[squid-users] squid reverse proxy (accelerator) for MS Exchange OWA
Vieri
rentorbuy at yahoo.com
Fri Jan 20 00:03:59 UTC 2017
Hi,
I'm trying to set up Squid as a reverse proxy on a host with IP address 10.215.144.91 so that web browsers can connect to it on port 443 and request pages from an OWA server at 10.215.144.21:443.
I have this in my squid.conf:
https_port 10.215.144.91:443 accel cert=/etc/ssl/squid/owa_cert.cer key=/etc/ssl/squid/owa_key.pem defaultsite=webmail2.mydomain.org
cache_peer 10.215.144.21 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/ssl/squid/client.cer sslkey=/etc/ssl/squid/client_key.pem ssloptions=ALL sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=owaServer
# cache_peer 10.215.144.21 parent 80 0 no-query originserver login=PASS front-end-https=on name=owaServer
acl OWA dstdomain webmail2.mydomain.org
cache_peer_access owaServer allow OWA
never_direct allow OWA
http_access allow OWA
http_access deny all
miss_access allow OWA
miss_access deny all
Note that if I comment out the "cache_peer parent 443" line above and uncomment the "cache_peer parent 80" line then the web browser client successfully connects and can view the OWA pages after logging in.
However, the connection fails if I use 443 between squid at 10.215.144.91 and the OWA backend at 10.215.144.21. The client views a Squid error page with an SSL handshake error.
Here's the cache log when I try to connect with a client:
2017/01/20 00:10:42.284 kid1| Error negotiating SSL on FD 16: error:00000000:lib(0):func(0):reason(0) (5/0/0)
2017/01/20 00:10:42.284 kid1| TCP connection to 10.215.144.21/443 failed
2017/01/20 00:10:42.285 kid1| 5,5| comm.cc(1038) comm_remove_close_handler: comm_remove_close_handler: FD 16, AsyncCall=0x80d93a00*2
2017/01/20 00:10:42.285 kid1| 9,5| AsyncCall.cc(56) cancel: will not call Ssl::PeerConnector::commCloseHandler [call453] because comm_remove_close_handler
2017/01/20 00:10:42.285 kid1| 17,4| AsyncCall.cc(93) ScheduleCall: PeerConnector.cc(742) will call FwdState::ConnectedToPeer(0x80d8b9f0, local=10.215.144.91:55948 remote=10.215.144.21:443 FD 16 flags=1, 0x809d49a0/0x809d49a0) [call451]
2017/01/20 00:10:42.285 kid1| 93,5| AsyncJob.cc(137) callEnd: Ssl::PeerConnector::negotiateSsl() ends job [ FD 16 job42]
2017/01/20 00:10:42.285 kid1| 83,5| PeerConnector.cc(58) ~PeerConnector: Peer connector 0x80d8b590 gone
2017/01/20 00:10:42.285 kid1| 93,5| AsyncJob.cc(40) ~AsyncJob: AsyncJob destructed, this=0x80d8b5b4 type=Ssl::PeerConnector [job42]
2017/01/20 00:10:42.285 kid1| 17,4| AsyncCallQueue.cc(55) fireNext: entering FwdState::ConnectedToPeer(0x80d8b9f0, local=10.215.144.91:55948 remote=10.215.144.21:443 FD 16 flags=1, 0x809d49a0/0x809d49a0)
2017/01/20 00:10:42.285 kid1| 17,4| AsyncCall.cc(38) make: make call FwdState::ConnectedToPeer [call451]
2017/01/20 00:10:42.285 kid1| 17,3| FwdState.cc(415) fail: ERR_SECURE_CONNECT_FAIL "Service Unavailable"
https://webmail2.mydomain.org/Exchange2/
2017/01/20 00:10:42.285 kid1| TCP connection to 10.215.144.21/443 failed
I don't understand the "Service Unavailable" bit above.
I can connect just fine from the command line on the squid server at 10.215.144.91 as you can see below.
# wget --no-check-certificate -O - https://10.215.144.21
--2017-01-20 00:41:10-- https://10.215.144.21/
Connecting to 10.215.144.21:443... connected.
WARNING: cannot verify 10.215.144.21's certificate, issued by '/C=xx/ST=xx/O=xx/OU=xx/CN=xxx/emailAddress=xx at xx.xxx':
Unable to locally verify the issuer's authority.
WARNING: certificate common name 'XYZ' doesn't match requested host name '10.215.144.21'.
HTTP request sent, awaiting response... 200 OK
Length: 1546 (1.5K) [text/html]
What can I try?
Thanks,
Vieri
More information about the squid-users
mailing list