[squid-users] ICAP and "selecting" corresponding adaption_access for response via ACL based on the original destination domain from Martin Sperl on 2013-02-28 (squid-users)

From: Martin Sperl <Martin.Sperl_at_amdocs.com>
Date: Thu, 28 Feb 2013 15:32:59 +0000

Hi!

Got the following "problem" with squid 3.2.7:

We got several ICAP services with request and response-modification, that rewrites the request URL and modifies the response (especially the URLS in the html)on the return path.
That means that a request: http://a.service.name/www.google.com/...
gets translated by the request_modification to: http://www.google.com/...
This then passes the proxy/cache and on the return path we translate the URLS inside the response (like /images/srpr/logo4w.png) back to http://a.service.name/www.google.com/images/srpr/logo4w.png.

This works with a simple config like this:
adaptation_access modify_request_a allow HTTP GETPOST
adaptation_access modify_response_a allow HTTP GETPOST

So far so good.

Now we got several such services running - each one running a separate squid instance.
We want to consolidate those into a single squid instance.

So now in preparation for this second service "b.service.name" with a separate icap handler (with a similar config), I have tried to limit the icap request/response via acls to a specific URL: everything that comes in to the destinationdomain "a.service.name":

acl hosts_allowed_a dstdomain a.service.name

adaptation_access modify_request_a allow HTTP GETPOST hosts_allowed_a
adaptation_access modify_response_a allow HTTP GETPOST hosts_allowed_a

Unfortunately this does not work for the response modification.
Only icap request modification takes place, but no response-modification!

It seems as if I need to use a different ACL for this to work, as dstdomain is now "www.google.com"and not "a.service.name" but I have not found anything that would be of help.
(I am also using adapted_http_access, so this might have an impact as well)

So, how can I achieve this goal?

Is there another acltype besides "dstdomain" to match on the unmodified dstdomain instead of the icap-request modified dstdomain?
As a workaround: do I need to set an additional header (via header_access/header_replace or similar) and trigger on this acl (acl ... req_header <headername>) instead of modify_response_a?
Other ideas?

Thanks,
Martin

This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement,
you may review at http://www.amdocs.com/email_disclaimer.asp
Received on Thu Feb 28 2013 - 15:33:09 MST

This archive was generated by hypermail 2.2.0 : Fri Mar 01 2013 - 12:00:04 MST