Microsoft Exchange OWA e Outlook Anywhere con Reverse Proxy Squid
Volendo realizzare un reverse proxy per Exchange 2016 OWA e Outlook Anywhere l’unica possibilità per avere il supporto RPC over HTTP è utilizzare squid come reverse proxy.
Squid pubblica un howto per configurare correttamente il servizio per questo compito, qui un link tuttavia la guia non è esaustiva.
Versione aggiornata 2017 con Centos7 e Squid 3.5 per Exchange 2016 e valutazione A su Qualsys ssl test.
client_persistent_connections off sslproxy_options NO_SSLv3,NO_SSLv2,SINGLE_DH_USE sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!IDEA workers 4 buffered_logs on forwarded_for on maximum_object_size 512 MB cache_mem 2 GB cache_replacement_policy heap LFUDA memory_replacement_policy heap GDSF #cache_replacement_policy GDSF #memory_replacement_policy lru memory_pools on http_port 0.0.0.0:80 accel https_port 0.0.0.0:443 accel \ cert=/etc/squid/ssl/<certificate>.cer \ key=/etc/squid/ssl/<key>.key \ cafile=/etc/squid/ssl/<ca>.pem \ options=NO_SSLv3,NO_SSLv2,SINGLE_DH_USE,SINGLE_ECDH_USE,CIPHER_SERVER_PREFERENCE \ cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \ dhparams=/etc/squid/ssl/dhparam.pem \ tls-dh=prime256v1:/etc/squid/ssl/dhparam.pem \ defaultsite=<domain> cache_peer <IP> parent 443 0 \ no-query originserver \ login=PASSTHRU connection-auth=on \ ssl sslflags=DONT_VERIFY_PEER \ front-end-https \ ssloptions=NO_SSLv2 \ name=exchangeServer ##acl manager proto cache_object (OPTIONAL) #for squidclient access #acl localhost src 127.0.0.1/32 #http_access allow manager localhost http_access deny manager # ACL to allow your FQDNs acl MS-OWA dstdomain <domain> autodiscover.<domain> # Redirect port 80 requests to port 443 acl port80 myport 80 http_access deny port80 MS-OWA # ecp acl ecp_eccezione urlpath_regex ^/ecp/MyGroups http_access allow ecp_eccezione acl ecp urlpath_regex ^/ecp deny_info https://<domain>/owa ecp http_access deny ecp deny_info https://<domain>/owa MS-OWA cache_peer_access exchangeServer allow MS-OWA cache_peer_access exchangeServer deny all never_direct allow MS-OWA cache deny all # Lock down access to just the Exchange Server! http_access allow MS-OWA http_access deny all miss_access allow MS-OWA miss_access deny all
Disable TLS Compression in /etc/sysconfig/squid add
export OPENSSL_NO_DEFAULT_ZLIB=1
Perfect Forward Secrecy
openssl dhparam -out /etc/squid/ssl/dhparams.pem 2048
CA Chain es.DigiCert SHA2 High Assurance Server CA
Sito: https://www.digicert.com/digicert-root-certificates.htm
wget https://www.digicert.com/CACerts/DigiCertSHA2HighAssuranceServerCA.crt openssl x509 -inform DER -in DigiCertSHA2HighAssuranceServerCA.crt -out DigiCertSHA2HighAssuranceServerCA.pem -outform PEM
Link utili:
<blockquote data-secret="5eVCDR9zto" class="wp-embedded-content"><a href="http://www.rawiriblundell.com/?p=1442">squid reverse proxy: improving your ssllabs score</a></blockquote> <iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; clip: rect(1px, 1px, 1px, 1px);" src="http://www.rawiriblundell.com/?p=1442&embed=true#?secret=5eVCDR9zto" data-secret="5eVCDR9zto" width="600" height="338" title="“squid reverse proxy: improving your ssllabs score” — rawiriblundell.com" frameborder="0" marginwidth="0" marginheight="0" scrolling="no"></iframe>
Vecchia versione, lasciata per questione storiche.
Nel configurare e testare questa configurazione abbiamo riscontrato alcuni problemi.
Il primo riguarda l’impossibilità di effettuare upload di dimensioni poco più che minime.
Il tentativo si risolve in un errore 502 sul server.
La spiegazione è data dallo strato SSL, utilizzando uno squid con il supporto per openssl 0.9.8 ad esempio il problema non si manifesta.
Analizzando il traffico abbiamo verificato che deve succedere qualcosa durante il rekey del certificato che fa chiudere la connessione al server Exchange.
Inserendo sslversion=3 nella direttiva cache_peer il problema è scomparso.
cache_peer %EXCHANGE_SERVER_FQDN% parent 443 0 no-query originserver login=PASS connection-auth=on ssl sslflags=DONT_VERIFY_PEER sslcafile=/etc/squid/server.crt sslversion=3 name=exchangeServer
Allo stesso modo per il supporto di alcune piattaforme OSX abbiamo inserito la direttiva:
client_persistent_connections off
Per finire la gestione dell’autodiscover:
acl MS-OWA dstdomain webmail.domainname.com autodiscover.domainname.com
Ecco qui il file di configurazione completo:
client_persistent_connections off http_port 80 accel https_port %SQUID_IP_ADDR%:443 accel cert=/etc/squid/your_ssl.crt defaultsite=webmail.domainname.com cache_peer %EXCHANGE_SERVER_FQDN% parent 443 0 no-query originserver login=PASS connection-auth=on ssl sslflags=DONT_VERIFY_PEER sslcafile=/etc/squid/ca01.crt sslversion=3 name=exchangeServer #acl manager proto cache_object (OPTIONAL) #for squidclient access acl localhost src 127.0.0.1/32 http_access allow manager localhost http_access deny manager # ACL to allow your FQDNs acl MS-OWA dstdomain webmail.domainname.com autodiscover.domainname.com # Redirect port 80 requests to port 443 acl port80 myport 80 http_access deny port80 MS-OWA deny_info https://webmail.domainname.com/%R MS-OWA cache_peer_access exchangeServer allow MS-OWA cache_peer_access exchangeServer deny all never_direct allow MS-OWA cache deny all # Lock down access to just the Exchange Server! http_access allow MS-OWA http_access deny all miss_access allow MS-OWA miss_access deny all
E una piccola modifica al file /etc/security/limits.conf
# SQUID squid soft nofile 32768 squid hard nofile 32768
andrea gagliardi
- Published in Sistemistica, Tips & Tricks, Windows