[squid-users] How to limit requests to port 80 for specific vhost

From: adam dirkmaat <adirkmaat_at_gmail.com>
Date: Mon, 18 Apr 2011 18:56:08 -0400

How can I limit 80 traffic to one vhost and 443 traffic to a second
vhost.  I want to be able to hit 1.2.3.4:80 & 5.6.7.8:443, and NOT
access 1.2.3.4:443 & 5.6.7.8:80?

[root_at_calamari squid]# squid -v

Squid Cache: Version 2.6.STABLE21

[root_at_calamari squid]# cat /etc/squid/squid.conf

# SQUID 2.6.STABLE6

# NETWORK OPTIONS

# -----------------------------------------------------------------------------

http_port 80 defaultsite=web.somesite.com vhost

https_port 443 cert=/usr/local/ssl/owa-cert-20090629.pem
key=/usr/local/ssl/owa-20090629.pem defaultsite=mail.somesite.com
vhost

icp_port 0

# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS

# -----------------------------------------------------------------------------

hosts_file /etc/hosts

dns_nameservers 1.1.1.1 1.1.1.2

url_rewrite_host_header off

# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM

# -----------------------------------------------------------------------------

cache_peer 1.2.3.4 parent 80 0 no-query originserver name=web

acl web_site dstdomain web.somesite.com

cache_peer_access web allow web_site

# webmail on port 443 outside, port 80 inside

cache_peer 5.6.7.8 parent 443 0 no-query originserver login=PASS
front-end-https=on ssl sslflags=DONT_VERIFY_PEER name=owa

acl owa_site dstdomain owa.somesite.com

cache_peer_access owa allow owa_site

http_access allow web_site

http_access allow owa_site

sslproxy_flags DONT_VERIFY_PEER

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?

cache deny QUERY

acl apache rep_header Server ^Apache

broken_vary_encoding allow apache

# OPTIONS WHICH AFFECT THE CACHE SIZE

# -----------------------------------------------------------------------------

cache_mem 683 MB

# LOGFILE PATHNAMES AND CACHE DIRECTORIES

# -----------------------------------------------------------------------------

access_log /var/log/squid/access.log squid

cache_log /var/log/squid/cache.log

cache_store_log /var/log/squid/store.log

cache_dir ufs /sqcache/cache 35000 16 256

# OPTIONS FOR TUNING THE CACHE

# -----------------------------------------------------------------------------

refresh_pattern .               0       20%     4320

# ACCESS CONTROLS

# -----------------------------------------------------------------------------

acl all src 0.0.0.0/0.0.0.0

acl manager proto cache_object

acl localhost src 127.0.0.1/255.255.255.255

acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 443         # https

acl Safe_ports port 70          # gopher

acl Safe_ports port 210         # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280         # http-mgmt

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT

http_access allow manager localhost

http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

# ADMINISTRATIVE PARAMETERS

# -----------------------------------------------------------------------------

cache_mgr monkey_at_somewhere.com

cache_effective_user squid

cache_effective_group squid

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt

# to list your (internal) IP networks from where browsing should

# be allowed

#acl our_networks src 192.168.1.0/24 192.168.2.0/24

#http_access allow our_networks

http_access allow localhost

http_access deny all

http_reply_access allow all

icp_access allow all

# ADMINISTRATIVE PARAMETERS

# -----------------------------------------------------------------------------

visible_hostname calamari.some.site.com

# HTTPD-ACCELERATOR OPTIONS

# -----------------------------------------------------------------------------

#  TAG: httpd_accel_no_pmtu_disc        on|off

#       In many setups of transparently intercepting proxies Path-MTU

#       discovery can not work on traffic towards the clients. This is

#       the case when the intercepting device does not fully track

#       connections and fails to forward ICMP must fragment messages

#       to the cache server.

#

#       If you have such setup and experience that certain clients

#       sporadically hang or never complete requests set this to on.

#

#Default:

# httpd_accel_no_pmtu_disc off

# MISCELLANEOUS

# -----------------------------------------------------------------------------

log_icp_queries off

--
adam dirkmaat
adirkmaat_at_gmail.com
Received on Mon Apr 18 2011 - 22:56:19 MDT

This archive was generated by hypermail 2.2.0 : Tue Apr 19 2011 - 12:00:04 MDT