Mailinglist Archive: opensuse-security (228 mails)

RE: [suse-security] OWA with squid 2.5 stable6, problem with connect
  • From: Dörfler Andreas <Andreas.Doerfler@xxxxxxxxxx>
  • Date: Wed, 23 Mar 2005 15:00:57 +0100
  • Message-id: <D73F884883CCED428D90FEAABBD166F03428@xxxxxxxxxxxxxxxxxxxxxxxxx>
> -----Original Message-----
> From: Philippe Vogel [mailto:filiaap@xxxxxxxxxx]
> Sent: Wednesday, March 23, 2005 1:05 PM

> What about port-acls?
>
> #Recommended minimum configuration:
> #acl all src 0.0.0.0/0.0.0.0
> #acl manager proto cache_object
> #acl localhost src 127.0.0.1/255.255.255.255
> #acl SSL_ports port 443 563
> #acl Safe_ports port 80 # http
> #acl Safe_ports port 21 # ftp
> #acl Safe_ports port 443 563 # https, snews
> #acl Safe_ports port 70 # gopher
> #acl Safe_ports port 210 # wais
> #acl Safe_ports port 1025-65535 # unregistered ports
> #acl Safe_ports port 280 # http-mgmt
> #acl Safe_ports port 488 # gss-http
> #acl Safe_ports port 591 # filemaker
> #acl Safe_ports port 777 # multiling http
> #acl CONNECT method CONNECT

sure, my fault, added now to the conf

> Point #1: Before getting access to any port it is useful to get
> correct acls for all used ports.
>
> Point #2: Is there a listen-port configured to let your squid run on
> https-port?

sure:
https_port 443 cert=/etc/squid/server.crt key=/etc/squid/server.key

> Point #3: Is there a reason in caching https-content as this is
> insecure as https should not be cached!?

now my English fails me ...

> Point #4: I would do this with safe ports:
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

right ...


added to squid.conf:
# Exchange WebDAV verbs used by OWA; the WebDAV method is spelled PROPPATCH (and BPROPPATCH)
extension_methods SEARCH PROPFIND PROPPATCH MKCOL MOVE BMOVE DELETE BDELETE BPROPFIND BPROPPATCH REPORT

the connect now works, but I don't receive the login form on 443 from
Outlook Web Access.
clients move to https://host.domain.tld/exchange,
get a request to accept the certificate (from squid), a long load follows,
and after a while it breaks with:

While trying to retrieve the URL: http://srv066:443/exchange
The following error was encountered:
* Connection Failed
The system returned:
(111) Connection refused
The remote host or network may be down. Please try the request again.

the problem I see there: it's http and not https, and https is needed

does anyone know if there are changes to do on the OWA?

the current config looks like this:

visible_hostname host.domain.tld
https_port 443 cert=/etc/squid/server.crt key=/etc/squid/server.key
hosts_file /etc/squid/hosts
http_port 127.0.0.1:8080

httpd_accel_host srv066
httpd_accel_port 443
httpd_accel_uses_host_header off
httpd_accel_single_host on
httpd_accel_with_proxy off

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 3401 # snmp
acl CONNECT method CONNECT

acl acl_testmail dstdomain srv066
acl to_index urlpath_regex /$
acl to_favicon urlpath_regex /favicon.ico$
acl to_exchange urlpath_regex /exchange

# http_access is evaluated first-match: the denies have to come before any
# allow, otherwise an earlier "allow" short-circuits them and they never fire.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow acl_testmail
http_access allow to_index
http_access allow to_favicon
http_access allow to_exchange
# "allow all" is only tolerable here because httpd_accel_with_proxy is off
# and httpd_accel_single_host sends every request to srv066.
http_access allow all

# Exchange WebDAV verbs used by OWA; the WebDAV method is spelled PROPPATCH (and BPROPPATCH)
extension_methods SEARCH PROPFIND PROPPATCH MKCOL MOVE BMOVE DELETE BDELETE BPROPFIND BPROPPATCH REPORT
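Added example (editor's, not from the mail above and not from the Squid project): the error page in the mail, "http://srv066:443/exchange ... (111) Connection refused", shows what a Squid 2.5 accelerator does with the backend: it forwards every request to httpd_accel_host as plain HTTP, on httpd_accel_port. Pointing it at 443 means plain HTTP sent to the Exchange server's TLS port, which is refused. The fragment below keeps the hostnames and certificate paths from the mail, terminates TLS on Squid, and points the accelerator at a plain-HTTP port on the backend. It assumes that OWA on srv066 is also reachable over plain HTTP on port 80, that Squid was built with --enable-ssl, and that the paths are those of an Exchange 2003 OWA (/exchange, /exchweb, /public); all three are assumptions.

```conf
# Added example squid.conf for Squid 2.5 STABLE6; not the poster's configuration.
# Assumption: the OWA virtual server on srv066 also answers plain HTTP on port 80.

visible_hostname host.domain.tld

# Clients speak TLS to Squid; Squid terminates it here (needs --enable-ssl).
https_port 443 cert=/etc/squid/server.crt key=/etc/squid/server.key
http_port 127.0.0.1:8080

# Accelerator mode: Squid forwards to the backend as plain HTTP, so
# httpd_accel_port must be a port where srv066 actually speaks plain HTTP.
# With 443 here Squid produced "http://srv066:443/exchange ... Connection refused".
httpd_accel_host srv066
httpd_accel_port 80
httpd_accel_single_host on
httpd_accel_uses_host_header off
httpd_accel_with_proxy off

# WebDAV verbs OWA uses on top of GET/POST (note the spelling PROPPATCH/BPROPPATCH).
extension_methods SEARCH PROPFIND PROPPATCH MKCOL MOVE BMOVE DELETE BDELETE BPROPFIND BPROPPATCH REPORT

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 443 563
acl CONNECT method CONNECT
acl owa_host dstdomain srv066
# Paths assumed for an Exchange 2003 OWA front end.
acl owa_paths urlpath_regex ^/exchange ^/exchweb ^/public ^/$ ^/favicon\.ico$

# http_access is first-match: denies first, one narrow allow, then deny the rest.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow owa_host owa_paths
http_access deny all

# OWA responses are per-user and authenticated: do not keep them in the cache.
acl owa_any urlpath_regex .
no_cache deny owa_any
```

Two caveats. TLS ends on Squid, so between Squid and srv066 the OWA logon and mailbox traffic travel in the clear; that is only acceptable on a trusted segment, otherwise the Squid-to-backend hop needs TLS as well (Squid 2.5's cache_peer ssl option, if the build has it). And if the Exchange virtual directory in IIS is set to require SSL, the plain-HTTP hop will be answered with a 403 rather than the login form, so that setting has to be relaxed on the backend when Squid is the TLS endpoint.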
