Henrik Nordstrom <[EMAIL PROTECTED]> wrote on 03/09/2004 13:19:24:

> On Fri, 3 Sep 2004 [EMAIL PROTECTED] wrote:
>
> > When users connect from the internet to https://our.portal.url/ they
> > receive the usual password dialog box. This is Squid asking for Windows
> > authentication via Samba-3.0.0 to the Windows DC. After successful
> > Windows authentication they are directed to the iNotes logon page for
> > Notes authentication.
> >
> > The problem is that after authenticating in Notes, the browser brings up a
> > redirect warning "You are about to be redirected to a connection that is
> > not secure". The user can click OK, but the browser then times out.
> >
> > You then see that the requested URL was:
> >
> > http://our.portal.url/mail/gmoore.nsf/iNotes/Proxy/?
>
> This is a general problem of reverse proxies when the backend URL is
> different from the external URL. There are no very easy solutions to this
> problem.
>
> The easiest solution is to make sure there is no difference on the two
> sides of the proxy. This you can do by running https:// the whole way to
> the server. You can do this with the SSL update by using a redirector
> helper to rewrite the protocol back to https:// while it is forwarded by
> Squid (SSL update patch required). In Squid-3 this can be done without the
> help of a redirector.
>
> The other solution is to make the web server aware of what the externally
> visible URL looks like. This is for example the case with the
> "Front-End-Https" HTTP header used by MS OWA (and supported by the Squid
> SSL update) which indicates to the web application that the externally
> visible URL accessed by the end-user is using https:// even if the
> connection to the internal web server was using http://.
>
> Regards
> Henrik

Henrik,

Thanks very much for your help. I upgraded to Squid 3, played for a while
with the new options in squid.conf, and now iNotes works brilliantly. We
also installed a new version of the iNotes redirector on Notes, but this
only started working after the new Squid was set up.

For the record, I ran ./configure with the following options:

--enable-auth="basic" --enable-basic-auth-helpers="winbind" --enable-ssl --enable-auth-on-accel

The important lines in the new squid.conf are:

### Sets up external SSL with Internet CA certificate
https_port 443 cert=/usr/local/squid/etc/ourcert.crt key=/usr/local/squid/etc/ourcert.key defaultsite=our.portal.com

## In Squid 3 configure the accelerator settings using cache_peer
# See squid.conf.default for Squid3 for full explanation of all options.
# "ssl sslflags=DONT_VERIFY_PEER" are important options - they allow the use
# of a self-signed cert in Notes, otherwise squid would choke on SSL cert errors.
# Other options are fairly standard for a reverse proxy.
cache_peer <Notes server IP> parent 443 0 no-query proxy-only originserver ssl sslflags=DONT_VERIFY_PEER

## Set up auth_param. Src was built with --enable-auth="basic"
auth_param basic program /usr/local/squid/libexec/wb_auth
auth_param basic children 5
auth_param basic realm Our iNotes Proxy
auth_param basic credentialsttl 2 hours

## map acl with access
## Note new access for cache_peer for reverse proxy
# The "password" acl used in http_access below must be defined; this
# definition (assumed, not in the original post) requires proxy authentication:
acl password proxy_auth REQUIRED
cache_peer_access <Notes server IP> allow all
http_access allow localhost
http_access deny to_localhost
http_access allow all password
http_access deny all

## These are the old accelerator (or reverse proxy) settings - now not required.
#httpd_accel_port 80
#httpd_accel_host <Notes server IP> # Notes IP
#httpd_accel_single_host on # Only one backend.
#httpd_accel_uses_host_header on

Regards,
Geoffrey.
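The scheme mismatch Henrik describes (external https://, proxy-to-backend http://, so the backend emits http:// redirects) can be handled on either side. The following added example, which is not code from the thread or from Squid or Domino, shows the backend honouring the "Front-End-Https" header only when the request came from the proxy, plus a proxy-side Location rewrite as an alternative the thread does not cover; the proxy address, host names and header values are constructed.

```python
# Added example, not from the thread: building correct redirect URLs behind a
# reverse proxy that terminates https:// and talks http:// to the backend.
from urllib.parse import urlsplit, urlunsplit

# Constructed value: address of the reverse proxy. The header is only honoured
# from here, since any client could otherwise send Front-End-Https itself.
TRUSTED_PROXY_ADDRS = {"10.0.0.5"}


def external_scheme(headers, peer_addr):
    """Scheme the end user used, as asserted by the proxy via Front-End-Https."""
    fe = headers.get("Front-End-Https", "").strip().lower()
    if peer_addr in TRUSTED_PROXY_ADDRS and fe == "on":
        return "https"
    return "http"


def build_redirect(headers, peer_addr, path):
    """Absolute Location value a backend should emit for a redirect to `path`.

    Using the externally visible scheme avoids the browser's "redirected to a
    connection that is not secure" warning described in the thread.
    """
    host = headers.get("Host", "")
    return urlunsplit((external_scheme(headers, peer_addr), host, path, "", ""))


def rewrite_location(location, internal_host, external_host):
    """Proxy-side alternative: map a backend http://internal/... Location to
    https://external/... before the response reaches the user."""
    parts = urlsplit(location)
    if parts.scheme == "http" and parts.netloc == internal_host:
        return urlunsplit(("https", external_host) + tuple(parts[2:]))
    return location  # anything else is passed through unchanged
```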
