Re: [squid-users] Squid as transparent proxy for Outlook Web Access

From: Amos Jeffries <[email protected]>
Date: Sat, 10 Nov 2007 14:48:39 +1300

Killing-Time@gmx.de wrote:
> Hi everyone,
>
> After a long period of trying and testing, i got squid to work as a transparent reverse proxy.
> The final goal is to place it in front of our company outlook web access server, and I'm trying to get there in small steps.
>
> My current problem:
>
> Squid works exactly as it should when connecting to a simple html test site with only text, but when I try to connect to our OWA server through squid, I get the following error message:
>
>> ERROR
>> The requested URL could not be retrieved
>>
>> --------------------------------------------------------------------------------
>>
>> While trying to retrieve the URL: http://office-pc39:11994/exchange
>>
>> The following error was encountered:
>>
>> Unable to forward this request at this time.
>> This request could not be forwarded to the origin server or to any parent >caches. The most likely cause for this error is that:
>
>> The cache administrator does not allow this cache to make direct >connections to origin servers, and
>> All configured parent caches are currently unreachable.
>> Your cache administrator is webmaster.
>> --------------------------------------------------------------------------------
>>
>> Generated Fri, 09 Nov 2007 17:20:00 GMT by office-pc39.local.company.com (squid/2.6.STABLE16)

I have a feeling we say you a while earlier. yes?

Does the OWA server really respond to "office-pc39:11994/exchange" normally?

>
> The html test site is located on the same machine as the OWA server.
>
> My current squid.conf:
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl Safe_ports port 11994
> acl CONNECT method CONNECT
... none of which are used for anything. nice.

> http_access allow all

You have an open proxy. Yaya! free internet for the world.

> http_port 11994 transparent
> cache_peer 300.200.80.254 parent 80 0 default
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> access_log c:/squid/var/logs/access.log squid
> coredump_dir c:/squid/var/cache
>
> ---END of squid.conf
>
> Does anyone have an idea why this works with normal html, but not with the OWA server?

M$ don't like the color black?

Oh well, you need:

- acl + http_access to block world requesting external websites,
restricting it to the ones you are providing, and/or to internal users only.

  - acl + cache_peer_access to restrict the requests going to the OWA
server to ones it knows about and can handle.

  - defaultsite on the http_port to fix from all the broken clients out
there.

  - check squid is the one listening on the domain OWA is being
provided. OWA server only need to know what the domain is, to be
resolved from it.

Amos
Received on Fri Nov 09 2007 - 18:48:41 MST

This archive was generated by hypermail pre-2.1.9 : Sat Dec 01 2007 - 12:00:02 MST