Re: AW: Re: [squid-users] Proxy server with FQDN and wildcard

From: rrr <real.reto_at_bluewin.ch>
Date: Mon, 14 Oct 2013 20:38:13 +0200

I implemented your changes and it works fine now
The cache_peer_access WWWdomain allow WWWSN !OWASN !RDSSN line solved my
problem.

Thanks!

On 04.10.13 10:23, Amos Jeffries wrote:
> On 4/10/2013 7:53 p.m., Reto Bachmann wrote:
>> Hi,
>>
>> So here is the main part of my squid.conf
>>
>> acl HTTP proto HTTP
>> acl HTTPS proto HTTPS
>>
>> # Open the listeners
>>
>> http_port 10.10.5.5:80 accel defaultsite=www.domain.com
>> https_port 10.10.5.5:443 accel cert=/etc/squid3/ssl/ssl_key
>> key=/etc/squid3/ssl/ssl_key defaultsite=www.domain.com
>>
>> # OWA webmail.domain.com -> 10.10.1.21
>>
>> cache_peer 10.10.1.21 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=OWAdomain
>>
>> #Redirect rules
>> acl redirectHTTPSOWASN urlpath_regex ^/$
>> acl redirectHTTPOWASN url_regex -i ^http://.*$
>
> You can replace the regex above with:
> acl redirectHTTPOWASN proto HTTP
>
> Or just replace all uses of "redirectHTTPOWASN" with "HTTP" in your
> config.
>
>> # redirect /owa
>> deny_info 303:https://webmail.domain.com/owa/ redirectHTTPOWASN
>> deny_info 303:https://webmail.domain.com/owa/ redirectHTTPSOWASN
>>
>> acl OWASN dstdomain webmail.domain.com
>> acl OWASN dstdomain autodiscover.domain.com
>> cache_peer_access OWAdomain allow OWASN
>> never_direct allow OWASN
>
>> http_access deny HTTPS OWASN redirectHTTPSOWASN
>> http_access deny HTTP OWASN redirectHTTPOWASN
>> http_access allow OWASN
>
> How about this instead of all that http_access complexity?
>
> acl noPath urlpath_regex ^/$
>
> acl OWASN dstdomain webmail.domain.com autodiscover.domain.com
> deny_info 303:https://webmail.domain.com/owa/ OWASN
> cache_peer_access OWAdomain allow OWASN
> never_direct allow OWASN
> http_access deny HTTPS noPath OWASN
> http_access deny HTTP OWASN
> http_access allow OWASN
>
>
>> miss_access allow OWASN
>
> Why is miss_access present?
>
>>
>>
>> # RDS access.domain.com -> 10.10.1.29
>> cache_peer 10.10.1.29 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=RDSdomain
>>
>> # Redirect
>> acl redirectHTTPSSNRDS urlpath_regex ^/$
>> acl redirectHTTPSNRDS url_regex -i ^http://.*$
>> deny_info 303:https://access.domain.com/RDWeb/ redirectHTTPSSNRDS
>> deny_info 303:https://access.domain.com/RDWeb/ redirectHTTPSNRDS
>>
>> acl RDSSN dstdomain access.domain.com
>>
>> cache_peer_access RDSdomain allow RDSSN
>> never_direct allow RDSSN
>>
>> http_access deny HTTPS RDSSN redirectHTTPSSNRDS
>>
>> http_access deny HTTP RDSSN redirectHTTPSNRDS
>>
>> http_access allow RDSSN
>
> You can do the same thing for RDSSN that was done above for OWASN.
>
>> miss_access allow RDSSN
>>
>> # Access to the webserver
>> cache_peer 10.10.1.22 parent 80 0 no-query originserver login=PASS name=WWWdomain
>>
>> # If I use FQDN like this, it works...
>> acl WWWSN dstdomain www2.domain.com
>> acl WWWSN dstdomain www.domain.com
>>
>> # If I use the domain name like this, it "sometimes" works. But
>> sometimes webmail.domain.com also gets redirected to this webserver.
>
> These events are when the webmail peer is not responding or overloaded
> and happen because you do not deny the webmail requests going to this
> backup server....
>
>> #acl WWWSN dstdomain .domain.com
>>
>> cache_peer_access WWWdomain allow WWWSN
>
> That line should be:
> cache_peer_access WWWdomain allow WWWSN !OWASN !RDSSN
>
> As in "allow all *.domain.com except OWASN and RDSSN ones."
>
>> never_direct allow WWWSN
>>
>> http_access allow WWWSN
>> miss_access allow WWWSN
>>
>> #Global deny
>> http_access deny all
>> miss_access deny all
>>
>>
>> So I hope this makes my problem more clear. Squid only acts as a
>> reverse proxy to access my LAN servers from the internet. In the wiki
>> I found a description of this problem, but no solution...
>> http://wiki.squid-cache.org/SquidFaq/SquidAcl#Squid_doesn.27t_match_my_subdomains
>>
>>
>> Reto
>
> HTH
> Amos
>
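Added example (not part of the thread, and not Squid code): a small Python model of the two Squid behaviours the exchange above turns on, namely dstdomain matching (a leading-dot pattern such as .domain.com matches the domain and every subdomain, a pattern without the dot matches only that exact host) and first-match evaluation of cache_peer_access lines. It builds the peer-access rules from the thread twice, once with the wildcard WWWSN acl and the original `cache_peer_access WWWdomain allow WWWSN`, and once with Amos's `!OWASN !RDSSN` exclusion, and lists which peers each request host is eligible for. The model assumes that when no cache_peer_access line for a peer matches, the result is the opposite of the last line's action (Squid's general access-list rule); it models only dstdomain acls and peer eligibility, not the selection among eligible peers or the failover that produced the "sometimes" in the original report. The hostnames are the ones from the posted config.

```python
"""Model of Squid dstdomain acl matching and cache_peer_access evaluation.

Added example for the squid-users thread; it is not Squid's own code.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def dstdomain_match(pattern: str, host: str) -> bool:
    """Squid dstdomain semantics: '.domain.com' matches domain.com and any
    subdomain of it; 'www.domain.com' (no leading dot) matches only that host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


@dataclass
class Config:
    # acl name -> list of dstdomain patterns (repeated acl lines append)
    acls: Dict[str, List[str]] = field(default_factory=dict)
    # peer name -> ordered cache_peer_access lines (action, acl terms)
    peer_access: Dict[str, List[Tuple[str, List[str]]]] = field(default_factory=dict)

    def acl(self, name: str, *patterns: str) -> None:
        self.acls.setdefault(name, []).extend(patterns)

    def cache_peer_access(self, peer: str, action: str, *terms: str) -> None:
        self.peer_access.setdefault(peer, []).append((action, list(terms)))

    def term_matches(self, term: str, host: str) -> bool:
        """One acl reference on an access line; a leading '!' negates it."""
        negate = term.startswith("!")
        name = term.lstrip("!")
        hit = any(dstdomain_match(p, host) for p in self.acls[name])
        return hit != negate

    def peer_allowed(self, peer: str, host: str) -> bool:
        """First matching line wins; all terms on a line must match (AND).
        Assumption: with lines present but none matching, the result is the
        opposite of the last line's action, as for Squid access lists generally."""
        rules = self.peer_access.get(peer, [])
        if not rules:
            return True  # peer has no cache_peer_access restrictions
        for action, terms in rules:
            if all(self.term_matches(t, host) for t in terms):
                return action == "allow"
        return rules[-1][0] != "allow"

    def eligible_peers(self, host: str) -> List[str]:
        return [p for p in self.peer_access if self.peer_allowed(p, host)]


def build_config(exclude_special_hosts: bool) -> Config:
    """Peer-access rules from the thread, using the wildcard WWWSN acl.
    exclude_special_hosts=False is the original config; True adds Amos's fix."""
    cfg = Config()
    cfg.acl("OWASN", "webmail.domain.com", "autodiscover.domain.com")
    cfg.acl("RDSSN", "access.domain.com")
    cfg.acl("WWWSN", ".domain.com")  # the "sometimes works" wildcard form
    cfg.cache_peer_access("OWAdomain", "allow", "OWASN")
    cfg.cache_peer_access("RDSdomain", "allow", "RDSSN")
    if exclude_special_hosts:
        cfg.cache_peer_access("WWWdomain", "allow", "WWWSN", "!OWASN", "!RDSSN")
    else:
        cfg.cache_peer_access("WWWdomain", "allow", "WWWSN")
    return cfg


def eligible_peers(host: str, fixed: bool) -> List[str]:
    """Peers a request for `host` may be routed to under either variant."""
    return build_config(exclude_special_hosts=fixed).eligible_peers(host)


if __name__ == "__main__":
    for host in ("webmail.domain.com", "access.domain.com", "www2.domain.com", "domain.com"):
        print(f"{host:22s} original: {eligible_peers(host, False)}  "
              f"fixed: {eligible_peers(host, True)}")
```

With the original rules, webmail.domain.com is eligible for both OWAdomain and WWWdomain, so anything that makes Squid skip the OWA peer (it is down, overloaded, or marked dead) lets the request fall through to the plain HTTP webserver. With the exclusion terms only OWAdomain remains eligible, so a failed OWA peer yields an error rather than a silent route to a different backend.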
Received on Mon Oct 14 2013 - 18:38:28 MDT

This archive was generated by hypermail 2.2.0 : Tue Oct 15 2013 - 12:00:05 MDT