Configuring Squid as an accelerator/SSL offload for Outlook Web Access

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.

Outline

Squid can be easily used to provide SSL acceleration services for Outlook Web Access. It can also speak SSL to the backend Exchange server. Later versions of Squid-2.6 support all the methods used by WebDAV by default. Please consider upgrading to at least the latest Squid-2.6 STABLE release before attempting this.

Setup

The example situation involves a single Outlook Web Access server and a single Squid server. The following information is required:

  • The IP of the Squid server (ip_of_squid)
  • The 'public' domain used for Outlook Web Access (owa_domain_name)
  • The IP of the Outlook Web Access server (ip_of_owa_server)

Configuration

/!\

This configuration MUST appear at the top of squid.conf above any other forward-proxy configuration (http_access etc). Otherwise the standard proxy access rules block some people viewing the accelerated site.

Please note that the https_port and cache_peer lines may wrap in your browser!

https_port ip_of_squid:443 accel cert=/path/to/certificate/ defaultsite=owa_domain_name

cache_peer ip_of_owa_server parent 80 0 no-query originserver login=PASS front-end-https=on name=owaServer

acl OWA dstdomain owa_domain_name
cache_peer_access owaServer allow OWA
never_direct allow OWA

# lock down access to only query the OWA server!
http_access allow OWA
http_access deny all
miss_access allow OWA
miss_access deny all

If the connection to the OWA server requires SSL then the cache_peer line should be changed appropriately:

cache_peer ip_of_owa_server parent 443 0 no-query originserver login=PASS ssl sslcert=/path/to/client-certificate name=owaServer
  • (!) an apparent bug in Squid-3.1 means that https_port may also need to use the connection-auth=off option for now.

Troubleshooting

OWA works but ActiveSync fails

Windows Phone says "Connection error. Try again later." and current status shows "Unable to connect. Retrying."

PROBLEM:

  • The device sending Expect: 100-continue HTTP/1.1 headers, but being unable to retry correctly when presented with the 417 response.

SOLUTION:

  • Squid-2.7 and Squid-3.1 offer the ignore_expect_100 directive to skip the 417 and wait for the client to resume. There are potential DoS side effects to its use, please avoid unless you must.

    Squid-3.2 supports the HTTP/1.1 feature these clients depend on. This problem will not occur there.

See also

Thanks

Thanks to Tuukka Laurikainen <t.laurikainen@ibermatica.com> for providing the background information for this article.


CategoryConfigExample

ConfigExamples/Reverse/OutlookWebAccess (last edited 2012-01-04 07:19:15 by AmosJeffries)