXY + OWA
Importance: High
Sensitivity: Confidential

I have:
1) Linux Mandrake v10.1
2) Linux Mandrake SQUID RPM v2.5-STABLE6
3) OutlookWebAccess on Windows Server 2003

Here you have my configuration files.

I'd like to use Squid as a reverse proxy in this way:
WEB -> SSL SQUID PROXY -> OWA (HTTP) (exchange)

Is my configuration OK!?

Can you help me?

Regards.
--------------------------
Michele Ratti

1) squid.conf

# TAG: https_port
# Usage: [ip:]port cert=certificate.pem [key=key.pem]
[options...]
#
# The socket address where Squid will listen for HTTPS client
# requests.
#
# This is really only useful for situations where you are running
# squid in accelerator mode and you want to do the SSL work at
the
# accelerator level.
#
# You may specify multiple socket addresses on multiple lines,
# each with their own SSL certificate and/or options.
#
# Options:
#
# cert= Path to SSL certificate (PEM format)
#
# key= Path to SSL private key file (PEM format)
# if not specified, the certificate file is
# assumed to be a combined certificate and
# key file
#
# version= The version of SSL/TLS supported
# 1 automatic (default)
# 2 SSLv2 only
# 3 SSLv3 only
# 4 TLSv1 only
#
# cipher= Colon separated list of supported ciphers
#
# options= Varions SSL engine options. The most important
# being:
# NO_SSLv2 Disallow the use of SSLv2
# NO_SSLv3 Disallow the use of SSLv3
# NO_TLSv1 Disallow the use of TLSv1
# See src/ssl_support.c or OpenSSL documentation
# for a more complete list.
#
#Default:
# none
https_port 443 cert=/etc/squid/key.crt key=/etc/squid/key.key
httpd_accel_host 89.0.4.128 httpd_accel_port 80 #httpd_accel_single_host
off httpd_accel_with_proxy on httpd_accel_uses_host_header off
redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
visible_hostname OwaMailMan

[THE REST IS DEFAULT]

2) squidGuard.conf
#----------------------------------------------------------------
# SquidGuard CONFIGURATION FILE
#----------------------------------------------------------------

# CONFIGURATION DIRECTORIES
dbhome /usr/share/squidGuard-1.2.0/db
logdir /var/log/squidGuard

# TIME RULES:
# abbrev for weekdays:
# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat

time workhours {
        weekly s 09:30-12:00 13:00-19:00
        weekly m 09:00-12:00 13:00-19:00
        weekly t 09:00-11:00 12:00-19:00
        weekly w 09:00-12:00 12:00-18:00
        weekly h 09:00-13:00 13:00-18:00
        weekly f 09:00-12:00 13:30-18:00
        weekly a 08:20-13:00 13:30-19:00 }

# SOURCE ADDRESSES:
src privilegedsource {
        iplist privilegedsource/ips
}

src bannedsource {
        iplist bannedsource/ips
}

src lansource {
        iplist lansource/lan
}

# DESTINATION CLASSES:
dest porn {
    domainlist porn/domains
    urllist porn/urls
    expressionlist porn/expressions
}

dest adult {
    domainlist adult/domains
    urllist adult/urls
    expressionlist adult/expressions
}

dest audio-video {
    domainlist audio-video/domains
    urllist audio-video/urls
}

dest forums {
    domainlist forums/domains
    urllist forums/urls
    expressionlist forums/expressions
}

dest hacking {
    domainlist hacking/domains
    urllist hacking/urls
}

dest redirector {
    domainlist redirector/domains
    urllist redirector/urls
    expressionlist redirector/expressions }

dest warez {
    domainlist warez/domains
    urllist warez/urls
}

dest ads {
    domainlist ads/domains
    urllist ads/urls
}

dest aggressive {
    domainlist aggressive/domains
    urllist aggressive/urls
}

dest drugs {
    domainlist drugs/domains
    urllist drugs/urls
}

dest gambling {
    domainlist gambling/domains
    urllist gambling/urls
}

dest publicite {
    domainlist publicite/domains
    urllist publicite/urls
    expressionlist publicite/expressions }

dest violence {
    domainlist violence/domains
    urllist violence/urls
    expressionlist violence/expressions }

dest banneddestination {
        domainlist banneddestination/domains
        urllist banneddestination/urls
        expressionlist banneddestination/expressions
}

dest advertising {
        domainlist advertising/domains
        urllist advertising/urls
        redirect http://127.0.0.1/cgi-bin/nulbanner.png
        log /var/log/squidGuard/advertising.log
 

}
dest exploit {
        expressionlist exploit/expressions
}

# ACLs
acl {
        privilegedsource {
                pass !advertising all
                redirect
http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&srcclass=%s&target
class=%t&url=%u

        }
        
# bannedsource {
# pass none
# redirect
http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&srcclass=%s&target
class=%t&url=%u
#
# }

        lansource {
                pass !adult !audio-video !forums !hacking !redirector
!warez !ads !aggressive !drugs !gambling !publicite !violence
!banneddestination !advertising all
                redirect
http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&srcclass=%s&target
class=%t&url=%u
        }

        
        default {
                pass !exploit all
                redirect
http://127.0.0.1:81/cgi-bin/squidGuard.cgi?clientaddr=%a&srcclass=%s&tar
getclass=%t&url=%u

        }
}
Received on Thu Dec 23 2004 - 06:10:09 MST

This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:03 MST