> -----Original Message-----
> From: Graham_Trigge@xxxxxxxxxxxxxxxxxxxxxxxxx
> [mailto:Graham_Trigge@xxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, October 13, 2005 6:28 PM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: ACL Hell
>
> Help required (before I lose all my hair),
>
> I have a Squid server configured (2.5 stable 11) to redirect page
> requests for a certain domain to another squid server (for security
> reasons within our network):
>
> cache_peer 1.2.3.4 (blah blah blah)
> acl domain_name dstdomain abc.net.au
> cache_peer_access 1.2.3.4 allow domain_name
>
> I have now been asked to redirect certain pages in this domain (for
> example, http://target.abc.net.au) to another squid server (for security
> reasons). So I have configured the following acl:
>
> cache_peer 5.6.7.8 (blah blah blah)
> acl new_target url_regex ^http://target\.abc\.net\.au
>
> For the life of me I cannot get this working. I have the following
> configured in the conf file:
>

Looking at the example in squid.conf.default I think this...

> cache_peer_access 5.6.7.8 allow new_target
> cache_peer_access 5.6.7.8 deny domain_name
> cache_peer_access 1.2.3.4 deny new_target
> cache_peer_access 1.2.3.4 allow domain_name
>

...should read...

cache_peer_access 5.6.7.8 allow new_target
cache_peer_access 5.6.7.8 deny all # Only use 5.6.7.8 for target.abc.net.au
cache_peer_access 1.2.3.4 allow domain_name
cache_peer_access 1.2.3.4 deny all # optional

You might also change the new_target acl to...

acl new_target dstdomain .target.abc.net.au

If that doesn't work, turn on acl debugging:

# For debugging ACLs uncomment the next line and tail cache.log
# debug_options ALL,1 33,2
# For verbose debugging of ACLs uncomment the next line and tail cache.log
# debug_options ALL,1 33,2 28,9

> To me, this should send the target.abc.net.au through to 5.6.7.8, and send
> all other abc.net.au requests through to 1.2.3.4. Either the new ACL is
> not working, or the target.abc.net.au is being associated to both ACL's,
> so not performing the redirection. I am either seeing no traffic get
> through to either squid servers, or it is not going to the squid server I
> need it to go to.
>
> Questions (which I can't find answers for):
> - can an acl element cover more than one target, or is the first match
> hit the only match (for example, does "target.abc.net.au" fall under both
> the domain_name and new_target example above)?
> - is there a better way of configuring the acl for target.abc.net.au?

Yes, target.abc.net.au does match both the domain_name acl and the
new_target acl. Just to be safe, I would define new_target before
domain_name (and obviously keep the new_target cache_peer_access line
before the domain_name cache_peer_access line).

> - has anyone done this/seen this done and has examples?
>

There was an other person on the list a few months ago trying to do
something similar. I'm not sure if he ever got it working...

> I have been pulling my hair out for the last few days, so any help would
> be grateful
>
> Regards
>
> Graham Trigge.
>

Chris
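
Added example, not part of the original messages and not Squid's own code: a small Python model that evaluates both cache_peer_access rule sets from this thread against constructed sample URLs, to show which peers each request is eligible for. It assumes the access-list behaviour documented in squid.conf (first matching line decides; with no match the result is the opposite of the last line) and treats domain_name as covering abc.net.au and its subdomains, as the thread describes; all function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

def host(url):
    return urlsplit(url).hostname or ""

# Simplified stand-ins for the thread's ACLs (assumption: domain_name covers
# abc.net.au and its subdomains, as the thread describes).
ACLS = {
    "all": lambda u: True,
    "domain_name": lambda u: host(u) == "abc.net.au" or host(u).endswith(".abc.net.au"),
    "new_target": lambda u: re.match(r"http://target\.abc\.net\.au", u) is not None,
}

ORIGINAL = """
cache_peer_access 5.6.7.8 allow new_target
cache_peer_access 5.6.7.8 deny domain_name
cache_peer_access 1.2.3.4 deny new_target
cache_peer_access 1.2.3.4 allow domain_name
"""
REVISED = """
cache_peer_access 5.6.7.8 allow new_target
cache_peer_access 5.6.7.8 deny all
cache_peer_access 1.2.3.4 allow domain_name
cache_peer_access 1.2.3.4 deny all
"""

def parse(conf):
    """Group cache_peer_access lines per peer, keeping file order."""
    peers = {}
    for line in conf.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0] == "cache_peer_access":
            peers.setdefault(tok[1], []).append((tok[2], tok[3:]))
    return peers

def peer_allowed(rules, url):
    for action, acls in rules:
        if all(ACLS[a](url) for a in acls):   # ACLs on one line are ANDed
            return action == "allow"          # first matching line decides
    return rules[-1][0] == "deny"             # assumed default: opposite of last line

def eligible(conf, url):
    """Peers this model would consider for the URL."""
    return sorted(p for p, r in parse(conf).items() if peer_allowed(r, url))

if __name__ == "__main__":
    # Constructed sample URLs: the target host, a sibling host, an unrelated host.
    urls = ["http://target.abc.net.au/page", "http://www.abc.net.au/", "http://www.example.org/"]
    for name, conf in (("original", ORIGINAL), ("revised", REVISED)):
        for u in urls:
            print(f"{name:8} {u:32} -> {eligible(conf, u)}")
```

In this model the original rules leave unrelated domains eligible for 5.6.7.8, because its list ends in a deny line that does not match them. The revised rules close that, but leave target.abc.net.au eligible for both peers, since it also matches domain_name.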