[squid-users] Squid Reverse Proxy to Exchange 2010 OWA

Amos Jeffries squid3 at treenet.co.nz
Wed Mar 11 08:09:10 UTC 2015


On 11/03/2015 7:16 p.m., Alex Samad wrote:
> This is mine against 2008. haven't had any issues with attachments up to 10M
> 
> 

Small audit with things to look at fixing to improve your security when
you have some time.

> cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
> sslcert=/etc/httpd/conf.d/o.crt sslkey=/etc/httpd/conf.d/o.key
> name=webServer
> cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
> originserver login=PASS front-end-https=on ssl
> sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/o.crt
> sslkey=/etc/httpd/conf.d/o.key name=exchangeServer

Please locate the public cert/key for the exchange server's CA, load it
into Squid (aka make Squid trust it) with cacert=X.pem and remove the
"DONT_VERIFY_PEER" debug flag.


> 
> # List of acceptable URLs to send to the Exchange server
> acl exch_url url_regex -i <o>/exchange
> acl exch_url url_regex -i <o>/exchweb
> acl exch_url url_regex -i <o>/public
> acl exch_url url_regex -i <o>/owa
> acl exch_url url_regex -i <o>/ecp
> acl exch_url url_regex -i <o>/microsoft-server-activesync
> acl exch_url url_regex -i <o>/rpc
> acl exch_url url_regex -i <o>/rpcwithcert
> acl exch_url url_regex -i <o>/exadmin
> acl exch_url url_regex -i <o>/oab

I suggest you replace the above with ACLs:

 acl exch_domain dstdomain <o>
 acl exch_path urlpath_regex -i /exch(ange|web)
 acl exch_path urlpath_regex -i /public
 acl exch_path urlpath_regex -i /owa
 ...

If you have a current 3.4+ Squid version:
 acl exch_url allof exch_domain exch_path

otherwise for older Squid replace the various access lines like so:
  cache_peer_access exchangeServer allow exch_domain exch_path


> 
> # Send the Exchange URLs to the Exchange server
> cache_peer_access exchangeServer allow exch_url
> 
> # Send everything else to the Apache
> cache_peer_access webServer deny exch_url
> 
> # This is to protect Squid
> never_direct allow exch_url
> 
> # Logging Configuration
> redirect_rewrites_host_header off

That's begging for abuse of the security hole it opens. If you can
operate without that setting, please do so.


> cache_mem 32 MB
> maximum_object_size_in_memory 128 KB
> cache_log none
> cache_store_log none
> 
> access_log /var/log/squid/office-access.log squid
> #access_log none
> cache_log /var/log/squid/office-cache.log
> #cache_log none
> pid_filename /var/run/squid-office.pid
> 
> 
> # Set the hostname so that we can see Squid in the path (Optional)

NOTE: it's not optional. You have disabled most of the HTTP features
which use the Squid hostname, but not all of them can be.
 For example "via off" contradicts this comment by NOT adding Squid to
the relay path (Via header).


> visible_hostname <o>
> deny_info TCP_RESET all
> 
> # ACL - required to allow
> #acl all src ALL
> 
> # Allow everyone through, internal and external connections
> http_access allow all
> miss_access allow all
> 
> icp_port 0
> snmp_port 0
> 
> via off
> 


Amos
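The quoted configuration with the audit points applied, as an added example that is not part of Amos's reply or Alex's original post: CA-based peer verification instead of DONT_VERIFY_PEER, a dstdomain plus anchored urlpath_regex pair in place of the single url_regex, no "http_access allow all", and Via and Host-header handling left at their defaults. The hostname, internal address and file paths are constructed placeholders, and the cache_peer CA option is written as the Squid 3.x sslcafile= (assumed; Squid 4 renamed it tls-cafile=).

```conf
# Added example (not the thread's own config). owa.example.com, the
# 10.0.0.11 address and all /etc/squid paths are constructed placeholders.

# TLS-terminating accelerator listener (constructed cert/key paths)
https_port 443 accel defaultsite=owa.example.com cert=/etc/squid/owa.crt key=/etc/squid/owa.key

# Peers: verify the origin certificate against the CA that issued the
# Exchange and Apache certificates, instead of sslflags=DONT_VERIFY_PEER.
# sslcafile= is the Squid 3.x option name (assumed; tls-cafile= in Squid 4).
cache_peer 10.0.0.11 parent 443 0 proxy-only no-query no-digest originserver login=PASS front-end-https=on ssl sslcafile=/etc/squid/origin-ca.pem name=exchangeServer
cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest originserver login=PASS ssl sslcafile=/etc/squid/origin-ca.pem name=webServer

# Domain check and anchored path check. Several acl lines with the same
# name are OR-ed; two ACLs on one access line are AND-ed, which gives the
# "exch_domain AND exch_path" match on Squid versions without allof.
acl exch_domain dstdomain owa.example.com
acl exch_path urlpath_regex -i ^/(exchange|exchweb|public|owa|ecp)(/|$)
acl exch_path urlpath_regex -i ^/(microsoft-server-activesync|rpc|rpcwithcert)(/|$)
acl exch_path urlpath_regex -i ^/(exadmin|oab)(/|$)

# Admit only requests for the published site, instead of "allow all".
http_access allow exch_domain
http_access deny all
miss_access allow all

# Exchange paths go to Exchange; everything else for the site goes to
# Apache. Each peer ends with "deny all" so the routing is explicit.
cache_peer_access exchangeServer allow exch_domain exch_path
cache_peer_access exchangeServer deny all
cache_peer_access webServer deny exch_path
cache_peer_access webServer allow exch_domain
cache_peer_access webServer deny all
never_direct allow all

# redirect_rewrites_host_header and via are deliberately NOT set, so both
# keep their default (on) and Squid stays visible in the Via relay path.
visible_hostname owa.example.com
deny_info TCP_RESET all
icp_port 0
snmp_port 0

access_log /var/log/squid/office-access.log squid
cache_log /var/log/squid/office-cache.log
pid_filename /var/run/squid-office.pid
```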


