[squid-users] squid reverse proxy infront of exchange 2010

Alex Samad alex at samad.com.au
Fri Dec 11 00:06:21 UTC 2015


Hi

So I have taken this config, done some slight customization for my site,
and it appears to be working.

Thanks for this ..

On 10 December 2015 at 23:44, dweimer <dweimer at dweimer.net> wrote:
> On 2015-12-09 11:29 pm, Alex Samad wrote:
>>
>> Hi
>>
>> config
>> https_port 22.4.2.5:443 accel
>> cert=/etc/httpd/conf.d/office.abc.com.crt
>> key=/etc/httpd/conf.d/office.abc.com.key defaultsite=office.abc.com
>> options=NO_SSLv2,NO_SSLv3
>> dhparams=/etc/squid/squid-office-dhparams.pem
>>
>> cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>> cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
>> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
>> sslcert=/etc/httpd/conf.d/office.abc.com.crt
>> sslkey=/etc/httpd/conf.d/office.abc.com.key name=webServer
>> cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
>> originserver login=PASS front-end-https=on ssl
>> sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.abc.com.crt
>> sslkey=/etc/httpd/conf.d/office.abc.com.key name=exchangeServer
>> acl exch_domain dstdomain office.abc.com
>> acl exch_path urlpath_regex -i /exch(ange|web)
>> acl exch_path urlpath_regex -i /public
>> acl exch_path urlpath_regex -i /owa
>> acl exch_path urlpath_regex -i /ecp
>> acl exch_path urlpath_regex -i /microsoft-server-activesync
>> acl exch_path urlpath_regex -i /rpc
>> acl exch_path urlpath_regex -i /rpcwithcert
>> acl exch_path urlpath_regex -i /exadmin
>> acl exch_path urlpath_regex -i /ews
>> acl exch_path urlpath_regex -i /oab
>> acl exch_path urlpath_regex -i /autodiscover
>> cache_peer_access exchangeServer allow exch_domain exch_path
>> cache_peer_access webServer deny exch_domain exch_path
>> never_direct allow exch_domain exch_path
>> cache_mem 32 MB
>> maximum_object_size_in_memory 128 KB
>> access_log stdio:/var/log/squid/office-access.log squid
>> cache_log /var/log/squid/office-cache.log
>> cache_store_log stdio:/var/log/squid/office-cache_store.log
>> pid_filename /var/run/squid-office.pid
>> visible_hostname office.abc.com
>> deny_info TCP_RESET all
>> http_access allow all
>> miss_access allow all
>> icp_port 0
>> snmp_port 0
>>
>>
>>
>> cache.log
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process ID 5631
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Process Roles: worker
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| With 1024 file descriptors
>> available
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Initializing IP Cache...
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| DNS Socket created at 0.0.0.0,
>> FD 6
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding domain
>> yieldbroker.com from /etc/resolv.conf
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
>> 10.32.20.100 from /etc/resolv.conf
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adding nameserver
>> 10.32.20.102 from /etc/resolv.conf
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
>> stdio:/var/log/squid/office-access.log
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Local cache digest enabled;
>> rebuild/rewrite every 3600/3600 sec
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Logfile: opening log
>> stdio:/var/log/squid/office-cache_store.log
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Swap maxSize 0 + 32768 KB,
>> estimated 2520 objects
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Target number of buckets: 126
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using 8192 Store buckets
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Mem  size: 32768 KB
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Max Swap size: 0 KB
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Using Least Load store dir
>> selection
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Current Directory is /etc/squid
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Finished loading MIME types and
>> icons.
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| HTCP Disabled.
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent
>> 127.0.0.1/443/0
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Configuring Parent
>> 10.32.69.11/443/0
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Squid plugin modules loaded: 0
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Adaptation support is off.
>> Jan 01 10:33:35 1970/12/10 16:15:42 kid1| Accepting reverse-proxy
>> HTTPS Socket connections at local=202.74.32.15:443 remote=[::] FD 11
>> flags=9
>> Jan 01 10:33:35 1970/12/10 16:15:43 kid1| storeLateRelease: released 0
>> objects
>>
>>
>> cache log
>> Dec 10 16:16:23 2015.225 RELEASE -1 FFFFFFFF
>> BE6736C8CD1A74A54575AF9880395D04   ?         ?         ?         ? ?/?
>> ?/? ? ?
>> Dec 10 16:16:34 2015.287 RELEASE -1 FFFFFFFF
>> 78C390A2D412F8E601035A2C1FD771C8   ?         ?         ?         ? ?/?
>> ?/? ? ?
>> Dec 10 16:16:34 2015.296 RELEASE -1 FFFFFFFF
>> A7D8B3751858C54225D29408B56FE42D   ?         ?         ?         ? ?/?
>> ?/? ? ?
>> Dec 10 16:16:37 2015.863 RELEASE -1 FFFFFFFF
>> 35992070307CD15EE743F71344E1C1AE   ?         ?         ?         ? ?/?
>> ?/? ? ?
>> Dec 10 16:16:37 2015.873 RELEASE -1 FFFFFFFF
>> 17EFD3BCAF4265B7CF7803AD0289DD7E   ?         ?         ?         ? ?/?
>> ?/? ? ?
>> Dec 10 16:16:49 2015.228 RELEASE -1 FFFFFFFF
>> 2666EC9714425D57FDC4CD15965D350B   ?         ?         ?         ? ?/?
>> ?/? ? ?
>>
>>
>>
>> access.logs
>> Dec 10 16:17:09 2015.706     13 192.168.56.1 TCP_MISS/200 6578 POST
>> https://office.abc.com/ews/exchange.asmx - FIRSTUP_PARENT/10.32.69.11
>> text/xml
>> Dec 10 16:19:36 2015.447 206818 192.168.56.1 TCP_MISS/200 16532
>> RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? -
>> FIRSTUP_PARENT/10.32.69.11 application/rpc
>> Dec 10 16:19:36 2015.449 206862 192.168.56.1 TCP_MISS_ABORTED/502 4493
>> RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? -
>> FIRSTUP_PARENT/10.32.69.11 text/html
>> Dec 10 16:19:36 2015.453 207197 192.168.56.1 TCP_MISS_ABORTED/000 0
>> RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? -
>> FIRSTUP_PARENT/10.32.69.11 -
>> Dec 10 16:19:36 2015.453 207087 192.168.56.1 TCP_MISS_ABORTED/200
>> 48056 RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? -
>> FIRSTUP_PARENT/10.32.69.11 application/rpc
>> Dec 10 16:20:07 2015.305  24688 192.168.56.1 TCP_MISS_ABORTED/000 0
>> RPC_IN_DATA https://office.abc.com/rpc/rpcproxy.dll? -
>> FIRSTUP_PARENT/10.32.69.11 -
>> Dec 10 16:20:07 2015.306  24654 192.168.56.1 TCP_MISS_ABORTED/200 2004
>> RPC_OUT_DATA https://office.abc.com/rpc/rpcproxy.dll? -
>> FIRSTUP_PARENT/10.32.69.11 application/rpc
>>
>>
>> This is when I try and send an email with an attachment. An email with
>> no attachment goes through with no problem...
>>
>>
>> This config works with 3.1, not with 3.5.
>>
>> Still on .11 as I can't find a CentOS 6 compile of .12.
>>
>> I think there is some issue with RPC sending or receiving.
>>
>> On 8 December 2015 at 19:34, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>>>
>>> On 8/12/2015 7:35 p.m., Alex Samad wrote:
>>>>
>>>> Hi
>>>>
>>>> Any suggestions on how to debug this... I wouldn't mind rolling
>>>> forward to 3.5 again
>>>>
>>>
>>> Some ideas inline. The main ones are:
>>>
>>> * re-enable cache.log. It is not optional.
>>>
>>> * try an upgrade to 3.5.12. There were some regressions in the .10/.11
>>> releases that can lead to really weird behaviour.
>>>
>>>
>>>> On 2 December 2015 at 20:39, Alex Samad wrote:
>>>>>
>>>>> Just to add to this I have a lot of these in the log file
>>>>>
>>>>> TCP_MISS_ABORTED/000 0 RPC_IN_DATA
>>>>> TCP_MISS_ABORTED/200 4322 RPC_OUT_DATA
>>>>> TCP_MISS_ABORTED/000 0 RPC_IN_DATA https:
>>>>>
>>>>>
>>>>>
>>>>> On 2 December 2015 at 17:24, Alex Samad wrote:
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> Recently upgraded to squid-3.5.11-1.el6.x86_64 from the CentOS 6.7
>>>>>> squid 3.1.
>>>>>>
>>>>>>
>>>>>> I am now having problems with people who use ActiveSync via this
>>>>>> connection. It seems like emails with attachments aren't making it
>>>>>> through.
>>>>>>
>>>>>> cache_peer 10.32.69.11 parent 443 0 proxy-only no-query no-digest
>>>>>> originserver login=PASS front-end-https=on ssl
>>>>>> sslflags=DONT_VERIFY_PEER sslcert=/etc/httpd/conf.d/office.yx.com.crt
>>>>>> sslkey=/etc/httpd/conf.d/office.yx.com.key name=exchangeServer
>>>
>>>
>>> You could try changing these from login=PASS to login=PASSTHRU
>>>
>>>>>>
>>>>>>
>>>>>> cache_peer 127.0.0.1 parent 443 0 proxy-only no-query no-digest
>>>>>> originserver login=PASS ssl sslflags=DONT_VERIFY_PEER
>>>>>> sslcert=/etc/httpd/conf.d/office.yx.com.crt
>>>>>> sslkey=/etc/httpd/conf.d/office.yx.com.key name=webServer
>>>>>>
>>>>>> # List of acceptable URLs to send to the Exchange server
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/exchange
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/exchweb
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/public
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/owa
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/ecp
>>>>>> acl exch_url url_regex -i
>>>>>> office.yieldbroker.com/microsoft-server-activesync
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/rpc
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/rpcwithcert
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/exadmin
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/oab
>>>>>> # added after
>>>>>> acl exch_url url_regex -i office.yieldbroker.com/ews
>>>>>> # Not configured on exchange 2010
>>>>>> #acl exch_url url_regex -i office.yieldbroker.com/autodiscover
>>>>>>
>>>>>> # Send the Exchange URLs to the Exchange server
>>>>>> cache_peer_access exchangeServer allow exch_url
>>>>>>
>>>>>> # Send everything else to the Apache
>>>>>> cache_peer_access webServer deny exch_url
>>>>>>
>>>>>> # This is to protect Squid
>>>>>> never_direct allow exch_url
>>>>>>
>>>>>> # Logging Configuration
>>>>>> redirect_rewrites_host_header off
>>>>>> cache_mem 32 MB
>>>>>> maximum_object_size_in_memory 128 KB
>>>>>> cache_log none
>>>
>>>
>>> You should re-enable cache.log and fix any of the issues that are logged
>>> there.
>>>
>>>
>>>>>> cache_store_log none
>>>>>>
>>>>>> access_log stdio:/var/log/squid/office-access.log squid
>>>>>> #access_log none
>>>>>> cache_log /var/log/squid/office-cache.log
>>>>>> #cache_log none
>>>>>> pid_filename /var/run/squid-office.pid
>>>>>>
>>>>>>
>>>>>> # Set the hostname so that we can see Squid in the path (Optional)
>>>>>> visible_hostname yieldbroker.com
>>>>>> deny_info TCP_RESET all
>>>
>>>
>>> This could lead to strange behaviour. Particularly since "deny all" is
>>> not being used in your http_access rules ...
>>>
>>>
>>>>>>
>>>>>> # Allow everyone through, internal and external connections
>>>>>> http_access allow all
>>>>>> miss_access allow all
>>>>>>
>>>>>> icp_port 0
>>>>>> snmp_port 0
>>>>>>
>>>>>> via off
>>>>>>
>>>>>>
>>>>>> The previous setup had worked for at least 18 months.
>>>>>>
>>>>>> Alex
>
>
> On our reverse proxy I ran into an issue uploading attachments to the
> Exchange back end a while back; it turned out the solution was to lock it
> down so that the proxy only used SSL version 3 to connect to the Exchange
> server. This however recently broke after a Windows update in November.
> Further investigation led to the particular cipher that was in use. After
> discovering this I was able to use the same cipher with TLSv1.0.
>
> Currently I am using TLSv1.0 with RC4-SHA cipher to talk to the Exchange
> server.
>
> cache_peer 10.20.10.161 parent 443 0 ssl no-query proxy-only no-digest
> originserver \
>  name=owa2010_parent sslcapath=/usr/local/share/certs
> sslflags=DONT_VERIFY_PEER  \
>  login=PASSTHRU front-end-https=on connection-auth=on sslcipher=RC4-SHA
> sslversion=4
>
> I am not however locking down the incoming connections to this setting, I am
> using the following for the https_port setting. This does pass PCI scans, in
> case anyone is wondering about the choice of cipher options, and you will
> notice the RC4 used to send traffic between the Proxy and Exchange is
> disabled as that doesn't meet current requirements.
>
> https_port 10.50.20.12:443 accel defaultsite=mail.mydomain.com \
>  cert=/certs/wildcard.certificate.crt \
>  key=/certs/wildcard.certificate.key \
>  options=NO_SSLv2:NO_SSLv3:NO_TLSv1:SINGLE_DH_USE:CIPHER_SERVER_PREFERENCE \
>  dhparams=/usr/local/etc/squid/dh.param \
>  cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:+HIGH:+MEDIUM:!SSLv2:!RC4 \
>  vhost
>
>
> --
> Thanks,
>    Dean E. Weimer
>    http://www.dweimer.net/
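To make the routing rules in Alex's quoted config concrete, here is an added example (my own code, not Squid's and not from anyone in the thread) that emulates how Squid's `dstdomain` ACL plus the case-insensitive, unanchored `urlpath_regex` ACLs choose between the `exchangeServer` and `webServer` peers. It also contrasts them with an anchored variant (my suggestion, not from the thread) that only sends paths that actually begin with an Exchange prefix to the Exchange back end, so that an unrelated Apache URL containing, say, "/public" or "/owa" somewhere in its path is not routed to Exchange.

```python
import re
from urllib.parse import urlsplit

# Constructed reproduction of the thread's ACLs (exch_domain / exch_path).
EXCH_DOMAIN = "office.abc.com"
EXCH_PATH_PATTERNS = [
    r"/exch(ange|web)", r"/public", r"/owa", r"/ecp",
    r"/microsoft-server-activesync", r"/rpc", r"/rpcwithcert",
    r"/exadmin", r"/ews", r"/oab", r"/autodiscover",
]

# Tightened variant (assumption: my suggestion, not from the thread): the
# prefix must start the path and be followed by "/" or the end of the path.
ANCHORED_PATTERNS = [r"^" + p + r"(/|$)" for p in EXCH_PATH_PATTERNS]


def squid_urlpath_regex(patterns, path):
    """Emulate 'urlpath_regex -i': case-insensitive, unanchored search."""
    return any(re.search(p, path, re.IGNORECASE) for p in patterns)


def pick_peer(url, patterns=EXCH_PATH_PATTERNS):
    """Apply the thread's cache_peer_access logic to one request URL.

    cache_peer_access exchangeServer allow exch_domain exch_path
    cache_peer_access webServer      deny  exch_domain exch_path
    Anything not matching both ACLs falls through to the Apache peer.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # 'dstdomain office.abc.com' (no leading dot) matches that host exactly.
    is_exch_domain = host == EXCH_DOMAIN
    path = parts.path or "/"
    if is_exch_domain and squid_urlpath_regex(patterns, path):
        return "exchangeServer"
    return "webServer"


if __name__ == "__main__":
    # Constructed sample URLs: note how the unanchored ACLs misroute the
    # last two to Exchange while the anchored ones keep them on Apache.
    for u in ("https://office.abc.com/owa/auth/logon.aspx",
              "https://office.abc.com/rpc/rpcproxy.dll?",
              "https://office.abc.com/publications/report.pdf",
              "https://office.abc.com/blog/owa-review"):
        print(u, pick_peer(u), pick_peer(u, ANCHORED_PATTERNS))
```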

