# Squid as a reverse proxy and client certificate authentication



## back2base (Sep 29, 2011)

Guys, please help me with the following:
I want to allow some users to access exchange owa from the internet. for this reason I installed squid 3.0 on FreeBSD 8.1 release. I configured squid as follows:


```
visible_hostname external.domain
cache_mgr squid
https_port 172.16.1.3:9070 accel defaultsite=10.200.210.25 cert=/etc/ssl/crt/server-cert.crt key=/etc/ssl/key/server-key.key 
cache_peer 10.200.210.25 parent 443 0 proxy-only no-query originserver name=owa.internal.domain ssl sslflags=DONT_VERIFY_DOMAIN front-end-https
cache_dir ufs /var/squid/cache 100 16 256
cache_access_log /var/squid/logs/access.log squid
cache_log /var/squid/logs/cache.log squid
cache_store_log /var/squid/logs/store.log squid
logfile_rotate 100
pid_filename /var/squid/squid.pid
extension_methods RPC_IN_DATA RPC_OUT_DATA
acl OWA dstdomain owa.internal.domain
acl OWA-DIRS urlpath_regex (\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/exchange\/)
acl OWA-SITE url_regex ^https://owa.internal.domain
cache_peer_access owa.internal.domain allow OWA
http_access allow OWA OWA-DIRS OWA-SITE
http_access deny all
deny_info https://owa.internal.domain/owa/ all
```

172.16.1.3 is the DMZ ip of squid box
10.200.210.25 is LAN ip of Exchange server

This config works and OWA is accessible from the web.

What is needed is to control who can access the OWA server by having squid demand client certificate.
If the certificate is the one issued by my CA on the squeed box then connection is allowed.
Can anyone suggest how squid's config should look like in order to achieve it ?


----------



## back2base (Sep 30, 2011)

I managed to solve my issue. Now squid asks for client certificate and if correct certificate presented it allows client to OWA server. here is my config:


```
visible_hostname external.domain
cache_mgr squid
https_port 172.16.1.3:1234 accel defaultsite=10.200.210.25 cert=/etc/ssl/crt/server-cert.crt key=/etc/ssl/key/server-key.key sslflags=DONT_VERIFY_DOMAIN clientca=/etc/ssl/CA/cacert.pem cafile=/etc/ssl/CA/cacert.pem capath=/etc/ssl/CA/ sslcontext=id
cache_peer 10.200.210.25 parent 443 0 proxy-only no-query originserver name=owa.internal.domain ssl sslflags=DONT_VERIFY_DOMAIN front-end-https
cache_dir ufs /var/squid/cache 100 16 256
cache_access_log /var/squid/logs/access.log squid
cache_log /var/squid/logs/cache.log squid
cache_store_log /var/squid/logs/store.log squid
logfile_rotate 100
pid_filename /var/squid/squid.pid
acl OWA dstdomain owa.internal.domain
acl OWA-DIRS urlpath_regex (\/owa\/)
acl OWA-SITE url_regex ^https://owa.internal.domain
cache_peer_access owa.internal.domain allow OWA
http_access allow OWA OWA-DIRS OWA-SITE
http_access deny all
deny_info https://owa.internal.domain/owa/ all
```

Now the question is how can I restrict in squid the allowed directories which client can access on OWA e.g. after access to OWA is received I can change https://owa.internal.domain/owa to lets say https://owa.internal.domain/rpc and I get a login prompt. What I want is to allow only https://owa.internal.domain/owa to be accessed. 
Any suggestions please?


----------

