Hi,

So here is the main part of my squid.conf:

acl HTTP proto HTTP
acl HTTPS proto HTTPS

# Open the listeners
http_port 10.10.5.5:80 accel defaultsite=www.domain.com
https_port 10.10.5.5:443 accel cert=/etc/squid3/ssl/ssl_key key=/etc/squid3/ssl/ssl_key defaultsite=www.domain.com

# OWA webmail.domain.com -> 10.10.1.21
cache_peer 10.10.1.21 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=OWAdomain

# Redirect rules
acl redirectHTTPSOWASN urlpath_regex ^/$
acl redirectHTTPOWASN url_regex -i ^http://.*$
# redirect /owa
deny_info 303:https://webmail.domain.com/owa/ redirectHTTPOWASN
deny_info 303:https://webmail.domain.com/owa/ redirectHTTPSOWASN

acl OWASN dstdomain webmail.domain.com
acl OWASN dstdomain autodiscover.domain.com
cache_peer_access OWAdomain allow OWASN
never_direct allow OWASN
http_access deny HTTPS OWASN redirectHTTPSOWASN
http_access deny HTTP OWASN redirectHTTPOWASN
http_access allow OWASN
miss_access allow OWASN

# RDS access.domain.com -> 10.10.1.29
cache_peer 10.10.1.29 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=RDSdomain

# Redirect
acl redirectHTTPSSNRDS urlpath_regex ^/$
acl redirectHTTPSNRDS url_regex -i ^http://.*$
deny_info 303:https://access.domain.com/RDWeb/ redirectHTTPSSNRDS
deny_info 303:https://access.domain.com/RDWeb/ redirectHTTPSNRDS

acl RDSSN dstdomain access.domain.com
cache_peer_access RDSdomain allow RDSSN
never_direct allow RDSSN
http_access deny HTTPS RDSSN redirectHTTPSSNRDS
http_access deny HTTP RDSSN redirectHTTPSNRDS
http_access allow RDSSN
miss_access allow RDSSN

# Access to the webserver
cache_peer 10.10.1.22 parent 80 0 no-query originserver login=PASS name=WWWdomain

# If I use FQDNs like this, it works...
acl WWWSN dstdomain www2.domain.com
acl WWWSN dstdomain www.domain.com
# If I use the domain name like this, it "sometimes" works. But sometimes
# webmail.domain.com also gets redirected to this webserver.
#acl WWWSN dstdomain .domain.com
cache_peer_access WWWdomain allow WWWSN
never_direct allow WWWSN
http_access allow WWWSN
miss_access allow WWWSN

# Global deny
http_access deny all
miss_access deny all

So I hope this makes my problem more clear. Squid only acts as a reverse proxy to access my LAN servers from the internet.

In the wiki I found a description of this problem, but no solution...
http://wiki.squid-cache.org/SquidFaq/SquidAcl#Squid_doesn.27t_match_my_subdomains

Reto

----Original Message----
From: eliezer@xxxxxxxxxxxx
Date: 04.10.2013 01:36
To: <squid-users@squid-cache.org>
Subject: Re: Proxy server with FQDN and wildcard

Hey,

In case you can share your squid.conf (cleaned) I can try to pick a clue about what is going on.. it is not clear to me what this proxy server is for? It looks to me more like a forward proxy that has one and all the clients can get by their IP address to specific domains.

From squid's point of view it's a forward proxy.. if it sits on the face to the internet only then it's very simple.. You can use the myport ACL to differentiate between one traffic and another.

There is a *bug* in squid that when using a .domain.com you will have troubles.

What squid version are you using? If you can add some IP level description I might have more of a clue about the bigger picture. Does this server require auth?

If squid picks the first rule you need to sort the ACLs in a way that squid will try to match the .domain.com last.. you can try something like this pseudo:

cache_peer_access allow PROXY1 domain_acl
cache_peer_access deny PROXY1 wild_car_domain_acl
cache_peer_access allow PROXY2 domain_acl1
cache_peer_access deny PROXY2 wild_car_domain_acl
cache_peer_access allow PROXY3 wild_car_domain_acl
#end

(sorry it's not fully squid compatible)

All the above should be OK about the access that is allowed to clients.. the http_access should also be sorted the same way.. like..

http_access allow all domain_acl
http_access allow all domain_acl1
http_access allow all wild_car_domain_acl
http_access deny all

which should prevent others using your proxy.

Hope all the above gives you an example of how it should be ok..

Eliezer

On 10/04/2013 12:08 AM, Reto Bachmann wrote:
> Hi,
>
> My squid acts as a reverse proxy in my DMZ to access several different servers in my LAN.
> webmail.domain.com -> Exchange Server
> intra.domain.com -> Intranet Server
> www.domain.com -> Public Webserver
>
> So for every server I defined a rule and this works fine.. But now I would like to add a "wildcard" rule, that *.domain.com will be redirected to the webserver. So if someone types ww.domain.com, it goes to the webserver. I found out that I can't use an acl with .domain.com and the two other acls webmail.domain.com and intra.domain.com at the same time since squid picks the first rule that matches. So webmail.domain.com sometimes goes to the Webserver....
>
> How can I manage squid to send all requests except the two FQDNs to www.domain.com?
>
> Regards,
> Reto
>
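The fragment below is an added example, not part of this thread, of one way to write Eliezer's ordering advice in real squid.conf syntax for the three peers in Reto's config. It keeps Reto's peer names, addresses and the OWASN/RDSSN ACL names, and introduces an assumed ACL name ANYSN for the wildcard. The idea is that every cache_peer_access list ends in an explicit deny, and the catch-all peer denies the specific hostnames before it allows the wildcard, so a request for webmail.domain.com can never be offered to WWWdomain no matter which peer Squid evaluates first. The deny_info redirect rules from the original are unchanged and left out here for brevity. This has not been tested against Reto's exact Squid 3 build.

```conf
# --- hostname ACLs: specific names first, wildcard last ---
acl OWASN dstdomain webmail.domain.com autodiscover.domain.com
acl RDSSN dstdomain access.domain.com
# ".domain.com" matches domain.com and every subdomain of it, including
# webmail.domain.com and access.domain.com, so it is only safe to use
# once the specific names have been excluded (ANYSN is an assumed name).
acl ANYSN dstdomain .domain.com

# --- Exchange / OWA peer: only its own hostnames, then deny everything ---
cache_peer 10.10.1.21 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=OWAdomain
cache_peer_access OWAdomain allow OWASN
cache_peer_access OWAdomain deny all

# --- RDS peer ---
cache_peer 10.10.1.29 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=RDSdomain
cache_peer_access RDSdomain allow RDSSN
cache_peer_access RDSdomain deny all

# --- catch-all web server: exclude the specific names, then allow the wildcard ---
cache_peer 10.10.1.22 parent 80 0 no-query originserver login=PASS name=WWWdomain
cache_peer_access WWWdomain deny OWASN
cache_peer_access WWWdomain deny RDSSN
cache_peer_access WWWdomain allow ANYSN
cache_peer_access WWWdomain deny all

# --- routing and client access, in the same specific-before-wildcard order ---
# ANYSN already covers the specific names, so one never_direct line is enough.
never_direct allow ANYSN
http_access allow OWASN
http_access allow RDSSN
http_access allow ANYSN
http_access deny all
miss_access allow ANYSN
miss_access deny all
```

Keeping the wildcard in its own ACL instead of adding ".domain.com" to WWWSN next to www.domain.com also avoids having overlapping entries inside a single dstdomain ACL, which is the situation the FAQ entry Reto linked is about. With the explicit denies on WWWdomain, the only peer that can ever accept webmail.domain.com or autodiscover.domain.com is OWAdomain, and any host under domain.com that is not listed elsewhere falls through to the web server.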