[squid-users] squid reverse proxy infront of exchange 2010

Amos Jeffries squid3 at treenet.co.nz
Tue Dec 8 08:34:10 UTC 2015


On 8/12/2015 7:35 p.m., Alex Samad wrote:
> Hi
> 
> Any suggestions on how to debug this... I wouldn't mind rolling
> forward to 3.5 again
> 

Some ideas inline. The main ones are:

* re-enable cache.log. It is not optional.

* try an upgrade to 3.5.12. There were some regressions in the .10/.11
releases that can lead to really weird behaviour.


> On 2 December 2015 at 20:39, Alex Samad wrote:
>> Just to add to this I have a lot of these in the log file
>>
>> TCP_MISS_ABORTED/000 0 RPC_IN_DATA
>> TCP_MISS_ABORTED/200 4322 RPC_OUT_DATA
>> TCP_MISS_ABORTED/000 0 RPC_IN_DATA https:
>>
>>
>>
>> On 2 December 2015 at 17:24, Alex Samad wrote:
>>> Hi
>>>
>>> recently upgraded to squid-3.5.11-1.el6.x86_64 from the centos 6.7 squid 3.1
>>>
>>>
>>> I am now having problems with people who use active sync via this
>>> connection. Seems like emails with attachments aren't making it
>>> through.
>>>
>>> cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
>>> originserver login=PASS front-end-https=on ssl
>>> sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.yx.com.crt
>>> sslkey=/etc/httpd/conf.d/office.yx.com.key name=exchangeServer

You could try changing these from login=PASS to login=PASSTHRU

>>>
>>>
>>> cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
>>> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
>>> sslcert=/etc/httpd/conf.d/office.yx.com.crt
>>> sslkey=/etc/httpd/conf.d/office.yx.com.key name=webServer
>>> c
>>>
>>> # List of acceptable URLs to send to the Exchange server
>>> acl exch_url url_regex -i office.yieldbroker.com/exchange
>>> acl exch_url url_regex -i office.yieldbroker.com/exchweb
>>> acl exch_url url_regex -i office.yieldbroker.com/public
>>> acl exch_url url_regex -i office.yieldbroker.com/owa
>>> acl exch_url url_regex -i office.yieldbroker.com/ecp
>>> acl exch_url url_regex -i office.yieldbroker.com/microsoft-server-activesync
>>> acl exch_url url_regex -i office.yieldbroker.com/rpc
>>> acl exch_url url_regex -i office.yieldbroker.com/rpcwithcert
>>> acl exch_url url_regex -i office.yieldbroker.com/exadmin
>>> acl exch_url url_regex -i office.yieldbroker.com/oab
>>> # added after
>>> acl exch_url url_regex -i office.yieldbroker.com/ews
>>> # Not configured on exchange 2010
>>> #acl exch_url url_regex -i office.yieldbroker.com/autodiscover
>>>
>>> # Send the Exchange URLs to the Exchange server
>>> cache_peer_access exchangeServer allow exch_url
>>>
>>> # Send everything else to the Apache
>>> cache_peer_access webServer deny exch_url
>>>
>>> # This is to protect Squid
>>> never_direct allow exch_url
>>>
>>> # Logging Configuration
>>> redirect_rewrites_host_header off
>>> cache_mem 32 MB
>>> maximum_object_size_in_memory 128 KB
>>> cache_log none

You should re-enable cache.log and fix any of the issues that are logged
there.


>>> cache_store_log none
>>>
>>> access_log stdio:/var/log/squid/office-access.log squid
>>> #access_log none
>>> cache_log /var/log/squid/office-cache.log
>>> #cache_log none
>>> pid_filename /var/run/squid-office.pid
>>>
>>>
>>> # Set the hostname so that we can see Squid in the path (Optional)
>>> visible_hostname yieldbroker.com
>>> deny_info TCP_RESET all

This could lead to strange behaviour. Particularly since "deny all" is
not being used in your http_access rules ...


>>>
>>> # Allow everyone through, internal and external connections
>>> http_access allow all
>>> miss_access allow all
>>>
>>> icp_port 0
>>> snmp_port 0
>>>
>>> via off
>>>
>>>
>>> The previous setup had worked for at least 18 months.
>>>
>>> Alex
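The points raised in this reply can be checked mechanically against a squid.conf. The script below is an added example, not code from the thread or from the Squid project; the finding codes, the sample config and its placeholder peer address and log path are constructed here. It goes one step beyond the reply by also flagging `sslflags=DONT_VERIFY_PEER`, which turns off verification of the peer's certificate.

```python
import re

# Constructed sample modelled on the directives quoted in the thread; the peer
# address and log path are placeholders, not the poster's values.
SAMPLE_CONF = """\
cache_peer 192.0.2.10 parent 443 0 originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=exchangeServer
cache_log none
#cache_log none
cache_log /var/log/squid/example-cache.log
deny_info TCP_RESET all
http_access allow all
"""


def directives(text):
    """Yield (line_no, name, args) for each active, non-comment line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            yield no, name, args


def review(text):
    """Return (line_no, code, advice) findings; codes are this example's own labels."""
    items = list(directives(text))
    # ACL names that appear in at least one "http_access deny ..." rule.
    denied = {a.lstrip("!") for _, n, args in items
              if n == "http_access" and args[:1] == ["deny"] for a in args[1:]}
    out = []
    for no, name, args in items:
        if name == "cache_peer":
            if "login=PASS" in args:
                out.append((no, "LOGIN_PASS", "try login=PASSTHRU"))
            flags = [f for a in args if a.startswith("sslflags=")
                     for f in re.split(r"[,:]", a.split("=", 1)[1])]
            if "DONT_VERIFY_PEER" in flags:
                out.append((no, "NO_PEER_VERIFY", "peer certificate is not verified"))
        elif name == "cache_log" and args[:1] == ["none"]:
            out.append((no, "CACHE_LOG_OFF", "re-enable cache.log and fix what it reports"))
        elif name == "deny_info" and len(args) >= 2 and args[1] not in denied:
            out.append((no, "DENY_INFO_NO_DENY",
                        f"no http_access deny rule uses ACL '{args[1]}'"))
    return out


if __name__ == "__main__":
    for no, code, advice in review(SAMPLE_CONF):
        print(f"line {no}: {code}: {advice}")
```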