Squid as a reverse proxy for Exchange
Posted: 05 Dec 2016 16:47
Hello all,
I am attempting to set up Squid as a reverse proxy for Outlook Web Access to my Exchange 2013 server.
I have struggled a lot with the certificates from Exchange to Squid.
Has anyone done this? Figuring out the SSL cert conversion is especially painful for a newbie. I used our internal Windows Active Directory Certification Authority to create the Exchange cert.
At this time, I am getting this:
2016/12/05 11:19:11| fwdNegotiateSSL: Error negotiating SSL connection on FD 12: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
Here is my squid.conf:
[root@mailproxy squid]# more /etc/squid/squid.conf
https_port 192.168.47.156:8443 accel cert=/certificates/priv.key defaultsite=mail.mydomain.org
cache_peer 192.168.47.12 parent 443 0 no-query originserver login=PASS ssl sslcert=/certificates/priv.key name=owaServer
acl OWA dstdomain mail.mydomain.org
cache_peer_access owaServer allow OWA
never_direct allow OWA
# lock down access to only query the OWA server!
http_access allow OWA
#http_access deny all
miss_access allow OWA
miss_access deny all
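The following is an added example for this thread, not the poster's own files or Squid project code. It walks through the two things the post is stuck on: turning the certificate exported on the Exchange/Windows CA side (a .pfx) into the PEM files Squid wants, and checking, the same way Squid's cache_peer does, that the Exchange server certificate chains to the internal AD CA. The posted error (14090086, "certificate verify failed") is exactly that check failing, so the fix is to hand Squid the CA certificate rather than switch verification off. Everything is built locally with openssl so it runs offline; the CA names, the second "untrusted" CA and the export password "demo" are invented for the demo, while the IPs and hostname are the ones from the post. Option names are Squid 3.5's (`sslcafile=`, `ssldomain=`); Squid 4 renamed them to `tls-cafile=` and `tls-domain=`.

```shell
#!/bin/sh
# Added example (not from the original post): PFX -> PEM conversion, the chain
# check behind Squid's "certificate verify failed", and a matching squid.conf.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# 1. Stand-ins for the internal AD CA, a second CA that Squid does NOT trust,
#    and the Exchange certificate (constructed demo PKI, not real certificates).
make_demo_pki() {
  for ca in ad-ca other-ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$ca (demo)" \
      -keyout "$WORK/$ca.key" -out "$WORK/$ca.crt" >/dev/null 2>&1
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.mydomain.org" \
    -keyout "$WORK/exchange.key" -out "$WORK/exchange.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:mail.mydomain.org\n' > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/exchange.csr" -CA "$WORK/ad-ca.crt" \
    -CAkey "$WORK/ad-ca.key" -CAcreateserial -days 825 -extfile "$WORK/san.ext" \
    -out "$WORK/exchange.crt" >/dev/null 2>&1
  # What an Exchange certificate export hands you: a PKCS#12 with key + chain
  openssl pkcs12 -export -inkey "$WORK/exchange.key" -in "$WORK/exchange.crt" \
    -certfile "$WORK/ad-ca.crt" -passout pass:demo -out "$WORK/exchange.pfx"
}

# 2. PFX -> the three PEM files Squid needs: leaf cert, private key, CA cert.
pfx_to_pem() {  # usage: pfx_to_pem file.pfx password outdir
  mkdir -p "$3"
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/owa.crt" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes  -out "$3/owa.key" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3/ad-ca.crt" 2>/dev/null
  chmod 600 "$3/owa.key"   # Squid needs the key unencrypted, so guard the file
}

# 3. The checks. verify_chain is what Squid does to the peer certificate:
#    it succeeds only if the cert chains to a CA in the given file.
verify_chain() {  # usage: verify_chain ca.crt server.crt
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# The other classic mistake: a cert and key that do not belong together.
key_matches_cert() {  # usage: key_matches_cert owa.key owa.crt
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}
# Live version of the same check against the real Exchange box (not run here).
probe_exchange() {  # usage: probe_exchange ad-ca.crt
  openssl s_client -connect 192.168.47.12:443 -servername mail.mydomain.org \
    -CAfile "$1" </dev/null 2>/dev/null | grep 'Verify return code'
}

# 4. squid.conf for the poster's layout. Compared with the posted file: cert
#    and key are named separately, cache_peer gets the CA file plus the name to
#    check the peer cert against (the peer is addressed by IP), and the deny
#    rules are active so the proxy serves nothing but OWA.
write_squid_conf() {  # usage: write_squid_conf /etc/squid/squid.conf
  cat > "$1" <<'EOF'
https_port 192.168.47.156:8443 accel cert=/certificates/owa.crt key=/certificates/owa.key defaultsite=mail.mydomain.org
cache_peer 192.168.47.12 parent 443 0 no-query originserver login=PASS ssl sslcafile=/certificates/ad-ca.crt ssldomain=mail.mydomain.org name=owaServer
acl OWA dstdomain mail.mydomain.org
cache_peer_access owaServer allow OWA
cache_peer_access owaServer deny all
never_direct allow OWA
http_access allow OWA
http_access deny all
miss_access allow OWA
miss_access deny all
EOF
}
```

Run `make_demo_pki`, `pfx_to_pem "$WORK/exchange.pfx" demo /certificates` and then `verify_chain /certificates/ad-ca.crt /certificates/owa.crt` before touching squid.conf; if that command fails on the real export, the CA you gave Squid is not the one that signed the Exchange cert (or the PFX did not include the chain, in which case export the CA cert from the Windows CA as Base-64 .cer instead). The tempting shortcut is `sslflags=DONT_VERIFY_PEER` on the cache_peer line, but with `login=PASS` the proxy forwards users' credentials across that link, so an unverified peer means anyone who can answer for 192.168.47.12 gets them.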