[squid-users] squid reverse proxy infront of exchange 2010

Alex Samad alex at samad.com.au
Thu Dec 10 05:29:25 UTC 2015


Hi

Config:
# Reverse-proxy (accel) HTTPS listener. SSLv2/SSLv3 are disabled via
# options= and a dedicated DH parameter file is supplied.
# NOTE(review): the cipher= list still admits the 3DES suite DES-CBC3-SHA and
# the broad AES/CAMELLIA aliases after the AEAD suites at the front; trimming
# it to the ECDHE/DHE GCM suites would be stricter -- confirm the Outlook and
# ActiveSync clients in use still negotiate before doing so.
https_port 22.4.2.5:443 accel
cert=/etc/httpd/conf.d/office.abc.com.crt
key=/etc/httpd/conf.d/office.abc.com.key defaultsite=office.abc.com
options=NO_SSLv2,NO_SSLv3
dhparams=/etc/squid/squid-office-dhparams.pem
cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
# Parent peers. sslflags=DONT_VERIFY_PEER means Squid does not validate the
# certificate either origin presents; the sslcert=/sslkey= pair here is a
# client certificate offered to the peer, not the listener's own.
# NOTE(review): for the 10.32.69.11 peer this forgoes authenticating the
# Exchange host over the internal network; pointing sslcafile= at the CA that
# issued its certificate and dropping DONT_VERIFY_PEER would close that --
# assumes the Exchange certificate is CA-issued, confirm. login=PASS relays
# the client's login details to the peer; the reply quoted below suggests
# trying login=PASSTHRU instead.
cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
sslcert=/etc/httpd/conf.d/office.abc.com.crt
sslkey=/etc/httpd/conf.d/office.abc.com.key name=webServer
# front-end-https=on is set only on this (Exchange) peer.
cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
originserver login=PASS front-end-https=on ssl
sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.abc.com.crt
sslkey=/etc/httpd/conf.d/office.abc.com.key name=exchangeServer
# Routing ACLs. exch_path uses urlpath_regex, an unanchored, case-insensitive
# (-i) match on the URL path: /rpc therefore already covers /rpcwithcert, and
# a pattern such as /public matches that string anywhere in the path, not only
# as the first segment. Anchor with ^ if only leading segments should be
# routed to Exchange.
acl exch_domain dstdomain office.abc.com
acl exch_path urlpath_regex -i /exch(ange|web)
acl exch_path urlpath_regex -i /public
acl exch_path urlpath_regex -i /owa
acl exch_path urlpath_regex -i /ecp
acl exch_path urlpath_regex -i /microsoft-server-activesync
acl exch_path urlpath_regex -i /rpc
acl exch_path urlpath_regex -i /rpcwithcert
acl exch_path urlpath_regex -i /exadmin
acl exch_path urlpath_regex -i /ews
acl exch_path urlpath_regex -i /oab
acl exch_path urlpath_regex -i /autodiscover
# Requests matching both the accel domain and an Exchange path go to the
# Exchange peer and are denied to the Apache peer; never_direct keeps them
# from being fetched from the origin directly. Anything else is eligible for
# webServer.
cache_peer_access exchangeServer allow exch_domain exch_path
cache_peer_access webServer deny exch_domain exch_path
never_direct allow exch_domain exch_path
# Memory-only cache sizing (both peers are proxy-only).
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
# Logging; cache.log is enabled here, as the quoted reply asks for.
access_log stdio:/var/log/squid/office-access.log squid
cache_log /var/log/squid/office-cache.log
cache_store_log stdio:/var/log/squid/office-cache_store.log
pid_filename /var/run/squid-office.pid
visible_hostname office.abc.com
# Access control.
# NOTE(review): http_access allow all with no trailing deny means every client
# that reaches the listener is forwarded, including requests for hosts other
# than office.abc.com. `http_access allow exch_domain` followed by
# `http_access deny all` would confine the accelerator to its intended site.
# The reply quoted below also flags deny_info TCP_RESET all as a source of
# odd behaviour when combined with these rules.
deny_info TCP_RESET all
http_access allow all
miss_access allow all
icp_port 0
snmp_port 0



cache.log
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process ID 5631
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process Roles: worker
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| With 1024 file descriptors available
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Initializing IP Cache...
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| DNS Socket created at 0.0.0.0, FD 6
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding domain
yieldbroker.com from /etc/resolv.conf
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
10.32.20.100 from /etc/resolv.conf
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
10.32.20.102 from /etc/resolv.conf
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
stdio:/var/log/squid/office-access.log
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Local cache digest enabled;
rebuild/rewrite every 3600/3600 sec
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
stdio:/var/log/squid/office-cache_store.log
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Swap maxSize 0 + 32768 KB,
estimated 2520 objects
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Target number of buckets: 126
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using 8192 Store buckets
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Mem  size: 32768 KB
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Swap size: 0 KB
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using Least Load store dir selection
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Current Directory is /etc/squid
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Finished loading MIME types and icons.
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| HTCP Disabled.
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 127.0.0.1/443/0
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 10.32.69.11/443/0
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Squid plugin modules loaded: 0
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adaptation support is off.
Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Accepting reverse-proxy
HTTPS Socket connections at local=202.74.32.15:443 remote=[::] FD 11
flags=9
Jan 01 10:33:35 1970/12/10 16:15:43 kid1| storeLateRelease: released 0 objects


cache log
Dec 10 16:16:23 2015.225 RELEASE -1 FFFFFFFF
BE6736C8CD1A74A54575AF9880395D04   ?         ?         ?         ? ?/?
?/? ? ?
Dec 10 16:16:34 2015.287 RELEASE -1 FFFFFFFF
78C390A2D412F8E601035A2C1FD771C8   ?         ?         ?         ? ?/?
?/? ? ?
Dec 10 16:16:34 2015.296 RELEASE -1 FFFFFFFF
A7D8B3751858C54225D29408B56FE42D   ?         ?         ?         ? ?/?
?/? ? ?
Dec 10 16:16:37 2015.863 RELEASE -1 FFFFFFFF
35992070307CD15EE743F71344E1C1AE   ?         ?         ?         ? ?/?
?/? ? ?
Dec 10 16:16:37 2015.873 RELEASE -1 FFFFFFFF
17EFD3BCAF4265B7CF7803AD0289DD7E   ?         ?         ?         ? ?/?
?/? ? ?
Dec 10 16:16:49 2015.228 RELEASE -1 FFFFFFFF
2666EC9714425D57FDC4CD15965D350B   ?         ?         ?         ? ?/?
?/? ? ?



access.log:
Dec 10 16:17:09 2015.706     13 192.168.56.1 TCP_MISS/200 6578 POST
https://office.abc.com/ews/exchange.asmx - FIRSTUP_PARENT/10.32.69.11
text/xml
Dec 10 16:19:36 2015.447 206818 192.168.56.1 TCP_MISS/200 16532
RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? -
FIRSTUP_PARENT/10.32.69.11 application/rpc
Dec 10 16:19:36 2015.449 206862 192.168.56.1 TCP_MISS_ABORTED/502 4493
RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? -
FIRSTUP_PARENT/10.32.69.11 text/html
Dec 10 16:19:36 2015.453 207197 192.168.56.1 TCP_MISS_ABORTED/000 0
RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? -
FIRSTUP_PARENT/10.32.69.11 -
Dec 10 16:19:36 2015.453 207087 192.168.56.1 TCP_MISS_ABORTED/200
48056 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? -
FIRSTUP_PARENT/10.32.69.11 application/rpc
Dec 10 16:20:07 2015.305  24688 192.168.56.1 TCP_MISS_ABORTED/000 0
RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? -
FIRSTUP_PARENT/10.32.69.11 -
Dec 10 16:20:07 2015.306  24654 192.168.56.1 TCP_MISS_ABORTED/200 2004
RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? -
FIRSTUP_PARENT/10.32.69.11 application/rpc


This happens when I try to send an email with an attachment. An email with
no attachment goes through with no problem.


This config works with 3.1, but not with 3.5.

Still on .11, as I can't find a CentOS 6 build of .12.

I think there is some issue with RPC sending or receiving.

On 8 December 2015 at 19:34, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 8/12/2015 7:35 p.m., Alex Samad wrote:
>> Hi
>>
>> Any suggestions on how to debug this... I wouldn't mind rolling
>> forward to 3.5 again
>>
>
> Some ideas inline. The main ones are:
>
> * re-enable cache.log. It is not optional.
>
> * try an upgrade to 3.5.12. There were some regressions in the .10/.11
> releases that can lead to really weird behaviour.
>
>
>> On 2 December 2015 at 20:39, Alex Samad wrote:
>>> Just to add to this I have a lot of these in the log file
>>>
>>> TCP_MISS_ABORTED/000 0 RPC_IN_DATA
>>> TCP_MISS_ABORTED/200 4322 RPC_OUT_DATA
>>> TCP_MISS_ABORTED/000 0 RPC_IN_DATA https:
>>>
>>>
>>>
>>> On 2 December 2015 at 17:24, Alex Samad wrote:
>>>> Hi
>>>>
>>>> recently upgraded to squid-3.5.11-1.el6.x86_64 from the centos 6.7  squid 3.1
>>>>
>>>>
>>>> I am now having problems with people who use ActiveSync via this
>>>> connection. It seems like emails with attachments aren't making it
>>>> through.
>>>>
>>>> cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
>>>> originserver login=PASS front-end-https=on ssl
>>>> sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.yx.com.crt
>>>> sslkey=/etc/httpd/conf.d/office.yx.com.key name=exchangeServer
>
> You could try changing these from login=PASS to login=PASSTHRU
>
>>>>
>>>>
>>>> cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
>>>> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
>>>> sslcert=/etc/httpd/conf.d/office.yx.com.crt
>>>> sslkey=/etc/httpd/conf.d/office.yx.com.key name=webServer
>>>> c
>>>>
>>>> # List of acceptable URLs to send to the Exchange server
>>>> acl exch_url url_regex -i office.yieldbroker.com/exchange
>>>> acl exch_url url_regex -i office.yieldbroker.com/exchweb
>>>> acl exch_url url_regex -i office.yieldbroker.com/public
>>>> acl exch_url url_regex -i office.yieldbroker.com/owa
>>>> acl exch_url url_regex -i office.yieldbroker.com/ecp
>>>> acl exch_url url_regex -i office.yieldbroker.com/microsoft-server-activesync
>>>> acl exch_url url_regex -i office.yieldbroker.com/rpc
>>>> acl exch_url url_regex -i office.yieldbroker.com/rpcwithcert
>>>> acl exch_url url_regex -i office.yieldbroker.com/exadmin
>>>> acl exch_url url_regex -i office.yieldbroker.com/oab
>>>> # added after
>>>> acl exch_url url_regex -i office.yieldbroker.com/ews
>>>> # Not configured on exchange 2010
>>>> #acl exch_url url_regex -i office.yieldbroker.com/autodiscover
>>>>
>>>> # Send the Exchange URLs to the Exchange server
>>>> cache_peer_access exchangeServer allow exch_url
>>>>
>>>> # Send everything else to the Apache
>>>> cache_peer_access webServer deny exch_url
>>>>
>>>> # This is to protect Squid
>>>> never_direct allow exch_url
>>>>
>>>> # Logging Configuration
>>>> redirect_rewrites_host_header off
>>>> cache_mem 32 MB
>>>> maximum_object_size_in_memory 128 KB
>>>> cache_log none
>
> You should re-enable cache.log and fix any of the issues that are logged
> there.
>
>
>>>> cache_store_log none
>>>>
>>>> access_log stdio:/var/log/squid/office-access.log squid
>>>> #access_log none
>>>> cache_log /var/log/squid/office-cache.log
>>>> #cache_log none
>>>> pid_filename /var/run/squid-office.pid
>>>>
>>>>
>>>> # Set the hostname so that we can see Squid in the path (Optional)
>>>> visible_hostname yieldbroker.com
>>>> deny_info TCP_RESET all
>
> This could lead to strange behaviour. Particularly since "deny all" is
> not being used in your http_access rules ...
>
>
>>>>
>>>> # Allow everyone through, internal and external connections
>>>> http_access allow all
>>>> miss_access allow all
>>>>
>>>> icp_port 0
>>>> snmp_port 0
>>>>
>>>> via off
>>>>
>>>>
>>>> The previous setup had worked for at least 18 months.
>>>>
>>>> Alex
>

