So here is the main part of my squid.conf

acl HTTP proto HTTP
acl HTTPS proto HTTPS

# Open the listeners

http_port accel
https_port accel cert=/etc/squid3/ssl/ssl_key

# OWA ->

cache_peer parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=OWAdomain

#Redirect rules
acl redirectHTTPSOWASN urlpath_regex ^/$
acl redirectHTTPOWASN url_regex -i ^http://.*$
# redirect /owa
deny_info 303: redirectHTTPOWASN
deny_info 303: redirectHTTPSOWASN

acl OWASN dstdomain
cache_peer_access OWAdomain allow OWASN
never_direct allow OWASN
http_access deny
http_access deny HTTP OWASN redirectHTTPOWASN
http_access allow OWASN
miss_access allow

# RDS ->
cache_peer parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=RDSdomain

# Redirect
acl redirectHTTPSSNRDS urlpath_regex ^/$
acl redirectHTTPSNRDS url_regex -i ^http://.*$
deny_info 303: redirectHTTPSSNRDS
deny_info 303: redirectHTTPSNRDS

acl RDSSN dstdomain

cache_peer_access RDSdomain allow RDSSN
never_direct allow RDSSN

http_access deny HTTPS RDSSN redirectHTTPSSNRDS

http_access deny HTTP RDSSN redirectHTTPSNRDS

http_access allow RDSSN
miss_access allow RDSSN

# Access to the
cache_peer parent 80 0 no-query originserver login=PASS name=WWWdomain

# If I use FQDN like this, it
acl WWWSN dstdomain
acl WWWSN dstdomain

# If I use the domain name like this, it "sometimes" works. But sometimes webmail. also gets redirected to this webserver.
#acl WWWSN dstdomain

cache_peer_access WWWdomain allow WWWSN
never_direct allow WWWSN

http_access allow WWWSN
miss_access allow WWWSN

#Global deny
http_access deny all
miss_access deny all

So I hope this makes my problem more clear. Squid only acts as a reverse proxy to access my LAN servers from the internet. In the wiki I found a description of this problem, but no solution...


In case you can share your squid.conf (cleaned) I can try to pick up a clue about what is going on..
It is not clear to me what this proxy server is for?
It looks to me more like a forward proxy that has one and all the clients can get by their IP address to specific domains.

From Squid's point of view it's a forward proxy..
If it sits facing the internet only then it's very simple..
You can use the myport ACL to differentiate between one kind of traffic and another.
There is a *bug* in squid that when using a . you will have
What squid version are you using?
If you can add some IP-level description I might have more of a clue about the bigger picture.
Does this server require auth?
If squid picks the first rule you need to sort the ACLs in a way that squid will try to match the last..
You can try something like this pseudo:

cache_peer_access PROXY1 allow domain_acl
cache_peer_access PROXY1 deny wild_card_domain_acl

cache_peer_access PROXY2 allow domain_acl1
cache_peer_access PROXY2 deny wild_card_domain_acl

cache_peer_access PROXY3 allow wild_card_domain_acl
#end (sorry it's not full squid compatible)

All the above should be OK regarding the access that is allowed to clients..
The http_access should also be sorted the same way.. like..

http_access allow all domain_acl
http_access allow all domain_acl1
http_access allow all wild_card_domain_acl
http_access deny all

which should prevent others from using your proxy.

Hope all the above gives you an example of how it should be ok..


On 10/04/2013 12:08 AM, Reto Bachmann wrote:
> Hi,
> My squid acts as a reverse proxy in my DMZ to access several different servers in my LAN.
> -> Exchange Server
> -> Intranet Server
> -> Public Webserver
> So for every server I defined a rule and this works fine.. But now I would like to add a "wildcard" rule, that * will be redirected to the webserver. So if someone types ww.domain.com, it goes to the webserver. I found out that I can't use an acl with and the two other acls webmail. and at the same time since squid picks the first rule that matches. So webmail.domain.com sometimes goes to the Webserver....
> How can I manage squid to send all requests except the two FQDNs to
> Regards,
> Reto
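The ordering the reply sketches in pseudo, written out in real Squid syntax for the three-peer reverse-proxy layout of the original question. This is an added example, not either poster's configuration: example.com, the *.lan backend hostnames and the certificate path are placeholders, while the peer and ACL names (OWAdomain, RDSdomain, WWWdomain, OWASN, RDSSN, WWWSN) are reused from the posted squid.conf. The exact FQDNs are tested before the wildcard `.example.com`, each sits in its own ACL, and every peer is closed with `deny all`.

```squid
# Added example; example.com, the *.lan backend names and the cert path are placeholders.
http_port  80  accel defaultsite=www.example.com vhost
https_port 443 accel cert=/etc/squid3/ssl/server.pem defaultsite=www.example.com vhost

# One origin server per peer, listed in the order Squid walks them during peer selection.
cache_peer owa-backend.lan parent 443 0 no-query originserver login=PASS ssl name=OWAdomain
cache_peer rds-backend.lan parent 443 0 no-query originserver login=PASS ssl name=RDSdomain
cache_peer www-backend.lan parent 80  0 no-query originserver name=WWWdomain

# Exact hostnames in their own ACLs; the wildcard lives in a separate ACL so Squid
# never sees overlapping entries inside a single dstdomain list.
acl OWASN dstdomain webmail.example.com
acl RDSSN dstdomain rds.example.com
acl WWWSN dstdomain .example.com

# Close every peer with "deny all" and keep the two FQDNs away from the wildcard peer.
cache_peer_access OWAdomain allow OWASN
cache_peer_access OWAdomain deny all
cache_peer_access RDSdomain allow RDSSN
cache_peer_access RDSdomain deny all
cache_peer_access WWWdomain deny OWASN
cache_peer_access WWWdomain deny RDSSN
cache_peer_access WWWdomain allow WWWSN
cache_peer_access WWWdomain deny all
never_direct allow all

# http_access is also first-match: specific hosts, then the wildcard, then deny everything else.
http_access allow OWASN
http_access allow RDSSN
http_access allow WWWSN
http_access deny all
```

The two explicit deny lines on WWWdomain matter because peer selection moves on to the next peer Squid still considers alive, so without them a webmail request could reach the wildcard peer whenever the Exchange peer is marked dead.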
