Reverse proxying Exchange OWA webmail with SSL offloading - not working on IE/Chrome


Reverse proxying Exchange OWA webmail with SSL offloading - not working on IE/Chrome

Scott
Hi,

I've been trying to track down why, when reverse proxying Microsoft Exchange
OWA (Outlook Web Access), recent versions of IE and Chrome don't get past the
logon page.  Upon entering a username and password the browser just goes back
to the login page with no error displayed.  Firefox works fine.

It seems to be something to do with SSL offloading (when the cache peer is
HTTP/80).  Without SSL offloading (cache peer is HTTPS/443) everything works
as expected.

I did some debugging and noticed that the cookie sent from the server when
SSL offloading is ON (squid <-> OWA is HTTP) is missing the "secure"
attribute, whereas it is present when the data is HTTPS.

This makes perfect sense, and I'm wondering if that's the reason why some of
the browsers are not working.

Given that the browser <-> Squid traffic is HTTPS, is there a way to get
squid to add the "secure" attribute to cookies?  At least for testing it
would clarify what's going on.

Thanks,
Scott
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Reverse proxying Exchange OWA webmail with SSL offloading - not working on IE/Chrome

Alex Rousskov
On 10/27/20 5:24 AM, Scott wrote:

> Given that the browser <-> Squid traffic is HTTPS, is there a way to get
> squid to add the "secure" attribute to cookies?  At least for testing it
> would clarify what's going on.

If Squid sees decrypted/plain HTTP messages, then it is possible to
adapt HTTP response headers. The following page has a good introduction:
https://wiki.squid-cache.org/SquidFaq/ContentAdaptation

* Custom eCAP or ICAP services can definitely do that.

* In some cases, it is also possible to adapt headers using squid.conf
directives like reply_header_replace, but those features may not have
enough support to add a Cookie attribute. If they do not, perhaps that
is something we can improve, but I did not investigate the details.

* Just for _testing_ your hypothesis, temporarily hacking Squid code to
add the desired attribute may be the best solution.


HTH,

Alex.

Re: Reverse proxying Exchange OWA webmail with SSL offloading - not working on IE/Chrome

Eliezer Croitoru-3
Hey Scott,

Can you attach any example cookie with and without the secure value?
(replace sensitive data)

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]

-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of Scott
Sent: Tuesday, October 27, 2020 11:24 AM
To: [hidden email]
Subject: [squid-users] Reverse proxying Exchange OWA webmail with SSL offloading - not working on IE/Chrome

Hi,

I've been trying to track down why, when reverse proxying Microsoft Exchange OWA (Outlook Web Access), recent versions of IE and Chrome don't get past the logon page.  Upon entering a username and password the browser just goes back to the login page with no error displayed.  Firefox works fine.

It seems to be something to do with SSL offloading (when the cache peer is HTTP/80).  Without SSL offloading (cache peer is HTTPS/443) everything works as expected.

I did some debugging and noticed that the cookie sent from the server when SSL offloading is ON (squid <-> OWA is HTTP) is missing the "secure"
attribute, whereas it is present when the data is HTTPS.

This makes perfect sense, and I'm wondering if that's the reason why some of the browsers are not working.

Given that the browser <-> Squid traffic is HTTPS, is there a way to get squid to add the "secure" attribute to cookies?  At least for testing it would clarify what's going on.

Thanks,
Scott
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


Re: Reverse proxying Exchange OWA webmail with SSL offloading - not working on IE/Chrome

Scott
On Tue, Oct 27, 2020 at 09:30:16PM +0200, Eliezer Croitoru wrote:

> Hey Scott,
>
> Can you attach any example cookie with and without the secure value?
> (replace sensitive data)
>
> Thanks,
> Eliezer
>
> ----
> Eliezer Croitoru
> Tech Support
> Mobile: +972-5-28704261
> Email: [hidden email]
>
> -----Original Message-----
> From: squid-users <[hidden email]> On Behalf Of Scott
> Sent: Tuesday, October 27, 2020 11:24 AM
> To: [hidden email]
> Subject: [squid-users] Reverse proxying Exchange OWA webmail with SSL offloading - not working on IE/Chrome
>
> Hi,
>
> I've been trying to track down why, when reverse proxying Microsoft Exchange OWA (Outlook Web Access), recent versions of IE and Chrome don't get past the logon page.  Upon entering a username and password the browser just goes back to the login page with no error displayed.  Firefox works fine.
>
> It seems to be something to do with SSL offloading (when the cache peer is HTTP/80).  Without SSL offloading (cache peer is HTTPS/443) everything works as expected.
>
> I did some debugging and noticed that the cookie sent from the server when SSL offloading is ON (squid <-> OWA is HTTP) is missing the "secure"
> attribute, whereas it is present when the data is HTTPS.
>
> This makes perfect sense, and I'm wondering if that's the reason why some of the browsers are not working.
>
> Given that the browser <-> Squid traffic is HTTPS, is there a way to get squid to add the "secure" attribute to cookies?  At least for testing it would clarify what's going on.
>
> Thanks,
> Scott
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
>
>

Here are the logs (first not working, followed by working).

Note this is the login attempt, not the loading of the initial page.  You'll
see in the NOT WORKING section that the browser does NOT return a cookie to
the server, which is where the problem may be.  Again, I'm not sure why - I'm
thinking perhaps the browser/javascript is rejecting the cookie as it's
missing the "secure" attribute (because the back-end is talking plain HTTP).

As mentioned above Firefox has no issue with this.  I've fired up an ICAP
server but need to brush up on my Python before I can test what happens if I
add the "secure" attribute.

My cache peers are:
cache_peer exchange.domain.com parent  80 0 proxy-only no-query no-digest front-end-https originserver login=PASSTHRU connection-auth=on connect-timeout=3600 name=peer_exchange_80
cache_peer exchange.domain.com parent 443 0 proxy-only no-query no-digest front-end-https originserver login=PASSTHRU connection-auth=on connect-timeout=3600 ssl sslflags=DONT_VERIFY_PEER name=peer_exchange_443

Logs:

NOT WORKING

---------
2020/10/28 14:56:12.614 kid1| 11,2| client_side.cc(1306) parseHttpRequest: HTTP Client local=squid-external:443 remote=client-browser:22884 FD 19 flags=1
2020/10/28 14:56:12.614 kid1| 11,2| client_side.cc(1310) parseHttpRequest: HTTP Client REQUEST:
---------
POST /owa/auth.owa HTTP/1.1
Host: webmail.domain.com
Connection: keep-alive
Content-Length: 140
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://webmail.domain.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edg/86.0.622.51
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://webmail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fwebmail.domain.com%2fowa
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: sm_spd_caution=0LCGM6rKJqGWF; PrivateComputer=true; PBack=0


----------
2020/10/28 14:56:12.627 kid1| 11,2| http.cc(2263) sendRequest: HTTP Server local=squid-internal:42139 remote=exchange:80 FD 17 flags=1
2020/10/28 14:56:12.628 kid1| 11,2| http.cc(2264) sendRequest: HTTP Server REQUEST:
---------
POST /owa/auth.owa HTTP/1.1
Content-Length: 140
Upgrade-Insecure-Requests: 1
Origin: https://webmail.domain.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edg/86.0.622.51
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://webmail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fwebmail.domain.com%2fowa
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: sm_spd_caution=0LCGM6rKJqGWF; PrivateComputer=true; PBack=0
Host: webmail.domain.com
Surrogate-Capability: webmail.domain.com="Surrogate/1.0"
X-Forwarded-For: client-browser
Cache-Control: max-age=0
Connection: keep-alive
Front-End-Https: On


----------
2020/10/28 14:56:12.748 kid1| ctx: enter level  0: 'https://webmail.domain.com/owa/auth.owa'
2020/10/28 14:56:12.748 kid1| 11,2| http.cc(719) processReplyHeader: HTTP Server local=squid-internal:42139 remote=exchange:80 FD 17 flags=1
2020/10/28 14:56:12.748 kid1| 11,2| http.cc(723) processReplyHeader: HTTP Server RESPONSE:
---------
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: https://webmail.domain.com/owa
Server: Microsoft-IIS/8.5
request-id: 85e28b7c-5a4c-4e89-a740-116359551a19
X-AspNet-Version: 4.0.30319
Set-Cookie: cadata=<data>; path=/;SameSite=None; HttpOnly
Set-Cookie: cadataTTL=<data>; path=/;SameSite=None; HttpOnly
Set-Cookie: cadataKey=<data>; path=/;SameSite=None; HttpOnly
Set-Cookie: cadataIV=<data>; path=/;SameSite=None; HttpOnly
Set-Cookie: cadataSig=<data>; path=/;SameSite=None; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: exchange
Date: Wed, 28 Oct 2020 03:56:17 GMT
Content-Length: 151

----------
2020/10/28 14:56:12.748 kid1| ctx: exit level  0
2020/10/28 14:56:12.748 kid1| 11,2| Stream.cc(266) sendStartOfMessage: HTTP Client local=squid-external:443 remote=client-browser:22884 FD 19 flags=1
2020/10/28 14:56:12.748 kid1| 11,2| Stream.cc(267) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: https://webmail.domain.com/owa
Server: Microsoft-IIS/8.5
request-id: 85e28b7c-5a4c-4e89-a740-116359551a19
X-AspNet-Version: 4.0.30319
Set-Cookie: cadata=<data>; path=/;SameSite=None; HttpOnly
Set-Cookie: cadataTTL=<data>; path=/;SameSite=None; HttpOnly
Set-Cookie: cadataKey=<data>; path=/;SameSite=None; HttpOnly
Set-Cookie: cadataIV=<data>; path=/;SameSite=None; HttpOnly
Set-Cookie: cadataSig=<data>; path=/;SameSite=None; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: exchange
Date: Wed, 28 Oct 2020 03:56:17 GMT
Content-Length: 151
X-Cache: MISS from webmail.domain.com
X-Cache-Lookup: MISS from webmail.domain.com:443
Connection: keep-alive


----------
2020/10/28 14:56:12.838 kid1| 11,2| client_side.cc(1306) parseHttpRequest: HTTP Client local=squid-external:443 remote=client-browser:22884 FD 19 flags=1
2020/10/28 14:56:12.838 kid1| 11,2| client_side.cc(1310) parseHttpRequest: HTTP Client REQUEST:
---------
GET /owa HTTP/1.1
Host: webmail.domain.com
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edg/86.0.622.51
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://webmail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fwebmail.domain.com%2fowa
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: sm_spd_caution=0LCGM6rKJqGWF; PrivateComputer=true; PBack=0


----------
2020/10/28 14:56:12.838 kid1| 11,2| http.cc(2263) sendRequest: HTTP Server local=squid-internal:42139 remote=exchange:80 FD 17 flags=1
2020/10/28 14:56:12.838 kid1| 11,2| http.cc(2264) sendRequest: HTTP Server REQUEST:
---------
GET /owa HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edg/86.0.622.51
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://webmail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fwebmail.domain.com%2fowa
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: sm_spd_caution=0LCGM6rKJqGWF; PrivateComputer=true; PBack=0
Host: webmail.domain.com
Surrogate-Capability: webmail.domain.com="Surrogate/1.0"
X-Forwarded-For: client-browser
Cache-Control: max-age=0
Connection: keep-alive
Front-End-Https: On


----------
2020/10/28 14:56:12.847 kid1| ctx: enter level  0: 'https://webmail.domain.com/owa'
2020/10/28 14:56:12.847 kid1| 11,2| http.cc(719) processReplyHeader: HTTP Server local=squid-internal:42139 remote=exchange:80 FD 17 flags=1
2020/10/28 14:56:12.847 kid1| 11,2| http.cc(723) processReplyHeader: HTTP Server RESPONSE:
---------
HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: https://webmail.domain.com/owa/auth/logon.aspx?url=https%3a%2f%2fwebmail.domain.com%2fowa&reason=0
Server: Microsoft-IIS/8.5
request-id: 8c3318c8-2eee-40bf-bfe0-dd94b20a5197
X-Powered-By: ASP.NET
X-FEServer: exchange
Date: Wed, 28 Oct 2020 03:56:17 GMT
Content-Length: 227

----------
2020/10/28 14:56:12.848 kid1| ctx: exit level  0
2020/10/28 14:56:12.848 kid1| 11,2| Stream.cc(266) sendStartOfMessage: HTTP Client local=squid-external:443 remote=client-browser:22884 FD 19 flags=1
2020/10/28 14:56:12.848 kid1| 11,2| Stream.cc(267) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: https://webmail.domain.com/owa/auth/logon.aspx?url=https%3a%2f%2fwebmail.domain.com%2fowa&reason=0
Server: Microsoft-IIS/8.5
request-id: 8c3318c8-2eee-40bf-bfe0-dd94b20a5197
X-Powered-By: ASP.NET
X-FEServer: exchange
Date: Wed, 28 Oct 2020 03:56:17 GMT
Content-Length: 227  
X-Cache: MISS from webmail.domain.com
X-Cache-Lookup: MISS from webmail.domain.com:443
Connection: keep-alive


----------
2020/10/28 14:56:12.861 kid1| 11,2| client_side.cc(1306) parseHttpRequest: HTTP Client local=squid-external:443 remote=client-browser:22884 FD 19 flags=1
2020/10/28 14:56:12.861 kid1| 11,2| client_side.cc(1310) parseHttpRequest: HTTP Client REQUEST:
---------
GET /owa/auth/logon.aspx?url=https%3a%2f%2fwebmail.domain.com%2fowa&reason=0 HTTP/1.1
Host: webmail.domain.com
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edg/86.0.622.51
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://webmail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fwebmail.domain.com%2fowa
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: cookieTest=1; logondata=acc=0&lgn=user; sm_spd_caution=0LCGM6rKJqGWF; PrivateComputer=true; PBack=0


----------
2020/10/28 14:56:12.862 kid1| 11,2| http.cc(2263) sendRequest: HTTP Server local=squid-internal:42139 remote=exchange:80 FD 17 flags=1
2020/10/28 14:56:12.862 kid1| 11,2| http.cc(2264) sendRequest: HTTP Server REQUEST:
---------
GET /owa/auth/logon.aspx?url=https%3a%2f%2fwebmail.domain.com%2fowa&reason=0 HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edg/86.0.622.51
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://webmail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fwebmail.domain.com%2fowa
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: cookieTest=1; logondata=acc=0&lgn=user; sm_spd_caution=0LCGM6rKJqGWF; PrivateComputer=true; PBack=0
Host: webmail.domain.com
Surrogate-Capability: webmail.domain.com="Surrogate/1.0"
X-Forwarded-For: client-browser
Cache-Control: max-age=0
Connection: keep-alive
Front-End-Https: On


----------
2020/10/28 14:56:12.873 kid1| ctx: enter level  0: 'https://webmail.domain.com/owa/auth/logon.aspx?url=https%3a%2f%2fwebmail.domain.com%2fowa&reason=0'
2020/10/28 14:56:12.873 kid1| 11,2| http.cc(719) processReplyHeader: HTTP Server local=squid-internal:42139 remote=exchange:80 FD 17 flags=1
2020/10/28 14:56:12.874 kid1| 11,2| http.cc(723) processReplyHeader: HTTP Server RESPONSE:
---------
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
request-id: 076d002d-4d66-4bc7-93d2-0109bbb67892
X-Frame-Options: SAMEORIGIN
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 28 Oct 2020 03:56:17 GMT
Content-Length: 27968

----------
2020/10/28 14:56:12.874 kid1| ctx: exit level  0
2020/10/28 14:56:12.874 kid1| 11,2| Stream.cc(266) sendStartOfMessage: HTTP Client local=squid-external:443 remote=client-browser:22884 FD 19 flags=1
2020/10/28 14:56:12.874 kid1| 11,2| Stream.cc(267) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
request-id: 076d002d-4d66-4bc7-93d2-0109bbb67892
X-Frame-Options: SAMEORIGIN
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 28 Oct 2020 03:56:17 GMT
Content-Length: 27968
X-Cache: MISS from webmail.domain.com
X-Cache-Lookup: MISS from webmail.domain.com:443
Connection: keep-alive


----------
2020/10/28 14:56:12.943 kid1| 11,2| client_side.cc(1306) parseHttpRequest: HTTP Client local=squid-external:443 remote=client-browser:22884 FD 19 flags=1
2020/10/28 14:56:12.943 kid1| 11,2| client_side.cc(1310) parseHttpRequest: HTTP Client REQUEST:
---------
GET /owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fwebmail.domain.com%2fowa HTTP/1.1
Host: webmail.domain.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edg/86.0.622.51
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: https://webmail.domain.com/owa/auth/logon.aspx?url=https%3a%2f%2fwebmail.domain.com%2fowa&reason=0
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: cookieTest=1; logondata=acc=0&lgn=user; sm_spd_caution=0LCGM6rKJqGWF; PrivateComputer=true; PBack=0


----------
2020/10/28 14:56:12.944 kid1| 11,2| http.cc(2263) sendRequest: HTTP Server local=squid-internal:42139 remote=exchange:80 FD 17 flags=1
2020/10/28 14:56:12.944 kid1| 11,2| http.cc(2264) sendRequest: HTTP Server REQUEST:
---------
GET /owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fwebmail.domain.com%2fowa HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edg/86.0.622.51
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: https://webmail.domain.com/owa/auth/logon.aspx?url=https%3a%2f%2fwebmail.domain.com%2fowa&reason=0
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: cookieTest=1; logondata=acc=0&lgn=user; sm_spd_caution=0LCGM6rKJqGWF; PrivateComputer=true; PBack=0
Host: webmail.domain.com
Surrogate-Capability: webmail.domain.com="Surrogate/1.0"
X-Forwarded-For: client-browser
Cache-Control: max-age=259200
Connection: keep-alive
Front-End-Https: On


----------
2020/10/28 14:56:12.955 kid1| ctx: enter level  0: 'https://webmail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fwebmail.domain.com%2fowa'
2020/10/28 14:56:12.955 kid1| 11,2| http.cc(719) processReplyHeader: HTTP Server local=squid-internal:42139 remote=exchange:80 FD 17 flags=1
2020/10/28 14:56:12.955 kid1| 11,2| http.cc(723) processReplyHeader: HTTP Server RESPONSE:
---------
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
request-id: 5b1807dd-0007-4d1e-8f5c-c6daf4d9dfa8
X-Frame-Options: SAMEORIGIN
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 28 Oct 2020 03:56:17 GMT
Content-Length: 58778

----------
2020/10/28 14:56:12.955 kid1| ctx: exit level  0
2020/10/28 14:56:12.956 kid1| 11,2| Stream.cc(266) sendStartOfMessage: HTTP Client local=squid-external:443 remote=client-browser:22884 FD 19 flags=1
2020/10/28 14:56:12.956 kid1| 11,2| Stream.cc(267) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
request-id: 5b1807dd-0007-4d1e-8f5c-c6daf4d9dfa8
X-Frame-Options: SAMEORIGIN
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 28 Oct 2020 03:56:17 GMT
Content-Length: 58778
X-Cache: MISS from webmail.domain.com
X-Cache-Lookup: MISS from webmail.domain.com:443
Connection: keep-alive



WORKING

----------
2020/10/28 12:01:23.527 kid1| 11,2| client_side.cc(1306) parseHttpRequest: HTTP Client local=squid-external:443 remote=client-browser:2600 FD 24 flags=1
2020/10/28 12:01:23.527 kid1| 11,2| client_side.cc(1310) parseHttpRequest: HTTP Client REQUEST:
---------
POST /owa/auth.owa HTTP/1.1
Host: webmail.domain.com
Connection: keep-alive
Content-Length: 143
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://webmail.domain.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edg/86.0.622.51
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://webmail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fwebmail.domain.com%2fowa%2f
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: sm_spd_caution=qPZGM6JTJHMDM; PrivateComputer=true; PBack=0

----------
2020/10/28 12:01:23.549 kid1| 11,2| http.cc(2263) sendRequest: HTTP Server local=squid-internal:62597 remote=exchange:443 FD 30 flags=1
2020/10/28 12:01:23.549 kid1| 11,2| http.cc(2264) sendRequest: HTTP Server REQUEST:
---------
POST /owa/auth.owa HTTP/1.1
Content-Length: 143
Upgrade-Insecure-Requests: 1
Origin: https://webmail.domain.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edg/86.0.622.51
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://webmail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fwebmail.domain.com%2fowa%2f
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: sm_spd_caution=qPZGM6JTJHMDM; PrivateComputer=true; PBack=0
Host: webmail.domain.com
Surrogate-Capability: webmail.domain.com="Surrogate/1.0"
X-Forwarded-For: client-browser
Cache-Control: max-age=0
Connection: keep-alive
Front-End-Https: On

----------
2020/10/28 12:01:23.649 kid1| ctx: enter level  0: 'https://webmail.domain.com/owa/auth.owa'
2020/10/28 12:01:23.649 kid1| 11,2| http.cc(719) processReplyHeader: HTTP Server local=squid-internal:62597 remote=exchange:443 FD 30 flags=1
2020/10/28 12:01:23.650 kid1| 11,2| http.cc(723) processReplyHeader: HTTP Server RESPONSE:
---------
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: https://webmail.domain.com/owa/
Server: Microsoft-IIS/8.5
request-id: 320cfc6b-e678-480e-8fa9-87126ee679d4
X-AspNet-Version: 4.0.30319
Set-Cookie: cadata=<data>; path=/;SameSite=None; secure; HttpOnly
Set-Cookie: cadataTTL=<data>; path=/;SameSite=None; secure; HttpOnly
Set-Cookie: cadataKey=<data>; path=/;SameSite=None; secure; HttpOnly
Set-Cookie: cadataIV=<data>; path=/;SameSite=None; secure; HttpOnly
Set-Cookie: cadataSig=<data>; path=/;SameSite=None; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: exchange
Date: Wed, 28 Oct 2020 01:01:28 GMT
Content-Length: 152

----------
2020/10/28 12:01:23.651 kid1| ctx: exit level  0
2020/10/28 12:01:23.651 kid1| 11,2| Stream.cc(266) sendStartOfMessage: HTTP Client local=squid-external:443 remote=client-browser:2600 FD 24 flags=1
2020/10/28 12:01:23.651 kid1| 11,2| Stream.cc(267) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: https://webmail.domain.com/owa/
Server: Microsoft-IIS/8.5
request-id: 320cfc6b-e678-480e-8fa9-87126ee679d4
X-AspNet-Version: 4.0.30319
Set-Cookie: cadata=<data>; path=/;SameSite=None; secure; HttpOnly
Set-Cookie: cadataTTL=<data>; path=/;SameSite=None; secure; HttpOnly
Set-Cookie: cadataKey=<data>; path=/;SameSite=None; secure; HttpOnly
Set-Cookie: cadataIV=<data>; path=/;SameSite=None; secure; HttpOnly
Set-Cookie: cadataSig=<data>; path=/;SameSite=None; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: exchange
Date: Wed, 28 Oct 2020 01:01:28 GMT
Content-Length: 152
X-Cache: MISS from webmail.domain.com
X-Cache-Lookup: MISS from webmail.domain.com:443
Connection: keep-alive

----------
2020/10/28 12:01:23.750 kid1| 11,2| client_side.cc(1306) parseHttpRequest: HTTP Client local=squid-external:443 remote=client-browser:2600 FD 24 flags=1
2020/10/28 12:01:23.750 kid1| 11,2| client_side.cc(1310) parseHttpRequest: HTTP Client REQUEST:
---------
GET /owa/ HTTP/1.1
Host: webmail.domain.com
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edg/86.0.622.51
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://webmail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fwebmail.domain.com%2fowa%2f
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: sm_spd_caution=qPZGM6JTJHMDM; PrivateComputer=true; PBack=0; cadata=<data>; cadataTTL=<data>; cadataKey=<data>; cadataIV=<data>; cadataSig=<data>

----------
2020/10/28 12:01:23.751 kid1| 11,2| http.cc(2263) sendRequest: HTTP Server local=squid-internal:62597 remote=exchange:443 FD 30 flags=1
2020/10/28 12:01:23.751 kid1| 11,2| http.cc(2264) sendRequest: HTTP Server REQUEST:
---------
GET /owa/ HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edg/86.0.622.51
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://webmail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fwebmail.domain.com%2fowa%2f
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: sm_spd_caution=qPZGM6JTJHMDM; PrivateComputer=true; PBack=0; cadata=<data>; cadataTTL=<data>; cadataKey=<data>; cadataIV=<data>; cadataSig=<data>
Host: webmail.domain.com
Surrogate-Capability: webmail.domain.com="Surrogate/1.0"
X-Forwarded-For: client-browser
Cache-Control: max-age=0
Connection: keep-alive
Front-End-Https: On

----------
2020/10/28 12:01:23.896 kid1| ctx: enter level  0: 'https://webmail.domain.com/owa/'
2020/10/28 12:01:23.896 kid1| 11,2| http.cc(719) processReplyHeader: HTTP Server local=squid-internal:62597 remote=exchange:443 FD 30 flags=1
2020/10/28 12:01:23.896 kid1| 11,2| http.cc(723) processReplyHeader: HTTP Server RESPONSE:
---------
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
request-id: ea651da4-e232-4990-995e-72e015c573fb
X-CalculatedBETarget: exchange.domain.com
X-Content-Type-Options: nosniff
X-OWA-Version: 15.1.1979.3
X-OWA-OWSVersion: V2017_08_18
X-OWA-MinimumSupportedOWSVersion: V2_6
X-Frame-Options: SAMEORIGIN
X-OWA-DiagnosticsInfo: 46;15;7
X-BackEnd-Begin: 2020-10-28T12:01:28.905
X-BackEnd-End: 2020-10-28T12:01:28.952
X-DiagInfo: exchange
X-BEServer: exchange
X-UA-Compatible: IE=EmulateIE7
X-AspNet-Version: 4.0.30319
Set-Cookie: ClientId=567C1AE2155A441B9B9135F021DE8E49; expires=Thu, 28-Oct-2021 01:01:28 GMT; path=/; secure
Set-Cookie: UC=5caf337600204e1aa6add4af567d64ba; path=/; secure; HttpOnly
Set-Cookie: X-OWA-CANARY=ALo_AnoqYkOZD3FVdSCHPoDMmQDdetgI1eFx8F31UnwyEefwAxmPCeDfu7qodXti7-KYJeZb_Ts.; path=/; secure
Set-Cookie: X-BackEndCookie=<data>; expires=Fri, 27-Nov-2020 01:01:28 GMT; path=/owa; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: exchange
Date: Wed, 28 Oct 2020 01:01:28 GMT

----------
2020/10/28 12:01:23.897 kid1| ctx: exit level  0
2020/10/28 12:01:23.897 kid1| 11,2| Stream.cc(266) sendStartOfMessage: HTTP Client local=squid-external:443 remote=client-browser:2600 FD 24 flags=1
2020/10/28 12:01:23.897 kid1| 11,2| Stream.cc(267) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
request-id: ea651da4-e232-4990-995e-72e015c573fb
X-CalculatedBETarget: exchange.domain.com
X-Content-Type-Options: nosniff
X-OWA-Version: 15.1.1979.3
X-OWA-OWSVersion: V2017_08_18
X-OWA-MinimumSupportedOWSVersion: V2_6
X-Frame-Options: SAMEORIGIN
X-OWA-DiagnosticsInfo: 46;15;7
X-BackEnd-Begin: 2020-10-28T12:01:28.905
X-BackEnd-End: 2020-10-28T12:01:28.952
X-DiagInfo: exchange
X-BEServer: exchange
X-UA-Compatible: IE=EmulateIE7
X-AspNet-Version: 4.0.30319
Set-Cookie: ClientId=567C1AE2155A441B9B9135F021DE8E49; expires=Thu, 28-Oct-2021 01:01:28 GMT; path=/; secure
Set-Cookie: UC=5caf337600204e1aa6add4af567d64ba; path=/; secure; HttpOnly
Set-Cookie: X-OWA-CANARY=ALo_AnoqYkOZD3FVdSCHPoDMmQDdetgI1eFx8F31UnwyEefwAxmPCeDfu7qodXti7-KYJeZb_Ts.; path=/; secure
Set-Cookie: X-BackEndCookie=<data>; expires=Fri, 27-Nov-2020 01:01:28 GMT; path=/owa; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: exchange
Date: Wed, 28 Oct 2020 01:01:28 GMT
X-Cache: MISS from webmail.domain.com
X-Cache-Lookup: MISS from webmail.domain.com:443
Transfer-Encoding: chunked
Connection: keep-alive

Re: Reverse proxying Exchange OWA wembail with SSL offloading - not working on IE/Chrome

Amos Jeffries
On 28/10/20 5:25 pm, Scott wrote:
>
> Here are the logs (first not working, followed by working).
>
> Note this is the login attempt, not the loading of the initial page.  You'll
> see in the NOT WORKING section that the browser does NOT return a cookie to
> the server, which is where the problem may be.  Again, I'm not sure why - I'm
> thinking perhaps the browser/javascript is rejecting the cookie as it's
> missing the "secure" attribute (because the back-end is talking plain HTTP).
>

The complete absence of a cookie may be expected to break something.

The absence of a "secure" flag should only make the cookie vulnerable to
leaking. It should not affect anything depending on that cookie's value.


Amos

Re: Reverse proxying Exchange OWA wembail with SSL offloading - not working on IE/Chrome

Scott
On Wed, Oct 28, 2020 at 12:00:01PM +0000, [hidden email] wrote:

> Date: Thu, 29 Oct 2020 00:08:34 +1300
> From: Amos Jeffries <[hidden email]>
> To: [hidden email]
> Subject: Re: [squid-users] Reverse proxying Exchange OWA wembail with SSL
>  offloading - not working on IE/Chrome
>
> On 28/10/20 5:25 pm, Scott wrote:
> >
> > Here are the logs (first not working, followed by working).
> >
> > Note this is the login attempt, not the loading of the initial page.  You'll
> > see in the NOT WORKING section that the browser does NOT return a cookie to
> > the server, which is where the problem may be.  Again, I'm not sure why - I'm
> > thinking perhaps the browser/javascript is rejecting the cookie as it's
> > missing the "secure" attribute (because the back-end is talking plain HTTP).
> >
>
> The complete absence of a cookie may be expected to break something.
>
> The absence of a "secure" flag should only make the cookie vulnerable to
> leaking. It should not affect anything depending on that cookie's value.
>
>
> Amos
>

My current theory is that the browser ignores the server-supplied cookie
because it is missing the "secure" flag.  I could be completely wrong of
course.  But that flag is one of the few differences between a working
session and a not-working session.

I did find this site:
https://support.kemptechnologies.com/hc/en-us/articles/202154165-How-to-Add-an-SSL-Secure-and-HTTP-only-flag-to-cookies-from-a-Real-Server 
that is in the same ballpark as my suspicions.

I've tried building an ICAP server using the examples from PyICAP and have
got as far as receiving the data and altering the header but I can't work out
how to send the modified header and data back to Squid.

My code is:

import re  # at module level; needed for the attribute check below

   def cookie_RESPMOD(self):
       self.set_icap_response(200)

       self.set_enc_status(b' '.join(self.enc_res_status))
       for h in self.enc_res_headers:
           for v in self.enc_res_headers[h]:
               # pyicap hands header names (lowercase) and values to us as bytes,
               # so compare against bytes and use a bytes pattern; a str pattern
               # raises TypeError on a bytes value. Every Set-Cookie that lacks
               # the flag gets it, not only the HttpOnly ones (ClientId and
               # X-OWA-CANARY in the trace have no HttpOnly but still need it).
               if h == b'set-cookie' and not re.search(rb'(?:^|;)\s*secure\s*(?:;|$)', v, re.IGNORECASE):
                   v = v.rstrip(b'; ') + b'; secure'
                   print("h: ", h, "v: ", v)
               self.set_enc_header(h, v)

       if not self.has_body:
           self.send_headers(False)
           return

       self.send_headers(True)
       # Relay the encapsulated body chunk by chunk; the empty chunk marks the
       # end of the body (this is the part the handler was missing).
       while True:
           chunk = self.read_chunk()
           self.write_chunk(chunk)
           if chunk == b'':
               break

I'm sure it's something simple like not sending the body.  I really need to read the ICAP docs/RFCs.

The script generates the following:
10.2.255.1 - - [28/Oct/2020 23:17:21] "OPTIONS icap://10.2.255.1:40000/cookie ICAP/1.0" 200 -
10.2.255.1 - - [28/Oct/2020 23:17:21] "RESPMOD icap://10.2.255.1:40000/cookie ICAP/1.0" 200 -
10.2.255.1 - - [28/Oct/2020 23:17:21] code 400, message B
10.2.255.1 - - [28/Oct/2020 23:17:31] "RESPMOD icap://10.2.255.1:40000/cookie ICAP/1.0" 200 -
10.2.255.1 - - [28/Oct/2020 23:17:31] code 400, message B
10.2.255.1 - - [28/Oct/2020 23:17:31] "RESPMOD icap://10.2.255.1:40000/cookie ICAP/1.0" 200 -
10.2.255.1 - - [28/Oct/2020 23:17:31] code 400, message B

I might look into a code hack as a means of testing.
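The cookie rewrite the RESPMOD handler above is reaching for, as an added example that is not part of this thread or of PyICAP: it takes a pyicap-style header map (lowercase bytes names mapped to lists of bytes values), appends the secure attribute to every Set-Cookie that lacks it, and matches the attribute case-insensitively as a whole token so an already-flagged cookie is not double-flagged and a cookie merely named "Secure..." is not mistaken for one. The sample headers are constructed from the OWA response in the trace, with the secure flag stripped the way a plain-HTTP backend would send them.

```python
import re

# Constructed sample: Set-Cookie values from the OWA trace in this thread, as the
# backend sends them over plain HTTP (no "secure" attribute), plus one that
# already carries the flag and one unrelated header.
SAMPLE_HEADERS = {
    b"set-cookie": [
        b"ClientId=567C1AE2155A441B9B9135F021DE8E49; expires=Thu, 28-Oct-2021 01:01:28 GMT; path=/",
        b"UC=5caf337600204e1aa6add4af567d64ba; path=/; HttpOnly",
        b"X-OWA-CANARY=EXAMPLE_CANARY; path=/; secure",
        b"X-BackEndCookie=<data>; expires=Fri, 27-Nov-2020 01:01:28 GMT; path=/owa; HttpOnly",
    ],
    b"x-frame-options": [b"SAMEORIGIN"],
}

# "secure" is a flag attribute: it must stand alone between separators (or at
# the start/end), so "SecureToken=1" or "name=secure" do not count as the flag.
_SECURE_RE = re.compile(rb"(?:^|;)\s*secure\s*(?:;|$)", re.IGNORECASE)


def add_secure_flag(value: bytes) -> bytes:
    """Return the Set-Cookie value with a secure attribute, added only if absent.

    Existing attributes and their order are preserved; a trailing separator
    is trimmed so the result never contains ";;" or a dangling "; ".
    """
    if _SECURE_RE.search(value):
        return value
    return value.rstrip(b"; ") + b"; secure"


def secure_response_cookies(headers):
    """Rewrite every Set-Cookie in a pyicap-style header map; other headers
    are copied unchanged. Returns a new map rather than mutating the input."""
    out = {}
    for name, values in headers.items():
        if name.lower() == b"set-cookie":
            out[name] = [add_secure_flag(v) for v in values]
        else:
            out[name] = list(values)
    return out


if __name__ == "__main__":
    for v in secure_response_cookies(SAMPLE_HEADERS)[b"set-cookie"]:
        print(v.decode())
```

Inside a pyicap handler the loop over `self.enc_res_headers` would call `add_secure_flag` on each Set-Cookie value before `self.set_enc_header(h, v)`.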