RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

From: Clem <clemfree_at_free.fr>
Date: Wed, 13 Jun 2012 14:11:28 +0200

I made a mistake yesterday, in fact for windows7 (sp1) that works only with login=PASS in cache_peer ... and unfortunately, this doesn't work for XP clients now ...

I've noticed when I delete "originserver" option from cache_peer line (only with James "tweak"), I can connect with login:user:password and login=PASS on windows7, but not on XP, I've a 401 error.

I can't make this working for both xp and w7, still searching a solution ...

-----Message d'origine-----
De : Clem [mailto:clemfree_at_free.fr]
Envoyé : mardi 12 juin 2012 15:51
À : squid-users_at_squid-cache.org
Objet : RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

Hello,

With the help of James, I'm now able to connect with my W7 clients to my exchange 2007 IIS6 RPC proxy through squid, same squid config as before (3.2.x), but newly 3.1.20 version with "tweak patch" from James Harper.

OWA, RPC PROXY (outlook anywhere) + Activesync are OK.

Before compiling squid, go to "src" directory, edit client_side_reply.cc, go to
--------------------->
 void
 clientReplyContext::cloneReply()
 {
     assert(reply == NULL);
 
     HttpReply *rep = http->storeEntry()->getReply()->clone();
 
     reply = HTTPMSGLOCK(rep);
 
     if (reply->sline.protocol == PROTO_HTTP) {
         /* enforce 1.0 reply version (but only on real HTTP traffic) */
     }
 
     /* do header conversions */
     buildReplyHeader();
 }
<-----------------------

 and remove or comment
----------------->
if (reply->sline.protocol == PROTO_HTTP) {
    /* enforce 1.0 reply version (but only on real HTTP traffic) */ }
<-----------------

Then I compiled squid with --enable-ssl, and use my squid.conf that worked for XP only, and tested on my W7 clients, and YES that works for them too !

Windowsxp sp3 + outlook 2007 -> works with login=DOMAIN\Adminuser:password in cache_peer but not with login=PASS
Windows7 SP2 + outlook 2010 -> works with login=DOMAIN\Adminuser:password in cache_peer AND with login=PASS

Dunno why in XP I can't use login=PASS, in my IIS6 logs I can see user windows credentials are properly sent but I think there something wrong happens with the reply, that doesn't happen with windows7.

Anyway that works, and I'll be able to test my squid frontend (+postfix to forward mails), and then in July on my new Exchange 2007 server with IIS7 (I'll tell you if that works too) !

Regards,

Clem

-----Message d'origine-----
De : Clem [mailto:clemfree_at_free.fr]
Envoyé : lundi 14 mai 2012 13:33
À : 'Amos Jeffries'; squid-users_at_squid-cache.org Objet : RE: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

In the log, the exactly same sequence, on w7 it hangs, on xp it continues :

....:::::::::::::::::: Win7

2012/05/14 10:14:15.090| ctx: enter level 0: 'https://mail.x.fr/rpc/rpcproxy.dll?fqdn_exchange_server:6002'
2012/05/14 10:14:15.090| HTTP Server local=ip_squid:49014 remote=ip_exchange_server:443 FD 12 flags=1
2012/05/14 10:14:15.090| HTTP Server REPLY:
---------
HTTP/1.1 200 OK
Date: Mon, 14 May 2012 10:15:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: application/rpc
Content-Length:20
Connection: Keep-Alive

----------
2012/05/14 10:14:15.091| ctx: exit level 0
2012/05/14 10:14:15.091| The reply for RPC_OUT_DATA https://mail.x.fr/rpc/rpcproxy.dll?fqdn_exchange_server:6002 is 1, because it matched 'all'
2012/05/14 10:14:15.091| HTTP Client local=ip_squid:443 remote=ip_wan_client:51556 FD 11 flags=1
2012/05/14 10:14:15.091| HTTP Client REPLY:
---------
HTTP/1.1 200 OK
Date: Mon, 14 May 2012 10:15:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: application/rpc
Content-Length: 20
X-Cache: MISS from mail.x.fr
Via: 1.1 mail.x.fr (squid/3.2.0.17-20120415-r11555)
Connection: keep-alive

----------
2012/05/14 10:14:15.092| FilledChecklist.cc(100) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x8dff1c8
2012/05/14 10:14:15.092| ACLChecklist::~ACLChecklist: destroyed 0x8dff1c8

And it hangs there ...

....:::::::::::::::::: Win7

....:::::::::::::::::: WinXP

2012/05/11 13:22:33.452| ctx: enter level 0: 'https://mail.x.fr/rpc/rpcproxy.dll?fqdn_exchange_server:6002'
2012/05/11 13:22:33.452| HTTP Server local=ip_squid:46111 remote=ip_exchange_server:443 FD 12 flags=1
2012/05/11 13:22:33.452| HTTP Server REPLY:
---------
HTTP/1.1 200 OK
Date: Fri, 11 May 2012 13:23:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: application/rpc
Content-Length:20
Connection: Keep-Alive

----------
2012/05/11 13:22:33.452| ctx: exit level 0
2012/05/11 13:22:33.452| The reply for RPC_OUT_DATA https://mail.x.fr/rpc/rpcproxy.dll?fqdn_exchange_server:6002 is 1, because it matched 'all'
2012/05/11 13:22:33.452| HTTP Client local=ip_squid:443 remote=ip_wan_client:1162 FD 11 flags=1
2012/05/11 13:22:33.452| HTTP Client REPLY:
---------
HTTP/1.1 200 OK
Date: Fri, 11 May 2012 13:23:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: application/rpc
Content-Length: 20
X-Cache: MISS from mail.x.fr
Via: 1.1 mail.x.fr (squid/3.2.0.17-20120415-r11555)
Connection: keep-alive

----------
2012/05/11 13:22:33.454| FilledChecklist.cc(100) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x8dccea8
2012/05/11 13:22:33.454| ACLChecklist::~ACLChecklist: destroyed 0x8dccea8
2012/05/11 13:22:33.512| HTTP Client local= ip_squid:443 remote=ip_wan_client:1160 FD 8 flags=1
2012/05/11 13:22:33.512| HTTP Client REQUEST:
---------
RPC_IN_DATA /rpc/rpcproxy.dll? fqdn_exchange_server:6002 HTTP/1.1
Accept: application/rpc
User-Agent: MSRPC
Host: mail.x.fr
Content-Length: 1073741824
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

................ and that continues ...

....:::::::::::::::::: WinXP

And no more infos why It's hanging

Clem

-----Message d'origine-----
De : Amos Jeffries [mailto:squid3_at_treenet.co.nz] Envoyé : lundi 14 mai 2012 12:17 À : squid-users_at_squid-cache.org Objet : Re: [squid-users] https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

On 14/05/2012 7:42 p.m., Clem wrote:
> Hi Amos,
>
> Thx for your answer.
>
> I'm still searching why my solution works with XP and only when I change 2 settings (lanmanager level, and disable msstd) on Windows7.
> So I use a cache.log with debug options to analyze more precisely, to see the difference between these two OS.
>
> When that doesn’t work on windows7, the request is "stuck" on RPC_OUT_DATA with a 200 success HTTP, sort of time out, and no infos, I've sniffed all I can, and nothing ...
>
> The only thing I can see in logs is the cookie header and the pragma "sessionid" on windows7. In XP there is no cookie header and pragma is "no-cache" only, no other values.

Hmm. Hanging usually means something somewhere is waiting expecting data somewhere.

Could be an HTTP object sent with wrong body size. Or another side channel somewhere expected to be working but not operating. Things like unexpected side channels seem to happen a lot with MS software IME.

>> Also, request_header_replace requires a previous "request_header_access deny ..." giving permission to remove existng header details before it can replace the content.
> Thx for this info, I'll test it today.
> If I write :
> request_header_access Cookie deny all
> request_header_replace Cookie none
>
> Does this disable cookie header ?

It erases all existing Cookie values and creates the header "Cookie: none".

Amos
Received on Wed Jun 13 2012 - 12:11:45 MDT

This archive was generated by hypermail 2.2.0 : Wed Jun 13 2012 - 12:00:04 MDT