I implemented your changes and it works fine now
The > cache_peer_access WWWdomain allow WWWSN !OWASN !RDSSN solved my problem.
Thanks!
On 04.10.13 10:23, Amos Jeffries wrote:
> On 4/10/2013 7:53 p.m., Reto Bachmann wrote:
>> Hi,
>>
>> So here is the main part of my squid.conf
>>
>> acl HTTP proto HTTP
>> acl HTTPS proto HTTPS
>>
>> # Open the listeners
>> http_port 10.10.5.5:80 accel defaultsite=www.domain.com
>> https_port 10.10.5.5:443 accel cert=/etc/squid3/ssl/ssl_key key=/etc/squid3/ssl/ssl_key defaultsite=www.domain.com
>>
>> # OWA webmail.domain.com -> 10.10.1.21
>> cache_peer 10.10.1.21 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=OWAdomain
>>
>> #Redirect rules
>> acl redirectHTTPSOWASN urlpath_regex ^/$
>> acl redirectHTTPOWASN url_regex -i ^http://.*$
>
> You can replace the regex above with:
>   acl redirectHTTPOWASN proto HTTP
>
> Or just replace all uses of "redirectHTTPOWASN" with "HTTP" in your
> config.
>
>> # redirect /owa
>> deny_info 303:https://webmail.domain.com/owa/ redirectHTTPOWASN
>> deny_info 303:https://webmail.domain.com/owa/ redirectHTTPSOWASN
>> acl OWASN dstdomain webmail.domain.com
>> acl OWASN dstdomain autodiscover.domain.com
>> cache_peer_access OWAdomain allow OWASN
>> never_direct allow OWASN
>> http_access deny HTTPS OWASN redirectHTTPSOWASN
>> http_access deny HTTP OWASN redirectHTTPOWASN
>> http_access allow OWASN
>
> How about this instead of all that http_access complexity?
>
>   acl noPath urlpath_regex ^/$
>   acl OWASN dstdomain webmail.domain.com autodiscover.domain.com
>   deny_info 303:https://webmail.domain.com/owa/ OWASN
>   cache_peer_access OWAdomain allow OWASN
>   never_direct allow OWASN
>   http_access deny HTTPS noPath OWASN
>   http_access deny HTTP OWASN
>   http_access allow OWASN
>
>> miss_access allow OWASN
>
> Why is miss_access present?
>
>> # RDS access.domain.com -> 10.10.1.29
>> cache_peer 10.10.1.29 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=RDSdomain
>>
>> # Redirect
>> acl redirectHTTPSSNRDS urlpath_regex ^/$
>> acl redirectHTTPSNRDS url_regex -i ^http://.*$
>> deny_info 303:https://access.domain.com/RDWeb/ redirectHTTPSSNRDS
>> deny_info 303:https://access.domain.com/RDWeb/ redirectHTTPSNRDS
>> acl RDSSN dstdomain access.domain.com
>> cache_peer_access RDSdomain allow RDSSN
>> never_direct allow RDSSN
>> http_access deny HTTPS RDSSN redirectHTTPSSNRDS
>> http_access deny HTTP RDSSN redirectHTTPSNRDS
>> http_access allow RDSSN
>
> You can do the same thing for RDSSN that was done above for OWASN.
>
>> miss_access allow RDSSN
>>
>> # Access to the webserver
>> cache_peer 10.10.1.22 parent 80 0 no-query originserver login=PASS name=WWWdomain
>>
>> # If I use FQDN like this, it works...
>> acl WWWSN dstdomain www2.domain.com
>> acl WWWSN dstdomain www.domain.com
>>
>> # If I use the domain name like this, it "sometimes" works. But
>> # sometimes webmail.domain.com also gets redirected to this webserver.
>
> These events are when the webmail peer is not responding or overloaded
> and happen because you do not deny the webmail requests going to this
> backup server....
>
>> #acl WWWSN dstdomain .domain.com
>> cache_peer_access WWWdomain allow WWWSN
>
> That line should be:
>   cache_peer_access WWWdomain allow WWWSN !OWASN !RDSSN
>
> As in "allow all *.domain.com except OWASN and RDSSN ones."
>
>> never_direct allow WWWSN
>> http_access allow WWWSN
>> miss_access allow WWWSN
>>
>> #Global deny
>> http_access deny all
>> miss_access deny all
>>
>> So I hope this makes my problem more clear. Squid only acts as a reverse
>> proxy to access my LAN servers from internet. In the wiki I found a
>> description of this problem, but no solution...
>> http://wiki.squid-cache.org/SquidFaq/SquidAcl#Squid_doesn.27t_match_my_subdomains
>>
>> Reto
>
> HTH
> Amos
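To see why the wildcard form of WWWSN sends webmail.domain.com to the web server only when the OWA peer is unavailable, here is a small Python model of the two Squid behaviours Amos describes (an added example, not Squid's code or anything posted in the thread). It models only dstdomain ACLs, AND-ed access-line terms with "!" negation, and first-match-wins per peer, and treats the list of allowed peers as Squid's failover order; peer names, ACL names and hostnames are taken from the quoted squid.conf.

```python
# Constructed model (not Squid source) of the two pieces of Squid
# behaviour behind the "sometimes" bug in the thread: dstdomain
# matching, and cache_peer_access lines evaluated per peer with
# first match winning and "!" negating a term. Peer names, ACL names
# and hostnames come from the squid.conf quoted above.

def dstdomain_match(pattern, host):
    """'.domain.com' matches domain.com and every subdomain;
    a pattern without a leading dot must match the host exactly."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def acl_list_matches(acls, terms, host):
    """Every term on one access line must match (logical AND)."""
    for term in terms:
        negated = term.startswith("!")
        hit = any(dstdomain_match(p, host) for p in acls[term.lstrip("!")])
        if hit == negated:
            return False
    return True

def allowed_peers(acls, rules, host):
    """Peers the request may be forwarded to, in config order. Squid tries
    them in that order, so if the first one is dead or overloaded the
    request fails over to the next peer that is still allowed."""
    decision, order = {}, []
    for peer, action, terms in rules:
        if peer not in order:
            order.append(peer)
        if peer not in decision and acl_list_matches(acls, terms, host):
            decision[peer] = action          # first matching line wins
    return [p for p in order if decision.get(p) == "allow"]

# The ACLs as in the thread, with the wildcard form of WWWSN enabled.
ACLS = {
    "OWASN": ["webmail.domain.com", "autodiscover.domain.com"],
    "RDSSN": ["access.domain.com"],
    "WWWSN": [".domain.com"],
}
BROKEN = [("OWAdomain", "allow", ["OWASN"]),
          ("RDSdomain", "allow", ["RDSSN"]),
          ("WWWdomain", "allow", ["WWWSN"])]
FIXED = BROKEN[:2] + [("WWWdomain", "allow", ["WWWSN", "!OWASN", "!RDSSN"])]

if __name__ == "__main__":
    for rules, label in ((BROKEN, "broken"), (FIXED, "fixed")):
        print(label, allowed_peers(ACLS, rules, "webmail.domain.com"))
```

With the broken line, webmail.domain.com is allowed on both OWAdomain and WWWdomain, so a dead OWA peer silently fails over to the web server; with the negated terms only OWAdomain remains.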