Re: AW: Re: [squid-users] Proxy server with FQDN and wildcard

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 04 Oct 2013 21:23:01 +1300

On 4/10/2013 7:53 p.m., Reto Bachmann wrote:
> Hi,
>
> So here is the main part of my squid.conf
>
> acl HTTP proto HTTP
> acl HTTPS proto HTTPS
>
> # Open the listerners
>
> http_port 10.10.5.5:80 accel defaultsite=www.domain.com
> https_port 10.10.5.5:443 accel cert=/etc/squid3/ssl/ssl_key key=/etc/squid3/ssl/ssl_key defaultsite=www.domain.com
>
> # OWA webmail.domain.com -> 10.10.1.21
>
> cache_peer 10.10.1.21 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=OWAdomain
>
> #Redirect rules
> acl redirectHTTPSOWASN urlpath_regex ^/$
> acl redirectHTTPOWASN url_regex -i ^http://.*$

You can replace the regex above with:
    acl redirectHTTPOWASN proto HTTP

Or just replace all uses of "redirectHTTPOWASN" with "HTTP" in your config.

> # redirect /owa
> deny_info 303:https://webmail.domain.com/owa/ redirectHTTPOWASN
> deny_info 303:https://webmail.domain.com/owa/ redirectHTTPSOWASN
>
> acl OWASN dstdomain webmail.domain.com
> acl OWASN dstdomain autodiscover.domain.com
> cache_peer_access OWAdomain allow OWASN
> never_direct allow OWASN

> http_access deny HTTPS OWASN redirectHTTPSOWASN
> http_access deny HTTP OWASN redirectHTTPOWASN
> http_access allow OWASN

How about this instead of all that http_access complexity?

   acl noPath urlpath_regex ^/$

   acl OWASN dstdomain webmail.domain.com autodiscover.domain.com
   deny_info 303:https://webmail.domain.com/owa/ OWASN
   cache_peer_access OWAdomain allow OWASN
   never_direct allow OWASN
   http_access deny HTTPS noPath OWASN
   http_access deny HTTP OWASN
   http_access allow OWASN

> miss_access allow OWASN

Why is miss_access present?

>
>
> # RDS access.domain.com -> 10.10.1.29
> cache_peer 10.10.1.29 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=RDSdomain
>
> # Redirect
> acl redirectHTTPSSNRDS urlpath_regex ^/$
> acl redirectHTTPSNRDS url_regex -i ^http://.*$
> deny_info 303:https://access.domain.com/RDWeb/ redirectHTTPSSNRDS
> deny_info 303:https://access.domain.com/RDWeb/ redirectHTTPSNRDS
>
> acl RDSSN dstdomain access.domain.com
>
> cache_peer_access RDSdomain allow RDSSN
> never_direct allow RDSSN
>
> http_access deny HTTPS RDSSN redirectHTTPSSNRDS
>
> http_access deny HTTP RDSSN redirectHTTPSNRDS
>
> http_access allow RDSSN

You can do the same thing for RDSSN that was done above for OWASN.

> miss_access allow RDSSN
>
> # Access to the webserver
> cache_peer 10.10.1.22 parent 80 0 no-query originserver login=PASS name=WWWdomain
>
> # If I use FQDN like this, it works...
> acl WWWSN dstdomain www2.domain.com
> acl WWWSN dstdomain www.domain.com
>
> # If I use the domain name like this, it "sometimes" works. But sometimes webmail.domain.com also gets redirected to this webserver.

These events are when the webmail peer is not responding or overloaded
and happen because you do not deny the webmail requests going to this
backup server....

> #acl WWWSN dstdomain .domain.com
>
> cache_peer_access WWWdomain allow WWWSN

That line should be:
  cache_peer_access WWWdomain allow WWWSN !OWASN !RDSSN

As in "allow all *.domain.com except OWASN and RDSSN ones."

> never_direct allow WWWSN
>
> http_access allow WWWSN
> miss_access allow WWWSN
>
> #Global deny
> http_access deny all
> miss_access deny all
>
>
> So I hope this makes my problem more clear. Squid only acts as a reverse proxy to access my LAN servers from the internet.
> In the wiki I found a description of this problem, but no solution... http://wiki.squid-cache.org/SquidFaq/SquidAcl#Squid_doesn.27t_match_my_subdomains
>
>
> Reto

HTH
Amos
Received on Fri Oct 04 2013 - 08:23:12 MDT
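To make the behaviour Amos describes visible, the following is an added Python model (not Squid's code, and not part of the thread) of how Squid matches `dstdomain` ACLs and walks first-match access lists. It uses the ACL names, hostnames and peer names quoted above, and shows two things: why a wildcard `acl WWWSN dstdomain .domain.com` also matches webmail.domain.com, so the WWWdomain peer becomes a silent backup origin for OWA traffic once the OWA peer is down, and how `cache_peer_access WWWdomain allow WWWSN !OWASN !RDSSN` removes that candidate. The "opposite of the last line" default for an access list with no matching line is assumed from Squid's general access-list rule.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    proto: str   # "HTTP" or "HTTPS", as seen on the accelerator port
    host: str    # destination host of the request
    path: str    # URL path


# ACL definitions from the thread (Amos' simplified form) plus the wildcard
# WWWSN line Reto had commented out.  Each entry is (acl type, values).
ACLS = {
    "all":    ("all", []),
    "HTTP":   ("proto", ["HTTP"]),
    "HTTPS":  ("proto", ["HTTPS"]),
    "noPath": ("urlpath_regex", [r"^/$"]),
    "OWASN":  ("dstdomain", ["webmail.domain.com", "autodiscover.domain.com"]),
    "RDSSN":  ("dstdomain", ["access.domain.com"]),
    "WWWSN":  ("dstdomain", [".domain.com"]),   # wildcard: domain and all subdomains
}

DENY_INFO = {"OWASN": "303:https://webmail.domain.com/owa/"}

# Amos' suggested http_access lines for OWA, plus the web server and global deny.
HTTP_ACCESS = [
    ("deny",  ["HTTPS", "noPath", "OWASN"]),
    ("deny",  ["HTTP", "OWASN"]),
    ("allow", ["OWASN"]),
    ("allow", ["WWWSN"]),
    ("deny",  ["all"]),
]

# cache_peer_access lists per peer: Reto's version and Amos' corrected version.
PEERS_LEAKY = [
    ("OWAdomain", [("allow", ["OWASN"])]),
    ("RDSdomain", [("allow", ["RDSSN"])]),
    ("WWWdomain", [("allow", ["WWWSN"])]),
]
PEERS_FIXED = [
    ("OWAdomain", [("allow", ["OWASN"])]),
    ("RDSdomain", [("allow", ["RDSSN"])]),
    ("WWWdomain", [("allow", ["WWWSN", "!OWASN", "!RDSSN"])]),
]


def dstdomain_match(pattern, host):
    """Squid dstdomain semantics: a leading dot matches the domain itself and
    every subdomain; without the dot only an exact (case-insensitive) match counts."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_match(name, req):
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "proto":
        return req.proto.upper() in values
    if kind == "dstdomain":
        return any(dstdomain_match(v, req.host) for v in values)
    if kind == "urlpath_regex":
        return any(re.search(v, req.path) for v in values)
    raise ValueError(f"unsupported acl type {kind}")


def line_matches(terms, req):
    """A line matches only when every term on it matches; '!name' inverts a term."""
    return all(acl_match(t.lstrip("!"), req) != t.startswith("!") for t in terms)


def evaluate(rules, req):
    """First matching line wins.  Returns (action, terms of the matching line);
    with no match the default is the opposite of the last line (assumed general rule)."""
    for action, terms in rules:
        if line_matches(terms, req):
            return action, terms
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def http_access(req):
    """Result of the http_access list: on deny, Squid serves the deny_info bound to
    the last ACL name of the denying line, which is how the 303 redirect is produced."""
    action, terms = evaluate(HTTP_ACCESS, req)
    if action == "deny" and terms:
        return "deny", DENY_INFO.get(terms[-1].lstrip("!"))
    return action, None


def allowed_peers(peer_rules, req):
    """Peers whose cache_peer_access list permits the request.  Squid picks among
    these, so any extra entry is a fallback origin when the preferred peer is down."""
    return [peer for peer, rules in peer_rules if evaluate(rules, req)[0] == "allow"]


if __name__ == "__main__":
    owa = Request("HTTPS", "webmail.domain.com", "/owa/")
    print("leaky:", allowed_peers(PEERS_LEAKY, owa))   # OWAdomain and WWWdomain
    print("fixed:", allowed_peers(PEERS_FIXED, owa))   # OWAdomain only
    print(http_access(Request("HTTPS", "webmail.domain.com", "/")))
```

Running it shows the OWA request has two candidate peers under the original configuration and exactly one under the corrected one; the same exclusion applies to RDSSN. The `dstdomain_match` helper also reproduces the point in the FAQ page Reto linked: `.domain.com` matches both `domain.com` and its subdomains, while `webmail.domain.com` without a leading dot matches nothing else.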
