RE: [squid-users] Is it possible to have squid as do Proxy and OWA/RPCoHTTPS accelerator?

From: Alan Lehman <alehman_at_gbutler.com>
Date: Sun, 15 Jun 2008 19:46:37 -0500

I am trying to do the same thing. OWA works, but so far no joy with RPCoHTTP. Do I have to do something in OL to make it accept the certificate? The cert's are purchased from godaddy.com. For each, I appended the bundled gd_intermediate to the domain cert.

Also, in the example config for OWA, I am confused by the following:

acl OWA dstdomain owa_hostname
cache_peer_access owa_hostname allow OWA

Doesn't the 2nd line just grant access from owa_hostname to owa_hostname ??

My current config (which works for OWA, but not RPCoHTTP):

extension_methods RPC_IN_DATA RPC_OUT_DATA

https_port public_ip_for_owa:443 cert=/usr/share/ssl/owa/combined.crt key=/usr/share/ssl/owa/owa.key defaultsite=owa.tld.com

https_port public_ip_for_rpc:443 cert=/usr/share/ssl/rpc/combined.crt key=/usr/share/ssl/rpc/rpc.key defaultsite=rpc.tld.com

cache_peer ip_of_exchange parent 80 0 no-query originserver front-end-https=auto login=PASS

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl CONNECT method CONNECT

acl OWA dstdomain owa.tld.com
acl RPC dstdomain rpc.tld.com

http_access allow manager localhost
http_access allow OWA
http_access allow RPC
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost

http_access allow localhost
http_access deny all

http_reply_access allow all
icp_access deny all

miss_access allow OWA
miss_access allow RPC
miss_access deny all

cache_peer_access ip_of_exhcange allow OWA
cache_peer_access ip_of_exhcange allow RPC
cache_peer_access ip_of_exhcange deny all

never_direct allow OWA
never_direct allow RPC

Thanks again,
Alan Lehman

> -----Original Message-----
> From: Odhiambo Washington [mailto:odhiambo_at_gmail.com]
> Sent: Monday, June 02, 2008 11:41 AM
> To: Squid users
> Subject: Re: [squid-users] Is it possible to have squid as do Proxy and
> OWA/RPCoHTTPS accelerator?
>
> On Mon, Jun 2, 2008 at 7:27 PM, Henrik Nordstrom
> <henrik_at_henriknordstrom.net> wrote:
> > On m�n, 2008-06-02 at 13:41 +0300, Odhiambo Washington wrote:
> >> (actually, this is supposed to be the only entry for cache_peer I am
> >> goingto have?)
> >
> > If you only have one server, and that server is only talking http
> then
> > yes there is only a single cache_peer..
>
> Understood.
>
> >> That has worked. It also requied a PEM passphrase. I hope this is
> not
> >> supposed to be another problem. These ssl stuff!
> >
> > You can configure the password in squid.conf if the PEM key is
> > encrypted, or easily decrypt it with the openssl rsa command.
>
> Understood as well.
>
> >> In my case, I don't have a certificate for the external hostname,
> >> which brings me back to the confusing issue regarding the
> certificate:
> >> I can make a self-signed certificate for the external hostname. Not
> a
> >> problem. However, does this mean I really don't need the internal
> >> certifcate Exchange is using?
> >
> > Correct.
>
> Pooh! That was so confusing:-)
>
> >> Suppose:
> >>
> >> My Squid host is publicly known as mail.odhiambo.COM (IP of 1.2.3.4)
> >> My Exchange server is named msexch.msexch.odhiambo.BIZ (IP of
> 192.168.0.26)
> >>
> >> Given that both OWA and RPCoHTTPS are directed at these...
> >>
> >> What values should I use for the following variables (from the
> wiki):
> >>
> >> (a) owa_hostname?
> >
> > In https_port defaultsite you should use mail.odhiambo.COM as this is
> > what the clients are expected to connect to.
> >
> >> (b) ip_of_owa_server?
> >
> > The ip of your exchange/owa server.
> >
> >> (c) rpcohttp.url.com?
> >
> > Ignore. That example uses a setup with more Exchange servers, where
> OWA
> > is running on a separarate server from Exchange.
> >
> >> (d) the_exchange_server?
> >
> > Ignore as above.
> >
> >> >From there, I believe I will only get stuck at the ssl certificates
> >> step, which is where I am still a bit confused.
> >
> > Since you are not going to use a real certificate then issue yourself
> a
> > self-signed one using OpenSSL.
> >
> > openssl req -new -x509 -days 10000 -nodes -out
> mail.odhiambo.COM_selfsigned.pem -keyout mail.odhiambo.COM_key.pem
>
> Everything is all clear now.
>
> Will find good time to test this out and see how well it goes.
>
> Thank you very much, Amos and Henrik! That was quite some
> hand-holding. I really appreciate.
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254733744121/+254722743223
Received on Mon Jun 16 2008 - 00:46:47 MDT

This archive was generated by hypermail 2.2.0 : Mon Jun 16 2008 - 12:00:03 MDT