[squid-users] Exchange OWA 2016 behind squid

Amos Jeffries squid3 at treenet.co.nz
Wed Jul 11 14:04:32 UTC 2018


On 11/07/18 23:50, Mike Surcouf wrote:
> I am sure Amos wont mind me saying but nginx is the right tool for that scenario.

I don't mind the saying, but I disagree. The HTTP behaviour bugs I keep
hearing about NGinX having tend to make other non-Squid proxies /
servers be better when Squid itself is not top of the list.

The only situation I recommend NGinX is when the admin in question
already has a strong preference for using it. eg, being more trouble to
learn something different to solve the problem at hand.



That aside, the trouble with OWA is that it is email / SMTP software
which grew limited HTTP capabilities, and is proprietary so nobody in
our FOSS world actually knows what it is intending to do with its messages
and connections.

Since HTTP and SMTP share message syntax but require very different
behaviour, decrypting the TLS is a bit risky and may break rather badly
if the wrong connection happens to terminate at an HTTP proxy. Bugs and
limitations in the OWA HTTP(S) code make for a rather tricky situation
unless you can see exactly what is going on down to the TCP/IP level
when troubleshooting.



> -----Original Message-----
> From: Pedro Guedes
> 
> Hi
> 
> I have been reading some material on this and
> trying to reverse proxy squid on a different SSL port
> like 2020 and then connect to port 443 on the exchange.
> 
> All the examples follow the configs on the 443 port, same
> on squid and exchange.
> 
> Looks like it is not possible to put squid listening on a different
> port than 443 and then connecting to port 443 on
> exchange.
> 
> Is this true?

No. Squid can easily do that. Just set up the http(s)_port [OWA
client->Squid] and cache_peer [Squid->Exchange/OWA server] directives
however you want. Whether it "works" in the context of what OWA is doing is
the questionable part, and not related to Squid.

The problem is what the OWA server can do, what the client software can
do - and what they tell each other in their messages. All of which has
to cope perfectly with the custom port you told Squid to use. Otherwise
you just see "broken".

 * Absolutely avoid URL-rewrite. This will only break things. Use proper
HTTP redirect if you really have to, and avoid changing anything at the
proxy if you can.

 * Avoid TPROXY and NAT intercept of the traffic. It can be coped with,
but adds MANY problems that are best to avoid here.

 * Be careful of the TLS settings on the proxy. OWA has some odd and
quite Microsoft specific things that it requires, and prefers.


As you found, OWA itself does not permit port changes (easily?). I'm not
sure if it has improved in recent years with the "365" software
conversions; it used to be not possible at all.

HTH
Amos
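For the http(s)_port and cache_peer layout the reply describes (Squid on a non-443 port, Exchange on 443), here is an added illustration in squid.conf form; it is not configuration from the thread or from the Squid project. Squid 4 directive names are assumed, and the hostnames, certificate paths and port 2020 are placeholders.

```conf
# Added example (not from the thread): Squid as a TLS reverse proxy for OWA,
# listening on a non-standard port and peering to Exchange on 443.
# Squid 4 directive names are assumed; hostnames and paths are placeholders.

# Client-facing listener [OWA client -> Squid]: TLS on 2020, accelerator mode.
# defaultsite= is the Host the client is expected to send; vhost keeps it.
https_port 2020 accel vhost defaultsite=owa.example.com \
    tls-cert=/etc/squid/owa-fullchain.pem \
    tls-key=/etc/squid/owa-key.pem \
    tls-min-version=1.2

# Origin peer [Squid -> Exchange/OWA server]: TLS to the real port 443.
# tls-cafile= verifies the Exchange certificate rather than turning
# verification off; tls-domain= is the name checked against that cert.
# front-end-https=on adds the Front-End-Https: On header that OWA looks for.
cache_peer exchange.internal.example.com parent 443 0 no-query originserver \
    name=owa tls tls-cafile=/etc/squid/internal-ca.pem \
    tls-domain=exchange.internal.example.com front-end-https=on

# Route only the OWA host to that peer, and accept only that host.
acl owa_site dstdomain owa.example.com
cache_peer_access owa allow owa_site
cache_peer_access owa deny all
http_access allow owa_site
http_access deny all

# Deliberately no url_rewrite_program and no intercept/tproxy flag on the
# port, per the advice in the reply: the proxy forwards messages unchanged.
# Whatever OWA writes into its own responses (absolute URLs or redirects
# that name port 443) remains a client/server matter, not a Squid one.
```

If the browser ends up at https://owa.example.com/ without the :2020 after a login, the cause is an absolute URL produced by OWA itself, which is the "broken" case the reply warns about.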

