[squid-users] Squid Reverse Proxy to Exchange 2010 OWA

Amos Jeffries squid3 at treenet.co.nz
Wed Mar 11 23:54:05 UTC 2015


On 12/03/2015 11:15 a.m., Alex Samad wrote:
> I have to admit this was built from a lot of googling for a working config.
> 
> 
> On 11 March 2015 at 19:09, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>> On 11/03/2015 7:16 p.m., Alex Samad wrote:
> [snip]
>>> # List of acceptable URLs to send to the Exchange server
>>> acl exch_url url_regex -i <o>/exchange
>>> acl exch_url url_regex -i <o>/exchweb
>>> acl exch_url url_regex -i <o>/public
>>> acl exch_url url_regex -i <o>/owa
>>> acl exch_url url_regex -i <o>/ecp
>>> acl exch_url url_regex -i <o>/microsoft-server-activesync
>>> acl exch_url url_regex -i <o>/rpc
>>> acl exch_url url_regex -i <o>/rpcwithcert
>>> acl exch_url url_regex -i <o>/exadmin
>>> acl exch_url url_regex -i <o>/oab
>>
>> I suggest you replace the above with ACLs:
>>
>>  acl exch_domain dstdomain <o>
>>  acl exch_path urlpath_regex -i /exch(ange|web)
>>  acl exch_path urlpath_regex -i /public
>>  acl exch_path urlpath_regex -i /owa
>>  ...
> I presume you ... means the other paths

Yes.

> 
> and this is for speed ?

Yes, and safety: it prevents matching against other non-path parts of the URL.

I forgot to start the paths with "^" characters in the above to make
sure they match only at the beginning of the path.

> 
>>
> [snip]
> 
>>> # Logging Configuration
>>> redirect_rewrites_host_header off
>>
>> That's begging for abuse of the security hole it opens. If you can
>> operate without that setting please do so.
> I believe (and it's been a while) that it was needed for Exchange; I can
> find some time and retest.
> 
>> NOTE: it's not optional. You have disabled most of the HTTP features
>> which use the Squid hostname, but not all of them can be.
>>  For example "via off" contradicts this comment, by NOT adding Squid to
>> the relay path (Via header).
>>
>>
>>> visible_hostname <o>
>>> deny_info TCP_RESET all
>>>
>>> # ACL - required to allow
>>> #acl all src ALL
>>>
>>> # Allow everyone through, internal and external connections
>>> http_access allow all
>>> miss_access allow all
>>>
>>> icp_port 0
>>> snmp_port 0
>>>
>>> via off
> so you would suggest
> visible_hostname <o>
> and no via off ?

Yes if you can. It is more HTTP compliant and helps detect some
potential nasty attacks.

Amos
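Added illustration, not part of the thread: a small Python model of the three Squid ACL types under discussion, run over constructed URLs to show why Amos prefers dstdomain plus a "^"-anchored urlpath_regex over an unanchored url_regex. It assumes the redacted host <o> is mail.example.com and that Squid tests urlpath_regex against the path including the query string; it models the matching and is not Squid's own code.

```python
import re
from urllib.parse import urlsplit

# Assumed front-end hostname; the thread redacts the real one as <o>.
EXCH_DOMAIN = "mail.example.com"
# The thread's path list, in the urlpath_regex form Amos proposes.
EXCH_PATHS = ["/exch(ange|web)", "/public", "/owa", "/ecp",
              "/microsoft-server-activesync", "/rpc", "/rpcwithcert",
              "/exadmin", "/oab"]

def url_regex_match(url, patterns):
    """Model of url_regex -i: each pattern is searched in the WHOLE URL."""
    return any(re.search(p, url, re.IGNORECASE) for p in patterns)

def urlpath_regex_match(url, patterns):
    """Model of urlpath_regex -i: searched in the path plus query string
    (assumption: Squid's urlpath includes the '?query' part)."""
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return any(re.search(p, path, re.IGNORECASE) for p in patterns)

def dstdomain_match(url, domain):
    """Model of dstdomain with an exact hostname (no leading-dot wildcard)."""
    return (urlsplit(url).hostname or "").lower() == domain.lower()

def exchange_request(url, anchored=True):
    """Amos's replacement: exch_domain AND exch_path, with the '^' anchors he
    says he forgot. anchored=False reproduces the weaker, unanchored form."""
    pats = [("^" + p) if anchored else p for p in EXCH_PATHS]
    return dstdomain_match(url, EXCH_DOMAIN) and urlpath_regex_match(url, pats)

# Constructed sample requests: two legitimate, three that a substring match
# over the whole URL lets through even though none targets an Exchange path.
SAMPLES = [
    "https://mail.example.com/owa/",
    "https://mail.example.com/ecp/",
    "https://mail.example.com/uploads/owa",      # /owa deep in the path
    "https://mail.example.com/admin?next=/owa",  # /owa only in the query
    "https://other.example.net/owa/",            # right path, wrong host
]

def compare(urls=SAMPLES):
    """Map each URL to (url_regex, unanchored urlpath, dstdomain + ^urlpath)."""
    return {u: (url_regex_match(u, EXCH_PATHS),
                exchange_request(u, anchored=False),
                exchange_request(u)) for u in urls}

for _u, _v in compare().items():
    print(f"{_u:44} url_regex={_v[0]!s:5} path={_v[1]!s:5} domain+^path={_v[2]}")
```

Only the last column rejects the three decoy requests; the whole-URL substring match accepts every one of them.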

