Protect OWA using a reverse proxy #2
This is a follow-up (two years later) to the ‘protect owa using a reverse proxy’ article.
I ditched Apache and now only use Squid. Two layers of proxying is sometimes slow (never figured out why), difficult to troubleshoot, and not needed in my case. Instead of a single site with multiple subdirectories, I now use a single SSL binding (on one IP) with a wildcard certificate, and use different hostnames to proxy different applications.
So I use a self-signed wildcard certificate, and I use multiple subdomains like ‘home.hongens.nl’, ‘owa.hongens.nl’, and more. I also use the latest version of Squid 3.1, because it supports NTLM connection pinning (I think I still have some issues here and there, but it works fine for ActiveSync and an occasional webmail session) and IPv6.
Here is my squid.conf (with some things removed). I’m serving OWA, SharePoint, and a simple static app all through a single SSL entry point:
hierarchy_stoplist cgi-bin
# QUERY is defined here but not referenced by any cache/http_access rule below
acl QUERY urlpath_regex cgi-bin
cache_effective_user squid
shutdown_lifetime 1 second
visible_hostname home.hongens.nl
# No client-side restriction: every request is accepted and authentication is
# left to the origin servers selected by the cache_peer_domain bindings below
http_access allow all
#1GB disk cache
cache_dir ufs /var/spool/squid 1024 16 256
maximum_object_size 5 MB
cache_mem 1024 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 512 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
negative_ttl 0 seconds
# Single TLS entry point on one IP; vhost selects the backend by the Host header,
# vport keeps the original port so redirects from the backends stay correct
https_port 443 cert=/etc/xxxxxxxxx_wildcard.pem key=/etc/xxxxxxxxx_wildcard.pem vhost vport
# front-end-https tells the backend the client side was TLS; login=PASS forwards the
# client's Authorization header unchanged (over plain HTTP for the port-80 peers)
cache_peer hon-web-01.hongens.local parent 80 0 no-query originserver name=server_00 front-end-https login=PASS
cache_peer_domain server_00 dstdomain home.hongens.nl
# connection-auth=on keeps NTLM/Negotiate challenges on a pinned client<->backend connection
cache_peer hon-sps-01.hongens.local parent 80 0 no-query originserver name=server_02 front-end-https login=PASS connection-auth=on
cache_peer_domain server_02 dstdomain sharepoint.hongens.nl
# Exchange is reached over TLS; DONT_VERIFY_PEER skips checking its (self-signed)
# certificate, so this hop trusts the internal network rather than the cert
cache_peer hon-exch-01.hongens.local parent 443 0 no-query originserver name=server_03 ssl sslflags=DONT_VERIFY_PEER front-end-https login=PASS connection-auth=on
cache_peer_domain server_03 dstdomain owa.hongens.nl
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
logfile_rotate 0
strip_query_terms off
acl Snmppublic snmp_community public
acl Adminhost src 127.0.0.1
snmp_port 3401
snmp_access allow Adminhost Snmppublic
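To see at a glance which hostname lands on which backend and where credentials or certificates are handled loosely, here is a small audit script for the `cache_peer`/`cache_peer_domain` lines above. It is an added example, not part of the original post or of Squid; the sample input is constructed from the config shown, and the `dstdomain` token is tolerated as written even though Squid's documented syntax lists the domains directly after the peer name.

```python
# Constructed sample: the cache_peer / cache_peer_domain lines from the squid.conf above.
SAMPLE_CONF = """\
cache_peer hon-web-01.hongens.local parent 80 0 no-query originserver name=server_00 front-end-https login=PASS
cache_peer_domain server_00 dstdomain home.hongens.nl
cache_peer hon-sps-01.hongens.local parent 80 0 no-query originserver name=server_02 front-end-https login=PASS connection-auth=on
cache_peer_domain server_02 dstdomain sharepoint.hongens.nl
cache_peer hon-exch-01.hongens.local parent 443 0 no-query originserver name=server_03 ssl sslflags=DONT_VERIFY_PEER front-end-https login=PASS connection-auth=on
cache_peer_domain server_03 dstdomain owa.hongens.nl
"""

def parse_peers(conf):
    """Map peer name -> {host, port, options, domains} from cache_peer lines."""
    peers = {}
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "cache_peer" and len(parts) >= 5:
            host, port, opts = parts[1], int(parts[3]), parts[5:]
            # Squid refers to a peer by its name= option, falling back to its hostname.
            name = next((o[5:] for o in opts if o.startswith("name=")), host)
            peers[name] = {"host": host, "port": port, "options": set(opts), "domains": []}
        elif parts[0] == "cache_peer_domain" and len(parts) >= 3:
            # Tolerate the literal "dstdomain" token used in the config above.
            domains = [d for d in parts[2:] if d != "dstdomain"]
            entry = peers.setdefault(parts[1], {"host": "?", "port": 0, "options": set(), "domains": []})
            entry["domains"] += domains
    return peers

def audit(peers):
    """Return (peer_name, finding) tuples a reviewer of this config would want to see."""
    findings, owner = [], {}
    for name, p in sorted(peers.items()):
        o = p["options"]
        if not p["domains"]:
            findings.append((name, "no cache_peer_domain binding: selectable for any Host header"))
        for d in p["domains"]:
            if d in owner:
                findings.append((name, f"{d} is also bound to {owner[d]}"))
            owner[d] = name
        if "ssl" not in o and "login=PASS" in o:
            findings.append((name, "plaintext hop to backend while login=PASS forwards client credentials"))
        if "sslflags=DONT_VERIFY_PEER" in o:
            findings.append((name, "backend certificate is not verified"))
        if "login=PASS" in o and "connection-auth=on" not in o:
            findings.append((name, "connection-auth not set explicitly; NTLM pinning relies on auto-detection"))
    return findings

if __name__ == "__main__":
    for peer, msg in audit(parse_peers(SAMPLE_CONF)):
        print(f"{peer}: {msg}")
```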