Comments on: Protect OWA using a reverse proxy

By: Kyle

Kyle — Wed, 10 Feb 2010 17:34:41 +0000

I figured out the record too long thing

And the answer was……?

By: Arch Willingham

Arch Willingham — Wed, 27 Jan 2010 10:52:11 +0000

Oh well….thanks anyway!
Arch

By: angelo

angelo — Tue, 26 Jan 2010 18:52:13 +0000

I don’t use RPC over http, I only use OWA.. Can’t help you with that, sorry.

By: Arch Willingham

Arch Willingham — Tue, 26 Jan 2010 16:28:43 +0000

I figured out the record too long thing….now I’m stuck with the certificate problems (or whatever ever is keeping them from talking). OWA works but Outlook HTTP/RPC flat will not work How did you do your certificates?.

Arch

By: angelo

angelo — Tue, 26 Jan 2010 14:35:22 +0000

don’t know, try http://www.google.com/search?q=squid+ssl_error_rx_record_too_long

By: Arch Willingham

Arch Willingham — Tue, 26 Jan 2010 01:41:20 +0000

I have tried this and I can’t get it to work. I get errors about

An error occurred during a connection to owa.oursite.com.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

Then the /var/log/httpd/error_log shows these errors:

[Mon Jan 25 20:36:05 2010] [error] [client 68.60.30.212] Invalid method in request \x16\x03\x01
[Mon Jan 25 20:36:05 2010] [error] [client 68.60.30.212] Invalid method in request \x16\x03\x01
[Mon Jan 25 20:36:22 2010] [error] [client 68.186.192.18] Invalid method in request \x16\x03\x01
[Mon Jan 25 20:36:26 2010] [error] [client 68.60.30.212] Invalid method in request \x16\x03\x01
[Mon Jan 25 20:36:26 2010] [error] [client 68.60.30.212] Invalid method in request \x16\x03\x01

Any ideas?

Arch

By: Frederick

Frederick — Thu, 19 Nov 2009 00:41:12 +0000

Hey man thanks for the tutorial.
Just wondering do you know of any ways of getting any better performance out of squid? It seems pretty darn slow.

Any help with fine-tuning it’s performance would be appreciated.

In the meantime I’ll be RTFM’ing

By: Mike

Mike — Mon, 26 Oct 2009 21:06:07 +0000

Wow… After banging my head against a wall for hours, I finally realized why I was getting that error. I will write it down here in hopes that it will help someone else.

I needed the ‘sslflags=DONT_VERIFY_PEER’ because I used an IP instead of a FQDN in the cache_peer line. (I changed ‘cache_peer 10.10.10.10 parent…’ to ‘cache_peer yoursite.yourdomain.com parent….’ (Where yoursite.yourdomain.com = the FQDN of the server you want to reverse proxy) and then added an entry for that site in my /etc/hosts file (with the real IP for the server I wanted to reverse proxy))

Again, I hope that the above gets picked up by the search engines and saves someone else a bit of pain.

By: Mike

Mike — Mon, 26 Oct 2009 20:34:10 +0000

Can you explain why you had to use ‘sslflags=DONT_VERIFY_PEER’

I have a valid SSL cert on my exchange server but for some reason, squid doesn’t like it. (It threw a whole lot of errors (fwdNegotiateSSL: Error negotiating SSL connection on FD 17: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)

I was eventually able to make it work by adding it to my squid.conf file too… but I don’t understand why I had to do it. The cert is valid and my browser doesn’t complain about it when I connect directly to OWA on the exchange server. Thoughts?

By: angelo

angelo — Thu, 23 Jul 2009 11:20:02 +0000

Lucas, the certificate you have installed on your exchange box does not have anything to do with squid, it’s just for internal use.

The squid acts as a client to your exchange box, that’s it.