Saturday, January 28, 2012 00:22

Squid Reverse Proxy for OWA and RPC over HTTPS

This method was tested on Debian 5.0 Lenny in SBS 2003 and Server 2003 environments.

Why use Squid?

  • It is free in most ways (GPL) – M$ ISA is not free
  • Apache can’t do RPC Reverse Proxying (yet?)

The Basics

Install Lenny using the net install disc with internet access available. When it prompts for the type of installation, you only need the base package. You can add the “Desktop Environment”, but I haven’t tested adding any other functions at base install. Installing the Desktop is not recommended as it will create overhead (if you let it start on boot).

Make sure that you set up the apt repositories to use the http and ftp resources before you try apt-get. (Uncomment the lines in “/etc/apt/sources.list”)

OWA and/or RPC should be tested and working before you try the proxy.

The certificate on the external interface of your Proxy machine needs to be signed by a recognized CA or RPC will not work properly (and you should do this anyway). The Certificates between the Exchange server and the Proxy do not need to be signed by a recognized CA (for it to work). I used an inexpensive cert from GoDaddy (~$30) for the working example.

This method uses TWO certificates, one per hop:  RPC client/browser -> SSL -> proxy -> SSL -> Exchange

Update apt, install OpenSSL

As root, update the local apt database.

# apt-get update

Now, install OpenSSL and essential ssl development libraries.

# aptitude install build-essential openssl libssl-dev

You shouldn’t have to do this, but you can also make sure g++ is installed (this is a compiler).

# apt-get install g++

Installing Squid

Go to http://squid-cache.org and download the 3.0 Stable version in tar.gz format.

Move the file to a directory whose path you will remember. In this document I download to the /home/exampleuser/ directory because I can write there without being root.

I will assume that you can download and move the file without instruction.

NOTE: While Squid is in the apt repository, the apt installer will not enable SSL support; this is why we are compiling from source. Please note this also means you will not be able to update Squid using the apt repositories.

Once the file is downloaded, open a console and login as root, change directory to where we downloaded Squid and unpack the tar.

# cd /home/exampleuser/

# tar xvfz squid-3.0.STABLE16.tar.gz

NOTE: “squid-3.0.STABLE16” is the name of the current Squid 3 stable release, yours may be a different number, so make sure to use the file name of your file, don’t assume it is still 16.

Now, let’s get to the compiling: first change into the source directory (“cd”), then configure, compile, and install Squid.

# cd /home/exampleuser/squid-3.0.STABLE16

# ./configure --enable-ssl --with-openssl=/usr/include/openssl/

# make

# make install

After the Install, you will need to create the squid cache.

# /usr/local/squid/sbin/squid -z

Squid Configuration

Replace the text in squid.conf with the below template. (Use whatever editor you want, nano is just easiest for newbies).

# nano /usr/local/squid/etc/squid.conf

Squid.conf Template - the hostnames, IP address and certificate paths are specific to your environment and need to be assigned. Each directive is a single line, however it wraps on screen:

visible_hostname owa.examplecompany.net
extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port 443 cert=/path/to/external/cert key=/path/to/external/cert.key defaultsite=external.owa.domain.name
cache_peer ip.address.of.exchange parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/path/to/exchange/cert.crt sslkey=/path/to/exchange/certkey.pem name=owaServer
acl OWA dstdomain external.owa.domain.name
cache_peer_access owaServer allow OWA
never_direct allow OWA
http_access allow OWA
http_access deny all
miss_access allow OWA
miss_access deny all
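A quick sanity check for the finished file, added here as an example that is not part of the original post: it reads the directives above (one per line, as Squid expects) and looks for the rules that stop the proxy from relaying anything other than OWA, checks that the allow rule comes before the deny-all, confirms the RPC methods and certificate parameters are present, and flags the DONT_VERIFY_PEER setting so nobody forgets that the proxy-to-Exchange hop is not authenticated. The path to the squid.conf is the only argument; it is whatever you saved above, nothing in the checker is tied to a specific file.

```shell
#!/bin/sh
# Added example, not part of the original post: lint a squid.conf built
# from the template above before (re)starting Squid. Only the directives
# the template uses are checked; the file path is an argument.

# Print the effective directives: comments and blank lines removed.
conf_directives() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# check_squid_conf FILE
# Prints ERROR/WARN findings; returns 0 when there are no errors, 1 otherwise.
check_squid_conf() {
    errors=0
    conf=$(conf_directives "$1")

    # The explicit deny-all rules are what limit the proxy to the OWA host
    # instead of letting it relay anything it is asked for.
    for directive in http_access miss_access; do
        printf '%s\n' "$conf" | grep -Eq "^$directive[[:space:]]+deny[[:space:]]+all" \
            || { echo "ERROR: missing '$directive deny all'"; errors=$((errors + 1)); }
    done

    # http_access is evaluated top to bottom, first match wins, so the allow
    # for OWA must come before the deny-all or every request is refused.
    allow_line=$(printf '%s\n' "$conf" | grep -En '^http_access[[:space:]]+allow' | head -n 1 | cut -d: -f1)
    deny_line=$(printf '%s\n' "$conf" | grep -En '^http_access[[:space:]]+deny[[:space:]]+all' | head -n 1 | cut -d: -f1)
    if [ -n "$allow_line" ] && [ -n "$deny_line" ] && [ "$allow_line" -gt "$deny_line" ]; then
        echo "ERROR: 'http_access deny all' precedes the allow rule"
        errors=$((errors + 1))
    fi

    # The listener must present the CA-signed external certificate and its key.
    printf '%s\n' "$conf" | grep -Eq '^https_port[[:space:]].*cert=.*key=' \
        || { echo "ERROR: https_port lacks cert= and/or key="; errors=$((errors + 1)); }

    # Outlook's RPC over HTTPS uses the RPC_IN_DATA / RPC_OUT_DATA methods;
    # without extension_methods Squid rejects them as unknown.
    printf '%s\n' "$conf" | grep -Eq '^extension_methods[[:space:]].*RPC_IN_DATA.*RPC_OUT_DATA' \
        || { echo "ERROR: extension_methods must list RPC_IN_DATA and RPC_OUT_DATA"; errors=$((errors + 1)); }

    # originserver marks Exchange as the origin; login=PASS passes the
    # client's credentials through instead of having Squid authenticate.
    printf '%s\n' "$conf" | grep -Eq '^cache_peer[[:space:]].*originserver.*login=PASS' \
        || { echo "ERROR: cache_peer needs originserver and login=PASS"; errors=$((errors + 1)); }

    # DONT_VERIFY_PEER means the proxy accepts any certificate from the
    # Exchange side, so that hop relies on the LAN being trusted.
    printf '%s\n' "$conf" | grep -q 'DONT_VERIFY_PEER' \
        && echo "WARN: sslflags=DONT_VERIFY_PEER: the Exchange certificate is not validated"

    [ "$errors" -eq 0 ]
}
```

Run it as `check_squid_conf /usr/local/squid/etc/squid.conf` after editing; a non-zero exit means one of the ERROR lines above applies and Squid should not be started on that file.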

Certificate Notes

Getting the certificates organized and prepared is sometimes the most daunting part of the setup.

For the internet-facing certificate, you will need to get a certificate from a certificate authority. I used GoDaddy. If they ask you what type of server you want it for, choose “Apache”. Make sure the “Simple Name” is the same as the external web address used to access the OWA server, in our case “owa.examplecompany.net”.

After you order it from GoDaddy and initiate the process per their directions, you will get to a point where it asks you to paste your certificate request.

Generate the request on the proxy server.

# mkdir /usr/local/squid/certs/

# cd /usr/local/squid/certs/

# openssl genrsa -des3 -out owa.examplecompany.net.key 1024

# openssl req -new -key owa.examplecompany.net.key -out owa.examplecompany.net.csr

Copy the contents of owa.examplecompany.net.csr to the request form.

Once you get the certificate files from the CA, you will most likely get a bundle (intermediate) certificate and the public certificate.

You will need to add gd_bundle.crt to owa.examplecompany.net.crt. First, back up the owa.examplecompany.net.crt file, then append gd_bundle.crt to it.

# cp /usr/local/squid/certs/owa.examplecompany.net.crt /usr/local/squid/certs/certsexampleuser/owa.examplecompany.net.backup

# cat /usr/local/squid/certs/gd_bundle.crt >> /usr/local/squid/certs/owa.examplecompany.net.crt

For the exchange server communication, you can use a self-signed certificate.

If you generate a self-signed certificate on your Exchange server, you can export it as a PFX and use openssl on your proxy to convert it into the usable format. First, move the PFX file to the proxy (this example assumes it is in “/usr/local/squid/certs/”).

# cd /usr/local/squid/certs/

# openssl pkcs12 -in exchangecert.pfx -nocerts -out exchange.key

# openssl rsa -in exchange.key -out nopassexchange.key

# openssl pkcs12 -in exchangecert.pfx -nokeys -out exchange.crt

Now you have the key and the crt; move them to the paths you specified in the squid.conf file.

Final Notes:

You have to forward the 443 traffic from your router to the proxy for this to work, and you have to make sure that 443 traffic is being allowed to your proxy. This involves iptables, which I will not get into.

I tested in the live environment before changing the forwarding on my router by changing my local hosts file to forward owa.examplecompany.net to the local address of the proxy. This worked fine for OWA testing.

Also, you should either set the ip address on the proxy or create a reservation for its MAC on your DHCP server.

References/Bibliography/Special Thanks:

The Squid Cache Project - http://www.squid-cache.org

The Debian Project - http://www.debian.org

Owen Campbell - http://www.tanti.org.uk/index.php/blogs/owencampbell/3-tech/3-proxy

Squid Cache Wiki - http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess

Laurent Brichet - http://www.brichet.be/how-to-setup-a-reverse-proxy-server-over-ssl-squid-debian

3 Responses to “Squid Reverse Proxy for OWA and RPC over HTTPS”

  1. Owen Campbell says:

    Many thanks for citing my article on Squid and Exchange.

    I’ve actually moved that article from my Company’s website to my personal site. Could you possibly change your link from

    http://www.empiria.co.uk/index.php/blog-techie/5-technical/19-proxy

    to

    http://www.tanti.org.uk/index.php/blogs/blog-owen/3-tech/3-proxy

    Owen

  2. Do you have copy writer for so good articles? If so please give me contacts, because this really rocks! :)

  3. Pavel Knava says:

    Hi All,

    We would like to use Squid reverse proxy for Exchange 2010, but we cannot use NTLM authentication. Proxy cannot use it. Do you have any idea why?
    Thank you
