pramod1 asked:

linux, squid server

In my company I have a Squid proxy server which redirects requests to our Exchange server.

We had Squid 2.6 earlier and we installed Squid 3.2, but Squid 3.2 is not working; through RCA we found out port 443 is getting denied.

I got our firewall checked by an engineer; no connections are denied.

I am attaching both the old (squid config 1) and new Squid file (squid config 2) for review.

Is there any wording difference in the file I should check?

arnold:

What does your squid log say? Presumably you are terminating the SSL connection on the squid.

Note the top of the first config page: your old one had the RPC extension enabled, while on the second it is disabled.

The log should tell you what is going on, i.e. where the failure is.
In the new one you are missing the 10.2.2.66 reference that exists in the first.

You need to isolate and identify which component you have issues with. Simply comparing configurations is ........

pramod1 (asker):

arnold

extension_methods not valid for 3.3

pramod1 (asker):

Do I need to rephrase the line?

pramod1 (asker):

Where do I find the rpc domain name?

When you are testing the 3.3 setup, what do you see in the logs?
Did you just copy the 2.6 version config onto the 3.2/3.3 version and are trying to make it work?

If I'm not mistaken, usually you need to start with the version's config, then add the items you need.

Does the new squid accept the config, or does it error out/discard entries?

pramod1 (asker):

The new Squid is accepting the config; it shows started, but when we check through Remote Connectivity Analyzer for ActiveSync, we get a 443 error.

pramod1 (asker):

Yes, we just copied the 2.6 version to 3.2 and added some more lines to it as per 3.3 articles.

Configuration

Warning: This configuration MUST appear at the top of squid.conf above any other forward-proxy configuration (http_access etc). Otherwise the standard proxy access rules block some people viewing the accelerated site.

# Publish the RPCoHTTP service via SSL
https_port ip_of_squid:443 accel cert=/path/to/clientcertificate defaultsite=rpc_domain_name

cache_peer ip_of_exchange_server parent 443 0 no-query originserver login=PASS ssl sslcert=/path/to/certificate name=exchangeServer

acl EXCH dstdomain .rpc_domain_name

cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH
Look at the reverse proxy config for 3.2 and then add things in.

pramod1 (asker):

Can you share an article as to the exact steps? It looks to me like I am missing something.

pramod1 (asker):

How will I know that my certificate, which I copied, is working fine?

Did you copy both the certificate and the private key? And are the paths referenced in the config the paths where those files are?

Try openssl s_client -connect servername:443

See what you get.

It just does not seem right because of the version changes. The best way to determine what is going on or not going on is to look at the logs to see whether there are issues....

You cannot simply copy one config from an older version onto a newer version and expect it to work.

Are you configuring your Squid proxy in dual mode, where one part will function as a proxy for LAN users and the other portion will function as a reverse proxy?

If you need dual use, I would recommend setting up two separate start scripts that each use/reference their own config for the services they need to provide.

The only thing I can do is refer you to the config examples.

I suggest you start the configuration of the 3.2/3.3 from the beginning. And if it is only a reverse proxy, use the reverse proxy example for the version you have as a starting point, and then add the items.

While writing, double check whether on your prior system you had hosts used in the squid.conf file also defined in the /etc/hosts file but have not gotten to the point of adding those references to the new system's /etc/hosts file.

http://wiki.squid-cache.org/ConfigExamples

pramod1 (asker):

"Are you configuring your Squid proxy in dual mode, where one part will function as a proxy for LAN users and the other portion will function as a reverse proxy?" - We are proxying into the Exchange server which is on the LAN.

pramod1 (asker):

What do you mean by "add items"?

pramod1 (asker):

Try openssl s_client -connect servername:443 from where?

pramod1 (asker):

Can you share an article on how to install and run it?

pramod1 (asker):

Also, how do I check the cert and key?

pramod1 (asker):

I want to reopen this question as it has not been solved.
We thought it was TLSv1.1 which is causing the failure, but it is not.

I requested attention to have this question reopened.

openssl is a Unix command line tool that you can use to check certificates, mimic SSL types of connections, etc., all described/covered at https://www.openssl.org/docs/

The instruction provided will use openssl to attempt a connection to the proxy, which will include the display of the certificate, etc.

You cited placing the reverse config above the forward config....

The squid-cache.org/ConfigExamples link provides you with a starting point for setting up Squid; in your case, you would start with the sample reverse proxy configuration.
Then add items from your old configuration to the new one.

The problem with providing information is that I am trying to figure out/guesstimate the state of your proxy setup/config.
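As an added example (not code from this thread or from the Squid project), a small Python linter that applies the checks discussed above to a squid.conf: the extension_methods line the asker found invalid on 3.3, the accelerator https_port block that must sit above http_access, and the certificate/key paths that have to exist on the new host after copying. The sample config, addresses, hostnames and paths are constructed.

```python
import os

def lint_squid_conf(text, exists=os.path.exists):
    """Lint the accelerator (reverse-proxy) part of a squid.conf; returns findings.
    `exists` is injectable so constructed configs can be checked without a filesystem."""
    findings, peers = [], set()
    first_http_access = accel_line = None
    for n, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()          # drop comments and blank lines
        if not words:
            continue
        key, opts = words[0], dict(w.split("=", 1) for w in words if "=" in w)
        if key == "extension_methods":
            findings.append(f"line {n}: extension_methods is not valid on Squid 3.3; drop it")
        elif key == "http_access" and first_http_access is None:
            first_http_access = n
        elif key == "https_port" and "accel" in words:
            accel_line = n
            for opt in ("cert", "key"):             # paths must exist on the new host
                if opt in opts and not exists(opts[opt]):
                    findings.append(f"line {n}: {opt}={opts[opt]} not found on this host")
        elif key == "cache_peer" and len(words) > 3:
            peers.add(opts.get("name", words[1]))
            if words[3] == "443" and "ssl" not in words:
                findings.append(f"line {n}: cache_peer on port 443 without the ssl option")
            if "sslcert" in opts and not exists(opts["sslcert"]):
                findings.append(f"line {n}: sslcert={opts['sslcert']} not found on this host")
        elif key == "cache_peer_access" and len(words) > 1 and words[1] not in peers:
            findings.append(f"line {n}: peer {words[1]} is not defined by a cache_peer above")
    if accel_line and first_http_access and accel_line > first_http_access:
        findings.append(f"line {accel_line}: accelerator https_port appears after the first "
                        f"http_access (line {first_http_access}); move it to the top")
    return findings

# Constructed sample mirroring the thread: old extension_methods line kept, accelerator
# block below an http_access rule, and the client certificate never copied to the new box.
SAMPLE_CONF = """\
extension_methods RPC_IN_DATA RPC_OUT_DATA
http_access deny all
https_port 10.0.0.1:443 accel cert=/etc/squid/proxy.pem defaultsite=mail.example.test
cache_peer 10.0.0.2 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/squid/client.pem name=exchangeServer
acl EXCH dstdomain .mail.example.test
cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH
"""
DEMO_FILES = {"/etc/squid/proxy.pem"}   # pretend only the server cert exists on disk

def demo():
    return lint_squid_conf(SAMPLE_CONF, exists=lambda p: p in DEMO_FILES)
```

Run `lint_squid_conf(open("/etc/squid/squid.conf").read())` on the real box to get the same three classes of finding against the live file.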
pramod1 (asker):

Thanks for the reply; the ssl connect command works on the new 3.2 Squid.

The only difference I thought was that the master key in the certificate is different in 3.2 as compared to the 2.6 version of Squid.

But since ssl connect is working, there should not be any problem with the certs?

ASKER CERTIFIED SOLUTION by arnold