On 4/10/2013 7:53 p.m., Reto Bachmann wrote:
> Hi,
>
> So here is the main part of my squid.conf
>
> acl HTTP proto HTTP
> acl HTTPS proto HTTPS
>
> # Open the listeners
> http_port 10.10.5.5:80 accel defaultsite=www.domain.com
> https_port 10.10.5.5:443 accel cert=/etc/squid3/ssl/ssl_key key=/etc/squid3/ssl/ssl_key defaultsite=www.domain.com
>
> # OWA webmail.domain.com -> 10.10.1.21
> cache_peer 10.10.1.21 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=OWAdomain
>
> #Redirect rules
> acl redirectHTTPSOWASN urlpath_regex ^/$
> acl redirectHTTPOWASN url_regex -i ^http://.*$
You can replace the regex above with:

  acl redirectHTTPOWASN proto HTTP

Or just replace all uses of "redirectHTTPOWASN" with "HTTP" in your config.
> # redirect /owa
> deny_info 303:https://webmail.domain.com/owa/ redirectHTTPOWASN
> deny_info 303:https://webmail.domain.com/owa/ redirectHTTPSOWASN
>
> acl OWASN dstdomain webmail.domain.com
> acl OWASN dstdomain autodiscover.domain.com
> cache_peer_access OWAdomain allow OWASN
> never_direct allow OWASN
>
> http_access deny HTTPS OWASN redirectHTTPSOWASN
> http_access deny HTTP OWASN redirectHTTPOWASN
> http_access allow OWASN
How about this instead of all that http_access complexity?

  acl noPath urlpath_regex ^/$
  acl OWASN dstdomain webmail.domain.com autodiscover.domain.com
  deny_info 303:https://webmail.domain.com/owa/ OWASN
  cache_peer_access OWAdomain allow OWASN
  never_direct allow OWASN
  http_access deny HTTPS noPath OWASN
  http_access deny HTTP OWASN
  http_access allow OWASN

> miss_access allow OWASN
Why is miss_access present?
> # RDS access.domain.com -> 10.10.1.29
> cache_peer 10.10.1.29 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=RDSdomain
>
> # Redirect
> acl redirectHTTPSSNRDS urlpath_regex ^/$
> acl redirectHTTPSNRDS url_regex -i ^http://.*$
> deny_info 303:https://access.domain.com/RDWeb/ redirectHTTPSSNRDS
> deny_info 303:https://access.domain.com/RDWeb/ redirectHTTPSNRDS
>
> acl RDSSN dstdomain access.domain.com
> cache_peer_access RDSdomain allow RDSSN
> never_direct allow RDSSN
>
> http_access deny HTTPS RDSSN redirectHTTPSSNRDS
> http_access deny HTTP RDSSN redirectHTTPSNRDS
> http_access allow RDSSN
You can do the same thing for RDSSN that was done above for OWASN.

> miss_access allow RDSSN
>
> # Access to the webserver
> cache_peer 10.10.1.22 parent 80 0 no-query originserver login=PASS name=WWWdomain
>
> # If I use FQDN like this, it works...
> acl WWWSN dstdomain www2.domain.com
> acl WWWSN dstdomain www.domain.com
>
> # If I use the domain name like this, it "sometimes" works. But sometimes
> # webmail.domain.com also gets redirected to this webserver.
These events are when the webmail peer is not responding or overloaded and happen because you do not deny the webmail requests going to this backup server....
> #acl WWWSN dstdomain .domain.com
> cache_peer_access WWWdomain allow WWWSN

That line should be:

  cache_peer_access WWWdomain allow WWWSN !OWASN !RDSSN

As in "allow all *.domain.com except OWASN and RDSSN ones."
> never_direct allow WWWSN
> http_access allow WWWSN
> miss_access allow WWWSN
>
> #Global deny
> http_access deny all
> miss_access deny all
>
> So I hope this makes my problem more clear. Squid only acts as a reverse
> proxy to access my LAN servers from internet.
>
> In the wiki I found a description of this problem, but no solution...
> http://wiki.squid-cache.org/SquidFaq/SquidAcl#Squid_doesn.27t_match_my_subdomains
>
> Reto

HTH
Amos
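The peer-selection point in the reply above (a ".domain.com" wildcard also matching webmail.domain.com and access.domain.com, so the WWW peer becomes eligible for them), shown with an added emulation script that is not part of this thread or of Squid; it assumes a simplified model of dstdomain matching and first-match-per-peer cache_peer_access evaluation.

```python
# Added example, not code from the squid-users thread or from Squid itself:
# a small emulation of how dstdomain ACLs and per-peer cache_peer_access
# lines decide which peers may serve a request. It models two rules only:
# a dstdomain pattern with a leading "." matches that domain and every
# subdomain, and cache_peer_access is first-match per peer.
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, List[str]]  # (peer name, "allow"/"deny", ACL terms)


def dstdomain_match(pattern: str, host: str) -> bool:
    # ".domain.com" matches domain.com and *.domain.com; no dot: exact match.
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(acls: Dict[str, List[str]], term: str, host: str) -> bool:
    """Evaluate one ACL term, honouring a leading "!" negation."""
    negate = term.startswith("!")
    hit = any(dstdomain_match(p, host) for p in acls[term.lstrip("!")])
    return hit != negate


def eligible_peers(acls: Dict[str, List[str]], rules: List[Rule],
                   host: str) -> Set[str]:
    """Peers whose first matching cache_peer_access line says allow."""
    decided: Dict[str, str] = {}
    for peer, action, terms in rules:
        if peer not in decided and all(acl_matches(acls, t, host) for t in terms):
            decided[peer] = action  # first matching line per peer wins
    return {p for p, a in decided.items() if a == "allow"}


# Constructed from the thread's config, with the wildcard WWWSN line enabled
# (the variant the poster says "sometimes" works).
ACLS = {
    "OWASN": ["webmail.domain.com", "autodiscover.domain.com"],
    "RDSSN": ["access.domain.com"],
    "WWWSN": [".domain.com"],
}
AS_POSTED: List[Rule] = [
    ("OWAdomain", "allow", ["OWASN"]),
    ("RDSdomain", "allow", ["RDSSN"]),
    ("WWWdomain", "allow", ["WWWSN"]),
]
# The fix suggested in the reply: exclude the named hosts from the catch-all.
FIXED: List[Rule] = AS_POSTED[:2] + [("WWWdomain", "allow", ["WWWSN", "!OWASN", "!RDSSN"])]

if __name__ == "__main__":
    for host in ("webmail.domain.com", "www.domain.com", "access.domain.com"):
        print(host, eligible_peers(ACLS, AS_POSTED, host), eligible_peers(ACLS, FIXED, host))
```

With the posted rules webmail.domain.com is eligible for both OWAdomain and WWWdomain, which is exactly the fallback the reply describes; with the exclusions only OWAdomain remains.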