OWA with squid 2.5 stable6, problem with connect
Hi there,

after reading multiple sites over a long time I hope I'm getting help via this list, I'm running crazy here.

Scheme:

client (www) -> squid (www - public ip) -> firewall -> owa (lan - private ip)

squid.conf:

visible_hostname host.domain.tld
https_port 443 cert=/etc/squid/server.crt key=/etc/squid/server.key
hosts_file /etc/squid/hosts
http_port 127.0.0.1:8080
httpd_accel_host srv066
httpd_accel_port 80
httpd_accel_uses_host_header off
httpd_accel_single_host on
httpd_accel_with_proxy off
acl acl_testmail dstdomain srv066
http_access allow acl_testmail
acl to_index urlpath_regex /$
acl to_favicon urlpath_regex /favicon.ico$
acl to_exchange urlpath_regex /exchange
http_access allow to_index
http_access allow to_favicon
http_access allow to_exchange
acl all src 0.0.0.0/0.0.0.0
header_access Accept-Encoding deny all
never_direct allow all
http_access deny all

When I try to connect via https://host.domain.tld, the following error occurred:

While trying to retrieve the URL: http://srv066
The following error was encountered:
* Unable to forward this request at this time.
This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:
* The cache administrator does not allow this cache to make direct connections to origin servers, and
* All configured parent caches are currently unreachable.

It's an urgent problem, so I hope I'm getting help here.

Greetings
Andy

--
free your mind, use open source
http://www.mono-project.com
ASCII ribbon campaign ( ) - against HTML email X & vCards / \
Dörfler Andreas wrote:
hi there,
after reading multiple sites over a long time I hope I'm getting help via this list, I'm running crazy here.
Scheme:
client (www) -> squid (www - public ip) -> firewall -> owa (lan - private ip)
squid.conf:
visible_hostname host.domain.tld
https_port 443 cert=/etc/squid/server.crt key=/etc/squid/server.key
hosts_file /etc/squid/hosts
http_port 127.0.0.1:8080
httpd_accel_host srv066
httpd_accel_port 80
httpd_accel_uses_host_header off
httpd_accel_single_host on
httpd_accel_with_proxy off
acl acl_testmail dstdomain srv066
http_access allow acl_testmail
acl to_index urlpath_regex /$
acl to_favicon urlpath_regex /favicon.ico$
acl to_exchange urlpath_regex /exchange
http_access allow to_index
http_access allow to_favicon
http_access allow to_exchange
acl all src 0.0.0.0/0.0.0.0
header_access Accept-Encoding deny all
never_direct allow all
http_access deny all
When I try to connect via https://host.domain.tld, the following error occurred:
While trying to retrieve the URL: http://srv066
The following error was encountered:
* Unable to forward this request at this time.
This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:
* The cache administrator does not allow this cache to make direct connections to origin servers, and
* All configured parent caches are currently unreachable.
It's an urgent problem, so I hope I'm getting help here.
Greetings
Andy
What about port-acls?

#Recommended minimum configuration:
#acl all src 0.0.0.0/0.0.0.0
#acl manager proto cache_object
#acl localhost src 127.0.0.1/255.255.255.255
#acl SSL_ports port 443 563
#acl Safe_ports port 80          # http
#acl Safe_ports port 21          # ftp
#acl Safe_ports port 443 563     # https, snews
#acl Safe_ports port 70          # gopher
#acl Safe_ports port 210         # wais
#acl Safe_ports port 1025-65535  # unregistered ports
#acl Safe_ports port 280         # http-mgmt
#acl Safe_ports port 488         # gss-http
#acl Safe_ports port 591         # filemaker
#acl Safe_ports port 777         # multiling http
#acl CONNECT method CONNECT

Point #1: Before getting access to any port it is useful to get correct acls for all used ports.

Point #2: Is there a listen-port configured to let your squid run on https-port?

Point #3: Is there a reason in caching https-content as this is insecure as https should not be cached!?

Point #4: I would do this with safe ports:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

Philippe

--
This message is digitally signed and bears neither seal nor signature! Unsolicited sending of advertising e-mail to private individuals violates §1 UWG and 823 I BGB (ruling of the LG Berlin of 2 Aug 1998, case no. 16 O 201/98). Any commercial use of the personal data transmitted, as well as passing it on to third parties, is expressly prohibited!
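To make Philippe's points #1 and #4 concrete, here is an added example (not code from the thread, and not Squid's own code): a small Python model of how Squid evaluates http_access lines, using the rules Squid documents (the first matching line wins, every ACL on one line must match, `!` negates an ACL, and when no line matches the result is the opposite of the last line's action). It models only the ACL types that appear in this thread (src, port, method, dstdomain, urlpath_regex, proto). The two configurations are reduced from the thread; the request fields and the client address 203.0.113.10 are constructed for the demonstration.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code).

Semantics modelled, as Squid documents them: first matching http_access line
wins; all ACLs on a line are ANDed; values within one acl definition are ORed;
a leading '!' negates; if no line matches, the opposite of the last line's
action applies (and with no lines at all this model denies).
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    host: str
    port: int
    path: str = "/"
    src: str = "203.0.113.10"   # constructed client address (TEST-NET-3)
    scheme: str = "http"


def parse_config(text):
    """Return (acls, rules).  acls: name -> (type, [values]);
    rules: ordered list of (action, [(negated, acl_name), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)   # repeated acl lines accumulate
        elif words[0] == "http_access":
            terms = [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]
            rules.append((words[1], terms))
    return acls, rules


def _port_in(value, port):
    """Match a single port ('80') or a range ('1025-65535')."""
    lo, _, hi = value.partition("-")
    return int(lo) <= port <= int(hi or lo)


def acl_matches(acls, name, req):
    if name not in acls:
        raise ValueError(f"undefined acl {name!r} (real Squid refuses to start)")
    kind, values = acls[name]
    if kind == "port":
        return any(_port_in(v, req.port) for v in values)
    if kind == "method":
        return req.method.upper() in {v.upper() for v in values}
    if kind == "dstdomain":
        # a leading '.' matches the domain and its subdomains, otherwise exact host
        return any(req.host == v or (v.startswith(".") and
                   (req.host == v[1:] or req.host.endswith(v))) for v in values)
    if kind == "urlpath_regex":
        return any(re.search(v, req.path) for v in values)
    if kind == "src":
        # accepts both '127.0.0.1/255.255.255.255' and '0.0.0.0/0' notations
        return any(ipaddress.ip_address(req.src) in ipaddress.ip_network(v, strict=False)
                   for v in values)
    if kind == "proto":
        return req.scheme in values
    raise ValueError(f"acl type {kind!r} not modelled here")


def http_access(config_text, req):
    """True if this model of Squid would allow req, False if it would deny it."""
    acls, rules = parse_config(config_text)
    last = None
    for action, terms in rules:
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            return action == "allow"
        last = action
    # no line matched: opposite of the last line's action (no lines at all: deny)
    return last == "deny"


# Philippe's ordering: port checks come before any allow line (reduced from his reply).
PORT_SAFE_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
acl to_exchange urlpath_regex /exchange
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow to_exchange
http_access deny all
"""

# The original post's ordering: a dstdomain allow precedes every port check.
ALLOW_FIRST_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl acl_testmail dstdomain srv066
http_access allow acl_testmail
http_access deny all
"""

if __name__ == "__main__":
    for conf_name, conf in (("port-safe", PORT_SAFE_CONF), ("allow-first", ALLOW_FIRST_CONF)):
        for req in (Request("GET", "srv066", 80, "/exchange/"),
                    Request("GET", "srv066", 25, "/exchange/"),
                    Request("CONNECT", "srv066", 8080)):
            print(f"{conf_name:12} {req.method:8} {req.host}:{req.port}{req.path} ->",
                  "allow" if http_access(conf, req) else "deny")
```

With the port ACLs first, a request for srv066 on port 25 is denied before any allow line is consulted, whereas the allow-first ordering lets the same request through because the dstdomain line matches first; that is the difference Philippe's point #1 is about.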
On Wed, 23 Mar 2005 12:10:51 +0100, Dörfler Andreas wrote
hi there,
after reading multiple sites over a long time I hope I'm getting help via this list, I'm running crazy here.
Scheme:
client (www) -> squid (www - public ip) -> firewall -> owa (lan - private ip)
It's an urgent problem, so I hope I'm getting help here.
Greetings
Andy
I implement the same thing with no problem. What is the firewall you use? Before going to squid.conf I think it is better to check the firewall.

First you need to give the internal OWA private IP an IP address on your Linux box, so give it:

ifconfig eth0:1 your_external_IP_but_different_from_proxy_IP

After that you should forward all the requests to your_external_IP_but_different_from_proxy_IP port https; port forward it to your internal_OWA_IP port 80 or 443. Set this in your firewall configuration.

Hope this helps.

Regards,
Edwin
Participants (3): Dörfler Andreas, edwin, Philippe Vogel