AW: Re: [squid-users] Proxy server with FQDN and wildcard

From: Reto Bachmann <real.reto_at_bluewin.ch>
Date: Fri, 4 Oct 2013 06:53:01 +0000 (GMT+00:00)

Hi,

So here is the main part of my squid.conf

acl HTTP proto HTTP
acl HTTPS proto HTTPS

# Open the listeners

http_port 10.10.5.5:80 accel defaultsite=www.domain.com
https_port 10.10.5.5:443 accel cert=/etc/squid3/ssl/ssl_key key=/etc/squid3/ssl/ssl_key defaultsite=www.domain.com

# OWA webmail.domain.com -> 10.10.1.21

cache_peer 10.10.1.21 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=OWAdomain

#Redirect rules
acl redirectHTTPSOWASN urlpath_regex ^/$
acl redirectHTTPOWASN url_regex -i ^http://.*$
# redirect /owa
deny_info 303:https://webmail.domain.com/owa/ redirectHTTPOWASN
deny_info 303:https://webmail.domain.com/owa/ redirectHTTPSOWASN

acl OWASN dstdomain webmail.domain.com
acl OWASN dstdomain autodiscover.domain.com
cache_peer_access OWAdomain allow OWASN
never_direct allow OWASN
http_access deny HTTPS OWASN redirectHTTPSOWASN
http_access deny HTTP OWASN redirectHTTPOWASN
http_access allow OWASN
miss_access allow OWASN

# RDS access.domain.com -> 10.10.1.29
cache_peer 10.10.1.29 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=RDSdomain

# Redirect
acl redirectHTTPSSNRDS urlpath_regex ^/$
acl redirectHTTPSNRDS url_regex -i ^http://.*$
deny_info 303:https://access.domain.com/RDWeb/ redirectHTTPSSNRDS
deny_info 303:https://access.domain.com/RDWeb/ redirectHTTPSNRDS

acl RDSSN dstdomain access.domain.com

cache_peer_access RDSdomain allow RDSSN
never_direct allow RDSSN

http_access deny HTTPS RDSSN redirectHTTPSSNRDS

http_access deny HTTP RDSSN redirectHTTPSNRDS

http_access allow RDSSN
miss_access allow RDSSN

# Access to the webserver
cache_peer 10.10.1.22 parent 80 0 no-query originserver login=PASS name=WWWdomain

# If I use FQDN like this, it works...
acl WWWSN dstdomain www2.domain.com
acl WWWSN dstdomain www.domain.com

# If I use the domain name like this, it "sometimes" works. But sometimes webmail.domain.com also gets redirected to this webserver.
#acl WWWSN dstdomain .domain.com

cache_peer_access WWWdomain allow WWWSN
never_direct allow WWWSN

http_access allow WWWSN
miss_access allow WWWSN

#Global deny
http_access deny all
miss_access deny all

So I hope this makes my problem more clear. Squid only acts as a reverse proxy to access my LAN servers from the internet. In the wiki I found a description of this problem, but no solution... http://wiki.squid-cache.org/SquidFaq/SquidAcl#Squid_doesn.27t_match_my_subdomains

Reto

----Original message----
From: eliezer_at_ngtech.co.il
Date: 04.10.2013 01:36
To: <squid-users_at_squid-cache.org>
Subject: Re: [squid-users] Proxy server with FQDN and wildcard

Hey,

in case you can share your squid.conf (cleaned) I can try to pick a
clue about what is going on..
it is not clear to me what this proxy server is for.
it looks to me more like a forward proxy that has one and all the
clients can get by their ip address to specific domains.

From squid point of view it's a forward proxy..
if it sits on the face to the internet only then it's very simple..
You can use the myport ACL to differentiate between one traffic to another.
There is a *bug* in squid that when using a .domain.com you will have
troubles.
What squid version are you using?
if you can add some IP level description I might have more clue
about the bigger picture.
Does this server require auth?
IF squid picks the first rule you need to sort the ACLs in a way that
squid will try to match the .domain.com last..
you can try something like this pseudo:

cache_peer_access PROXY1 allow domain_acl
cache_peer_access PROXY1 deny wild_car_domain_acl

cache_peer_access PROXY2 allow domain_acl1
cache_peer_access PROXY2 deny wild_car_domain_acl

cache_peer_access PROXY3 allow wild_car_domain_acl
#end (sorry it's not full squid compatible)

all the above should be OK about the access that is allowed to clients..
the http_access should be also sorted the same way.. like..
http_access allow all domain_acl
http_access allow all domain_acl1
http_access allow all wild_car_domain_acl
http_access deny all

which should prevent others using your proxy.

Hope all the above gives you an example how it should be ok..

Eliezer

On 10/04/2013 12:08 AM, Reto Bachmann wrote:
> Hi,
>
> My squid acts as a reverse proxy in my DMZ to access several different servers in my LAN.
> webmail.domain.com -> Exchange Server
> intra.domain.com -> Intranet Server
> www.domain.com -> Public Webserver
>
> So for every server I defined a rule and this works fine.. But now I would like to
> add a "wildcard" rule, that *.domain.com will be redirected to the webserver. So if someone types ww.domain.com, it
> goes to the webserver. I found out that I can't use an acl with .domain.com and the two other acls webmail.domain.com
> and intra.domain.com at the same time since squid picks the first rule that matches. So webmail.domain.com sometimes
> goes to the Webserver....
>
> How can I manage squid to send all requests except the two FQDNs to www.domain.com?
>
> Regards,
> Reto
>
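To make the first-match behaviour concrete for both the posted squid.conf and the ordering Eliezer sketches, here is an added Python simulation (not Squid's own code and not from either poster) of dstdomain matching and cache_peer_access evaluation; the peer and ACL names follow the thread, while splitting the wildcard into its own ACL and the exact rule lists are assumptions.

```python
# Added simulation of Squid's dstdomain matching and first-match
# cache_peer_access evaluation. It is not Squid code; ACL/peer names and
# the rule ordering come from the thread, everything else is assumed.

def dstdomain_match(pattern: str, host: str) -> bool:
    """'a.b.c' matches only that host; '.b.c' matches b.c and any subdomain."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def acl_matches(acl, host: str) -> bool:
    return any(dstdomain_match(p, host) for p in acl)

def peers_allowed(peer_rules, acls, host: str):
    """First matching line per peer wins; if no line matches, Squid applies
    the opposite of the last line's action (so a lone 'allow' ends in deny)."""
    allowed = []
    for peer, lines in peer_rules.items():
        verdict = next((act for act, name in lines
                        if acl_matches(acls[name], host)), None)
        if verdict is None:
            verdict = "deny" if lines[-1][0] == "allow" else "allow"
        if verdict == "allow":
            allowed.append(peer)
    return allowed

# Constructed ACL table mirroring the posted config, wildcard variant used.
ACLS = {
    "OWASN": ["webmail.domain.com", "autodiscover.domain.com"],
    "RDSSN": ["access.domain.com"],
    "WWWSN": [".domain.com"],          # the "sometimes works" variant
}

# Posted layout: every peer only allows its own ACL.
ORIGINAL = {
    "OWAdomain": [("allow", "OWASN")],
    "RDSdomain": [("allow", "RDSSN")],
    "WWWdomain": [("allow", "WWWSN")],
}

# Eliezer's ordering: the wildcard peer denies the FQDN ACLs first.
ORDERED = {
    "OWAdomain": [("allow", "OWASN")],
    "RDSdomain": [("allow", "RDSSN")],
    "WWWdomain": [("deny", "OWASN"), ("deny", "RDSSN"), ("allow", "WWWSN")],
}

if __name__ == "__main__":
    for host in ("webmail.domain.com", "ww.domain.com", "access.domain.com"):
        print(host, peers_allowed(ORIGINAL, ACLS, host), peers_allowed(ORDERED, ACLS, host))
```

With the posted layout, webmail.domain.com leaves two peers eligible, so which one serves the request is decided by Squid's peer selection rather than by the ACLs; with the deny-before-allow ordering each host maps to exactly one peer.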
Received on Fri Oct 04 2013 - 06:53:16 MDT

This archive was generated by hypermail 2.2.0 : Fri Oct 04 2013 - 12:00:06 MDT