[squid-users] squid reverse proxy (accelerator) for MS Exchange OWA

Vieri rentorbuy at yahoo.com
Tue Jan 24 08:02:05 UTC 2017

----- Original Message -----
From: Amos Jeffries <squid3 at treenet.co.nz>
>
> You could try with a newer Squid version since the bio.cc code might be
> making something else happen in 3.5.23. If that still fails the 4.0 beta
> has different logic and far better debug info in this area.

Hi again,

I'm still struggling with my reverse proxy setup. As stated in my previous post, after upgrading to squid 3.5.23, I successfully connected with a web browser FROM an external location (internet) to the Squid proxy which in turn connected via https on port 443 to an internal MS Exchange OWA server.
Apparently, all I was missing was sslcafile in cache_peer.

However, I'm now trying (but failing) to do the same thing locally. I'm connecting from a web browser in the local network to the Squid reverse proxy and that, in turn, is trying to connect to the OWA server on the same LAN.
I set up the client's hosts file to point webmail2.mydomain.org to Squid's IP address.

Here's squid.conf:

https_port 0.0.0.0:443 accel cert=/etc/ssl/squid/accel_cert.cer key=/etc/ssl/squid/accel_key.pem defaultsite=webmail2.mydomain.org

cache_peer 10.215.144.21 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/ssl/squid/client_cert.cer sslkey=/etc/ssl/squid/client_key.pem sslcafile=/etc/ssl/CA/cacert.pem front-end-https=on name=owaServer

acl OWA dstdomain webmail2.mydomain.org
cache_peer_access owaServer allow OWA
never_direct allow OWA

http_access allow OWA
http_access deny all

Since it didn't work with Squid 3, I updated to the latest Squid 4 version.

I get this in the log when trying to connect: 

2017/01/24 07:58:57.075 kid1| 83,5| bio.cc(116) write: FD 18 wrote 312 <= 312
2017/01/24 07:58:57.075 kid1| 83,5| bio.cc(139) read: FD 18 read -1 <= 65535
2017/01/24 07:58:57.076 kid1| 83,5| bio.cc(144) read: error: 11 ignored: 1
2017/01/24 07:58:57.076 kid1| 5,3| comm.cc(559) commSetConnTimeout: local=10.215.144.92:56236 remote=10.215.144.21:443 FD 18 flags=1 timeout 30
2017/01/24 07:58:57.076 kid1| 5,5| ModEpoll.cc(117) SetSelect: FD 18, type=1, handler=1, client_data=0xb7cf8be8, timeout=0
2017/01/24 07:58:57.076 kid1| 93,5| AsyncJob.cc(154) callEnd: Security::BlindPeerConnector status out: [ FD 18 job60]
2017/01/24 07:58:57.076 kid1| 93,5| AsyncCallQueue.cc(57) fireNext: leaving AsyncJob::start()
2017/01/24 07:58:57.076 kid1| 83,5| bio.cc(139) read: FD 18 read 0 <= 65535
2017/01/24 07:58:57.076 kid1| 83,5| NegotiationHistory.cc(83) retrieveNegotiatedInfo: SSL connection info on FD 18 SSL version NONE/0.0 negotiated cipher
2017/01/24 07:58:57.076 kid1| Error negotiating SSL on FD 18: error:00000000:lib(0):func(0):reason(0) (5/0/0)
2017/01/24 07:58:57.076 kid1| TCP connection to 10.215.144.21/443 failed
2017/01/24 07:58:57.077 kid1| 15,2| neighbors.cc(1246) peerConnectFailedSilent: TCP connection to 10.215.144.21/443 dead

# squid -v
Squid Cache: Version 4.0.17-20170122-r14968
Service Name: squid
configure options:  '--prefix=/usr' '--build=i686-pc-linux-gnu' '--host=i686-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--disable-dependency-tracking' '--disable-silent-rules' '--docdir=/usr/share/doc/squid-4.0.17_beta_p2017012214968' '--htmldir=/usr/share/doc/squid-4.0.17_beta_p2017012214968/html' '--libdir=/usr/lib' '--sysconfdir=/etc/squid' '--libexecdir=/usr/libexec/squid' '--localstatedir=/var' '--with-pidfile=/run/squid.pid' '--datadir=/usr/share/squid' '--with-logdir=/var/log/squid' '--with-default-user=squid' '--enable-removal-policies=lru,heap' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-disk-io' '--enable-auth-basic=NCSA,POP3,getpwnam,SMB,LDAP,PAM,RADIUS' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-ntlm=SMB_LM' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=file_userip,session,unix_group,wbinfo_group,LDAP_group,eDirectory_userip,kerberos_ldap_group' '--enable-log-daemon-helpers' '--enable-url-rewrite-helpers' '--enable-cache-digests' '--enable-delay-pools' '--enable-eui' '--enable-icmp' '--enable-follow-x-forwarded-for' '--with-large-files' '--disable-strict-error-checking' '--disable-arch-native' '--with-ltdl-includedir=/usr/include' '--with-ltdl-libdir=/usr/lib' '--with-libcap' '--enable-ipv6' '--disable-snmp' '--with-openssl' '--with-nettle' '--with-gnutls' '--disable-ssl-crtd' '--disable-ecap' '--disable-esi' '--enable-htcp' '--enable-wccp' '--enable-wccpv2' '--enable-linux-netfilter' '--with-mit-krb5' '--without-heimdal-krb5' 'build_alias=i686-pc-linux-gnu' 'host_alias=i686-pc-linux-gnu' 'CC=i686-pc-linux-gnu-gcc' 'CFLAGS=-O2 -march=i686 -pipe' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed' 'CXXFLAGS=-O2 -march=i686 -pipe' 'PKG_CONFIG_PATH=/usr/lib/pkgconfig'

# openssl version
OpenSSL 1.0.2j  26 Sep 2016

Unfortunately, Squid's or OpenSSL's log message isn't too informative, even in Squid 4.
Also, I'm not sure why the SSL version isn't picked up (NONE/0.0) but I don't think it changes anything.

What else can I try?

Thanks,

Vieri
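A check that reproduces the peer handshake outside Squid, added here as an example (it is not part of the original post and not Squid's own tooling): a POSIX shell script that drives `openssl s_client` with the same client certificate, key and CA file the `cache_peer` line names, and classifies the result. The host, port, SNI name and file paths are the ones from the post; the environment-variable names, the `classify_handshake`/`probe_peer` function names and the outcome tokens are my own.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the Squid-to-origin TLS
# handshake with the openssl CLI, using the same client cert, key and CA file
# that the cache_peer line names, so the failure can be observed outside Squid.
# Host, port, SNI name and paths are taken from the post; override them via
# environment variables when probing a different origin.

PEER_HOST="${PEER_HOST:-10.215.144.21}"
PEER_PORT="${PEER_PORT:-443}"
SNI_NAME="${SNI_NAME:-webmail2.mydomain.org}"
CLIENT_CERT="${CLIENT_CERT:-/etc/ssl/squid/client_cert.cer}"
CLIENT_KEY="${CLIENT_KEY:-/etc/ssl/squid/client_key.pem}"
CA_FILE="${CA_FILE:-/etc/ssl/CA/cacert.pem}"

# classify_handshake reads `openssl s_client` output on stdin and prints one
# token describing the outcome. It is plain text matching, so it can be run
# on captured output with no network. Order matters: s_client prints
# "Verify return code: 0 (ok)" even when no ServerHello ever arrived, so the
# failure patterns are checked before the verify code is trusted.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"connect:errno="*)
            # The TCP connect itself failed (refused, unreachable, filtered).
            echo "tcp-connect-failed" ;;
        *"SSL handshake has read 0 bytes"*)
            # ClientHello was sent and the peer closed without answering: the
            # same shape as Squid's "read 0 ... SSL version NONE/0.0" lines.
            echo "peer-closed-before-serverhello" ;;
        *"sslv3 alert "*|*"tlsv1 alert "*)
            # The peer answered with a TLS alert (handshake failure, protocol
            # version, unknown ca, ...): it rejected what the client offered.
            echo "alert-from-peer" ;;
        *"Cipher is (NONE)"*)
            echo "handshake-failed-other" ;;
        *"Verify return code: 0 (ok)"*)
            echo "ok" ;;
        *"Verify return code:"*)
            # Handshake completed, but the server chain did not validate
            # against CA_FILE (the file cache_peer's sslcafile points at).
            echo "cert-verify-failed" ;;
        *)
            echo "unknown" ;;
    esac
}

# probe_peer runs the real handshake. Drop -servername to see whether the
# origin depends on SNI; add -tls1_2 (or -tls1) to pin the protocol version.
probe_peer() {
    printf 'Q\n' | openssl s_client \
        -connect "$PEER_HOST:$PEER_PORT" \
        -servername "$SNI_NAME" \
        -cert "$CLIENT_CERT" -key "$CLIENT_KEY" \
        -CAfile "$CA_FILE" 2>&1 | classify_handshake
}

# Only touch the network when explicitly asked:  sh probe.sh probe
if [ "${1:-}" = "probe" ]; then
    probe_peer
fi
```

The debug lines quoted above already show the shape to compare against: Squid wrote 312 bytes on FD 18, then the next read returned 0 (EOF) and the negotiated version is reported as NONE/0.0, so the origin accepted the TCP connection and closed it after the ClientHello without sending a ServerHello. If `probe_peer` prints `peer-closed-before-serverhello` with the same parameters, the origin's TLS side is rejecting the offer silently and the next variables to change are the ones the probe exposes (SNI, protocol version, client certificate); if the probe prints `ok`, the difference lies in what Squid sends versus what `s_client` sends, and a packet capture of the two ClientHellos is the quickest way to see it.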
