Re: [squid-users] Proxy server with FQDN and wildcard

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Fri, 04 Oct 2013 02:36:56 +0300

Hey,

In case you can share your squid.conf (cleaned), I can try to pick up a
clue about what is going on.
It is not clear to me what this proxy server is for.
It looks to me more like a forward proxy that has one and all the
clients can get by their ip address to specific domains.
From squid's point of view it's a forward proxy.
If it sits facing the internet only then it's very simple.
You can use the myport ACL to differentiate one traffic from another.
There is a *bug* in squid: when using a .domain.com you will have
trouble.
What squid version are you using?
If you can add some IP level description I might have more of a clue
about the bigger picture.
Does this server require auth?
If squid picks the first rule you need to sort the ACLs in a way that
squid will try to match the .domain.com last.
You can try something like this pseudo-config:
cache_peer_access PROXY1 allow domain_acl
cache_peer_access PROXY1 deny wild_car_domain_acl

cache_peer_access PROXY2 allow domain_acl1
cache_peer_access PROXY2 deny wild_car_domain_acl

cache_peer_access PROXY3 allow wild_car_domain_acl
#end (sorry it's not full squid compatible)

All the above should be OK for the access that is allowed to clients.
The http_access rules should also be sorted the same way, like:
http_access allow all domain_acl
http_access allow all domain_acl1
http_access allow all wild_car_domain_acl
http_access deny all

which should prevent others from using your proxy.

Hope all the above gives you an example of how it should be OK.

Eliezer

On 10/04/2013 12:08 AM, Reto Bachmann wrote:
> Hi,
>
> My squid acts as a reverse proxy in my DMZ to access several different servers in my LAN.
> webmail.domain.com -> Exchange Server
> intra.domain.com -> Intranet Server
> www.domain.com -> Public Webserver
>
> So for every server I defined a rule and this works fine.. But now I would like to
> add a "wildcard" rule, that *.domain.com will be redirected to the webserver. So if someone types ww.domain.com, it
> goes to the webserver. I found out that I can't use an acl with .domain.com and the two other acls webmail.domain.com
> and intra.domain.com at the same time since squid picks the first rule that matches. So webmail.domain.com sometimes
> goes to the Webserver....
>
> How can I manage squid to send all requests except the two FQDNs to www.domain.com?
>
> Regards,
> Reto
>
Received on Thu Oct 03 2013 - 23:37:09 MDT
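
The ordering discussed in this thread, written out as a squid.conf fragment for the reverse-proxy setup in the quoted question. This is an added example, not configuration posted by either participant: the peer and ACL names follow the pseudo-config in the reply, while the 192.0.2.x addresses, the port numbers and the http_port line are placeholder assumptions.

```conf
# Accelerator (reverse proxy) listener; defaultsite is an assumed value.
http_port 80 accel defaultsite=www.domain.com vhost

# Origin servers (placeholder addresses from the documentation range).
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=PROXY1   # Exchange Server
cache_peer 192.0.2.11 parent 80 0 no-query originserver name=PROXY2   # Intranet Server
cache_peer 192.0.2.12 parent 80 0 no-query originserver name=PROXY3   # Public Webserver

# Keep the exact hosts and the wildcard in separate ACLs.
acl domain_acl          dstdomain webmail.domain.com
acl domain_acl1         dstdomain intra.domain.com
acl wild_car_domain_acl dstdomain .domain.com

# Each specific peer accepts only its own host name.
cache_peer_access PROXY1 allow domain_acl
cache_peer_access PROXY1 deny all

cache_peer_access PROXY2 allow domain_acl1
cache_peer_access PROXY2 deny all

# The wildcard peer must refuse the two specific hosts BEFORE the
# wildcard allow. Without these deny lines PROXY3 stays an eligible
# peer for webmail/intra, and requests can still land on the webserver.
cache_peer_access PROXY3 deny domain_acl
cache_peer_access PROXY3 deny domain_acl1
cache_peer_access PROXY3 allow wild_car_domain_acl
cache_peer_access PROXY3 deny all

# Only requests for the published domains are served; everything else
# is rejected, so the box cannot be used as an open proxy.
http_access allow domain_acl
http_access allow domain_acl1
http_access allow wild_car_domain_acl
http_access deny all
```

After editing, `squid -k parse` checks the file for syntax errors before the running instance is reconfigured.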
