RE: [squid-users] ACL Hell

From: Chris Robertson <crobertson@dont-contact.us>
Date: Mon, 17 Oct 2005 16:43:22 -0800

> -----Original Message-----
> From: Graham_Trigge@EnterpriseServices.com.au
> [mailto:Graham_Trigge@EnterpriseServices.com.au]
> Sent: Thursday, October 13, 2005 6:28 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] ACL Hell
>
>
> Help required (before I lose all my hair),
>
> I have a Squid server configured (2.5 stable 11) to redirect page
> requests for a certain domain to another squid server (for security
> reasons within our network):
>
> cache_peer 1.2.3.4 (blah blah blah)
> acl domain_name dstdomain abc.net.au
> cache_peer_access 1.2.3.4 allow domain_name
>
> I have now been asked to redirect certain pages in this domain (for
> example, http://target.abc.net.au) to another squid server (for security
> reasons). So I have configured the following acl:
>
> cache_peer 5.6.7.8 (blah blah blah)
> acl new_target url_regex ^http://target\.abc\.net\.au
>
> For the life of me I cannot get this working. I have the following
> configured in the conf file:
>

Looking at the example in squid.conf.default I think this...

> cache_peer_access 5.6.7.8 allow new_target
> cache_peer_access 5.6.7.8 deny domain_name
> cache_peer_access 1.2.3.4 deny new_target
> cache_peer_access 1.2.3.4 allow domain_name
>

...should read...

cache_peer_access 5.6.7.8 allow new_target
cache_peer_access 5.6.7.8 deny all # Only use 5.6.7.8 for target.abc.net.au
cache_peer_access 1.2.3.4 allow domain_name
cache_peer_access 1.2.3.4 deny all # optional

You might also change the new_target acl to...

acl new_target dstdomain .target.abc.net.au

If that doesn't work, turn on acl debugging:

# For debugging ACLs uncomment the next line and tail cache.log
# debug_options ALL,1 33,2
# For verbose debugging of ACLs uncomment the next line and tail cache.log
# debug_options ALL,1 33,2 28,9

> To me, this should send the target.abc.net.au through to 5.6.7.8, and send
> all other abc.net.au requests through to 1.2.3.4. Either the new ACL is
> not working, or the target.abc.net.au is being associated to both ACLs,
> so not performing the redirection. I am either seeing no traffic get
> through to either squid server, or it is not going to the squid server I
> need it to go to.
>
> Questions (which I can't find answers for):
> - can an acl element cover more than one target, or is the first match
> hit the only match (for example, does "target.abc.net.au" fall under both
> the domain_name and new_target example above)?
> - is there a better way of configuring the acl for target.abc.net.au?

Yes, target.abc.net.au does match both the domain_name acl and the new_target acl. Just to be safe, I would define new_target before domain_name (and obviously keep the new_target cache_peer_access line before the domain_name cache_peer_access line).

> - has anyone done this/seen this done and has examples?
>

There was another person on the list a few months ago trying to do something similar. I'm not sure if he ever got it working...

> I have been pulling my hair out for the last few days, so any help would
> be grateful
>
> Regards
>
> Graham Trigge.
>

Chris
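The ordering point made above, as an added example that is not part of the original thread or of Squid itself: a small Python model of first-match cache_peer_access evaluation, run over both the original and the corrected rule lists. It assumes that a list with no matching line yields the opposite of its last line (Squid's documented access-list default, assumed here to apply to cache_peer_access), that dstdomain matches a domain and its subdomains, and that the more specific peer is considered first.

```python
import re

# Constructed model of how Squid walks a cache_peer_access list: the first
# matching line for a peer decides, and if no line matches the result is the
# opposite of the last line (assumption: Squid's access-list default, as
# documented for http_access, applied to cache_peer_access). Simplification:
# dstdomain is treated as matching the domain and all of its subdomains.
ACLS = {
    "domain_name": ("dstdomain", "abc.net.au"),
    "new_target": ("url_regex", r"^http://target\.abc\.net\.au"),
    "all": ("all", None),  # acl all src 0.0.0.0/0.0.0.0 in squid.conf.default
}

# Peer order is an assumption of this model: the more specific peer first.
PEERS = ("5.6.7.8", "1.2.3.4")

def acl_matches(name, url):
    kind, arg = ACLS[name]
    if kind == "all":
        return True
    host = re.match(r"^[a-z]+://([^/:]+)", url).group(1).lower()
    if kind == "dstdomain":
        domain = arg.lstrip(".")
        return host == domain or host.endswith("." + domain)
    return re.search(arg, url) is not None  # url_regex

def peer_allowed(rules, peer, url):
    """First matching cache_peer_access line for this peer decides."""
    lines = [(verdict, acl) for p, verdict, acl in rules if p == peer]
    for verdict, acl in lines:
        if acl_matches(acl, url):
            return verdict == "allow"
    return lines[-1][0] == "deny"  # no match: opposite of the last line

def choose_peer(rules, url):
    for peer in PEERS:
        if peer_allowed(rules, peer, url):
            return peer
    return "DIRECT"

# The two rule lists from the thread (peer, verdict, acl).
ORIGINAL = [("5.6.7.8", "allow", "new_target"), ("5.6.7.8", "deny", "domain_name"),
            ("1.2.3.4", "deny", "new_target"), ("1.2.3.4", "allow", "domain_name")]
CORRECTED = [("5.6.7.8", "allow", "new_target"), ("5.6.7.8", "deny", "all"),
             ("1.2.3.4", "allow", "domain_name"), ("1.2.3.4", "deny", "all")]

if __name__ == "__main__":
    for url in ("http://target.abc.net.au/", "http://www.abc.net.au/", "http://www.example.com/"):
        print(url, "original ->", choose_peer(ORIGINAL, url), "| corrected ->", choose_peer(CORRECTED, url))
```

Under this model the abc.net.au requests route the same way in both lists, but a request for an unrelated host falls through the original 5.6.7.8 list with no match and is allowed by the opposite-of-last-line default, which the explicit `deny all` lines remove.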
Received on Mon Oct 17 2005 - 18:43:24 MDT