[squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

Vieri rentorbuy at yahoo.com
Fri Jan 20 09:44:51 UTC 2017





----- Original Message -----
From: Amos Jeffries <squid3 at treenet.co.nz>

> Firstly remove the ssloptions=ALL from your config.
>
> Traffic should be able to go through at that point.

Thanks for the feedback.

I tried it again, but this time with a non-OWA IIS HTTPS server.

Here's the squid.conf:

https_port 10.215.144.91:35443 accel cert=/etc/ssl/squid/cert.cer key=/etc/ssl/squid/key.pem defaultsite=www.mydomain.org

cache_peer 10.215.144.66 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/ssl/squid/client.cer sslkey=/etc/ssl/squid/client_key.pem front-end-https=on name=httpsServer

acl HTTPSACL dstdomain www.mydomain.org
cache_peer_access httpsServer allow HTTPSACL
never_direct allow HTTPSACL

http_access allow HTTPSACL
http_access deny all

And here's the log when trying to connect from a web browser:

2017/01/20 10:31:06.724 kid1| 5,3| comm.cc(553) commSetConnTimeout: local=10.215.144.91:57753 remote=10.215.144.66:443 FD 14 flags=1 timeout 30
2017/01/20 10:31:06.724 kid1| 5,5| ModEpoll.cc(116) SetSelect: FD 14, type=1, handler=1, client_data=0x80cb86e0, timeout=0
2017/01/20 10:31:06.724 kid1| 93,5| AsyncJob.cc(152) callEnd: Ssl::PeerConnector status out: [ FD 14 job16]
2017/01/20 10:31:06.724 kid1| 93,5| AsyncCallQueue.cc(57) fireNext: leaving AsyncJob::start()
2017/01/20 10:31:06.724 kid1| 83,5| bio.cc(118) read: FD 14 read 0 <= 7
2017/01/20 10:31:06.724 kid1| Error negotiating SSL on FD 14: error:00000000:lib(0):func(0):reason(0) (5/0/0)
2017/01/20 10:31:06.724 kid1| TCP connection to 10.215.144.66/443 failed
2017/01/20 10:31:06.724 kid1| 5,5| comm.cc(1038) comm_remove_close_handler: comm_remove_close_handler: FD 14, AsyncCall=0x80cd0ff8*2
2017/01/20 10:31:06.724 kid1| 9,5| AsyncCall.cc(56) cancel: will not call Ssl::PeerConnector::commCloseHandler [call117] because comm_remove_close_handler
2017/01/20 10:31:06.724 kid1| 17,4| AsyncCall.cc(93) ScheduleCall: PeerConnector.cc(742) will call FwdState::ConnectedToPeer(0x80cae868, local=10.215.144.91:57753 remote=10.215.144.66:443 FD 14 flags=1, 0x80cd0ed0/0x80cd0ed0) [call115]
2017/01/20 10:31:06.724 kid1| 93,5| AsyncJob.cc(137) callEnd: Ssl::PeerConnector::negotiateSsl() ends job [ FD 14 job16]
2017/01/20 10:31:06.724 kid1| 83,5| PeerConnector.cc(58) ~PeerConnector: Peer connector 0x80cb86e0 gone
2017/01/20 10:31:06.724 kid1| 93,5| AsyncJob.cc(40) ~AsyncJob: AsyncJob destructed, this=0x80cb8704 type=Ssl::PeerConnector [job16]
2017/01/20 10:31:06.725 kid1| 17,4| AsyncCallQueue.cc(55) fireNext: entering FwdState::ConnectedToPeer(0x80cae868, local=10.215.144.91:57753 remote=10.215.144.66:443 FD 14 flags=1, 0x80cd0ed0/0x80cd0ed0)
2017/01/20 10:31:06.725 kid1| 17,4| AsyncCall.cc(38) make: make call FwdState::ConnectedToPeer [call115]
2017/01/20 10:31:06.725 kid1| 17,3| FwdState.cc(415) fail: ERR_SECURE_CONNECT_FAIL "Service Unavailable"

I'm not getting any useful debug information, at least not any that I can understand.

Maybe I should rebuild Squid?

# squid -v
Squid Cache: Version 3.5.14
Service Name: squid
configure options:  '--prefix=/usr' '--build=i686-pc-linux-gnu' '--host=i686-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--disable-dependency-tracking' '--disable-silent-rules' '--libdir=/usr/lib' '--sysconfdir=/etc/squid' '--libexecdir=/usr/libexec/squid' '--localstatedir=/var' '--with-pidfile=/run/squid.pid' '--datadir=/usr/share/squid' '--with-logdir=/var/log/squid' '--with-default-user=squid' '--enable-removal-policies=lru,heap' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-disk-io' '--enable-auth-basic=MSNT-multi-domain,NCSA,POP3,getpwnam,SMB,LDAP,PAM,RADIUS' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-ntlm=smb_lm' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=file_userip,session,unix_group,wbinfo_group,LDAP_group,eDirectory_userip,kerberos_ldap_group' '--enable-log-daemon-helpers' '--enable-url-rewrite-helpers' '--enable-cache-digests' '--enable-delay-pools' '--enable-eui' '--enable-icmp' '--enable-follow-x-forwarded-for' '--with-large-files' '--disable-strict-error-checking' '--disable-arch-native' '--with-ltdl-includedir=/usr/include' '--with-ltdl-libdir=/usr/lib' '--with-libcap' '--enable-ipv6' '--disable-snmp' '--with-openssl' '--with-nettle' '--with-gnutls' '--enable-ssl-crtd' '--disable-ecap' '--disable-esi' '--enable-htcp' '--enable-wccp' '--enable-wccpv2' '--enable-linux-netfilter' '--with-mit-krb5' '--without-heimdal-krb5' 'build_alias=i686-pc-linux-gnu' 'host_alias=i686-pc-linux-gnu' 'CC=i686-pc-linux-gnu-gcc' 'CFLAGS=-O2 -march=i686 -pipe' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed' 'CXXFLAGS=-O2 -march=i686 -pipe' 'PKG_CONFIG_PATH=/usr/lib/pkgconfig'

Thanks,

Vieri
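
Added example, not part of the original post and not Squid project code: a small triage script for the log above that decodes the "(5/0/0)" triple on the "Error negotiating SSL" line and checks it against the preceding bio.cc read on the same FD. It assumes the triple is SSL_get_error() code / handshake return value / errno; the function and variable names are hypothetical.

```python
import re

# SSL_get_error() result codes as defined in OpenSSL's ssl.h
SSL_ERRORS = {1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
              3: "SSL_ERROR_WANT_WRITE", 5: "SSL_ERROR_SYSCALL",
              6: "SSL_ERROR_ZERO_RETURN"}

# "Error negotiating SSL on FD N: error:<hex>:... (a/b/c)"
# Assumption: a = SSL_get_error() code, b = handshake return value, c = errno.
NEG_RE = re.compile(r"Error negotiating SSL on FD (\d+): error:([0-9A-Fa-f]+):"
                    r".*\((\d+)/(-?\d+)/(\d+)\)")
# Debug section 83 line: "bio.cc(118) read: FD N read <got> <= <wanted>"
BIO_RE = re.compile(r"bio\.cc\(\d+\) read: FD (\d+) read (-?\d+) <= \d+")


def triage(lines):
    """Return one finding per failed peer handshake found in cache.log lines."""
    last_read = {}   # FD -> byte count returned by the most recent BIO read
    findings = []
    for line in lines:
        bio = BIO_RE.search(line)
        if bio:
            last_read[int(bio.group(1))] = int(bio.group(2))
            continue
        neg = NEG_RE.search(line)
        if not neg:
            continue
        fd, code, errno_ = int(neg.group(1)), int(neg.group(3)), int(neg.group(5))
        queue_empty = int(neg.group(2), 16) == 0
        eof_seen = last_read.get(fd) == 0
        if code == 5 and queue_empty and errno_ == 0:
            verdict = "EOF during handshake: peer closed the connection without a TLS alert"
        elif code == 5:
            verdict = "socket-level failure: look up the errno value"
        elif code == 1:
            verdict = "TLS library error: decode the error:<hex> code"
        else:
            verdict = "other: see the SSL_get_error() documentation"
        findings.append({"fd": fd, "ssl_error": SSL_ERRORS.get(code, str(code)),
                         "eof_seen": eof_seen, "verdict": verdict})
    return findings


# Two lines copied from the log in the post above
SAMPLE = [
    "2017/01/20 10:31:06.724 kid1| 83,5| bio.cc(118) read: FD 14 read 0 <= 7",
    "2017/01/20 10:31:06.724 kid1| Error negotiating SSL on FD 14: "
    "error:00000000:lib(0):func(0):reason(0) (5/0/0)",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
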

