Hello, I'm a Slackware box running Squid/3/PRE3 and Samba-3.0.0. The box functions as an ssl reverse proxy for a backend Lotus Domino R6.52 box running iNotes webmail. Incoming https web traffic goes to squid https_port 443. The backend connection is also encrypted and goes to the Notes box on port 443.

Internet -- (ssl) -- SQUID -- (ssl) -- Lotus Domino server

Ordinary iNotes webmail works very well. My only issue arises when trying to access attachments within iNotes webmail. When I click on an attached file I receive the browser error "Error : Unable to download <filename> from https://portal.oursite.com". It is only when we are using ssl (back and front end) that this issue arises. When we use unencrypted back and front ends everything (including attachments) works fine.

The access.log shows something like this (the last line is when I tried to access an attached zip file). No error gets shown in the access.log; it's only in the browser that the error shows up.

1096974715.709 24 x.y.195.236 TCP_MISS/304 286 GET https://portal.oursite.com/icons/vwicn150.gif user1 FIRST_UP_PARENT/201.1.1.220 image/gif
1096974718.945 80 x.y.195.236 TCP_MISS/200 7670 GET https://portal.oursite.com/mail/jguiney.nsf/d551aa968989f38680256d6b0031c210/ED62487316343F1F80256ED3003EF506/? user1 FIRST_UP_PARENT/201.1.1.220 text/html
1096974720.205 24 x.y.195.236 TCP_MISS/304 286 GET https://portal.oursite.com/icons/vwicn178.gif user1 FIRST_UP_PARENT/201.1.1.220 image/gif
1096974725.708 60 x.y.195.236 TCP_MISS/200 60811 GET https://portal.oursite.com/mail/jguiney.nsf/0/ED62487316343F1F80256ED3003EF506/$File/OS%5FNetBIOSCfgUtil%2Ezip? user1 FIRST_UP_PARENT/201.1.1.220 application/x-zip

The relevant bits of the config file look like this:

## ACLs set on directories so need to set squid to run under this account
cache_effective_user squid
cache_effective_group squidadm

## We don't use ICP
icp_port 0

### Sets up external SSL with Internet CA certificate
https_port 443 cert=/usr/local/squid/etc/oursite.crt key=/usr/local/squid/etc/oursite.key defaultsite=portal.oursite.com

## In Squid 3 configure the accelerator settings using cache_peer
# See squid.conf.default for Squid3 for full explanation of all options.
# "ssl sslflags=DONT_VERIFY_PEER" are important options - allow the use of a self-cert cert in Notes, otherwise
# squid would choke on SSL cert errors
# Other options are standard for a reverse proxy
cache_peer 201.1.1.220 parent 443 0 no-query proxy-only originserver ssl sslflags=DONT_VERIFY_PEER

## Set up auth_param. Src was built with --enable-auth="basic"
auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Langford Lodge iNotes
auth_param basic credentialsttl 2 hours

## define our ACLs. Safe ports, cache manager and authenticated users
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl password proxy_auth REQUIRED
http_access allow CONNECT

## map acl with access
## Note new access for cache_peer for reverse proxy
cache_peer_access 201.1.1.220 allow all
http_access allow localhost
http_access deny to_localhost
http_access allow all password
http_access deny all

My gut reaction is that it might be an issue with the redirector code in the new Squid3 ssl functionality, but I'd be perfectly happy with a dirty workaround for this one.... it's a bit of a showstopper not to have attachments working. Thanks in advance for any insights.

Geoffrey.

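An added example, not from the original post and not Squid's own code: a small Python lint over the posted excerpt (reconstructed inline) that flags the backend certificate check switched off by sslflags=DONT_VERIFY_PEER, which makes the proxy accept any certificate the Domino box presents, and any ACL name used in an access rule that the excerpt never defines (CONNECT here; the post shows only the relevant bits, so it may well be defined elsewhere in the real file). The lint_squid_conf helper is hypothetical.

```python
# Constructed from the squid.conf excerpt in the post above (not the full file).
SAMPLE_CONF = """\
https_port 443 cert=/usr/local/squid/etc/oursite.crt key=/usr/local/squid/etc/oursite.key defaultsite=portal.oursite.com
cache_peer 201.1.1.220 parent 443 0 no-query proxy-only originserver ssl sslflags=DONT_VERIFY_PEER
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl password proxy_auth REQUIRED
http_access allow CONNECT
cache_peer_access 201.1.1.220 allow all
http_access allow localhost
http_access deny to_localhost
http_access allow all password
http_access deny all
"""

# Directives whose trailing arguments are ACL names (optionally prefixed with "!").
ACCESS_DIRECTIVES = {"http_access": 2, "cache_peer_access": 3}


def lint_squid_conf(text):
    """Return (line_no, finding, detail) tuples for a squid.conf excerpt.

    Hypothetical helper. Line numbers count non-blank, non-comment lines only.
    Note: 'all' is only built in from Squid 3.2; in the 3.PRE3 era it had
    to be declared, as it is in the sample.
    """
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]

    # First pass: collect every ACL name the excerpt declares.
    defined = {l.split()[1] for l in lines if l.startswith("acl ") and len(l.split()) >= 3}

    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        directive = parts[0]
        if directive == "cache_peer" and "sslflags=DONT_VERIFY_PEER" in parts:
            # Backend certificate is never validated: any cert from parts[1] is accepted.
            findings.append((n, "peer-cert-unverified", parts[1]))
        elif directive in ACCESS_DIRECTIVES:
            # Skip the directive and its allow/deny (and the peer host for cache_peer_access).
            for name in parts[ACCESS_DIRECTIVES[directive]:]:
                name = name.lstrip("!")
                if name not in defined:
                    findings.append((n, "undefined-acl", name))
    return findings


if __name__ == "__main__":
    for finding in lint_squid_conf(SAMPLE_CONF):
        print(finding)
```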