img4

Volendo realizzare un reverse proxy per Exchange 2016 OWA e Outlook Anywhere l’unica possibilità per avere il supporto RPC over HTTP è utilizzare squid come reverse proxy.

Squid pubblica un howto per configurare correttamente il servizio per questo compito, qui un link tuttavia la guia non è esaustiva.

Versione aggiornata 2017 con Centos7 e Squid 3.5 per Exchange 2016 e valutazione A su Qualsys ssl test.

client_persistent_connections off
sslproxy_options NO_SSLv3,NO_SSLv2,SINGLE_DH_USE
sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!IDEA
workers 4
buffered_logs on
forwarded_for on
maximum_object_size 512 MB
cache_mem 2 GB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
#cache_replacement_policy GDSF
#memory_replacement_policy lru
memory_pools on
http_port 0.0.0.0:80 accel
https_port 0.0.0.0:443 accel \
        cert=/etc/squid/ssl/<certificate>.cer \
        key=/etc/squid/ssl/<key>.key \
        cafile=/etc/squid/ssl/<ca>.pem \
        options=NO_SSLv3,NO_SSLv2,SINGLE_DH_USE,SINGLE_ECDH_USE,CIPHER_SERVER_PREFERENCE \
        cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS \
        dhparams=/etc/squid/ssl/dhparam.pem \
        tls-dh=prime256v1:/etc/squid/ssl/dhparam.pem \
        defaultsite=<domain>
cache_peer <IP> parent 443 0 \
        no-query originserver \
        login=PASSTHRU connection-auth=on \
        ssl sslflags=DONT_VERIFY_PEER \
        front-end-https \
        ssloptions=NO_SSLv2 \
        name=exchangeServer
##acl manager proto cache_object (OPTIONAL)
#for squidclient access
#acl localhost src 127.0.0.1/32
#http_access allow manager localhost
http_access deny manager
# ACL to allow your FQDNs
acl MS-OWA dstdomain <domain> autodiscover.<domain>
# Redirect port 80 requests to port 443
acl port80 myport 80
http_access deny port80 MS-OWA
# ecp
acl ecp_eccezione urlpath_regex ^/ecp/MyGroups
http_access allow ecp_eccezione
acl ecp urlpath_regex ^/ecp
deny_info https://<domain>/owa ecp
http_access deny ecp
deny_info https://<domain>/owa MS-OWA
cache_peer_access exchangeServer allow MS-OWA
cache_peer_access exchangeServer deny all
never_direct allow MS-OWA
cache deny all
# Lock down access to just the Exchange Server!
http_access allow MS-OWA
http_access deny all
miss_access allow MS-OWA
miss_access deny all

Disable TLS Compression in /etc/sysconfig/squid add

export OPENSSL_NO_DEFAULT_ZLIB=1

Perfect Forward Secrecy

openssl dhparam -out /etc/squid/ssl/dhparams.pem 2048

CA Chain es.DigiCert SHA2 High Assurance Server CA
Sito: https://www.digicert.com/digicert-root-certificates.htm

wget https://www.digicert.com/CACerts/DigiCertSHA2HighAssuranceServerCA.crt
openssl x509 -inform DER -in DigiCertSHA2HighAssuranceServerCA.crt -out DigiCertSHA2HighAssuranceServerCA.pem -outform PEM

Link utili:

<blockquote data-secret="5eVCDR9zto" class="wp-embedded-content"><a href="http://www.rawiriblundell.com/?p=1442">squid reverse proxy: improving your ssllabs score</a></blockquote>
<iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; clip: rect(1px, 1px, 1px, 1px);" src="http://www.rawiriblundell.com/?p=1442&#038;embed=true#?secret=5eVCDR9zto" data-secret="5eVCDR9zto" width="600" height="338" title="&#8220;squid reverse proxy: improving your ssllabs score&#8221; &#8212; rawiriblundell.com" frameborder="0" marginwidth="0" marginheight="0" scrolling="no"></iframe>

Vecchia versione, lasciata per questione storiche.

Nel configurare e testare questa configurazione abbiamo riscontrato alcuni problemi.

Il primo riguarda l’impossibilità di effettuare upload di dimensioni poco più che minime.
Il tentativo si risolve in un errore 502 sul server.
La spiegazione è data dallo strato SSL, utilizzando uno squid con il supporto per openssl 0.9.8 ad esempio il problema non si manifesta.
Analizzando il traffico abbiamo verificato che deve succedere qualcosa durante il rekey del certificato che fa chiudere la connessione al server Exchange.

Inserendo sslversion=3 nella direttiva cache_peer il problema è scomparso.

cache_peer %EXCHANGE_SERVER_FQDN% parent 443 0 no-query originserver login=PASS connection-auth=on ssl sslflags=DONT_VERIFY_PEER sslcafile=/etc/squid/server.crt sslversion=3 name=exchangeServer

Allo stesso modo per il supporto di alcune piattaforme OSX abbiamo inserito la direttiva:

client_persistent_connections off

Per finire la gestione dell’autodiscover:

acl MS-OWA dstdomain webmail.domainname.com autodiscover.domainname.com

Ecco qui il file di configurazione completo:

client_persistent_connections off
http_port 80 accel
https_port %SQUID_IP_ADDR%:443 accel cert=/etc/squid/your_ssl.crt defaultsite=webmail.domainname.com
cache_peer %EXCHANGE_SERVER_FQDN% parent 443 0 no-query originserver login=PASS connection-auth=on ssl sslflags=DONT_VERIFY_PEER sslcafile=/etc/squid/ca01.crt sslversion=3 name=exchangeServer
#acl manager proto cache_object (OPTIONAL)
#for squidclient access
acl localhost src 127.0.0.1/32
http_access allow manager localhost
http_access deny manager
# ACL to allow your FQDNs
acl MS-OWA dstdomain webmail.domainname.com autodiscover.domainname.com
# Redirect port 80 requests to port 443
acl port80 myport 80
http_access deny port80 MS-OWA
deny_info https://webmail.domainname.com/%R MS-OWA
cache_peer_access exchangeServer allow MS-OWA
cache_peer_access exchangeServer deny all
never_direct allow MS-OWA
cache deny all
# Lock down access to just the Exchange Server!
http_access allow MS-OWA
http_access deny all
miss_access allow MS-OWA
miss_access deny all

E una piccola modifica al file /etc/security/limits.conf

# SQUID
squid soft nofile 32768
squid hard nofile 32768

andrea gagliardi