Alex Lum's questions

Faço essa pergunta para obter as melhores práticas. Por exemplo, acessamos fontes de software de um usuário de PC conectado a um compartilhamento de administrador com credenciais de administrador de domínio para copiar fontes para o PC de destino. Colocamos credenciais e fechamos a janela após a cópia, mas a credencial de administrador ainda está "acessível", o usuário pode se conectar a outro compartilhamento de administrador sem inserir credenciais. Minhas perguntas são:

1. Depois de quanto tempo tenho que digitar novamente as credenciais?
2. É possível fazer uma configuração para ser avisado sempre que acessarmos o compartilhamento do administrador?
3. Quais são as melhores práticas para acessos compartilhados de administrador?

Obrigado. Atenciosamente.

Estou no almalinux 8.7 com PHP8. Teste ldapsearch com TLS está ok

ldapsearch -H ldap://xxxx -x -ZZ /etc/pki/tls/certs/xxxx.pem -D 'xxxxx' -w 'xxxx' -b 'cn=xxx,cn=users,dc=xxx,dc=xxxx'

Mas ldap_bind não encontrará o servidor ldap. Erro -1. Sem ldap_start_tls($ldap_con); , está tudo bem.

- EDITAR mensagem de erro:

O que estou perdendo?

if(empty(!$_POST["password"]))
        {
        // Configuration pour interface PHP de notre annuaire LDAP
        $server = "ldap://xxx:389";
        $login =  $_POST['login'];
        $password = $_POST['password'];
        $basedn = 'dc=xxx,dc=xxx';
        $group = 'xxxxx';

        // Connexion à LDAP.
        echo "Connexion...<br>";
        $ldap_con=ldap_connect($server) or die('Could not connect to LDAP server.');
        ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, "/etc/pki/tls/certs/xxx.pem");
        ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, "/etc/pki/tls/private/xxx.key");
        ldap_set_option($ldap_con, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldap_con, LDAP_OPT_REFERRALS, 0);
        ldap_set_option($ldap_con, LDAP_OPT_NETWORK_TIMEOUT, 10);
        ldap_start_tls($ldap_con);

        if (!@ldap_bind($ldap_con, $login . "@xxxx", $password))
                {
                // Ici on peut voir quelle est la vraie nature de l'erreur (commenter la redirection)
                 echo "<p>Error:" . ldap_error($ldap_con) . "</p>";
                 echo "<p>Error number:" . ldap_errno($ldap_con) . "</p>";
                 echo "<p>Error:" . ldap_err2str(ldap_errno($ldap_con)) . "</p>";
                // Rediriger quand erreur
                // header("Location: https://xxxxx?error=1");
                }
        else
                {
                echo("Login correct <br>");

Testes com depuração

> <?php
>         $server = "ldap://xxxx:389";
>         $login =  "xxxx";
>         $password = "xxxx";
>         $basedn = 'dc=xxx,dc=com';
>         $group = 'xxxx';
> 
>         // Connexion à LDAP.
>         echo "Connexion...<br>";
>         $ldap_con=ldap_connect($server) or die('Could not connect to LDAP server.');
>         ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, "/etc/pki/tls/certs/xxxx.pem");
>         ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, "/etc/pki/tls/private/xxxx.key");
>         ldap_set_option($ldap_con, LDAP_OPT_PROTOCOL_VERSION, 3);
>                 ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
>         ldap_set_option($ldap_con, LDAP_OPT_REFERRALS, 0);
>         ldap_set_option($ldap_con, LDAP_OPT_NETWORK_TIMEOUT, 10);
>         ldap_start_tls($ldap_con);
> 
>         ldap_bind($ldap_con, $login . "@xxxx", $password) ?>

Saída

> Connexion...<br>ldap_extended_operation_s ldap_extended_operation
> ldap_send_initial_request ldap_new_connection 1 1 0
> ldap_int_open_connection ldap_connect_to_host: TCP xxx:389
> ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying
> xxxx:389 ldap_pvt_connect: fd: 4 tm: 10 async: 0 ldap_ndelay_on: 4 attempting to connect: connect errno: 115 ldap_int_poll: fd: 4 tm:
> 10 ldap_is_sock_ready: 4 ldap_ndelay_off: 4 ldap_pvt_connect: 0
> ldap_open_defconn: successful ldap_send_server_request ldap_result ld
> 0x55808231ec30 msgid 1 wait4msg ld 0x55808231ec30 msgid 1 (infinite
> timeout) wait4msg continue ld 0x55808231ec30 msgid 1 all 1
> ** ld 0x55808231ec30 Connections:
> * host: xxxx port: 389  (default)   refcnt: 2  status: Connected   last used: Mon Nov 28 11:31:12 2022
> 
> 
> ** ld 0x55808231ec30 Outstanding Requests:  * msgid 1,  origid 1, status InProgress    outstanding referrals 0, parent count 0   ld
> 0x55808231ec30 request count 1 (abandoned 0)
> ** ld 0x55808231ec30 Response Queue:    Empty   ld 0x55808231ec30 response count 0 ldap_chkResponseList ld 0x55808231ec30 msgid 1 all 1
> ldap_chkResponseList returns ld 0x55808231ec30 NULL ldap_int_select
> read1msg: ld 0x55808231ec30 msgid 1 all 1 read1msg: ld 0x55808231ec30
> msgid 1 message type extended-result read1msg: ld 0x55808231ec30 0 new
> referrals read1msg:  mark request completed, ld 0x55808231ec30 msgid 1
> request done: ld 0x55808231ec30 msgid 1 res_errno: 0, res_error: <>,
> res_matched: <> ldap_free_request (origid 1, msgid 1)
> ldap_parse_extended_result ldap_parse_result ldap_msgfree TLS trace:
> SSL_connect:before SSL initialization TLS trace: SSL_connect:SSLv3/TLS
> write client hello TLS trace: SSL_connect:error in SSLv3/TLS write
> client hello ldap_int_tls_start: ldap_int_tls_connect needs read
> ldap_int_poll: fd: 4 tm: 10 ldap_is_sock_ready: 4 ldap_ndelay_off: 4
> TLS trace: SSL_connect:SSLv3/TLS write client hello TLS trace:
> SSL_connect:SSLv3/TLS read server hello TLS certificate verification:
> depth: 1, err: 0, subject: /DC=com/DC=xxx/CN=xxxx, issuer:
> /DC=com/DC=xx/CN=xx-CA TLS certificate verification: depth: 0,
> err: 0, subject: , issuer: /DC=com/DC=xxx/CN=xxxx TLS trace:
> SSL_connect:SSLv3/TLS read server certificate TLS trace:
> SSL_connect:SSLv3/TLS read server key exchange TLS trace:
> SSL_connect:SSLv3/TLS read server certificate request TLS trace:
> SSL_connect:SSLv3/TLS read server done TLS trace:
> SSL_connect:SSLv3/TLS write client certificate TLS trace:
> SSL_connect:SSLv3/TLS write client key exchange TLS trace:
> SSL_connect:SSLv3/TLS write certificate verify TLS trace:
> SSL_connect:SSLv3/TLS write change cipher spec TLS trace:
> SSL_connect:SSLv3/TLS write finished TLS trace: SSL_connect:error in
> SSLv3/TLS write finished ldap_int_tls_start: ld 0x55808231ec30 9 s
> 976966 us to go ldap_int_tls_start: ldap_int_tls_connect needs read
> ldap_int_poll: fd: 4 tm: 9 ldap_is_sock_ready: 4 ldap_ndelay_off: 4
> TLS trace: SSL_connect:SSLv3/TLS write finished TLS trace:
> SSL_connect:SSLv3/TLS read change cipher spec TLS trace:
> SSL_connect:SSLv3/TLS read finished ldap_sasl_bind_s ldap_sasl_bind
> ldap_send_initial_request ldap_send_server_request ldap_result ld
> 0x55808231ec30 msgid 2 wait4msg ld 0x55808231ec30 msgid 2 (infinite
> timeout) wait4msg continue ld 0x55808231ec30 msgid 2 all 1
> ** ld 0x55808231ec30 Connections:
> * host: xxxx port: 389  (default)   refcnt: 2  status: Connected   last used: Mon Nov 28 11:31:12 2022
> 
> 
> ** ld 0x55808231ec30 Outstanding Requests:  * msgid 2,  origid 2, status InProgress    outstanding referrals 0, parent count 0   ld
> 0x55808231ec30 request count 1 (abandoned 0)
> ** ld 0x55808231ec30 Response Queue:    Empty   ld 0x55808231ec30 response count 0 ldap_chkResponseList ld 0x55808231ec30 msgid 2 all 1
> ldap_chkResponseList returns ld 0x55808231ec30 NULL ldap_int_select
> read1msg: ld 0x55808231ec30 msgid 2 all 1 read1msg: ld 0x55808231ec30
> msgid 2 message type bind read1msg: ld 0x55808231ec30 0 new referrals
> read1msg:  mark request completed, ld 0x55808231ec30 msgid 2 request
> done: ld 0x55808231ec30 msgid 2 res_errno: 0, res_error: <>,
> res_matched: <> ldap_free_request (origid 2, msgid 2)
> ldap_parse_result ldap_msgfree ldap_free_connection 1 1
> ldap_send_unbind TLS trace: SSL3 alert write:warning:close notify
> ldap_free_connection: actually freed

EDITAR

Lancei um strace ps awux | grep sbin/httpd | awk '{print"-p " $2}' | xargs strace -fmas nada a apontar.

Strace no php-fpm strace -f $(pidof php-fpm | sed 's/\([0-9]*\)/\-p \1/g')

[pid 340925] openat(AT_FDCWD, "/etc/pki/tls/private/xxx.key", O_RDONLY) = -1 EACCES (Permission non accordée)
[pid 340925] write(2, "TLS: could not use key file `/et"..., 70) = 70
[pid 340925] write(2, "TLS: error:0200100D:system libra"..., 85) = 85
[pid 340925] write(2, "TLS: error:20074002:BIO routines"..., 80) = 80
[pid 340925] write(2, "TLS: error:140B0002:SSL routines"..., 90) = 90

   

Arquivo/var/log/php-fpm/www-error.log

[30-Nov-2022 08:00:01 UTC] PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /var/www/html/SI/test2.php on line 17
[30-Nov-2022 08:00:01 UTC] PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /var/www/html/SI/test2.php on line 37

Obrigado

Temos diferentes clientes wifi Alguns deles em telefones Android/Apple, outros em PC Windows. Wifi é autenticado por NPS e temos um DHCP no servidor wwindows.

Não confiamos no telefone. Queremos colocar PCs com Windows em uma rede e telefones em outra rede. É possível distinguir uns dos outros? com NPS ou com opções de DHCP? Obrigado.

Eu tenho no Windows VM dois vmdk. Criei um volume fracionado para ver apenas um HDD.

Eu preciso montar isso no Linux. Eu posso ver todos os sd** Mas não consigo fazer uma montagem, o Linux não conhece o tipo de partição. Pode me ajudar?

Eu fiz um IIS 10 com ARR em um servidor DMZ windows 2019 não associado ao proxy reverso ao OWA (exchange 2016) com autenticação de certificado de cliente.

Eu recebo o erro 402.1. Aqui estão alguns detalhes. No lado ISS ARR, em GENERAL_SET_REQUEST_HEADER, posso ver o certificado do cliente. Comparado impressão digital e é o bom certificado. No lado ISS OWA, posso ver em GENERAL_REQUEST_HEADER meu X-ARR-ClientCert com o mesmo certificado bom.

Mas, o OWA parece não vê-lo, porque sou redirecionado para a autenticação NTLM (com erro 402.1 nos meus logs).

Vi que as configurações de SSL e a vinculação a https devem ser desabilitadas no back-end. mas quando ligo apenas em http, o OWA não funciona. eu parece funcionar apenas em https.

Do endereço lan, quando as configurações de SSL pedem certificado, funciona.

O que devo fazer para que a autenticação do certificado do cliente funcione a partir do ARR? Posso colocar logs se necessário para me ajudar. Obrigado.

[EDIT] Seguiu esta página: https://blogs.msdn.microsoft.com/asiatech/2014/01/27/configuring-arr-with-client-certificate/

O meu problema é este:

4. E o certificado pode ser recuperado do servidor backend desta forma: System.Text.ASCIIEncoding encoding = new System.Text.ASCIIEncoding(); string cert = Request.Headers["X-ARR-ClientCert"]; X509Certificate2 x509Cert2 = new X509Certificate2(encoding.GetBytes(cert));

Não sei onde colocar essas linhas de código.

Problema com a verificação de revogação de crl. Eu posso telnet servidor de destino na porta 80. Eu posso baixar crl com o Internet Explorer. Mas quando eu inicio o certutil:

C:\Users\Administrateur\Desktop>certutil -urlfetch -verify alex.cer
Émetteur:
    CN=get-SRV-DC-CA
    DC=dom
    DC=com
  Hachage du nom (sha1) : a62888b8b494cc72d5b50a3401da695e28922316
  Hachage du nom (md5) : c8c269fb24c05cd48f07ec444fa63f93
Objet:
    [email protected]
    CN=NOM Alexandre
  Hachage du nom (sha1) : facbf33942c29a333aeea9ade9db538d3d530ff7
  Hachage du nom (md5) : 01deefd4ec4bfb2d5bc80ed8221e486a
Numéro de série du certificat : 67f0382100000000a51b

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 5 Days, 47 Minutes, 28 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 5 Days, 47 Minutes, 28 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=get-SRV-DC-CA, DC=dom, DC=com
  NotBefore: 01/03/2019 15:05
  NotAfter: 29/02/2020 15:05
  Subject: [email protected], CN=NOM Alexandre
  Serial: 67f0382100000000a51b
  SubjectAltName: Autre nom :Nom [email protected]
  Template: 1.3.6.1.4.1.311.21.8.11025665.8001721.14437036.989286.1368235.196.5905011.1016426
  Cert: 9b28759fd75d66d04ad135b17ea93f541ace19f6
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  AIA de certificat  ----------------
  Échec "AIA" Heure : 0 (null)
    Erreur lors de la récupération de l’URL : La ressource ou le périphérique réseau spécifié n’est plus disponible. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
    ldap:///CN=get-SRV-DC-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=com?cACertificate?base?objectClass=certificationAuthority

  Vérifié "Certificat (0)" Heure : 0 b3d1bb3362ec43aedafe4c3868805db4fcda5748
    [1.0] http://SRV-DC.domain.com/CertEnroll/SRV-DC.domain.com_get-SRV-DC-CA.crt

  ----------------  CDP de certificat  ----------------
  Échec "CDP" Heure : 0 (null)
    Erreur lors de la récupération de l’URL : La ressource ou le périphérique réseau spécifié n’est plus disponible. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
    ldap:///CN=get-SRV-DC-CA,CN=SRV-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Vérifié "Liste de révocation des certificats de base (0592)" Heure : 0 a467254541a842b5e0819fe02e61395baeb2b4e9
    [1.0] http://SRV-DC.domain.com/CertEnroll/get-SRV-DC-CA.crl

  Échec "CDP" Heure : 0 (null)
    Erreur lors de la récupération de l’URL : La ressource ou le périphérique réseau spécifié n’est plus disponible. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
    [1.0.0] ldap:///CN=get-SRV-DC-CA,CN=SRV-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

  Ancienne liste de révocation des certificats de base "Liste de révocation des certificats delta (0592)" Heure : 0 a467254541a842b5e0819fe02e61395baeb2b4e9
    [1.0.1] http://SRV-DC.domain.com/CertEnroll/get-SRV-DC-CA.crl

  ----------------  CDP de liste de révocation des certificats de base  ----------------
  Échec "CDP" Heure : 0 (null)
    Erreur lors de la récupération de l’URL : La ressource ou le périphérique réseau spécifié n’est plus disponible. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
    ldap:///CN=get-SRV-DC-CA,CN=SRV-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

  OK "Liste de révocation des certificats de base (0592)" Heure : 0 a467254541a842b5e0819fe02e61395baeb2b4e9
    [1.0] http://SRV-DC.domain.com/CertEnroll/get-SRV-DC-CA.crl

  Échec "CDP" Heure : 0 (null)
    Erreur lors de la récupération de l’URL : La ressource ou le périphérique réseau spécifié n’est plus disponible. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
    [1.0.0] ldap:///CN=get-SRV-DC-CA,CN=SRV-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dom,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

  Ancienne liste de révocation des certificats de base "Liste de révocation des certificats delta (0592)" Heure : 0 a467254541a842b5e0819fe02e61395baeb2b4e9
    [1.0.1] http://SRV-DC.domain.com/CertEnroll/get-SRV-DC-CA.crl

  ----------------  Protocole OCSP du certificat  ----------------
  Pas d’URL "Aucun" Heure : 0 (null)
  --------------------------------
    CRL 0592:
    Issuer: CN=get-SRV-DC-CA, DC=dom, DC=com
    ThisUpdate: 28/02/2019 13:55
    NextUpdate: 08/03/2019 02:15
    CRL: a467254541a842b5e0819fe02e61395baeb2b4e9
  Application[0] = 1.3.6.1.5.5.7.3.2 Authentification du client
  Application[1] = 1.3.6.1.5.5.7.3.4 Messagerie électronique sécurisée

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=get-SRV-DC-CA, DC=dom, DC=com
  NotBefore: 08/04/2015 13:36
  NotAfter: 08/04/2020 13:45
  Subject: CN=get-SRV-DC-CA, DC=dom, DC=com
  Serial: 40d4e5b7f3288898496b6f9bb3f1a103
  Template: CA
  Cert: b3d1bb3362ec43aedafe4c3868805db4fcda5748
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  AIA de certificat  ----------------
  Pas d’URL "Aucun" Heure : 0 (null)
  ----------------  CDP de certificat  ----------------
  Pas d’URL "Aucun" Heure : 0 (null)
  ----------------  Protocole OCSP du certificat  ----------------
  Pas d’URL "Aucun" Heure : 0 (null)
  --------------------------------

Exclude leaf cert:
  Chain: 52a851a29e09dc1f1aec1fd5a640854e68361f94
Full chain:
  Chain: 5046b50dfefc32be7c0c470bdb7ed2843ffc288a
  Issuer: CN=get-SRV-DC-CA, DC=dom, DC=com
  NotBefore: 01/03/2019 15:05
  NotAfter: 29/02/2020 15:05
  Subject: [email protected], CN=NOM Alexandre
  Serial: 67f0382100000000a51b
  SubjectAltName: Autre nom :Nom [email protected]
  Template: 1.3.6.1.4.1.311.21.8.11025665.8001721.14437036.989286.1368235.196.5905011.1016426
  Cert: 9b28759fd75d66d04ad135b17ea93f541ace19f6
La fonction de révocation n’a pas pu vérifier la révocation car le serveur de révocation était déconnecté. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Vérification de révocation ignorée -- le serveur est hors connexion

ERREUR : la vérification de l’état de révocation du certificat feuille a
         renvoyé La fonction de révocation n’a pas pu vérifier la révocation car le serveur de révocation était déconnecté. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: La fonction de révocation n’a pas pu vérifier la révocation car le serveur de révocation était déconnecté.

CertUtil: -verify La commande s’est terminée correctement.

Obrigado pela ajuda.

Temos um limite de tamanho de anexo no Exchange 2016 para 25 MB. Funciona com o cliente do Outlook, mas não com os clientes do OWA. Não podemos anexar documentos maiores que 100 KB.

Quando tento anexar, recebi um TCP_MISS/413.

1531128394.524     16 x.x.x.x TCP_MISS/413 299 POST https://xxxx/owa/service.svc? - FIRSTUP_PARENT/x.x.x.x -

Squid Cache: Versão 3.5.20

lula.conf

    # ----- Global Settings -----

redirect_rewrites_host_header off
cache_mem 256 MB
maximum_object_size_in_memory 128 KB
#cache_log /dev/null
#cache_store_log /dev/null
#client_persistent_connections on

https_port 443 accel cert=/etc/squid/certificats/xxx.crt key=/etc/squid/certificats/xxx.key defaultsite=xxxx vhost

# ----- Exchange Server -----
#cache_peer xxxx parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=exchangeServer
#cache_peer xxxx parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER login=PASS connection-auth=off name=exchangeServer
#cache_peer xxxx parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER login=PASS connection-auth=off name=autodiscoverServer
cache_peer xxxx parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=exchangeServer
cache_peer xxxx parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=autodiscoverServer

acl webm_url url_regex -i ^https://xxxx/.*$

acl webm_pas url_regex -i ^https://xxxx/admin.*$
acl webm_pas url_regex -i ^https://xxxx/AutoDiscover.*$
acl webm_pas url_regex -i ^https://xxxx/AutoDiscover/AutoDiscover.xml.*$
acl webm_pas url_regex -i ^https://xxxx/ecp.*$
acl webm_pas url_regex -i ^https://xxxx/ews.*$
acl webm_pas url_regex -i ^https://xxxx/Exchange.*$
acl webm_pas url_regex -i ^https://xxxx/Exchweb.*$
acl webm_pas url_regex -i ^https://xxxx/mapi.*$
acl webm_pas url_regex -i ^https://xxxx/Microsoft-Server-ActiveSync.*$
acl webm_pas url_regex -i ^https://xxxx/owa.*$
acl webm_pas url_regex -i ^https://xxxx/oab.*$
acl webm_pas url_regex -i ^https://xxxx/Public.*$
acl webm_pas url_regex -i ^https://xxxx/Rpc.*$
acl webm_pas url_regex -i ^https://xxxx/RpcWithCert.*$
acl webm_pas url_regex -i ^https://xxxx/RpcWithCert/rpcproxy.dll.*$

cache_peer_access exchangeServer allow webm_pas
cache_peer_access exchangeServer deny all

acl webm_red urlpath_regex ^/$
deny_info https://xxxx/owa/ webm_red
http_access deny webm_url webm_red

http_access allow webm_url
never_direct allow webm_url
miss_access allow webm_url

# ----- General -----

miss_access deny all
http_access deny all

# ----- Errors -----

cache_mgr xxxx
error_directory   /usr/share/squid/errors/fr
error_default_language fr
err_page_stylesheet     /etc/squid/errorpage.css
email_err_data on
httpd_suppress_version_string on
visible_hostname xxxxx

Pode me ajudar? Obrigado. Cumprimentos.