[squid-users] squid reverse proxy infront of exchange 2010
Amos Jeffries
squid3 at treenet.co.nz
Thu Dec 10 08:30:41 UTC 2015
On 10/12/2015 6:29 p.m., Alex Samad wrote:
> Hi
>
> config
> https_port 22.4.2.5:443 accel
> cert=/etc/httpd/conf.d/office.abc.com.crt
> key=/etc/httpd/conf.d/office.abc.com.key defaultsite=office.abc.com
> options=NO_SSLv2,NO_SSLv3
> dhparams=/etc/squid/squid-office-dhparams.pem
> cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
None of those ECDHE entries will work properlyy. Squid does not have the
additional curve name support needed to configure them.
> cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
> sslcert=/etc/httpd/conf.d/office.abc.com.crt
> sslkey=/etc/httpd/conf.d/office.abc.com.key name=webServer
> cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
> originserver login=PASS front-end-https=on ssl
> sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.abc.com.crt
> sslkey=/etc/httpd/conf.d/office.abc.com.key name=exchangeServer
Note that these cache_peer cert details are the "client certificate"
used to 2-way TLS authenticate Squid with the Office server.
I doubt the same certificate used on the https_port will work as both
server and client certificate. Perhapse that is why the verification has
to be fully disabled.
> acl exch_domain dstdomain office.abc.com
> acl exch_path urlpath_regex -i /exch(ange|web)
> acl exch_path urlpath_regex -i /public
> acl exch_path urlpath_regex -i /owa
> acl exch_path urlpath_regex -i /ecp
> acl exch_path urlpath_regex -i /microsoft-server-activesync
> acl exch_path urlpath_regex -i /rpc
> acl exch_path urlpath_regex -i /rpcwithcert
> acl exch_path urlpath_regex -i /exadmin
> acl exch_path urlpath_regex -i /ews
> acl exch_path urlpath_regex -i /oab
> acl exch_path urlpath_regex -i /autodiscover
> cache_peer_access exchangeServer allow exch_domain exch_path
> cache_peer_access webServer deny exch_domain exch_path
> never_direct allow exch_domain exch_path
> cache_mem 32 MB
> maximum_object_size_in_memory 128 KB
> access_log stdio:/var/log/squid/office-access.log squid
> cache_log /var/log/squid/office-cache.log
> cache_store_log stdio:/var/log/squid/office-cache_store.log
> pid_filename /var/run/squid-office.pid
> visible_hostname office.abc.com
> deny_info TCP_RESET all
> http_access allow all
> miss_access allow all
> icp_port 0
> snmp_port 0
>
>
>
> cache.log
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process ID 5631
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process Roles: worker
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| With 1024 file descriptors available
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Initializing IP Cache...
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| DNS Socket created at 0.0.0.0, FD 6
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding domain
> yieldbroker.com from /etc/resolv.conf
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
> 10.32.20.100 from /etc/resolv.conf
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
> 10.32.20.102 from /etc/resolv.conf
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
> stdio:/var/log/squid/office-access.log
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Local cache digest enabled;
> rebuild/rewrite every 3600/3600 sec
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
> stdio:/var/log/squid/office-cache_store.log
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Swap maxSize 0 + 32768 KB,
> estimated 2520 objects
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Target number of buckets: 126
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using 8192 Store buckets
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Mem size: 32768 KB
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Swap size: 0 KB
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using Least Load store dir selection
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Current Directory is /etc/squid
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Finished loading MIME types and icons.
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| HTCP Disabled.
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 127.0.0.1/443/0
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent 10.32.69.11/443/0
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Squid plugin modules loaded: 0
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adaptation support is off.
> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Accepting reverse-proxy
> HTTPS Socket connections at local=202.74.32.15:443 remote=[::] FD 11
> flags=9
> Jan 01 10:33:35 1970/12/10 16:15:43 kid1| storeLateRelease: released 0 objects
>
>
> cache log
> Dec 10 16:16:23 2015.225 RELEASE -1 FFFFFFFF
> BE6736C8CD1A74A54575AF9880395D04 ? ? ? ? ?/?
> ?/? ? ?
> Dec 10 16:16:34 2015.287 RELEASE -1 FFFFFFFF
> 78C390A2D412F8E601035A2C1FD771C8 ? ? ? ? ?/?
> ?/? ? ?
> Dec 10 16:16:34 2015.296 RELEASE -1 FFFFFFFF
> A7D8B3751858C54225D29408B56FE42D ? ? ? ? ?/?
> ?/? ? ?
> Dec 10 16:16:37 2015.863 RELEASE -1 FFFFFFFF
> 35992070307CD15EE743F71344E1C1AE ? ? ? ? ?/?
> ?/? ? ?
> Dec 10 16:16:37 2015.873 RELEASE -1 FFFFFFFF
> 17EFD3BCAF4265B7CF7803AD0289DD7E ? ? ? ? ?/?
> ?/? ? ?
> Dec 10 16:16:49 2015.228 RELEASE -1 FFFFFFFF
> 2666EC9714425D57FDC4CD15965D350B ? ? ? ? ?/?
> ?/? ? ?
>
>
>
> access.logs
> Dec 10 16:17:09 2015.706 13 192.168.56.1 TCP_MISS/200 6578 POST
> https://office.abc.com/ews/exchange.asmx - FIRSTUP_PARENT/10.32.69.11
> text/xml
> Dec 10 16:19:36 2015.447 206818 192.168.56.1 TCP_MISS/200 16532
> RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/10.32.69.11 application/rpc
> Dec 10 16:19:36 2015.449 206862 192.168.56.1 TCP_MISS_ABORTED/502 4493
> RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/10.32.69.11 text/html
> Dec 10 16:19:36 2015.453 207197 192.168.56.1 TCP_MISS_ABORTED/000 0
> RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/10.32.69.11 -
> Dec 10 16:19:36 2015.453 207087 192.168.56.1 TCP_MISS_ABORTED/200
> 48056 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/10.32.69.11 application/rpc
> Dec 10 16:20:07 2015.305 24688 192.168.56.1 TCP_MISS_ABORTED/000 0
> RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/10.32.69.11 -
> Dec 10 16:20:07 2015.306 24654 192.168.56.1 TCP_MISS_ABORTED/200 2004
> RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? -
> FIRSTUP_PARENT/10.32.69.11 application/rpc
>
Can you enable "debug_options 11,2" and get a trace of the message
headers going through for those requests?
>
> This is when I try and send an email with an attachment. An email with
> no attached goes through no problem...
>
>
> this config works with 3.1, not with 3.5 ..
>
> still on .11 as I can't find centos 6 compile of .12
Okay. It seem Eliezer is only getting to it in a few days.
>
> I think there is some issue with rpc sending or receiving ..
>
I've been doing some work in the SSL/TLS code recently and found that
Squid is always sending "http/1.1" for the TLS NPN extension. I am a
little suspicious about the particular methods that are failing for you
are non-HTTP methods.
Are you able to try running the latest Squid with a patch?
Amos
More information about the squid-users
mailing list