[squid-users] Reverse proxying Exchange OWA wembail with SSL offloading - not working on IE/Chrome

Scott 3m9n51s2ewut at thismonkey.com
Wed Oct 28 12:25:05 UTC 2020


On Wed, Oct 28, 2020 at 12:00:01PM +0000, squid-users-request at lists.squid-cache.org wrote:
> Date: Thu, 29 Oct 2020 00:08:34 +1300
> From: Amos Jeffries <squid3 at treenet.co.nz>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Reverse proxying Exchange OWA wembail with SSL
>  offloading - not working on IE/Chrome
> 
> On 28/10/20 5:25 pm, Scott wrote:
> > 
> > Here are the logs (first not working, followed by working).
> > 
> > Note this is the login attempt, not the loading of the initial page.  You'll
> > see in the NOT WORKING section that the browser does NOT return a cookie to
> > the server, which is where the problem may be.  Again, I'm not sure why - I'm
> > thinking perhaps the browser/javascript is rejecting the cookie as it's
> > missing the "secure" attribute (because the back-end is talking plain HTTP).
> > 
> 
> The complete absence of a cookie may be expected to break something.
> 
> The absence of a "secure" flag should only make the cookie vulnerable to 
> leaking. It should not affect anything depending on that cookies value.
> 
> 
> Amos
> 

My current theory is that the browser ignores the server-supplied cookie 
because it is missing the "secure" flag.  I could be completely wrong of 
course.  But that flag is one of the few differences between a working 
session and a not-working session.

I did find this site: 
https://support.kemptechnologies.com/hc/en-us/articles/202154165-How-to-Add-an-SSL-Secure-and-HTTP-only-flag-to-cookies-from-a-Real-Server 
that is in the same ball park of my suspicions.

I've tried building an ICAP server using the examples from PyICAP and have 
got as far as receiving the data and altering the header but I can't work out 
how to send the modified header and data back to Squid.

My code is:

   def cookie_RESPMOD(self):
       self.set_icap_response(200)

       self.set_enc_status(b' '.join(self.enc_res_status))
       for h in self.enc_res_headers:
           for v in self.enc_res_headers[h]:
               if h == "set-cookie" and re.search(r'HttpOnly', v) and not re.search(r'secure', v):
                   v = v.replace('; HttpOnly', '; secure; HttpOnly')
                   print("h: ", h, "v: ", v)
               self.set_enc_header(h, v)

       if not self.has_body:
           self.send_headers(False)
           return

       self.send_headers(True)
           return

I'm sure it's something simple like not sending the body.  I really need to read the ICAP docs/RFCs.

The script generates the following:
10.2.255.1 - - [28/Oct/2020 23:17:21] "OPTIONS icap://10.2.255.1:40000/cookie ICAP/1.0" 200 -
10.2.255.1 - - [28/Oct/2020 23:17:21] "RESPMOD icap://10.2.255.1:40000/cookie ICAP/1.0" 200 -
10.2.255.1 - - [28/Oct/2020 23:17:21] code 400, message B
10.2.255.1 - - [28/Oct/2020 23:17:31] "RESPMOD icap://10.2.255.1:40000/cookie ICAP/1.0" 200 -
10.2.255.1 - - [28/Oct/2020 23:17:31] code 400, message B
10.2.255.1 - - [28/Oct/2020 23:17:31] "RESPMOD icap://10.2.255.1:40000/cookie ICAP/1.0" 200 -
10.2.255.1 - - [28/Oct/2020 23:17:31] code 400, message B

I might look into a code hack as a means of testing.


More information about the squid-users mailing list