From 236fd6390a90e48a37a8c8eddec3cbdff94f26f0 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Wed, 4 Jun 2014 14:21:27 +0200 Subject: add MAPI over HTTP support MAPI over HTTP is supported on at lease Exchange 2013 SP1 --- config/squid3/33/squid_reverse.inc | 15 +++++++-------- config/squid3/33/squid_reverse.xml | 11 +++++++++-- config/squid3/33/squid_reverse_general.xml | 16 ++++++++++------ 3 files changed, 26 insertions(+), 16 deletions(-) (limited to 'config/squid3/33') diff --git a/config/squid3/33/squid_reverse.inc b/config/squid3/33/squid_reverse.inc index 34ff2366..53724fd6 100755 --- a/config/squid3/33/squid_reverse.inc +++ b/config/squid3/33/squid_reverse.inc @@ -89,9 +89,6 @@ function squid_resync_reverse() { if(!empty($settings['reverse_ip'])) { $reverse_ip = explode(";", ($settings['reverse_ip'])); foreach ($reverse_ip as $reip) { - //IPv6 Addresses need to be enclosed in brackets - if (strpos($reip, ':')) $reip = '[' . $reip . ']'; - //HTTP if (!empty($settings['reverse_http'])) $conf .= "http_port {$reip}:{$http_port} accel defaultsite={$http_defsite} vhost\n"; @@ -110,7 +107,7 @@ function squid_resync_reverse() { foreach ($reverse_peers as $rp){ if ($rp['enable'] =="on" && $rp['name'] !="" && $rp['ip'] !="" && $rp['port'] !=""){ $conf_peer = "#{$rp['description']}\n"; - $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASS round-robin "; + $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASS "; if($rp['protocol'] == 'HTTPS') $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; $conf_peer .= "name=rvp_{$rp['name']}\n\n"; 
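Review bot: Removing the IPv6 bracket step at the top of the `foreach ($reverse_ip as $reip)` loop means an IPv6 listen address is now written as `http_port {$reip}:{$http_port}`, where the address and port separators can no longer be told apart. The commit subject only mentions MAPI over HTTP, and the `round-robin` drop in the next hunk is restored by a later commit in this series, so this may be an unintended revert; nothing visible here restores it. I would keep the step and tighten the test so that an address starting with a colon is also caught: `if (strpos($reip, ':') !== false) $reip = '[' . $reip . ']';`. The loop body continues outside the hunk.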
@@ -173,10 +170,12 @@ function squid_resync_reverse() { array_push($owa_dirs,'Microsoft-Server-ActiveSync'); if($settings['reverse_owa_rpchttp']) array_push($owa_dirs,'rpc/rpcproxy.dll','rpcwithcert/rpcproxy.dll'); - if($settings['reverse_owa_webservice']){ + if($settings['reverse_owa_mapihttp']) + array_push($owa_dirs,'mapi'); + if($settings['reverse_owa_webservice']){ array_push($owa_dirs,'EWS'); - //$conf .= "ignore_expect_100 on\n"; Obsolete on 3.3 - } + $conf .= "ignore_expect_100 on\n"; + } } if (is_array($owa_dirs)) foreach ($owa_dirs as $owa_dir) @@ -186,7 +185,7 @@ function squid_resync_reverse() { $reverse_external_domain = strstr($settings['reverse_external_fqdn'], '.'); $conf .= "acl OWA_URI_pfs url_regex -i ^https://autodiscover{$reverse_external_domain}/AutoDiscover/AutoDiscover.xml\n"; } - } + } //$conf .= "ssl_unclean_shutdown on"; if (is_array($reverse_maps)) foreach ($reverse_maps as $rm){ diff --git a/config/squid3/33/squid_reverse.xml b/config/squid3/33/squid_reverse.xml index 7c25c371..2e2124eb 100755 --- a/config/squid3/33/squid_reverse.xml +++ b/config/squid3/33/squid_reverse.xml @@ -165,7 +165,7 @@ reverse_https If this field is checked, the proxy-server will act in HTTPS reverse mode. <br>(You have to add a rule with destination "WAN-address") checkbox - reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_autodiscover,reverse_ssl_chain + reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_autodiscover,reverse_ssl_chain off 
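Review bot: The re-enabled `$conf .= "ignore_expect_100 on\n";` in the `reverse_owa_webservice` branch contradicts the comment it replaces, which marked the directive "Obsolete on 3.3", and this file sits under `config/squid3/33`. If the directive is still obsolete for the packaged Squid, every EWS-enabled config will carry a line the daemon ignores or warns about at parse time. Either leave it commented out or record why it is needed again, for example `// re-enabled for <reason>; verified against Squid <version>`. The new `reverse_owa_mapihttp` branch also publishes another Exchange path (`mapi`) through the proxy, so the field description could say that it is reachable from the WAN side once checked.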
@@ -214,7 +214,7 @@ reverse_owa If this field is checked, squid will act as an accelerator/ SSL offloader for Outlook Web App. checkbox - reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_webservice,reverse_owa_autodiscover + reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_webservice,reverse_owa_autodiscover OWA frontend IP address @@ -235,6 +235,13 @@ If this field is checked, RPC over HTTP will be enabled. checkbox + + Enable MAPI HTTP + reverse_owa_mapihttp + + This feature is only available with at least Exchange 2013 SP1]]> + checkbox + Enable Exchange WebServices reverse_owa_webservice diff --git a/config/squid3/33/squid_reverse_general.xml b/config/squid3/33/squid_reverse_general.xml index 374666d7..595bf497 100755 --- a/config/squid3/33/squid_reverse_general.xml +++ b/config/squid3/33/squid_reverse_general.xml @@ -149,7 +149,7 @@ reverse_https If this field is checked, the proxy-server will act in HTTPS reverse mode. <br>(You have to add a rule with destination "WAN-address") checkbox - reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_autodiscover,reverse_ssl_chain + reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_autodiscover,reverse_ssl_chain off @@ -200,12 +200,9 @@ Enable OWA reverse proxy reverse_owa -
- See also:
- How to configure SSL Offloading for Outlook Web Access in Exchange 2000 Server and in Exchange Server 2003 - ]]>
+ If this field is checked, squid will act as an accelerator/ SSL offloader for Outlook Web App. checkbox - reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_webservice,reverse_owa_autodiscover + reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_webservice,reverse_owa_autodiscover
OWA frontend IP address @@ -226,6 +223,13 @@ If this field is checked, RPC over HTTP will be enabled. checkbox + + Enable MAPI HTTP + reverse_owa_mapihttp + + This feature is only available with at least Exchange 2013 SP1]]> + checkbox + Enable Exchange WebServices reverse_owa_webservice -- cgit v1.2.3 From ee145ac6f83563d78f362057433d6ca33320778e Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Wed, 4 Jun 2014 14:25:28 +0200 Subject: correct formatting --- config/squid3/33/squid_reverse.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config/squid3/33') diff --git a/config/squid3/33/squid_reverse.inc b/config/squid3/33/squid_reverse.inc index 53724fd6..f438b4e3 100755 --- a/config/squid3/33/squid_reverse.inc +++ b/config/squid3/33/squid_reverse.inc @@ -172,7 +172,7 @@ function squid_resync_reverse() { array_push($owa_dirs,'rpc/rpcproxy.dll','rpcwithcert/rpcproxy.dll'); if($settings['reverse_owa_mapihttp']) array_push($owa_dirs,'mapi'); - if($settings['reverse_owa_webservice']){ + if($settings['reverse_owa_webservice']){ array_push($owa_dirs,'EWS'); $conf .= "ignore_expect_100 on\n"; } -- cgit v1.2.3 From 3156aabea6f8c49237c2f0bcf593dc0623cbdbae Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Wed, 4 Jun 2014 14:32:25 +0200 Subject: correct definition the CAS-Array is the server we want to reach... --- config/squid3/33/squid_reverse.xml | 4 ++-- config/squid3/33/squid_reverse_general.xml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'config/squid3/33') diff --git a/config/squid3/33/squid_reverse.xml b/config/squid3/33/squid_reverse.xml index 2e2124eb..28d8cbcf 100755 --- a/config/squid3/33/squid_reverse.xml +++ b/config/squid3/33/squid_reverse.xml 
@@ -217,9 +217,9 @@ reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_webservice,reverse_owa_autodiscover - OWA frontend IP address + CAS-Array / OWA frontend IP address reverse_owa_ip - This is the internal IP Address of the OWA frontend server. + This is the internal IP Address of the CAS-Array / OWA frontend server. input 15 diff --git a/config/squid3/33/squid_reverse_general.xml b/config/squid3/33/squid_reverse_general.xml index 595bf497..029072a6 100755 --- a/config/squid3/33/squid_reverse_general.xml +++ b/config/squid3/33/squid_reverse_general.xml @@ -205,9 +205,9 @@ reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_webservice,reverse_owa_autodiscover - OWA frontend IP address + CAS-Array / OWA frontend IP address reverse_owa_ip - This is the internal IP Address of the OWA frontend server. + This is the internal IP Address of the CAS-Array / OWA frontend server. input 15 -- cgit v1.2.3 From 9d1e12beb5196e721e92d98458371e3342182d7b Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Wed, 4 Jun 2014 16:34:03 +0200 Subject: do not revert the round-robin patch 1bcfd29 --- config/squid3/33/squid_reverse.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config/squid3/33') diff --git a/config/squid3/33/squid_reverse.inc b/config/squid3/33/squid_reverse.inc index f438b4e3..92bef0fb 100755 --- a/config/squid3/33/squid_reverse.inc +++ b/config/squid3/33/squid_reverse.inc 
@@ -107,7 +107,7 @@ function squid_resync_reverse() { foreach ($reverse_peers as $rp){ if ($rp['enable'] =="on" && $rp['name'] !="" && $rp['ip'] !="" && $rp['port'] !=""){ $conf_peer = "#{$rp['description']}\n"; - $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASS "; + $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASS round-robin"; if($rp['protocol'] == 'HTTPS') $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; $conf_peer .= "name=rvp_{$rp['name']}\n\n"; -- cgit v1.2.3 From 60725ba2a9ec8b1b84c0008643c7cc7dc02499a1 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 6 Jun 2014 13:33:47 +0200 Subject: offload the whole auth process onto a backend peer. with squid-3.2+ you use login=PASSTHRU and *no* Squid auth setup to offload the whole auth process onto a backend peer. --- config/squid3/33/squid_reverse.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config/squid3/33') diff --git a/config/squid3/33/squid_reverse.inc b/config/squid3/33/squid_reverse.inc index 92bef0fb..fe94f394 100755 --- a/config/squid3/33/squid_reverse.inc +++ b/config/squid3/33/squid_reverse.inc @@ -100,7 +100,7 @@ function squid_resync_reverse() { //PEERS if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) - $conf .= "cache_peer {$settings['reverse_owa_ip']} parent 443 0 proxy-only no-query originserver login=PASS connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_pfs\n"; + $conf .= "cache_peer {$settings['reverse_owa_ip']} parent 443 0 proxy-only no-query originserver login=PASSTHRU connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_pfs\n"; $active_peers=array(); if (is_array($reverse_peers)) -- cgit v1.2.3 From 2768bbb36a730449c51654172c14ef87f9c2ea67 Mon Sep 17 00:00:00 2001 
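Review bot: The restored option string in the `-107,7` hunk ends in `round-robin";` with no trailing space, whereas the line originally removed ended in `round-robin ";`. The following statements append `ssl sslflags=...` or `name=rvp_{$rp['name']}` directly, so the generated line contains `round-robinssl` or `round-robinname=rvp_...`, and the peer loses both its selection method and its name. The last commit in this series (`login=PASSTHRU round-robin";`) carries the same missing space. The fix is the trailing blank: `... originserver login=PASSTHRU round-robin ";`.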
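Review bot: The OWA `cache_peer` line in the `-100,7` hunk now uses `login=PASSTHRU` but keeps `sslflags=DONT_VERIFY_PEER`, so the client's authentication headers are relayed to the backend over a TLS link whose server certificate is never checked. A host that can sit between the proxy and the Exchange server would receive those credentials without either side noticing. The settings listed on this page include `reverse_int_ca` and `reverse_ignore_ssl_valid`, so `DONT_VERIFY_PEER` could be emitted only when the admin has opted out of validation, with the peer otherwise pointed at the internal CA via Squid's `sslcafile=` option on `cache_peer`. The per-peer line changed in the last commit of the series combines `login=PASSTHRU` with the same flag for HTTPS peers. The commit message's precondition of "*no* Squid auth setup" is not checked anywhere visible, so a short comment above the line stating it would help the next maintainer.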
From: Martin Fuchs Date: Fri, 6 Jun 2014 13:48:24 +0200 Subject: offload reverse auth to backend --- config/squid3/33/squid_reverse.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config/squid3/33') diff --git a/config/squid3/33/squid_reverse.inc b/config/squid3/33/squid_reverse.inc index fe94f394..eca216a1 100755 --- a/config/squid3/33/squid_reverse.inc +++ b/config/squid3/33/squid_reverse.inc @@ -107,7 +107,7 @@ function squid_resync_reverse() { foreach ($reverse_peers as $rp){ if ($rp['enable'] =="on" && $rp['name'] !="" && $rp['ip'] !="" && $rp['port'] !=""){ $conf_peer = "#{$rp['description']}\n"; - $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASS round-robin"; + $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin"; if($rp['protocol'] == 'HTTPS') $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; $conf_peer .= "name=rvp_{$rp['name']}\n\n"; -- cgit v1.2.3