[squid-users] squid reverse proxy infront of exchange 2010

dweimer dweimer at dweimer.net
Thu Dec 10 12:44:46 UTC 2015


On 2015-12-09 11:29 pm, Alex Samad wrote:
> Hi
> 
> config
> https_port 22.4.2.5:443 accel
> cert=/etc/httpd/conf.d/office.abc.com.crt
> key=/etc/httpd/conf.d/office.abc.com.key defaultsite=office.abc.com
> options=NO_SSLv2,NO_SSLv3
> dhparams=/etc/squid/squid-office-dhparams.pem
> cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
> sslcert=/etc/httpd/conf.d/office.abc.com.crt
> sslkey=/etc/httpd/conf.d/office.abc.com.key name=webServer
> cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
> originserver login=PASS front-end-https=on ssl
> sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.abc.com.crt
> sslkey=/etc/httpd/conf.d/office.abc.com.key name=exchangeServer
> acl exch_domain dstdomain office.abc.com
> acl exch_path urlpath_regex -i /exch(ange|web)
> acl exch_path urlpath_regex -i /public
> acl exch_path urlpath_regex -i /owa
> acl exch_path urlpath_regex -i /ecp
> acl exch_path urlpath_regex -i /microsoft-server-activesync
> acl exch_path urlpath_regex -i /rpc
> acl exch_path urlpath_regex -i /rpcwithcert
> acl exch_path urlpath_regex -i /exadmin
> acl exch_path urlpath_regex -i /ews
> acl exch_path urlpath_regex -i /oab
> acl exch_path urlpath_regex -i /autodiscover
> cache_peer_access exchangeServer allow exch_domain exch_path
> cache_peer_access webServer deny exch_domain exch_path
> never_direct allow exch_domain exch_path
> cache_mem 32 MB
> maximum_object_size_in_memory 128 KB
> access_log stdio:/var/log/squid/office-access.log squid
> cache_log /var/log/squid/office-cache.log
> cache_store_log stdio:/var/log/squid/office-cache_store.log
> pid_filename /var/run/squid-office.pid
> visible_hostname office.abc.com
> deny_info TCP_RESET all
> http_access allow all
> miss_access allow all
> icp_port 0
> snmp_port 0
> 
> 
> 
> cache.log
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process ID 5631
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process Roles: worker
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| With 1024 file descriptors 
> available
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Initializing IP Cache...
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| DNS Socket created at 
> 0.0.0.0, FD 6
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding domain
> yieldbroker.com from /etc/resolv.conf
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
> 10.32.20.100 from /etc/resolv.conf
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
> 10.32.20.102 from /etc/resolv.conf
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
> stdio:/var/log/squid/office-access.log
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Local cache digest enabled;
> rebuild/rewrite every 3600/3600 sec
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
> stdio:/var/log/squid/office-cache_store.log
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Swap maxSize 0 + 32768 KB,
> estimated 2520 objects
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Target number of buckets: 126
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using 8192 Store buckets
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Mem  size: 32768 KB
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Swap size: 0 KB
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using Least Load store dir 
> selection
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Current Directory is 
> /etc/squid
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Finished loading MIME types 
> and icons.
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| HTCP Disabled.
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 
> 127.0.0.1/443/0
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 
> 10.32.69.11/443/0
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Squid plugin modules loaded: 
> 0
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adaptation support is off.
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Accepting reverse-proxy
> HTTPS Socket connections at local=202.74.32.15:443 remote=[::] FD 11
> flags=9
> Jan 01 10:33:35 1970/12/10 16:15:43 kid1| storeLateRelease: released 0 
> objects
> 
> 
> cache log
> Dec 10 16:16:23 2015.225 RELEASE -1 FFFFFFFF
> BE6736C8CD1A74A54575AF9880395D04   ?         ?         ?         ? ?/?
> ?/? ? ?
> Dec 10 16:16:34 2015.287 RELEASE -1 FFFFFFFF
> 78C390A2D412F8E601035A2C1FD771C8   ?         ?         ?         ? ?/?
> ?/? ? ?
> Dec 10 16:16:34 2015.296 RELEASE -1 FFFFFFFF
> A7D8B3751858C54225D29408B56FE42D   ?         ?         ?         ? ?/?
> ?/? ? ?
> Dec 10 16:16:37 2015.863 RELEASE -1 FFFFFFFF
> 35992070307CD15EE743F71344E1C1AE   ?         ?         ?         ? ?/?
> ?/? ? ?
> Dec 10 16:16:37 2015.873 RELEASE -1 FFFFFFFF
> 17EFD3BCAF4265B7CF7803AD0289DD7E   ?         ?         ?         ? ?/?
> ?/? ? ?
> Dec 10 16:16:49 2015.228 RELEASE -1 FFFFFFFF
> 2666EC9714425D57FDC4CD15965D350B   ?         ?         ?         ? ?/?
> ?/? ? ?
> 
> 
> 
> access.logs
> Dec 10 16:17:09 2015.706     13 192.168.56.1 TCP_MISS/200 6578 POST
> https://office.abc.com/ews/exchange.asmx - FIRSTUP_PARENT/10.32.69.11
> text/xml
> Dec 10 16:19:36 2015.447 206818 192.168.56.1 TCP_MISS/200 16532
> RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/10.32.69.11 application/rpc
> Dec 10 16:19:36 2015.449 206862 192.168.56.1 TCP_MISS_ABORTED/502 4493
> RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/10.32.69.11 text/html
> Dec 10 16:19:36 2015.453 207197 192.168.56.1 TCP_MISS_ABORTED/000 0
> RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/10.32.69.11 -
> Dec 10 16:19:36 2015.453 207087 192.168.56.1 TCP_MISS_ABORTED/200
> 48056 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/10.32.69.11 application/rpc
> Dec 10 16:20:07 2015.305  24688 192.168.56.1 TCP_MISS_ABORTED/000 0
> RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/10.32.69.11 -
> Dec 10 16:20:07 2015.306  24654 192.168.56.1 TCP_MISS_ABORTED/200 2004
> RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/10.32.69.11 application/rpc
> 
> 
> This is when I try to send an email with an attachment. An email with
> no attachment goes through no problem...
> 
> 
> this config works with 3.1, not with 3.5 ..
> 
> still on .11 as I can't find centos 6 compile of .12
> 
> I think there is some issue with rpc sending or receiving ..
> 
> On 8 December 2015 at 19:34, Amos Jeffries <squid3 at treenet.co.nz> 
> wrote:
>> On 8/12/2015 7:35 p.m., Alex Samad wrote:
>>> Hi
>>> 
>>> Any suggestions on how to debug this... I wouldn't mind rolling
>>> forward to 3.5 again
>>> 
>> 
>> Some ideas inline. The main ones are:
>> 
>> * re-enable cache.log. It is not optional.
>> 
>> * try an upgrade to 3.5.12. There were some regressions in the .10/.11
>> releases that can lead to really weird behaviour.
>> 
>> 
>>> On 2 December 2015 at 20:39, Alex Samad wrote:
>>>> Just to add to this I have a lot of these in the log file
>>>> 
>>>> TCP_MISS_ABORTED/000 0 RPC_IN_DATA
>>>> TCP_MISS_ABORTED/200 4322 RPC_OUT_DATA
>>>> TCP_MISS_ABORTED/000 0 RPC_IN_DATA https:
>>>> 
>>>> 
>>>> 
>>>> On 2 December 2015 at 17:24, Alex Samad wrote:
>>>>> Hi
>>>>> 
>>>>> recently upgraded to squid-3.5.11-1.el6.x86_64 from the centos 6.7  
>>>>> squid 3.1
>>>>> 
>>>>> 
>>>>> I am now having problems with people who use ActiveSync via this
>>>>> connection. Seems like emails with attachments aren't making it
>>>>> through.
>>>>> 
>>>>> cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
>>>>> originserver login=PASS front-end-https=on ssl
>>>>> sslflags=DONT_VERIFY_PEER 
>>>>> sslcert=/etc/httpd/conf.d/office.yx.com.crt
>>>>> sslkey=/etc/httpd/conf.d/office.yx.com.key name=exchangeServer
>> 
>> You could try changing these from login=PASS to login=PASSTHRU
>> 
>>>>> 
>>>>> 
>>>>> cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
>>>>> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
>>>>> sslcert=/etc/httpd/conf.d/office.yx.com.crt
>>>>> sslkey=/etc/httpd/conf.d/office.yx.com.key name=webServer
>>>>> c
>>>>> 
>>>>> # List of acceptable URLs to send to the Exchange server
>>>>> acl exch_url url_regex -i office.yieldbroker.com/exchange
>>>>> acl exch_url url_regex -i office.yieldbroker.com/exchweb
>>>>> acl exch_url url_regex -i office.yieldbroker.com/public
>>>>> acl exch_url url_regex -i office.yieldbroker.com/owa
>>>>> acl exch_url url_regex -i office.yieldbroker.com/ecp
>>>>> acl exch_url url_regex -i 
>>>>> office.yieldbroker.com/microsoft-server-activesync
>>>>> acl exch_url url_regex -i office.yieldbroker.com/rpc
>>>>> acl exch_url url_regex -i office.yieldbroker.com/rpcwithcert
>>>>> acl exch_url url_regex -i office.yieldbroker.com/exadmin
>>>>> acl exch_url url_regex -i office.yieldbroker.com/oab
>>>>> # added after
>>>>> acl exch_url url_regex -i office.yieldbroker.com/ews
>>>>> # Not configured on exchange 2010
>>>>> #acl exch_url url_regex -i office.yieldbroker.com/autodiscover
>>>>> 
>>>>> # Send the Exchange URLs to the Exchange server
>>>>> cache_peer_access exchangeServer allow exch_url
>>>>> 
>>>>> # Send everything else to the Apache
>>>>> cache_peer_access webServer deny exch_url
>>>>> 
>>>>> # This is to protect Squid
>>>>> never_direct allow exch_url
>>>>> 
>>>>> # Logging Configuration
>>>>> redirect_rewrites_host_header off
>>>>> cache_mem 32 MB
>>>>> maximum_object_size_in_memory 128 KB
>>>>> cache_log none
>> 
>> You should re-enable cache.log and fix any of the issues that are 
>> logged
>> there.
>> 
>> 
>>>>> cache_store_log none
>>>>> 
>>>>> access_log stdio:/var/log/squid/office-access.log squid
>>>>> #access_log none
>>>>> cache_log /var/log/squid/office-cache.log
>>>>> #cache_log none
>>>>> pid_filename /var/run/squid-office.pid
>>>>> 
>>>>> 
>>>>> # Set the hostname so that we can see Squid in the path (Optional)
>>>>> visible_hostname yieldbroker.com
>>>>> deny_info TCP_RESET all
>> 
>> This could lead to strange behaviour. Particularly since "deny all" is
>> not being used in your http_access rules ...
>> 
>> 
>>>>> 
>>>>> # Allow everyone through, internal and external connections
>>>>> http_access allow all
>>>>> miss_access allow all
>>>>> 
>>>>> icp_port 0
>>>>> snmp_port 0
>>>>> 
>>>>> via off
>>>>> 
>>>>> 
>>>>> The previous setup had worked for at least 18 months.
>>>>> 
>>>>> Alex

On our reverse proxy I ran into an issue uploading attachments to the 
Exchange back end a while back; it turned out the solution was to lock it 
down so that the proxy only used SSL version 3 to connect to the 
Exchange server. This however did recently break after a Windows update 
in November. Further investigation led to the particular cipher that 
was in use. After discovering this I was able to use the same cipher 
with TLSv1.0.

Currently I am using TLSv1.0 with RC4-SHA cipher to talk to the Exchange 
server.

cache_peer 10.20.10.161 parent 443 0 ssl no-query proxy-only no-digest originserver \
  name=owa2010_parent sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER \
  login=PASSTHRU front-end-https=on connection-auth=on sslcipher=RC4-SHA sslversion=4

I am am not, however, locking down the incoming connections to this setting; 
I am using the following for the https_port setting. This does pass PCI 
scans, in case anyone is wondering about the choice of cipher options, 
and you will notice that the RC4 used to send traffic between the proxy and 
Exchange is disabled there, as it doesn't meet current requirements.

https_port 10.50.20.12:443 accel defaultsite=mail.mydomain.com \
  cert=/certs/wildcard.certificate.crt \
  key=/certs/wildcard.certificate.key \
  options=NO_SSLv2:NO_SSLv3:NO_TLSv1:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
  dhparams=/usr/local/etc/squid/dh.param \
  cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 \
  vhost


-- 
Thanks,
    Dean E. Weimer
    http://www.dweimer.net/
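An added configuration check, not part of Dean's or Alex's messages, that reads cache_peer lines from a squid.conf and flags the proxy-to-Exchange TLS settings discussed in this thread: sslflags=DONT_VERIFY_PEER (origin certificate never validated), an enabled RC4 suite, and an sslversion= pin to SSLv2/SSLv3/TLSv1.0 (the Squid 3.x numbering, where 4 means TLSv1.0). The sample config is constructed from the peer lines above; the webServer peer is rewritten with sslcapath and sslversion=6 as a hardened comparison, and all addresses and paths are placeholders.

```python
import re

# cache_peer sslversion= numbers as documented for Squid 3.x
SSLVERSION = {"1": "automatic", "2": "SSLv2", "3": "SSLv3",
              "4": "TLSv1.0", "5": "TLSv1.1", "6": "TLSv1.2"}

# Constructed sample: the peer definitions from this thread as they would
# appear in squid.conf (addresses and paths are placeholders).
SAMPLE_CONF = r"""
cache_peer 10.20.10.161 parent 443 0 ssl no-query proxy-only no-digest originserver \
  name=owa2010_parent sslcapath=/usr/local/share/certs sslflags=DONT_VERIFY_PEER \
  login=PASSTHRU front-end-https=on connection-auth=on sslcipher=RC4-SHA sslversion=4
cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest originserver \
  login=PASS front-end-https=on ssl sslflags=DONT_VERIFY_PEER name=exchangeServer
cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest originserver \
  login=PASS ssl sslcapath=/etc/ssl/certs sslversion=6 name=webServer
"""

def logical_lines(text):
    """Join backslash-continued squid.conf lines and drop blanks and comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf = (buf + line).strip()
        if buf and not buf.startswith("#"):
            out.append(buf)
        buf = ""
    return out

def audit_peer_tls(conf):
    """Return (peer_name, finding) pairs for ssl cache_peer lines whose TLS
    settings weaken the proxy-to-origin hop."""
    findings = []
    for line in logical_lines(conf):
        parts = line.split()
        if len(parts) < 2 or parts[0] != "cache_peer" or "ssl" not in parts:
            continue
        opts = dict(p.split("=", 1) for p in parts if "=" in p)
        name = opts.get("name", parts[1])
        if "DONT_VERIFY_PEER" in opts.get("sslflags", ""):
            findings.append((name, "origin certificate not verified (DONT_VERIFY_PEER)"))
        # match RC4 suites that are enabled, not the '!RC4' exclusion form
        if re.search(r"(^|:)RC4", opts.get("sslcipher", "")):
            findings.append((name, "RC4 cipher suite enabled"))
        ver = SSLVERSION.get(opts.get("sslversion", "1"), "unknown")
        if ver in ("SSLv2", "SSLv3", "TLSv1.0"):
            findings.append((name, f"peer connection pinned to {ver}"))
    return findings

if __name__ == "__main__":
    for peer, msg in audit_peer_tls(SAMPLE_CONF):
        print(f"{peer}: {msg}")
```

Run against a real squid.conf the same way; the webServer peer in the sample produces no findings, which is the shape a hardened peer line should take.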