RE: [squid-users] DNS suffix searching and parent proxy

From: Chris Robertson <crobertson@dont-contact.us>
Date: Fri, 29 Apr 2005 10:22:15 -0800

> -----Original Message-----
> From: Tim Bates [mailto:tin@new-life.org.au]
> Sent: Thursday, April 28, 2005 5:40 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] DNS suffix searching and parent proxy
>
>
> Hi.
>
> I have a local fake domain set up, and I also need to make squid use a
> parent proxy. The problem I'm getting is that the "search" option in
> resolv.conf seems to be ignored if a parent proxy is configured. If I
> try to access a host using just its name without the domain, it
> forwards to the parent. If I put the full domain, it doesn't since I have
> a "always_direct allow <local domain acl name>".
>
> I could simply create a new acl containing all the local server names,
> but that would be pretty ugly and not very easy to keep in sync with the
> DNS records.
>
> Can I make squid do a DNS lookup including the suffix search to
> determine if it's local first? If I can, how? If I can't, any hints on
> how to make it work?
>
> Tim Bates

Hmm... In your case, I would be tempted to look into the append_domain
directive.

# TAG: append_domain
# Appends local domain name to hostnames without any dots in
# them. append_domain must begin with a period.
#
# Be warned that there today is Internet names with no dots in
# them using only top-domain names, so setting this may
# cause some Internet sites to become unavailable.

If you use something like "append_domain .company.intranet", then you could
use "always_direct allow .company.intranet". Otherwise, a url_regex like
"^\." would (if I'm not mistaken) match any request without dots. Testing
would be needed to verify, and I imagine that the append_domain directive is
more efficient. As a final option (choice is good) you could specify all of
the standard TLDs (both country code, and otherwise), like:

# Available from http://ftp.ics.uci.edu/pub/websoft/wwwstat/country-codes.txt,
# but needs editing to be usable by squid
acl TLDs dstdomain "/path/to/TLDs"

And then use cache_peer_access:

cache_peer_access parent.proxy.server allow TLDs
cache_peer_access parent.proxy.server deny all

OR never_direct:
 
never_direct deny !TLDs
never_direct allow all

Since top level domains are added fairly infrequently, this should not cause
too much trouble...

*shrug* I'm just pulling these ideas out of the air. No guarantees.

Chris

Received on Fri Apr 29 2005 - 12:25:02 MDT
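
The append_domain suggestion from the reply above, written out as a squid.conf fragment. This is an added example, not part of the original message: the domain .company.intranet and the peer name parent.proxy.server come from the reply, while the ACL name local_domain, port 3128 and the cache_peer options are assumptions.

```conf
# Dotless hostnames get the local suffix appended, so a request for
# http://intranethost/ is handled as intranethost.company.intranet.
# The value must begin with a period.
append_domain .company.intranet

# always_direct takes an ACL name, not a domain, so the local domain
# is wrapped in a dstdomain ACL first (ACL name is an assumption).
acl local_domain dstdomain .company.intranet

# Parent proxy; port 3128 and the options are assumptions.
cache_peer parent.proxy.server parent 3128 0 no-query default

# Local names are fetched directly and never sent to the parent.
always_direct allow local_domain

# Everything else must go through the parent (assumed policy; drop
# this line if direct fetches are acceptable when the parent is down).
never_direct allow all
```

As the append_domain documentation quoted in the reply warns, any Internet name without a dot is also rewritten into the local domain, so such names stop resolving to their public hosts.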
