[squid-users] Squid server on Amazon EC2

2012-02-22 Thread Ananthnag Bonthala. R.
Dear Squid users,

I want your expert solution for having a squid proxy server configured in the
cloud.

What I am planning to do is:

---[LAN]-[local_squid_proxy]{internet cloud}-[squid proxy in cloud Amazon EC2]

What I want to set up is to configure my local squid proxy with cache_peer
pointing to my squid proxy server in the Amazon EC2 cloud:
cache_peer proxy.amazonec2.com parent 3128 3130 default

so that all my HTTP requests are forwarded from my local squid_proxy to the
proxy server in the cloud.

Can anyone tell me whether the above situation is workable?

Thank you in advance.




-Original Message-
From: Fried Wil [mailto:wilfried.pasca...@gmail.com] 
Sent: Wednesday, 22 February 2012 2:56 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Re: NTLM auth for RPC over HTTPS to outlook everywhere

Hi Clem, 

Did you test the CAS server as the front end, just to test NTLM authentication
without the reverse proxy?

User -- FW -- NAT@CAS Server and not User -- FW -- NAT@Reverseproxy -- CAS Server

Just to test whether the NTLM authentication mechanism will be OK.

Thx

On Wed, Feb 22, 2012 at 12:33:09PM +0100, Clem wrote:
 Hi Fried,
 
 I know all these links !! :), but like you I've made squid work like a 
 charm in front of my exchange for owa activesync and RPC too ... in 
 basic auth, not in NTLM auth, and I'm still stuck there.
 
 Impossible to find a solution to make a linux front-end, neither with 
 squid, nginx, apache or pound ! That's it ! I think I'll give up.
 
 BTW Thx !
 
 -Original Message-
 From: Fried Wil [mailto:wilfried.pasca...@gmail.com]
 Sent: Wednesday 22 February 2012 11:26
 To: squid-users@squid-cache.org
 Subject: Re: [squid-users] Re: NTLM auth for RPC over HTTPS to outlook everywhere
 
 Hi Clem,
 
 I have tested OWA RPC HTTPS and ..
 
 Apache = fail. Apache sees this as a security leak. This is a raw 
 explanation :-). The problem is how Apache and Exchange RPC use HTTP 
 1.1. Microsoft lets bigger packages pass over HTTP 1.1.
 
 Check these links :
 https://issues.apache.org/bugzilla/show_bug.cgi?id=40029
 http://forum.nginx.org/read.php?2,3511
 http://httpd.apache.org/security/vulnerabilities_20.html
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2088
 
 Squid as RP = OK. I have the final configuration. If you're 
 interested, tell me and I'll send you the squid.conf
 
 Nginx = Not tested but I think it will be the same as Apache ...
 
 Regards,
 
 Wilfried
 
 On Wed, Feb 22, 2012 at 11:19:31AM +0100, Clem wrote:
  Hello,
  
  Coming back after weeks of research, gave up with squid, tried 
  with pound and nginx reverse proxy, and same issue, and the point is 
  (getting it from a number of hints and searches in forums):
  
  For pound (from a user in forum):
  
  -- POUND 
  I looked into this when I first started using pound.  This is a 
  rather simplified explanation of what I discovered (and could be 
  completely wrong - I don't know enough about RPC or HTTP).  When 
  Outlook sends the first HTTP request it specifies a content-length 
  of 1GB.  I think this is so the request stays open and RPC commands 
  get sent via this tunnel.  Pound (being the good proxy that it is) 
  sits and waits for the 1GB of data to arrive and does not pass the 
  request to the BE until it does.  Pound eventually times out waiting 
  for the promised 1GB of data and gives up.
  
  Here's Microsoft's details of the protocol:
  http://technet.microsoft.com/en-us/library/aa995784(EXCHG.65).aspx
  http://technet.microsoft.com/en-us/library/aa996706(EXCHG.65).aspx
  -- END POUND --
  
  For NGINX (in logs) :
  
  --- NGINX 
  
  2012/02/21 17:19:31 [error] 17072#0: *6 client intended to send too large body: 1073741824 bytes, client: x.x.x.x, server: mail.xx.fr, request: RPC_IN_DATA /rpc/rpcproxy.dll?localmail.fr:6002 HTTP/1.1, host: mail.xx.fr
  
  -- END NGINX ---
  
  IMHO, it's exactly the same issue I had with squid and rpc over 
  https with NTLM ...
  
  Hope that can help, I'm now completely stuck !
  
  Regards
  
  Clémence
  
  
  
  
  
  -Original Message-
  From: Clem [mailto:clemf...@free.fr]
  Sent: Thursday 26 January 2012 13:12
  To: 'squid-users@squid-cache.org'
  Subject: RE: [squid-users] Re: NTLM auth for RPC over HTTPS to outlook everywhere
  
  On the second abnormal capture I've sent, the certificate is sent.
  The auth works on basic, I think the certificate is OK, however it 
  would be rejected, wouldn't it ?
  
  -- ABNORMAL2 (SQUID) --
  
  2 0.001415 192.168.3.15 192.168.1.10 TCP https > 33043 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0 SACK_PERM=1
  3 0.001457 192.168.1.10 192.168.3.15 TCP 33043 > https [ACK] Seq=1 Ack=1 Win=5856 Len=0 TSV=81334043 TSER=0
  4 0.002583 192.168.1.10 192.168.3.15 TLSv1 Client Hello
  5 0.003850 192.168.3.15 192.168.1.10

Re: [squid-users] Squid server on Amazon EC2

2012-02-22 Thread Sebastian Muniz

On 2/22/2012 10:23 AM, Ananthnag Bonthala. R. wrote:

Dear Squid users,

I want your expert solution for having a squid proxy server configured in the
cloud.

What I am planning to do is:

---[LAN]-[local_squid_proxy]{internet cloud}-[squid proxy in cloud Amazon EC2]

What I want to set up is to configure my local squid proxy with cache_peer
pointing to my squid proxy server in the Amazon EC2 cloud:
cache_peer proxy.amazonec2.com parent 3128 3130 default

so that all my HTTP requests are forwarded from my local squid_proxy to the
proxy server in the cloud.

Can anyone tell me whether the above situation is workable?

Thank you in advance.


Hello Bonthala:
Please do not reuse other emails, changing the subject; people that use 
threads will have their email broken. And if you do, the least is to 
remove the other people's text.
It looks like your setup is correct. You might want to add some ACLs if you 
have local LAN content to be accessed instead of using the remote proxy.


Regards
Sebastian
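
The forwarding setup discussed in this thread, written out as an added squid.conf sketch (not configuration posted by either participant). It keeps the cache_peer line from the question, adds the local-LAN bypass ACLs suggested in the reply, and shows the matching access restriction on the EC2 side. The LAN ranges, the `.lan.example` domain and the office address 203.0.113.10 are assumed placeholders.

```conf
# ---------- local_squid_proxy: squid.conf (added example) ----------

# Parent peer exactly as given in the thread: HTTP on 3128, ICP on 3130.
cache_peer proxy.amazonec2.com parent 3128 3130 default

# Destinations that live on the LAN (assumed ranges and domain, adjust).
acl local_dst dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl local_names dstdomain .lan.example

# LAN content is fetched directly and never handed to the cloud parent.
# always_direct is evaluated before never_direct.
always_direct allow local_dst
always_direct allow local_names

# Everything else must use the parent; if the parent is unreachable the
# request fails instead of silently going out from the office address.
never_direct allow all

# ---------- squid proxy in Amazon EC2: squid.conf (added example) ----------

http_port 3128
# ICP must be enabled here because the peer line above queries port 3130.
icp_port 3130

# Only the office's public address may use this proxy (placeholder IP).
# Without this the instance is an open proxy reachable from the internet.
acl office src 203.0.113.10/32

http_access allow office
http_access deny all

icp_access allow office
icp_access deny all

# Mirror the same source restriction in the instance's EC2 security group
# for TCP 3128 and UDP 3130, so unwanted traffic is dropped before Squid.
```

Running `squid -k parse` on each host checks the file for syntax errors before the configuration is reloaded.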