Re: [squid-users] URL Rewrite for https via Squidguard

2016-01-09 Thread Darren
Hi

Thanks Marcus

I have been hacking my own branch of Squidguard so I can add support for the 
SNI (I hope)

How would I get the peek SNI output to the url_rewriter?

I am a bit of a peek newcomer.

Sounds like there is some hope and a possible way forward.

regards

Darren B.






On 9/01/2016 5:46:36 PM, Marcus Kool  wrote:


On 01/09/2016 05:07 AM, Darren wrote:
> Hi
>
> I am trying to hack squidguard to allow me to redirect users attempts to 
> connect to blocked https enabled sites.
>
> Some sites are allowed and the bulk are not. Currently I can see the Connect 
> details being handed to SG for processing and if I change this to return a 
> redirect to make it point to a different server
> it breaks and gives me an SSL error (as would be expected)

indeed, "as expected"...
The HTTP protocol supports redirection of a URL by sending a 30x status 
code back to the browser.
HTTPS, which is SSL+HTTP, is a "safe" encrypted channel where HTTP is inside the 
channel and
explicitly is designed not to be tampered with. So redirecting a channel to 
another website
always will cause a certificate error, unless ...
1) one uses ssl-bump
2) installs the Squid fake CA certificate in all browsers
3) one has a policy for the other protocols (e.g. Skype) that use CONNECT

> Is there a way I can get this redirection call to squidguard happened earlier 
> in squid before it gets this far down the CONNECT process? Or is there 
> something that I can return from Squidguard that
> would make this work? I notice that the connect attempts are always just the 
> IP address, so something earlier in the processing is doing a reverse DNS 
> lookup, is this the Browser of Squid and if so
> can I get in earlier during the process?

The above implies that you use Squid in interception mode where it initially 
can only see the IP address of the server.
In ssl-bump mode, Squid can peek in step1 and find the SNI of the server (a.k.a 
the FQDN) and then the SNI/FQDN can be used in ACLs inside Squid and any URL 
redirector that can cope with the SNI
parameter. Squidguard cannot, the latest ufdbGuard 1.31 cannot, but ufdbGuard 
1.32 _can_ and will be released in February.

Marcus

>
> I want to maintain the various lists in just squidguard and not put in ACLs 
> in squid.conf
>
> thanks
>
> Darren B.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] URL Rewrite for https via Squidguard

2016-01-09 Thread Yuri Voinov

 


10.01.16 1:36, Marcus Kool wrote:
>
>
> On 01/09/2016 09:49 AM, Darren wrote:
>> Hi
>>
>> Thanks Marcus
>>
>> I have been hacking my own branch of Squidguard so I can add support
>> for the SNI (I hope)
>>
>> How would I get the peek SNI output to the url_rewriter?
>
> using url_rewrite_extras
>
>> I am a bit of a peek newcomer.
>>
>> Sounds like there is some hope and a possible way forward.
This is not for a newcomer, Marcus ;)
>>
>> regards
>>
>> Darren B.
>>
>>
>>
>>
>>
>>

>>>
>>> On 9/01/2016 5:46:36 PM, Marcus Kool wrote:
>>>
>>>
>>>
>>> On 01/09/2016 05:07 AM, Darren wrote:
>>> > Hi
>>> >
>>> > I am trying to hack squidguard to allow me to redirect users
>>> > attempts to connect to blocked https enabled sites.
>>> >
>>> > Some sites are allowed and the bulk are not. Currently I can see
>>> > the Connect details being handed to SG for processing and if I change
>>> > this to return a redirect to make it point to a different server
>>> > it breaks and gives me an SSL error (as would be expected)
>>>
>>> indeed, "as expected"...
>>> The HTTP protocol supports redirection of a URL by sending a
>>> 30x status code back to the browser.
>>> HTTPS, which is SSL+HTTP, is a "safe" encrypted channel where HTTP is
>>> inside the channel and
>>> explicitly is designed not to be tampered with. So redirecting a
>>> channel to another website
>>> always will cause a certificate error, unless ...
>>> 1) one uses ssl-bump
>>> 2) installs the Squid fake CA certificate in all browsers
>>> 3) one has a policy for the other protocols (e.g. Skype) that use
>>> CONNECT
>>>
>>> > Is there a way I can get this redirection call to squidguard
>>> > happened earlier in squid before it gets this far down the CONNECT
>>> > process? Or is there something that I can return from Squidguard that
>>> > would make this work? I notice that the connect attempts are
>>> > always just the IP address, so something earlier in the processing is
>>> > doing a reverse DNS lookup, is this the Browser of Squid and if so
>>> > can I get in earlier during the process?
>>>
>>> The above implies that you use Squid in interception mode where it
>>> initially can only see the IP address of the server.
>>> In ssl-bump mode, Squid can peek in step1 and find the SNI of the
>>> server (a.k.a the FQDN) and then the SNI/FQDN can be used in ACLs inside
>>> Squid and any URL redirector that can cope with the SNI
>>> parameter. Squidguard cannot, the latest ufdbGuard 1.31 cannot, but
>>> ufdbGuard 1.32 _can_ and will be released in February.
>>>
>>> Marcus
>>>
>>> >
>>> > I want to maintain the various lists in just squidguard and not
>>> > put in ACLs in squid.conf
>>> >
>>> > thanks
>>> >
>>> > Darren B.



Re: [squid-users] URL Rewrite for https via Squidguard

2016-01-09 Thread Marcus Kool



On 01/09/2016 09:49 AM, Darren wrote:

> Hi
>
> Thanks Marcus
>
> I have been hacking my own branch of Squidguard so I can add support for the
> SNI (I hope)
>
> How would I get the peek SNI output to the url_rewriter?

using url_rewrite_extras

> I am a bit of a peek newcomer.
>
> Sounds like there is some hope and a possible way forward.
>
> regards
>
> Darren B.









On 9/01/2016 5:46:36 PM, Marcus Kool  wrote:



On 01/09/2016 05:07 AM, Darren wrote:
> Hi
>
> I am trying to hack squidguard to allow me to redirect users attempts to
> connect to blocked https enabled sites.
>
> Some sites are allowed and the bulk are not. Currently I can see the Connect
> details being handed to SG for processing and if I change this to return a
> redirect to make it point to a different server
> it breaks and gives me an SSL error (as would be expected)

indeed, "as expected"...
The HTTP protocol supports redirection of a URL by sending a 30x status 
code back to the browser.
HTTPS, which is SSL+HTTP, is a "safe" encrypted channel where HTTP is inside the 
channel and
explicitly is designed not to be tampered with. So redirecting a channel to 
another website
always will cause a certificate error, unless ...
1) one uses ssl-bump
2) installs the Squid fake CA certificate in all browsers
3) one has a policy for the other protocols (e.g. Skype) that use CONNECT

> Is there a way I can get this redirection call to squidguard happened earlier
> in squid before it gets this far down the CONNECT process? Or is there something
> that I can return from Squidguard that
> would make this work? I notice that the connect attempts are always just the
> IP address, so something earlier in the processing is doing a reverse DNS lookup,
> is this the Browser of Squid and if so
> can I get in earlier during the process?

The above implies that you use Squid in interception mode where it initially 
can only see the IP address of the server.
In ssl-bump mode, Squid can peek in step1 and find the SNI of the server (a.k.a 
the FQDN) and then the SNI/FQDN can be used in ACLs inside Squid and any URL 
redirector that can cope with the SNI
parameter. Squidguard cannot, the latest ufdbGuard 1.31 cannot, but ufdbGuard 
1.32 _can_ and will be released in February.

Marcus

>
> I want to maintain the various lists in just squidguard and not put in ACLs
> in squid.conf
>
> thanks
>
> Darren B.
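
The mechanism named in this reply, url_rewrite_extras, sketched as a small helper: an added example, not code from the thread, Squidguard or ufdbGuard. The `sni=` key name, the domain set and the block page URL are assumptions; as the thread notes, a redirect answered on a CONNECT only reaches the browser without a certificate error when ssl-bump and the proxy CA are in place.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper that filters on the TLS SNI (added example).

Assumed squid.conf (Squid 3.5+); the "sni=" key name is this example's choice:

    acl step1 at_step SslBump1
    ssl_bump peek step1
    url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp sni=%ssl::>sni"
    url_rewrite_program /usr/local/bin/sni_rewriter.py

Squid writes one request per line:  URL client/fqdn user method key=value ...
and reads back "OK status=302 url=..." (redirect) or "ERR" (leave unchanged).
"""
import sys
from urllib.parse import urlsplit

# Constructed sample policy; a real filter would load its own domain lists.
BLOCKED_DOMAINS = {"blocked.example"}
BLOCK_PAGE = "http://blockpage.example/denied"  # hypothetical block page


def parse_request(line, concurrent=False):
    """Split one helper request into (channel, url, method, extras)."""
    fields = line.split()
    # With helper concurrency enabled, Squid prefixes each line with a channel ID.
    channel = fields.pop(0) if concurrent and fields else None
    if not fields:
        raise ValueError("empty request")
    url, rest = fields[0], fields[1:]
    # With the format above the positional fields are client, user, method.
    method = rest[2] if len(rest) > 2 else "-"
    extras = dict(tok.split("=", 1) for tok in rest[3:] if "=" in tok)
    return channel, url, method, extras


def effective_host(url, method, extras):
    """Name to filter on: the SNI for CONNECT when Squid saw one, else the URL host."""
    if method == "CONNECT":
        sni = extras.get("sni", "-")
        # Squid expands a missing value to "-"; fall back to the CONNECT target,
        # which in interception mode is only the server IP address.
        # The SNI is client-supplied, so it is used for matching only and is
        # never copied into the reply.
        host = sni if sni != "-" else url.rpartition(":")[0].strip("[]")
    else:
        host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_blocked(host):
    """Match the domain itself or any subdomain, on whole DNS labels only."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def decide(line, concurrent=False):
    """Return the reply line Squid expects for one request line."""
    try:
        channel, url, method, extras = parse_request(line, concurrent)
    except ValueError:
        return "BH"  # helper could not parse the request
    host = effective_host(url, method, extras)
    reply = 'OK status=302 url="%s"' % BLOCK_PAGE if is_blocked(host) else "ERR"
    return reply if channel is None else "%s %s" % (channel, reply)


if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(decide(request) + "\n")
        sys.stdout.flush()  # Squid waits for each reply, so never buffer
```
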


Re: [squid-users] URL Rewrite for https via Squidguard

2016-01-09 Thread Yuri Voinov

 


09.01.16 15:45, Marcus Kool wrote:
>
>
> On 01/09/2016 05:07 AM, Darren wrote:
>> Hi
>>
>> I am trying to hack squidguard to allow me to redirect users attempts
>> to connect to blocked https enabled sites.
>>
>> Some sites are allowed and the bulk are not. Currently I can see the
>> Connect details being handed to SG for processing and if I change this
>> to return a redirect to make it point to a different server
>> it breaks and gives me an SSL error (as would be expected)
>
> indeed, "as expected"...
> The HTTP protocol supports redirection of a URL by sending a
> 30x status code back to the browser.
> HTTPS, which is SSL+HTTP, is a "safe" encrypted channel where HTTP is
> inside the channel and
> explicitly is designed not to be tampered with.  So redirecting a
> channel to another website
> always will cause a certificate error, unless ...
> 1) one uses ssl-bump
> 2) installs the Squid fake CA certificate in all browsers
> 3) one has a policy for the other protocols (e.g. Skype) that use
> CONNECT
>
>> Is there a way I can get this redirection call to squidguard happened
>> earlier in squid before it gets this far down the CONNECT process? Or is
>> there something that I can return from Squidguard that
>> would make this work? I notice that the connect attempts are always
>> just the IP address, so something earlier in the processing is doing a
>> reverse DNS lookup, is this the Browser of Squid and if so
>> can I get in earlier during the process?
>
> The above implies that you use Squid in interception mode where it
> initially can only see the IP address of the server.
Note: Squid 3.5 only sees IP initially. 3.4 knows full FQDN. Note this.
You deal not only 3.5 and above. But _many_ 3.4.x installations.
> In ssl-bump mode, Squid can peek in step1 and find the SNI of the server
> (a.k.a the FQDN) and then
> the SNI/FQDN can be used in ACLs inside Squid and any URL redirector
> that can cope with the SNI parameter.  Squidguard cannot, the latest
> ufdbGuard 1.31 cannot, but ufdbGuard 1.32 _can_ and will be released in
> February.
>
> Marcus
>
>>
>> I want to maintain the various lists in just squidguard and not put
>> in ACLs in squid.conf
>>
>> thanks
>>
>> Darren B.


Re: [squid-users] URL Rewrite for https via Squidguard

2016-01-09 Thread Marcus Kool



On 01/09/2016 05:07 AM, Darren wrote:

> Hi
>
> I am trying to hack squidguard to allow me to redirect users attempts to
> connect to blocked https enabled sites.
>
> Some sites are allowed and the bulk are not. Currently I can see the Connect
> details being handed to SG for processing and if I change this to return a
> redirect to make it point to a different server
> it breaks and gives me an SSL error (as would be expected)

indeed, "as expected"...
The HTTP protocol supports redirection of a URL by sending a 30x status 
code back to the browser.
HTTPS, which is SSL+HTTP, is a "safe" encrypted channel where HTTP is inside the 
channel and
explicitly is designed not to be tampered with.  So redirecting a channel to 
another website
always will cause a certificate error, unless ...
   1) one uses ssl-bump
   2) installs the Squid fake CA certificate in all browsers
   3) one has a policy for the other protocols (e.g. Skype) that use CONNECT

> Is there a way I can get this redirection call to squidguard happened earlier
> in squid before it gets this far down the CONNECT process? Or is there
> something that I can return from Squidguard that
> would make this work? I notice that the connect attempts are always just the IP
> address, so something earlier in the processing is doing a reverse DNS lookup,
> is this the Browser of Squid and if so
> can I get in earlier during the process?

The above implies that you use Squid in interception mode where it initially 
can only see the IP address of the server.
In ssl-bump mode, Squid can peek in step1 and find the SNI of the server (a.k.a 
the FQDN) and then the SNI/FQDN can be used in ACLs inside Squid and any URL 
redirector that can cope with the SNI 
parameter.  Squidguard cannot, the latest ufdbGuard 1.31 cannot, but ufdbGuard 
1.32 _can_ and will be released in February.

Marcus

> I want to maintain the various lists in just squidguard and not put in ACLs in
> squid.conf
>
> thanks
>
> Darren B.



[squid-users] URL Rewrite for https via Squidguard

2016-01-08 Thread Darren
Hi

I am trying to hack squidguard to allow me to redirect users attempts to 
connect to blocked https enabled sites.

Some sites are allowed and the bulk are not. Currently I can see the Connect 
details being handed to SG for processing and if I change this to return a 
redirect to make it point to a different server it breaks and gives me an SSL 
error (as would be expected)

Is there a way I can get this redirection call to squidguard happened earlier 
in squid before it gets this far down the CONNECT process? Or is there 
something that I can return from Squidguard that would make this work? I notice 
that the connect attempts are always just the IP address, so something earlier 
in the processing is doing a reverse DNS lookup, is this the Browser of Squid 
and if so can I get in earlier during the process?


I want to maintain the various lists in just squidguard and not put in ACLs in 
squid.conf

thanks

Darren B.












[squid-users] URL rewrite and POST body

2013-11-06 Thread WorkingMan
1) Is the POST body request preserved when using url_rewrite_program? Based on 
my test it seems to be lost. If it's lost is it easy to modify SQUID to 
preserve that (or maybe an option to enable that)?

2) Can URL be rewritten in content adaptation like eCAP (or ICAP)? Just 
wondering.

3) what is the order of url_rewrite_program (or other redirect option) and 
content adaptation order (which one comes first?).

Let me know what can be done for rewrite the URL and preserve POST body (so 
query params in the request body and not in the URL)



[squid-users] URL rewrite and POST body

2013-11-06 Thread WorkingMan
1) Is the POST body request preserved when using url_rewrite_program? Based on 
my test it seems to be lost. If it's lost is it easy to modify SQUID to 
preserve that (or maybe an option to enable that)?

2) Can URL be rewritten in content adaptation like eCAP (or ICAP)? Just 
wondering.

3) what is the order of url_rewrite_program (or other redirect option) and 
content adaptation order (which one comes first?).

Let me know what can be done for URL rewrite and preserve POST body (query 
params in the request body and not in the URL)

Thanks,



Re: [squid-users] URL rewrite and POST body

2013-11-06 Thread Amos Jeffries

On 6/11/2013 12:37 p.m., WorkingMan wrote:

> 1) Is the POST body request preserved when using url_rewrite_program? Based on
> my test it seems to be lost. If it's lost is it easy to modify SQUID to
> preserve that (or maybe an option to enable that)?

It should be preserved. Only headers portion should be completely 
rebuilt with new headers copied from the old URLs' request to the new 
URLs' request.

> 2) Can URL be rewritten in content adaptation like eCAP (or ICAP)? Just
> wondering.

Yes.

> 3) what is the order of url_rewrite_program (or other redirect option) and
> content adaptation order (which one comes first?).

1) http_access access controls (deny_info redirect)
2) ICAP/eCAP
3) URL-rewrite/redirect
4) adapted_http_access controls (deny_info redirect again)
5) source selection stages ...

> Let me know what can be done for rewrite the URL and preserve POST body (so
> query params in the request body and not in the URL)

query params in the POST body, and body. Nothing Squid does affects them.

Amos


Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-24 Thread Amos Jeffries

On 24/02/2012 11:52 a.m., Roman Gelfand wrote:

> Hi Amos,
>
> I could be wrong, but I understood from your several posts that this
> type of configuration is not recommended (either due to security
> issues or performance, I don't remember exactly).
>
> Is that right?


*redirect*, (using deny_info or redirector program which does real 3XX 
status redirects) is fine and a built-in feature of HTTP. Since what it 
does is inform the client browser/agent to change the URI being 
requested. Keeping any state between the server and client synchronized. 
Security, behaviour expectations and working state is all kept predictable.


*rewrite*, (using a redirector/rewriter to alter the URL in-transit) is 
not recommended on grounds of being complex with many breakages from the 
client browser/agent being unaware of the URL change. re-write is at 
heart a cross-site/XSS attack, in the same ways that intercept proxy is 
a MITM attack. Intending for it to happen does not change the side 
effects or lessen the risks.


Amos



Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-23 Thread Roman Gelfand
Hi Amos,

I could be wrong, but I understood from your several posts that this
type of configuration is not recommended (either due to security
issues or performance, I don't remember exactly).

Is that right?

Thanks,

On Tue, Feb 21, 2012 at 7:29 AM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 21/02/2012 11:21 p.m., Fried Wil wrote:

 On Tue, Feb 21, 2012 at 12:26:11PM +1300, Amos Jeffries wrote:
 I have this error on my access.log
 1329819182.985      0 CLIENT_IP TCP_DENIED/302 340 GET
 https://webmail.domain.foo/ - NONE/- text/html
 1329819183.011      0 CLIENT_IP TCP_MISS/404 1530 GET
 https://webmail.domain.foo/302:https://EXCHANGE_IP/owa/ -
 FIRST_UP_PARENT/exchangeServer text/html
 1329819183.043      0 CLIENT_IP TCP_MISS/404 1530 GET
 https://webmail.domain.foo/favicon.ico - FIRST_UP_PARENT/exchangeServer
 text/html

 for these lines
 acl redirectOWA urlpath_regex ^/$
 deny_info 303:https://webmail.lexsi.lan/owa/ redirectOWA
 http_access deny HTTPSOWA redirectOWA

 replace 303 by 302 give the same error


 bad configuration ?


 Sorry. Yes. Drop the 303: part. It is just the new URL for squid 3.1.

 Amos


Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-21 Thread Fried Wil
Hi Amos, 

Thanks for your very good explanation.

I wanna to specify all i want to need :

https://webmail.domain.foo/ -- https://EXCHANGE_IP/owa/
https://webmail.domain.foo/owa/ -- https://EXCHANGE_IP/owa/
https://webmail.domain.foo/rpc/ -- https://EXCHANGE_IP/rpc/
https://webmail.domain.foo/Microsoft-Active-Sync/ 
--https://EXCHANGE_IP/Microsoft-Active-Sync/
https://webmail.domain.foo/EWS/ -- https://EXCHANGE_IP/EWS/

The 302 redirection is needed only for the / .

I have tested your configuration Amos, and it's the same ..

1329818099.937  0 CLIENT_IP TCP_MISS/503 3243 GET
https://webmail.domain.foo/ - NONE/- text/html

but for /owa/ ..

1329818128.646  2 CLIENT_IP TCP_MISS/302 435 GET
https://webmail.domain.foo/owa/ - FIRST_UP_PARENT/exchangeServer -
1329818128.685  3 CLIENT_IP TCP_MISS/200 1491 GET
https://webmail.domain.foo/owa/auth/logon.aspx? -
FIRST_UP_PARENT/exchangeServer text/html



This is my new squid.conf configuration : 

BEGIN##
https_port webmail.lexsi.com:443 accel cert=/etc/squid3/webmail.domain.foo.crt key=/etc/squid3/server.key defaultsite=webmail.domain.foo vhost

cache_peer EXCHANGE_IP parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/squid3/EXCHANGE_IP.pem sslflags=DONT_VERIFY_PEER name=exchangeServer

acl HTTPSOWA url_regex -i ^https://webmail.domain.foo/.*$
acl HTTPS proto HTTPS
acl lexsi dstdomain webmail.domain.foo

acl OWA dstdomain webmail.domain.foo
acl OWA-SITE urlpath_regex (\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/EWS\/|\/exchange\/)
acl OWA-DIRS url_regex ^https://EXCHANGE_IP/owa/

cache_peer_access exchangeServer allow OWA
cache_peer_access exchangeServer allow OWA-SITE
cache_peer_access exchangeServer allow OWA-DIRS
cache_peer_access exchangeServer deny all

acl redirectOWA urlpath_regex ^/$
deny_info 303:https://webmail.lexsi.lan/owa/ redirectOWA
http_access deny HTTPSOWA redirectOWA
http_access allow all (for tests ^^)

END##


Thx in advance guys




On Tue, Feb 21, 2012 at 12:26:11PM +1300, Amos Jeffries wrote:
 On 21.02.2012 04:59, Fried Wil wrote:
 Hello Guys,
 
 I have a problem with a Squid 3.1.6 as reverse proxy for an exchange
 usage ... (rpc not compatible with apache2). I would  like  to
 redirect
 the / to /owa. How can i do that ? thx guys
 
 
 Um. I've started with a bit of a side-track some major
 simplifications inline with your config. The answer to your question
 is at the end.
 
 
 This is my configuration of squid.conf just for OWA Access.
 
 $
 https_port SQUID_IP:443 accel cert=/etc/squid3/external_webmail.crt
 key=/etc/squid3/server.key defaultsite=webmail.domain.foo
 
 NOTE: it is important to be aware that in 3.1 and older if you omit
 vhost flag but set defaultsite=. Has the effect of re-writing
 *all* inbound request URI with the domain name specified as
 defaultsite= value. The importance of this will become clearer
 later...
 
 
 
 cache_peer IP_EXCHANGE_SERVER parent 443 0 no-query originserver
 login=PASS ssl sslcert=/etc/squid3/EXCHANGE_server.pem
 sslflags=DONT_VERIFY_PEER name=exchangeServer
 
 acl url_allow url_regex -i ^https://webmail.domain.foo/.*$
 
 Hint #1: ^https://webmail.domain.foo/.*$; overlaps and matches same
 URL as all the following patterns.
 
 
 Remove the patterns from here...
 
 acl url_allow url_regex -i ^https://webmail.domain.foo/rpc.*$
 acl url_allol url_regex -i ^https://webmail.domain.foo/exchange.*$
 acl url_allow url_regex -i ^https://webmail.domain.foo/exchweb.*$
 acl url_allow url_regex -i
 ^https://webmail.domain.foo/Microsoft-Server-ActiveSync.*$
 acl url_allow url_regex -i ^https://webmail.domain.foo/owa.*$
 acl url_allow url_regex -i ^https://webmail.domain.foo/EWS.*$
 acl url_allow url_regex -i
 ^https://webmail.domain.foo/autodiscover.*$
 
 ... down to here.
 
 Hint #2: url_regex -i ^https://webmail.domain.foo/.*$;  can be
 further reduced to a simple pair of ACL:
 
   acl HTTPS proto HTTPS
   acl foo dstdomain webmail.domain.foo
 
 
 acl OWA dstdomain webmail.domain.foo
 
 Hint #3: note how the new foo ACL and OWA ACL are identical. You
 can drop the suggested foo ACL and use OWA.
 
 
 Result: You can replace all uses of url_allow in *_access lines
 with the pair HTTPS OWA.
 
 
 acl OWA-SITE urlpath_regex
 
 (\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/EWS\/|\/exchange\/)
 acl OWA-DIRS url_regex ^https://EXCHANGE_SERVER/owa/
 
 cache_peer_access exchangeServer allow OWA
 
 Hint #4: remembering that http_port defaultsite= has already made
 the URI domain name webmail.domain.foo you will notice how the
 OWA ACL will always match.
  This by itself means no other cache_peer_access exchangeServer
 lines will be tested.
 
 
 cache_peer_access exchangeServer deny all
 
 Hint #5: now that you have configured exchangeServer deny all the
 rest of the cache_peer_access exchangeServer lines are
 meaningless.
 
 never_direct allow OWA

Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-21 Thread Fried Wil
On Tue, Feb 21, 2012 at 12:26:11PM +1300, Amos Jeffries wrote:
 - Proper HTTP *redirect* using 3xx status messages should work fine.
 But Squid needs to be configured to handle both the before and after
 URL when received from the client. Exchange only needs to handle the
 after URI.
 
 
 To simply do a global / to /owa/ *redirect* you can do this very
 simple:
 
  acl redirectOWA urlpath_regex ^/$
  deny_info 303:https://EXCHANGE_SERVER/owa/ redirectOWA
  http_access deny HTTPS OWA redirectOWA
 
 Place this at the top of the reverse-proxy http_access lines and the
 clients will be redirected to load that given URL before they are
 sent anywhere near Exchange.
 
 NOTE: The domain EXCHANGE_SERVER needs to point at your Squid
 https_port address if you want the OWA requests to continue to
 operate through Squid. BUT, I think you are actually wanting to
 redirect with:
 
  deny_info 303:https://webmail.domain.foo/owa/ redirectOWA
 
 
 HTH
 Amos
 

I have this error on my access.log
1329819182.985  0 CLIENT_IP TCP_DENIED/302 340 GET
https://webmail.domain.foo/ - NONE/- text/html
1329819183.011  0 CLIENT_IP TCP_MISS/404 1530 GET
https://webmail.domain.foo/302:https://EXCHANGE_IP/owa/ -
FIRST_UP_PARENT/exchangeServer text/html
1329819183.043  0 CLIENT_IP TCP_MISS/404 1530 GET
https://webmail.domain.foo/favicon.ico - FIRST_UP_PARENT/exchangeServer
text/html

for these lines
acl redirectOWA urlpath_regex ^/$
deny_info 303:https://webmail.lexsi.lan/owa/ redirectOWA
http_access deny HTTPSOWA redirectOWA

replace 303 by 302 give the same error


bad configuration ?




Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-21 Thread Amos Jeffries

On 21/02/2012 11:21 p.m., Fried Wil wrote:

On Tue, Feb 21, 2012 at 12:26:11PM +1300, Amos Jeffries wrote:
I have this error on my access.log
1329819182.985  0 CLIENT_IP TCP_DENIED/302 340 GET
https://webmail.domain.foo/ - NONE/- text/html
1329819183.011  0 CLIENT_IP TCP_MISS/404 1530 GET
https://webmail.domain.foo/302:https://EXCHANGE_IP/owa/ -
FIRST_UP_PARENT/exchangeServer text/html
1329819183.043  0 CLIENT_IP TCP_MISS/404 1530 GET
https://webmail.domain.foo/favicon.ico - FIRST_UP_PARENT/exchangeServer
text/html

for these lines
acl redirectOWA urlpath_regex ^/$
deny_info 303:https://webmail.lexsi.lan/owa/ redirectOWA
http_access deny HTTPSOWA redirectOWA

replace 303 by 302 give the same error


bad configuration ?


Sorry. Yes. Drop the 303: part. It is just the new URL for squid 3.1.

Amos


Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-21 Thread Fried Wil
On Wed, Feb 22, 2012 at 01:29:33AM +1300, Amos Jeffries wrote:
 On 21/02/2012 11:21 p.m., Fried Wil wrote:
 On Tue, Feb 21, 2012 at 12:26:11PM +1300, Amos Jeffries wrote:
 I have this error on my access.log
 1329819182.985  0 CLIENT_IP TCP_DENIED/302 340 GET
 https://webmail.domain.foo/ - NONE/- text/html
 1329819183.011  0 CLIENT_IP TCP_MISS/404 1530 GET
 https://webmail.domain.foo/302:https://EXCHANGE_IP/owa/ -
 FIRST_UP_PARENT/exchangeServer text/html
 1329819183.043  0 CLIENT_IP TCP_MISS/404 1530 GET
 https://webmail.domain.foo/favicon.ico - FIRST_UP_PARENT/exchangeServer
 text/html
 
 for these lines
 acl redirectOWA urlpath_regex ^/$
 deny_info 303:https://webmail.lexsi.lan/owa/ redirectOWA
 http_access deny HTTPSOWA redirectOWA
 
 replace 303 by 302 give the same error
 
 
 bad configuration ?
 
 Sorry. Yes. Drop the 303: part. It is just the new URL for squid 3.1.
 
 Amos


1329830487.573  0 CLIENT_IP TCP_DENIED/302 336 GET
https://webmail.domain.foo/ - NONE/- text/html
1329830487.578  3 CLIENT_IP TCP_MISS/302 441 GET
https://webmail.domain.foo/owa/ - FIRST_UP_PARENT/exchangeServer -
1329830487.581  2 CLIENT_IP TCP_MISS/200 1569 GET
https://webmail.domain.foo/owa/auth/logon.aspx? -
FIRST_UP_PARENT/exchangeServer text/html


Configuration is : 
acl redirectOWA urlpath_regex ^/$
deny_info https://webmail.domain.foo/owa/ redirectOWA
http_access deny HTTPSOWA redirectOWA

Yes ! It's OK Amos ! 

I need just to secure the Squid and GOGOGO !

Thx a lot Amos !



[squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-20 Thread Fried Wil
Hello Guys,

I have a problem with a Squid 3.1.6 as reverse proxy for an exchange
usage ... (rpc not compatible with apache2). I would  like  to redirect
the / to /owa. How can i do that ? thx guys

This is my configuration of squid.conf just for OWA Access.

$
https_port SQUID_IP:443 accel cert=/etc/squid3/external_webmail.crt
key=/etc/squid3/server.key defaultsite=webmail.domain.foo

cache_peer IP_EXCHANGE_SERVER parent 443 0 no-query originserver
login=PASS ssl sslcert=/etc/squid3/EXCHANGE_server.pem
sslflags=DONT_VERIFY_PEER name=exchangeServer

acl url_allow url_regex -i ^https://webmail.domain.foo/.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/rpc.*$
acl url_allol url_regex -i ^https://webmail.domain.foo/exchange.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/exchweb.*$
acl url_allow url_regex -i
^https://webmail.domain.foo/Microsoft-Server-ActiveSync.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/owa.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/EWS.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/autodiscover.*$



acl OWA dstdomain webmail.domain.foo
acl OWA-SITE urlpath_regex
(\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/EWS\/|\/exchange\/)
acl OWA-DIRS url_regex ^https://EXCHANGE_SERVER/owa/

cache_peer_access exchangeServer allow OWA
cache_peer_access exchangeServer deny all
never_direct allow OWA

cache_peer_access exchangeServer allow OWA-SITE
cache_peer_access exchangeServer deny all
never_direct allow OWA-SITE

cache_peer_access exchangeServer allow OWA-DIRS
cache_peer_access exchangeServer deny all
never_direct allow OWA-DIRS

I wanna just to redirect the https://webmail.domain.foo/ to
https://EXCHANGE_SERVER/owa/

I saw url_rewrite_program but it doesn't work :(

Thx in advance.

Wilfried


Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-20 Thread Eliezer Croitoru

On 20/02/2012 17:59, Fried Wil wrote:
the simple way is to use a redirection page on the ows web server.
change the index.html page on the / .
some sources for that:
http://www.web-source.net/html_redirect.htm
http://www.quackit.com/html/html_redirect.cfm
http://billstclair.com/html-redirect2.html

Regards,
Eliezer





Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-20 Thread Marcus Kool


For HTTP it receives the full URL but for HTTPS it only receives the domain name.

The URL rewriter feature was designed to rewrite HTTP-based URLs
and cannot rewrite HTTPS-URLs.

Marcus

Fried Wil wrote:
Hi Guys, 


Thx @Eliezer for reply.
I know redirection page, thx :), but i want to use squidguard as
redirector by rewriterule or redirector program, is it possible to
process as this ?

Thx in advance.

Regards, 


Wilfried






Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-20 Thread Amos Jeffries

On 21.02.2012 04:59, Fried Wil wrote:
> Hello Guys,
>
> I have a problem with a Squid 3.1.6 as reverse proxy for an exchange
> usage ... (rpc not compatible with apache2). I would like to redirect
> the / to /owa. How can I do that? thx guys

Um. I've started with a bit of a side-track: some major simplifications
inline with your config. The answer to your question is at the end.

> This is my configuration of squid.conf just for OWA Access.
>
> $
> https_port SQUID_IP:443 accel cert=/etc/squid3/external_webmail.crt key=/etc/squid3/server.key defaultsite=webmail.domain.foo

NOTE: it is important to be aware that in 3.1 and older, if you omit the
vhost flag but set defaultsite=, it has the effect of re-writing *all*
inbound request URIs with the domain name specified as the defaultsite=
value. The importance of this will become clearer later...

> cache_peer IP_EXCHANGE_SERVER parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/squid3/EXCHANGE_server.pem sslflags=DONT_VERIFY_PEER name=exchangeServer
>
> acl url_allow url_regex -i ^https://webmail.domain.foo/.*$

Hint #1: "^https://webmail.domain.foo/.*$" overlaps and matches the same
URLs as all the following patterns.

Remove the patterns from here...

> acl url_allow url_regex -i ^https://webmail.domain.foo/rpc.*$
> acl url_allol url_regex -i ^https://webmail.domain.foo/exchange.*$
> acl url_allow url_regex -i ^https://webmail.domain.foo/exchweb.*$
> acl url_allow url_regex -i ^https://webmail.domain.foo/Microsoft-Server-ActiveSync.*$
> acl url_allow url_regex -i ^https://webmail.domain.foo/owa.*$
> acl url_allow url_regex -i ^https://webmail.domain.foo/EWS.*$
> acl url_allow url_regex -i ^https://webmail.domain.foo/autodiscover.*$

... down to here.

Hint #2: "url_regex -i ^https://webmail.domain.foo/.*$" can be further
reduced to a simple pair of ACLs:

  acl HTTPS proto HTTPS
  acl foo dstdomain webmail.domain.foo

> acl OWA dstdomain webmail.domain.foo

Hint #3: note how the new foo ACL and OWA ACL are identical. You
can drop the suggested foo ACL and use OWA.

Result: You can replace all uses of url_allow in *_access lines with
the pair HTTPS OWA.

> acl OWA-SITE urlpath_regex (\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/EWS\/|\/exchange\/)
> acl OWA-DIRS url_regex ^https://EXCHANGE_SERVER/owa/
>
> cache_peer_access exchangeServer allow OWA

Hint #4: remembering that http_port defaultsite= has already made the
URI domain name webmail.domain.foo, you will notice how the OWA ACL
will always match.
This by itself means no other cache_peer_access exchangeServer lines
will be tested.

> cache_peer_access exchangeServer deny all

Hint #5: now that you have configured "exchangeServer deny all", the
rest of the cache_peer_access exchangeServer lines are meaningless.

> never_direct allow OWA
>
> cache_peer_access exchangeServer allow OWA-SITE
> cache_peer_access exchangeServer deny all
> never_direct allow OWA-SITE
>
> cache_peer_access exchangeServer allow OWA-DIRS
> cache_peer_access exchangeServer deny all
> never_direct allow OWA-DIRS
>
> I just want to redirect https://webmail.domain.foo/ to
> https://EXCHANGE_SERVER/owa/
>
> I saw url_rewrite_program but it doesn't work :(

Please explain "doesn't work". Details are critical.

Firstly, you need to get straight whether you are redirecting or
re-writing. They are very different things, with very different effects
on Exchange.

- URL *re-write* may or may not work. Exchange is *very* sensitive to
even minor changes in the URI it is asked for. Re-writing can break
Exchange service from one release to the next or from one Windows update
cycle to the next. Re-write has its occasional uses, but Exchange is not
one of them. url_rewrite_program can do both types of URI alteration,
although you only need it for the re-write.

- Proper HTTP *redirect* using 3xx status messages should work fine.
But Squid needs to be configured to handle both the before and after URL
when received from the client. Exchange only needs to handle the after
URI.

To simply do a global / to /owa/ *redirect* you can do this very
simply:

 acl redirectOWA urlpath_regex ^/$
 deny_info 303:https://EXCHANGE_SERVER/owa/ redirectOWA
 http_access deny HTTPS OWA redirectOWA

Place this at the top of the reverse-proxy http_access lines and the
clients will be redirected to load that given URL before they are sent
anywhere near Exchange.

NOTE: The domain EXCHANGE_SERVER needs to point at your Squid
https_port address if you want the OWA requests to continue to operate
through Squid. BUT, I think you are actually wanting to redirect with:

 deny_info 303:https://webmail.domain.foo/owa/ redirectOWA

HTH
Amos



Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-20 Thread Amos Jeffries

On 21.02.2012 11:15, Marcus Kool wrote:

> For HTTP it receives the full URL but for HTTPS it only receives the
> domain name.



No. This is reverse-proxy. The full request details are available.

Amos



Re: [squid-users] url rewrite

2010-08-05 Thread John Doe
From: senthilkumaar2021 senthilkumaar2...@gmail.com

> Is there any possibility to pass urlpath rewritten urls to particular
> cache_peer in reverse proxy
> The urlpath rewritten is done using perl script. Only path in url is
> rewritten
> Three identical web servers are running at different ip and the url path is
> rewritten for some requests only.
> only the rewritten requests has to be passed to particular web server.
> client(example.com/squid)--reverse proxy-webserver1 or webserver2(example.com/squid)
>    (no rewrite needed)
> client (example.com/squirm)___reverse proxy-webserver3(example.com/squid)
>    (squirm url path is rewritten as squid)

With an external_acl and cache_peer_access maybe?
If url ends with squirm, block... and then use this acl to block the first two 
peers.
if not blocked, block the third peer...
Would this work?

JD


  


Re: [squid-users] url rewrite

2010-08-05 Thread John Doe
From: John Doe jd...@yahoo.com

> From: senthilkumaar2021 senthilkumaar2...@gmail.com
> > Is there any possibility to pass urlpath rewritten urls to particular
> > cache_peer in reverse proxy
> > The urlpath rewritten is done using perl script. Only path in url is
> > rewritten
> > Three identical web servers are running at different ip and the url path
> > is rewritten for some requests only.
> > only the rewritten requests has to be passed to particular web server.
> > client(example.com/squid)--reverse proxy-webserver1 or webserver2(example.com/squid)
> >    (no rewrite needed)
> > client (example.com/squirm)___reverse proxy-webserver3(example.com/squid)
> >    (squirm url path is rewritten as squid)
>
> With an external_acl and cache_peer_access maybe?
> If url ends with squirm, block... and then use this acl to block the first
> two peers.
> if not blocked, block the third peer...
> Would this work?

My bad, the external part is really not needed...
Something like:
acl has_squirm urlpath_regex squirm$
cache_peer_access peer1 allow !has_squirm
cache_peer_access peer2 allow !has_squirm
cache_peer_access peer3 allow has_squirm
cache_peer_access peer1 deny all
cache_peer_access peer2 deny all
cache_peer_access peer3 deny all

JD


  


[squid-users] url rewrite

2010-08-04 Thread senthilkumaar2021

Hi

Is there any possibility to pass urlpath rewritten urls to particular 
cache_peer in reverse proxy


The urlpath rewritten is done using perl script .only path in url is re 
written


Three identical web servers are running at different ip and the url path 
is rewritten for some requests only .

only the rewritten requests has to be passed to particular web server.

Eg

client(example.com/squid)--reverse proxy-webserver1 or webserver2(example.com/squid)
   (no rewrite needed)

client (example.com/squirm)___reverse proxy-webserver3(example.com/squid)
   (squirm url path is rewritten as squid)



Regards
senthil








Re: [squid-users] url-rewrite digest authentication not working together

2010-07-17 Thread Henrik Nordström
On Wed 2010-07-14 at 12:07 -0700, Mike Melson wrote:

> Digest authentication fails because the uri=string in the
> Authorization header isn't rewritten so it doesn't match the POST
> URI created by url-rewrite-program. Is there a way to also rewrite the
> uri string in the Authorization header before squid sends it to the
> originserver?

No, it's included in the one-way digest authentication hash, and
included in the Authorization header just to deal with cases like this.

   digest-uri
     The URI from Request-URI of the Request-Line; duplicated here
     because proxies are allowed to change the Request-Line in transit.

You need to make the server accept the digest-uri as valid in the
Authorization header, or get rid of the need to rewrite the URI.

Note: The server is meant to use digest-uri when verifying the Digest
authentication hash, not the Request-URI.

Regards
Henrik
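
The digest-uri point above, as an added example that is not part of the original thread: it computes the RFC 2617 request-digest (MD5, qop=auth) and shows that an origin server hashing the rewritten Request-URI rejects the request, while one hashing the digest-uri taken from the Authorization header accepts it. The user name, realm, password, nonce values and the rewritten path are constructed for illustration.

```python
import hashlib
import hmac
import re

# Matches key="quoted value" or key=token inside a Digest header.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def request_digest(username, realm, password, method, uri, nonce, nc, cnonce, qop):
    """RFC 2617 request-digest for algorithm=MD5 with qop=auth."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")  # the URI is hashed together with the method
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username, realm, password, method, uri, nonce, nc, cnonce):
    """Build the Authorization header a client sends for the public URI."""
    response = request_digest(username, realm, password, method, uri,
                              nonce, nc, cnonce, "auth")
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{response}"')


def parse_authorization(header):
    """Split a Digest Authorization header into a dict of its directives."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {key: (quoted if quoted else token)
            for key, quoted, token in _FIELD.findall(params)}


def server_verify(header, method, password, hashed_uri):
    """Recompute the digest over hashed_uri and compare in constant time."""
    f = parse_authorization(header)
    expected = request_digest(f["username"], f["realm"], password, method,
                              hashed_uri, f["nonce"], f["nc"], f["cnonce"], f["qop"])
    return hmac.compare_digest(expected, f["response"])


def demo():
    # Constructed sample values; none of them come from the thread.
    header = client_authorization("mike", "store", "s3cret", "POST", "/myfile.txt",
                                  "constructed-nonce", "00000001", "constructed-cnonce")
    rewritten_request_uri = "/0f3a9c1e"  # what the origin sees after url-rewrite
    digest_uri = parse_authorization(header)["uri"]
    return {
        "using_request_uri": server_verify(header, "POST", "s3cret", rewritten_request_uri),
        "using_digest_uri": server_verify(header, "POST", "s3cret", digest_uri),
    }


if __name__ == "__main__":
    print(demo())
```

An origin that hashes the digest-uri still has to confirm that the digest-uri names the same resource as the rewritten request line, which means it needs the public-to-internal mapping the rewriter applies.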



[squid-users] url-rewrite digest authentication not working together

2010-07-14 Thread Mike Melson
Hi - 

I'm having trouble using squid plus a url-rewrite-program as a reverse proxy to 
a system that requires digest authentication. 

Digest authentication fails because the uri=string in the Authorization 
header isn't rewritten  so it doesn't match the POST URI created by 
url-rewrite-program. Is there a way to also rewrite the uri string in the 
Authorization header before squid sends it to the originserver? 

If it helps clarify, I'm using curl to POST to squid as a reverse proxy to a 
custom web server. And, if I eliminate the url-rewrite-program authorization 
works fine. 

e.g. [curl] -- POST /myfile.txt -- [squid (url-rewrite myfile.txt to 32-bit 
hex string)] -- POST /32bit-hex-string -- [originserver]

Thanks, 
Mike 


Re: [squid-users] url-rewrite digest authentication not working together

2010-07-14 Thread Amos Jeffries
On Wed, 14 Jul 2010 12:07:45 -0700 (PDT), Mike Melson
mike.mel...@caringo.com wrote:
> Hi -
>
> I'm having trouble using squid plus a url-rewrite-program as a reverse
> proxy to a system that requires digest authentication.
>
> Digest authentication fails because the uri=string in the Authorization
> header isn't rewritten so it doesn't match the POST URI created by
> url-rewrite-program. Is there a way to also rewrite the uri string in the
> Authorization header before squid sends it to the originserver?

No. This is one of the limits of re-writing the requested URL while it is
in transit.

Consider what the reason for having that URI in the Authorization header
means:
  The client is passing specific credentials to a security zone identified
by the URI.
If the URI is being used even in part as realm then the encryption itself
is salted on the public URI.

> If it helps clarify, I'm using curl to POST to squid as a reverse proxy to
> a custom web server. And, if I eliminate the url-rewrite-program
> authorization works fine.
>
> e.g. [curl] -- POST /myfile.txt -- [squid (url-rewrite myfile.txt to
> 32-bit hex string)] -- POST /32bit-hex-string -- [originserver]

URL-re-writing is a rather nasty violation of HTTP. Where possible you
need to remove it.

Squid in reverse proxy mode acts exactly like a client web browser when
contacting the web server. Your web server should always be aware of its
public URIs and able to handle requests for them.

Amos


Re: [squid-users] url-rewrite PHP script issue under Ubuntu 10.04

2010-06-03 Thread Nyamul Hassan
That was a good find!

Amos, does that indeed help?  It would be nice to know.

Regards
HASSAN



On Tue, Jun 1, 2010 at 03:10, Horacio H. pokehor...@gmail.com wrote:

> Hi!
>
> Thanks Alexandre and Amos for your replies, together they pointed me
> into the right direction!
>
> Based on the URLs sent by Alexandre, I edited the
> /etc/php5/cli/php.ini file and tested different values for
> max_execution_time and max_input_time but none changed the PHP
> script's behavior.  Then, I remembered Amos mentioned a 60sec timeout. I
> saw my cache.log and yes there was an exactly 60sec delay after
> starting squid and the first Warning. So, I searched the php.ini for
> a similar value and found this directive: default_socket_timeout. I
> changed it to 300sec and the Warnings started to show up accordingly.
> Then I changed its value to -1 and the warnings haven't shown up
> again!
>
> Squid doesn't complain anymore about my PHP-scripts, but I don't know
> if this change has secondary effects or any other consequences.  I'll
> be monitoring them, but in any case I have the backup Perl-scripts.
>
> Thanks again!


Re: [squid-users] url-rewrite PHP script issue under Ubuntu 10.04

2010-05-31 Thread Horacio H.
Hi!

Thanks Alexandre and Amos for your replies, together they pointed me
into the right direction!

Based on the URLs sent by Alexandre, I edited the
/etc/php5/cli/php.ini file and tested different values for
max_execution_time and max_input_time but none changed the PHP
script's behavior.  Then, I remembered Amos mentioned a 60sec timeout. I
saw my cache.log and yes there was an exactly 60sec delay after
starting squid and the first Warning. So, I searched the php.ini for
a similar value and found this directive: default_socket_timeout. I
changed it to 300sec and the Warnings started to show up accordingly.
Then I changed its value to -1 and the warnings haven't shown up
again!

Squid doesn't complain anymore about my PHP-scripts, but I don't know
if this change has secondary effects or any other consequences.  I'll
be monitoring them, but in any case I have the backup Perl-scripts.

Thanks again!


[squid-users] url-rewrite PHP script issue under Ubuntu 10.04

2010-05-25 Thread Horacio H.
Hi !

I was wondering if someone else has noticed a similar behavior:

I wrote a URL-rewrite script with PHP as explained at
http://wiki.squid-cache.org/ConfigExamples/PhpRedirectors. The
script was running without complaints under Squid 2.7.Stable9 and
Ubuntu 9.04, then I upgraded Ubuntu to 10.04 and warning messages
started to show up:

2010/05/15 16:48:28| WARNING: url_rewriter #XX (FD XX) exited  
(repeat n-times)
2010/05/15 16:48:28| Too few url_rewriter processes are running
2010/05/15 16:48:28| Starting new helpers

Things I've tried to solve the issue without success:

- Simplified the PHP script to the minimum (finally just using the
wiki's example).
- A clean installation of Ubuntu 10.04.
- Downgraded PHP package from 5.3 to 5.2.
- Recompiled Squid (just in case).

Perl scripts are not affected, so I rewrote/translated the script. The
service is up again but a big question mark was left over my head.

I know it's not a Squid's issue per se, but at least the wiki may need
to be updated before other people get stuck at this point...

Thanks for reading.

---
squid.conf:
---
url_rewrite_program  /etc/squid/phpredir
url_rewrite_children 32

-
phpredir:
-
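#!/usr/bin/php
<?php
// Echo the URL field (first token of each request line) back to Squid unchanged.
$temp = array();
while ( $input = fgets(STDIN) ) {
 // explode() replaces split(), which is deprecated as of PHP 5.3
 $temp = explode(' ', $input);
 $output = $temp[0] . "\n";
 echo $output;
}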


Re: [squid-users] url-rewrite PHP script issue under Ubuntu 10.04

2010-05-25 Thread Amos Jeffries
On Tue, 25 May 2010 18:49:16 -0500, Horacio H. pokehor...@gmail.com
wrote:
> Hi !
>
> I was wondering if someone else has noticed a similar behavior:
>
> I wrote a URL-rewrite script with PHP as explained at
> http://wiki.squid-cache.org/ConfigExamples/PhpRedirectors. The
> script was running without complaints under Squid 2.7.Stable9 and
> Ubuntu 9.04, then I upgraded Ubuntu to 10.04 and warning messages
> started to show up:
>
> 2010/05/15 16:48:28| WARNING: url_rewriter #XX (FD XX) exited
> (repeat n-times)
> 2010/05/15 16:48:28| Too few url_rewriter processes are running
> 2010/05/15 16:48:28| Starting new helpers
>
> Things I've tried to solve the issue without success:
>
> - Simplified the PHP script to the minimum (finally just using the
> wiki's example).
> - A clean installation of Ubuntu 10.04.
> - Downgraded PHP package from 5.3 to 5.2.
> - Recompiled Squid (just in case).
>
> Perl scripts are not affected, so I rewrote/translated the script. The
> service is up again but a big question mark was left over my head.
>
> I know it's not a Squid's issue per se, but at least the wiki may need
> to be updated before other people get stuck at this point...

Hi Horacio,
 Being a great PHP fan myself with a lot of helpers I've been fighting
this problem for a year or so now.

The issue centers around the automatic run timeouts PHP has.

Under several of the 5.0-5.2 releases the background engine has either not
obeyed the php.ini settings correctly or not obeyed run-time overrides
correctly. I pushed through and supported many alterations to Squid-3.2
which help minimize the problem, but...

As far as I can tell so far the new 5.3 engine seems not to obey either
run-time or configured settings and sticks rigidly to a 60sec timeout. 
While technically helpers can be of any language, this recent behaviour
change of PHP 5.3 makes it completely useless as a Squid helper for even
small installations.

I'd advise some other scripting language for now, or if you must the very
latest squid-3.x code (http://www.squid-cache.org/Versions/v3/HEAD/) will
be important to prevent Squid constantly restarting as its helpers
self-destruct. Even then the constantly unavailable helpers make Squid a
bit slow and hang on many requests while they are restarted.

Amos



[squid-users] URL rewrite Help

2009-08-31 Thread Trevor Merrill
I am currently testing squid in a reverse proxy configuration with JBoss 
Portal backend servers. My goal is to phase out Apache and mod_proxy and 
gain some speed with squid. I have a basic reverse proxy configuration 
working for www.mydomain.com but I need to try and duplicate the 
following in squid:

(Apache conf example)
<VirtualHost *:80>
  ServerName subdomain.mydomain.com
  ServerAlias *.subdomain.mydomain.com
  ServerAdmin webmas...@mydomain.com

  ProxyRequests Off
  ProxyPreserveHost On

  <Proxy *>
   Order deny,allow
   Allow from all
  </Proxy>

  RewriteEngine On
  RewriteRule .* - [E=DEFAULT_PORTAL:subdomain]
  RewriteCond %{REQUEST_URI} ^/?$
  RewriteRule .* http://192.168.5.44:8380/portal/%{ENV:DEFAULT_PORTAL} [P,L]

  ProxyPass / http://192.168.5.66:8380/
  ProxyPassReverse / http://192.168.5.66:8380/

  ErrorLog /var/log/apache2/error.log
  LogLevel warn
  CustomLog /var/log/apache2/access.log combined
</VirtualHost>

Is it possible to do this sort of rewriting in squid? Essentially all I
am doing is changing the HTTP request from http://subdomain.mydomain.com
-> http://backendJBossserverIP:8080/portal/subdomain, the host stays the
same so the public sees http://www.mydomain.com/portal/subdomain. I am
having a tough time finding examples or some direction to start heading in.

For fun here is my current squid conf and the corresponding Apache conf
that I was able to essentially replace:

(Apache conf snippet)
<VirtualHost *:80>
  ServerName www.mydomain.com
  ServerAlias mydomain.com
  ServerAdmin webmas...@mydomain.com

  ProxyRequests Off
  ProxyPreserveHost On
  <Proxy *>
   Order deny,allow
   Allow from all
  </Proxy>

  ProxyPass / http://192.168.5.66:8380/
  ProxyPassReverse / http://192.168.5.66:8380/

  ErrorLog /var/log/apache2/error.log
  LogLevel warn
  CustomLog /var/log/apache2/access.log combined
</VirtualHost>

(Squid conf snippet)
 cache_peer 192.168.5.66 parent 8080 0 no-query no-digest originserver name=testerJBoss
 acl TesterJBoss_sites dstdomain .mydomain.com
 cache_peer_access testerJBoss allow TesterJBoss_sites
 http_access allow TesterJBoss_sites
 http_access deny All
Thanks for the help.

Trevor Merrill




Re: [squid-users] URL rewrite Help

2009-08-31 Thread Youenn Boussard

Hello,

You can try this in your squid.conf :

url_rewrite_program iRedirector.py
url_rewrite_children 1
url_rewrite_concurrency 20
url_rewrite_host_header off
Get and customize these files (they are template files):
https://ingeniweb.svn.sourceforge.net/svnroot/ingeniweb/iw.recipe.squid/trunk/iw/recipe/squid/templates/iRedirector.py_tmpl
 (rename to iRedirector.py)
https://ingeniweb.svn.sourceforge.net/svnroot/ingeniweb/iw.recipe.squid/trunk/iw/recipe/squid/templates/squidRewriteRules.py_tmpl
 (rename to squidRewriteRules.py)
Then you configure the redirection in squidRewriteRules, as with mod_rewrite
(if you can) for apache.

rewrites = (
(r'http://192.168.5.44:8380/(.*)',
   r'http://backendJBossserverIP:8080/portal/subdomain/\1', 'P,L'),
)
...

Regards Youenn.



Youenn Boussard
INGENIWEB (TM) - SAS 5 Euros - RC B 438 725 632
1, rue Royale
227, Les Bureaux de la Colline - Bat D
92213  - Saint Cloud Cedex
Tél : 01 78 15 24 00 / Fax : 01 46 02 44 04








Re: [squid-users] URL rewrite Help

2009-08-31 Thread Henrik Nordstrom
On Mon 2009-08-31 at 09:21 -0700, Trevor Merrill wrote:
> I am currently testing squid in a reverse proxy configuration with JBoss
> Portal backend servers. My goal is to phase out Apache and mod_proxy and
> gain some speed with squid. I have a basic reverse proxy configuration
> working for www.mydomain.com but I need to try and duplicate the
> following in squid:

I would suggest you first check if the JBoss Portal backend can be
reconfigured to support vhost on its own without needing a reverse
proxy playing tricks with rewriting URLs. Simplifies matters greatly in
the long run.

Failing that you can do the rewrites you describe with a small URL
rewriter helper doing the needed rewrites.

The equivalence of ProxyPassReverse however (location_rewrite_program)
requires Squid-2.7. Not yet available in Squid-3.

Regards
Henrik
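
A small URL rewriter helper of the kind suggested above, as an added example that is not code from the thread or from the iRedirector templates. It mirrors the Apache RewriteCond/RewriteRule pair from the question (root path on subdomain.mydomain.com goes to the /portal/subdomain backend URL) and assumes the line-based helper format of the Squid 2.6/2.7/3.0 era discussed here: an optional channel ID when url_rewrite_concurrency is set, then the URL and client fields, with an empty reply meaning "leave unchanged". The function names and the sample request lines in the comments are constructed.

```python
import sys
from urllib.parse import urlsplit

# Values taken from the Apache configuration in the question.
PORTAL_BACKEND = "http://192.168.5.44:8380/portal/"
PORTAL_HOSTS = {"subdomain.mydomain.com": "subdomain"}  # host -> DEFAULT_PORTAL


def portal_for(host):
    """Return the portal name for a host or any of its sub-hosts, else None."""
    host = host.lower().rstrip(".")
    for base, portal in PORTAL_HOSTS.items():
        if host == base or host.endswith("." + base):
            return portal
    return None


def rewrite(url):
    """Return the rewritten URL, or "" to tell Squid to leave it unchanged."""
    try:
        parts = urlsplit(url)
    except ValueError:            # malformed URL: never guess, pass it through
        return ""
    if parts.scheme != "http" or parts.hostname is None:
        return ""
    portal = portal_for(parts.hostname)
    # Same condition as RewriteCond %{REQUEST_URI} ^/?$ : only the bare root.
    if portal is None or parts.path not in ("", "/"):
        return ""
    target = PORTAL_BACKEND + portal
    # mod_rewrite passes the query string through by default; do the same.
    return target + ("?" + parts.query if parts.query else "")


def handle_line(line):
    """Answer one request line, with or without a leading channel ID.

    Constructed sample input: "0 http://subdomain.mydomain.com/ 10.0.0.5/- - GET"
    """
    fields = line.split()
    if not fields:
        return ""
    if fields[0].isdigit() and len(fields) > 1:   # url_rewrite_concurrency > 0
        channel, new_url = fields[0], rewrite(fields[1])
        return f"{channel} {new_url}" if new_url else channel
    return rewrite(fields[0])


def main():
    # One reply per request line, flushed at once so Squid is never left
    # waiting; the loop ends only when Squid closes stdin.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Only the request is rewritten here; Location headers coming back from the backend are untouched, which is the ProxyPassReverse gap noted in the reply above.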



Re: [squid-users] URL Rewrite

2009-03-04 Thread howard chen
Hi,

On Wed, Mar 4, 2009 at 4:30 AM, Chris Robertson crobert...@gci.net wrote:
> See the forceddomain argument to cache_peer.
> http://www.squid-cache.org/Doc/config/cache_peer/

Is it possible to force into an URL?

e.g.

*.example.com/* = http://www.google.com/aboutus


Re: [squid-users] URL Rewrite

2009-03-04 Thread Chris Robertson

howard chen wrote:

> Hi,
>
> On Wed, Mar 4, 2009 at 4:30 AM, Chris Robertson crobert...@gci.net wrote:
> > See the forceddomain argument to cache_peer.
> > http://www.squid-cache.org/Doc/config/cache_peer/
>
> Is it possible to force into an URL?
>
> e.g.
>
> *.example.com/* = http://www.google.com/aboutus


I don't think that's possible with forceddomain, as it just rewrites the 
domain portion of the HTTP header.  I'd use a deny_info page.


acl redirect_site dstdomain .example.com
http_access deny redirect_site
deny_info http://www.google.com/aboutus redirect_site

Either the deny_info page is going to have to be served from another 
domain than that which triggers the redirect, or you'll have to make 
your own error page 
(http://wiki.squid-cache.org/SquidFaq/SquidAcl#head-2931f707c7137629bad3cecc83d8a014c4818e0a).


Otherwise a url_rewrite_program (possibly accompanied by 
url_rewrite_access) would work.  
http://www.squid-cache.org/Doc/config/url_rewrite_program/, 
http://www.squid-cache.org/Doc/config/url_rewrite_access/


Chris



[squid-users] URL Rewrite

2009-03-03 Thread howard chen
Hi

Currently I am using dstdomain/cache_peer to rewrite url request from
client to backend apache (so squid act as a reverse proxy)


e.g.

acl dstdomain_site  dstdomain   .example.com


cache_peer 192.168.11.123 parent 80 0 no-query originserver round-robin login=PASS weight=1
cache_peer_access 192.168.11.123 allow dstdomain_site
cache_peer_access 192.168.11.123 deny all


This requires my backend apache to have a virtual host listening for .example.com

But how can I manually force rewrite an URL from user, even if my
backend apache is not listening for example.com?

e.g.

.example.com = .google.com

I remember this can easily be done using apache mod_rewrite
(mod_proxy) but is it possible to be done in squid?

Thanks.


Re: [squid-users] URL Rewrite

2009-03-03 Thread Chris Robertson

howard chen wrote:

> Hi
>
> Currently I am using dstdomain/cache_peer to rewrite url request from
> client to backend apache (so squid act as a reverse proxy)
>
> e.g.
>
> acl dstdomain_site  dstdomain   .example.com
>
> cache_peer 192.168.11.123 parent 80 0 no-query originserver round-robin login=PASS weight=1
> cache_peer_access 192.168.11.123 allow dstdomain_site
> cache_peer_access 192.168.11.123 deny all
>
> This requires my backend apache to have a virtual host listening for .example.com
>
> But how can I manually force rewrite an URL from user, even if my
> backend apache is not listening for example.com?
>
> e.g.
>
> .example.com = .google.com
>
> I remember this can easily be done using apache mod_rewrite
> (mod_proxy) but is it possible to be done in squid?

See the forceddomain argument to cache_peer.
http://www.squid-cache.org/Doc/config/cache_peer/

> Thanks.
  


Chris


Re: [squid-users] Url Rewrite

2007-12-04 Thread Amos Jeffries

Almered Niklas wrote:

> Hi!
>
> We're trying to configure a Squid 2.6 stable 16 with two servers, a
> webserver with Linux and Apache and a web mapping server with Windows
> and IIS.
>
> A: application.example.com (Apache webserver on port 8081)
> B: map.example.com (IIS web mapping server on port 80)
>
> Now, Squid is installed on the Linux machine listening to port 80 and my
> aim is that Squid should do a rewrite on url:s like
> application.example.com/proxy and redirect them to map.example.com
>
> The squid.conf file looks like this:
>
> acl our_proxyurl url_regex application.example.com/proxy
>
> url_rewrite_access allow our_proxyurl
> url_rewrite_program /usr/local/squid/bin/test.pl
> url_rewrite_children 10
> url_rewrite_host_header on
> always_direct allow all
>
> http_port 80 accel defaultsite=application.example.com
>
> cache_peer 1.2.3.85 parent 8081 0 no-query originserver name=server_app
> cache_peer 1.2.3.65 parent 80 0 no-query originserver name=server_map
>
> We accomplished the rewrite but at the same time access is being denied
> to application.example.com with the following error:
> Unable to forward this request at this time
>
> How do I configure the Squid with url rewrite without losing access?


You will need an http_access control to permit access to those websites.

I would also suggest either cache_peer_domain or cache_peer_access +ACLs 
to direct certain traffic to each peer.


'always_direct'+'cache_peer ... no-query' might cause problems later ... 
you will need to test if the always_direct is actually needed once 
http_access is properly configured.


Amos



[squid-users] Url Rewrite

2007-12-03 Thread Almered Niklas

Hi!

We're trying to configure a Squid 2.6 stable 16 with two servers, a
webserver with Linux and Apache and a web mapping server with Windows
and IIS.

A: application.example.com (Apache webserver on port 8081)
B: map.example.com (IIS web mapping server on port 80)

Now, Squid is installed on the Linux machine listening to port 80 and my
aim is that Squid should do a rewrite on URLs like
application.example.com/proxy and redirect them to map.example.com


The squid.conf file looks like this:

acl our_proxyurl url_regex application.example.com/proxy

url_rewrite_access allow our_proxyurl
url_rewrite_program /usr/local/squid/bin/test.pl 
url_rewrite_children 10 
url_rewrite_host_header on 
always_direct allow all

http_port 80 accel defaultsite=application.example.com

cache_peer 1.2.3.85 parent 8081 0 no-query originserver name=server_app 
cache_peer 1.2.3.65 parent 80 0 no-query originserver name=server_map

We accomplished the rewrite but at the same time access is being denied
to application.example.com with the following error:
Unable to forward this request at this time

How do I configure the Squid with url rewrite without losing access?


Niklas Almered
System developer



Re: [squid-users] url rewrite and cache, which URL should be cached?

2007-10-15 Thread Henrik Nordstrom
On ons, 2007-10-10 at 10:20 +0200, Sylvain Viart wrote:

> the redirector returns:
> echo "http://mes-test2.mydomain.com/js/mailbox.js" | perl t.pl
> !php! http://static-php/js/mailbox.js

There should be no space between the urlgroup tag and the URL.

Anything after the first space is ignored by Squid.

Regards
Henrik
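
The two rules in this reply, as an added example (not Squid's source and not code from the thread): the parser below is a model built from the statements that the reply is cut at the first space and that the urlgroup tag must sit directly against the URL. The function names, and the rule that an empty URL leaves the request unchanged, are assumptions.

```python
# Model of how a url_rewrite_program reply line is interpreted.
# Assumptions taken from the thread, not from Squid's source:
#   * everything after the first space in the reply is ignored;
#   * an optional urlgroup tag has the form !name! and is glued to the URL;
#   * an empty URL after parsing leaves the request URL unchanged.


def parse_rewrite_reply(reply, original_url):
    """Return (urlgroup, effective_url) for one helper reply line."""
    token = reply.rstrip("\r\n").split(" ", 1)[0]    # cut at the first space
    urlgroup = None
    if token.startswith("!"):
        end = token.find("!", 1)
        if end == -1:                  # unterminated tag: keep the request as is
            return None, original_url
        urlgroup, token = token[1:end], token[end + 1:]
    return urlgroup, (token or original_url)


def format_reply(url, urlgroup=None):
    """Build a reply line that survives the parse above (no space after tag)."""
    if not url or any(c.isspace() for c in url):
        raise ValueError("URL must be non-empty and free of whitespace")
    if urlgroup is None:
        return url
    if not urlgroup or "!" in urlgroup or any(c.isspace() for c in urlgroup):
        raise ValueError("bad urlgroup name")
    return "!%s!%s" % (urlgroup, url)


def cache_keys(pairs):
    """Distinct URLs the cache would index for (original_url, reply) pairs."""
    return {parse_rewrite_reply(reply, orig)[1] for orig, reply in pairs}


# Constructed sample input, using the host names from the thread.
ORIGINALS = ["http://mes-test.mydomain.com/js/mailbox.js",
             "http://mes-test2.mydomain.com/js/mailbox.js"]
CANONICAL = "http://static-php/js/mailbox.js"
WITH_SPACE = [(o, "!php! " + CANONICAL + "\n") for o in ORIGINALS]
WITHOUT_SPACE = [(o, format_reply(CANONICAL, "php") + "\n") for o in ORIGINALS]

if __name__ == "__main__":
    print(sorted(cache_keys(WITH_SPACE)))      # one key per client-facing host
    print(sorted(cache_keys(WITHOUT_SPACE)))   # a single canonical key
```

With the space, the model keeps the urlgroup but drops the URL, which matches the store.log entries in the thread that are still keyed on the client-facing host names.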




Re: [squid-users] url rewrite and cache, which URL should be cached?

2007-10-10 Thread Sylvain Viart

Hi Henrik,

Henrik Nordstrom wrote:

> On tis, 2007-10-09 at 17:47 +0200, Sylvain Viart wrote:
>
>> Hi,
>>
>> I use a redirector on an accel proxy config.
>>
>> url_rewrite_program /etc/squid/redirector.pl
>> url_rewrite_children 15
>> url_rewrite_concurrency 0
>> url_rewrite_host_header off
>>
>> It seems that the URL used to store the requested URL is the original
>> URL, not the rewritten one.
>
> The cache is using the rewritten URL.
  

here is some more detail:

the redirector script:
#--8<--
#!/usr/bin/perl
#
# request_URI client_IP/FQDN username HTTP_method
#
# url_rewrite_program
# URL SP client_ip / fqdn SP user SP method SP urlgroup NL
#
#
# access.log
# 1190984604.736  6 12.34.56.78 TCP_MISS/200 1752 GET http://proxy-03.mydomain.com/thumb/100/default_woman.jpg - ROUNDROBIN_PARENT/php-03 image/jpeg
#
#
# !perl -n -e ' m@(http://[^ ]+)@; print "$1\n";' < /var/log/squid/access.log

$|=1;

$filer = 'filer-01';
@filer_domain = qw /img.mydomain.com/;

$filer_host = join('|', @filer_domain);

# dummy domain name for canonical rewriting
$php = 'static-php';

$n = 0;
while (<STDIN>)
{
   if(m[^http://$filer_host/] || m[^http://([^/]+)/(js/static_file|media|thumb)])
   {
   #$host = get_filer;
   s#http://[^/]+(:[0-9]+)?#http://$filer#;

   # add urlgroup
   s/^/!filer! /;
   }
   else
   {
   if($_ !~ /\.php/)
   {
   s#http://[^/]+(:[0-9]+)?#http://$php#;
   }

   # add urlgroup
   s/^/!php! /;
   }

   print;
}
#--8<--

the redirector returns:
echo "http://mes-test2.mydomain.com/js/mailbox.js" | perl t.pl
!php! http://static-php/js/mailbox.js

echo "http://sometestagain.mydomain.com/js/mailbox.js" | perl t.pl
!php! http://static-php/js/mailbox.js

some store.log entries:

1191938682.998 SWAPOUT 00 02E5 2AC12C498B97741871A11F0290E927C8  200 1191938682 1180514999-1 application/x-javascript 418/418 GET http://mes-test.mydomain.com/js/mailbox.js
1191938722.433 SWAPOUT 00 02E7 C61344FEBB15FC2C7D039A36A2EE552D  200 1191938722 1180514999-1 application/x-javascript 418/418 GET http://mes-test2.mydomain.com/js/mailbox.js

for me it should be stored under
http://static-php/js/mailbox.js

associated acl and urlgroup:

# urlgroup matching acl from url_rewrite_program
acl static_doc urlgroup filer
acl php_doc urlgroup php

# filer server access rules
cache_peer_access filer-01 allow static_doc
cache_peer_access filer-01 deny all

# php server access exclusion for static_doc matched on the filer
#cache_peer_access php-01 deny static_doc
#cache_peer_access php-02 deny static_doc
#cache_peer_access php-03 deny static_doc
cache_peer_access php-04 deny static_doc

Could it be associated with the urlgroup which somewhat hides the rewriting?


> Sequence is approximately
>
> * Request accepted
> * http_access Access controls
> * URL rewriting, replacing Squid's idea of the URL
> * http_access2 Access controls
> * Cache lookup
> * Forwarding on cache miss
> * http_reply_access Reply access controls
>
> Because of this using url_rewrite_host_header off can be a very bad
> thing as it makes the requested URL sent to the web server differ from
> the cache URL, and can easily bite you..
  

it seems it bites, :-)

but that's what I want; it worked with the squid2.5 redirector without urlgroup.
* cache canonized URL
* peer: original URL.

would be simpler if it works like that for my config

More documentation on url_rewrite_host_header off?

Regards,
Sylvain.



Re: [squid-users] url rewrite and cache, which URL should be cached?

2007-10-10 Thread Sylvain Viart

Hi,

Found:
> Could it be associated with the urlgroup which somewhat hides the
> rewriting?



Yes it is !

snip of the redirector, squid.conf unmodified

while (<STDIN>)
{
  # filer rewriting not modified
   if(m[^http://$filer_host/] || m[^http://([^/]+)/(js/static_file|media|thumb)])
   {
   #$host = get_filer;
   s#http://[^/]+(:[0-9]+)?#http://$filer#;

   # add urlgroup
   s/^/!filer! /;
   }
   else
   {
   # php canonization
   if($_ !~ /\.php/)
   {
   s#http://[^/]+(:[0-9]+)?#http://$php#;
   }

   # add urlgroup, DISABLED it hides rewriting !
   #s/^/!php! /;
   }

   print;
}

from store.log

#urlgroup commented for php rewriting:

1192003008.380  0 12.34.56.78 TCP_MEM_HIT/200 839 GET http://mes-test2.mydomain.com/js/mailbox.js - NONE/- application/x-javascript
1192003052.809  3 12.34.56.78 TCP_MISS/200 830 GET http://sometest.mydomain.com/js/mailbox.js - ROUNDROBIN_PARENT/php-04 application/x-javascript
1192003191.848  5 12.34.56.78 TCP_MISS/200 830 GET http://testthat.mydomain.com/js/mailbox.js - ROUNDROBIN_PARENT/php-04 application/x-javascript
1192003459.194  0 12.34.56.78 TCP_MEM_HIT/200 838 GET http://test-0.mydomain.com/js/mailbox.js - NONE/- application/x-javascript
1192003461.945  8 12.34.56.78 TCP_MEM_HIT/200 838 GET http://test-0.mydomain.com/js/mailbox.js - NONE/- application/x-javascript
1192003494.894  0 12.34.56.78 TCP_MEM_HIT/200 838 GET http://test-10428.mydomain.com/js/mailbox.js - NONE/- application/x-javascript
1192003534.370  0 12.34.56.78 TCP_MEM_HIT/200 838 GET http://test-5769.mydomain.com/js/mailbox.js - NONE/- application/x-javascript


# urlgroup activated it doesn't seem to work anymore.:
1192003579.940  1 12.34.56.78 TCP_MISS/200 830 GET http://test-24309.mydomain.com/js/mailbox.js - ROUNDROBIN_PARENT/php-04 application/x-javascript
1192003592.293  1 12.34.56.78 TCP_MISS/200 829 GET http://test-30186.mydomain.com/js/mailbox.js - ROUNDROBIN_PARENT/php-03 application/x-javascript


Regards,
Sylvain.


[squid-users] url rewrite and cache, which URL should be cached?

2007-10-09 Thread Sylvain Viart

Hi,

I use a redirector on an accel proxy config.

url_rewrite_program /etc/squid/redirector.pl
url_rewrite_children 15
url_rewrite_concurrency 0
url_rewrite_host_header off


It seems that the URL used to store the requested URL is the original
URL, not the rewritten one.

I would like to store the content on canonized URL, is it possible?

How do I debug that?


Regards,
Sylvain.


Re: [squid-users] url rewrite and cache, which URL should be cached?

2007-10-09 Thread Adrian Chadd
On Tue, Oct 09, 2007, Sylvain Viart wrote:
> Hi,
>
> I use a redirector on an accel proxy config.
>
> url_rewrite_program /etc/squid/redirector.pl
> url_rewrite_children 15
> url_rewrite_concurrency 0
> url_rewrite_host_header off
>
> It seems that the URL used to store the requested URL is the original
> URL, not the rewritten one.
> I would like to store the content on canonized URL, is it possible?

That's what I'm working on in my spare time.
(I'd love it if someone beat me to it and published their patch!)

You also mean store and retrieve on the canonized URL?




Adrian



Re: [squid-users] url rewrite and cache, which URL should be cached?

2007-10-09 Thread Henrik Nordstrom
On tis, 2007-10-09 at 17:47 +0200, Sylvain Viart wrote:
> Hi,
>
> I use a redirector on an accel proxy config.
>
> url_rewrite_program /etc/squid/redirector.pl
> url_rewrite_children 15
> url_rewrite_concurrency 0
> url_rewrite_host_header off
>
> It seems that the URL used to store the requested URL is the original
> URL, not the rewritten one.

The cache is using the rewritten URL.

Sequence is approximately

* Request accepted
* http_access Access controls
* URL rewriting, replacing Squid's idea of the URL
* http_access2 Access controls
* Cache lookup
* Forwarding on cache miss
* http_reply_access Reply access controls


Because of this using url_rewrite_host_header off can be a very bad
thing as it makes the requested URL sent to the web server differ from
the cache URL, and can easily bite you..

Regards
Henrik
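
The caveat above as an added example (a toy model written for this page, not Squid code and not from the thread): it follows the listed order of rewriting, cache lookup and forwarding, and assumes a cache keyed only by the rewritten URL and an origin whose response depends on the Host header. All names in it are hypothetical.

```python
# Toy model of the order Henrik lists: URL rewriting, cache lookup, forwarding.
# Assumptions (not Squid code): the cache is keyed by the rewritten URL only,
# and the origin chooses its response from the Host header it receives.
from urllib.parse import urlsplit, urlunsplit

CANONICAL_HOST = "static-php"    # dummy canonical name used in the thread
URLS = ["http://mes-test.mydomain.com/js/mailbox.js",     # constructed sample
        "http://mes-test2.mydomain.com/js/mailbox.js"]    # requests


def rewrite(url):
    """Canonicalise the host part, as the thread's redirector does."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, CANONICAL_HOST, p.path, p.query, ""))


def origin(host, path):
    """Constructed virtual-host origin: the body depends on Host."""
    return "body of %s for vhost %s" % (path, host)


class Accelerator:
    def __init__(self, rewrite_host_header):
        self.rewrite_host_header = rewrite_host_header   # True = on, False = off
        self.cache, self.forwarded = {}, []   # forwarded: (Host, path) sent upstream

    def upstream_host(self, url):
        """Host header the origin would see if this client URL were forwarded."""
        return urlsplit(rewrite(url) if self.rewrite_host_header else url).netloc

    def handle(self, url):
        key = rewrite(url)                          # URL rewriting
        if key in self.cache:                       # cache lookup
            return "HIT", self.cache[key]
        host, path = self.upstream_host(url), urlsplit(key).path
        self.forwarded.append((host, path))         # forwarding on cache miss
        self.cache[key] = origin(host, path)
        return "MISS", self.cache[key]


def mismatches(proxy, urls):
    """URLs answered with a body generated for some other Host header."""
    return [u for u in urls if proxy.handle(u)[1]
            != origin(proxy.upstream_host(u), urlsplit(u).path)]


if __name__ == "__main__":
    for on in (True, False):
        print("host header rewrite", on, mismatches(Accelerator(on), URLS))
```

With the header rewrite off, the second client-facing host is answered from the cache with the body the origin generated for the first one; that is harmless only when the origin serves identical content for every host name that maps to the same canonical URL.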




Re: [squid-users] url rewrite problem

2007-10-02 Thread Keshava M P
you have to use a redirector and you have to include the
url_rewrite_program and related directives in squid.conf. typically,
url_rewrite_program /path/to/yourredirectprogram
url_rewrite_children 5
url_rewrite_concurrency 5
url_rewrite_host_header off

Either you define the entries of internal hosts in /etc/hosts or you
can use the internal ips directly in your redirector.
example: your outside ip is mapped to e1.yourdomain.com,
e2.yourdomain.com,e3.yourdomain.com.
let us say these correspond to host1 (10.9.0.1), host2 (10.9.0.2),
host3 (10.9.0.3)

your redirector program will look something like this:

#!/usr/bin/perl
$|=1;
while (<STDIN>) {
    # with url_rewrite_concurrency above 0, each request line starts with a
    # channel ID that has to be echoed back in front of the reply
    ($id, $url) = split;
    # map each external name to its internal host
    $url =~ s@^http://e1\.yourdomain\.com@http://host1@;
    $url =~ s@^http://e2\.yourdomain\.com@http://host2@;
    $url =~ s@^http://e3\.yourdomain\.com@http://host3@;
    print "$id $url\n";
}

you can also use internal ip addresses in place of host1, host2 etc.
you can even redirect to a specific page like
http://host1/path/to/your/page

Keshava

On 10/2/07, Srinivas B [EMAIL PROTECTED] wrote:
> Hi All,
>
> is there any way I can redirect urls that are replaced by accelerated mode.
>
> I have something like
>
> http_port 8080 accel defaultsite=mysite.com
>
> Requests are replaced by host=mysite.com.
>
> I want to redirect some url based on original request (depending upon
> hostname). I have tried vhost option.., but doesn't seem to solve the
> problem, as hostname requested externally is not defined in internal
> DNS.
>
> Please help
>
> Thanks in advance.
>
> Srinivas



-- 
M P Keshava


Re: [squid-users] url rewrite problem

2007-10-02 Thread Amos Jeffries

Srinivas B wrote:

> Hi All,
>
> is there any way I can redirect urls that are replaced by accelerated mode.
>
> I have something like
>
> http_port 8080 accel defaultsite=mysite.com
>
> Requests are replaced by host=mysite.com.
>
> I want to redirect some url based on original request (depending upon
> hostname). I have tried vhost option.., but doesn't seem to solve the
> problem, as hostname requested externally is not defined in internal
> DNS.


FQDN should be resolvable regardless of where you are. Websites should 
always use FQDN. You need to seriously consider allowing the local 
network to resolve your FQDN then. Particularly the webservers that are 
supposed to be serving those websites publicly.


Anyway, to get accel going without involving DNS you only need to use a 
cache_peer with a few ACLs to do the heavy lifting.


So long as it's just a re-direction and not a re-writing that you want, 
the following should be much easier and faster.


Here's a few of my config lines:

   # an internal source machine...
 cache_peer colo-32.localdomain parent 80 0 originserver name=colo1
   # domain it runs...
 acl colo1Hosted dstdomain .mifrenz.com
   # it ONLY provides that domain...
 cache_peer_access colo1 allow colo1Hosted GETPOST
 cache_peer_access colo1 deny all
   # people are allowed to do general web stuff with it...
 http_access allow colo1Hosted GETPOST
   # squid is not allowed to do anything with this domain itself...
 never_direct allow colo1Hosted

  cache_peer rio.treenetnz.com parent 80 0 originserver name=rio
  acl rioHosted dstdomain .treenet.co.nz
  acl rioHosted dstdomain .treenetnz.com
  cache_peer_access rio allow rioHosted GETPOST
  cache_peer_access rio deny all
  http_access allow rioHosted GETPOST
  never_direct allow rioHosted


etc, etc, repeat as needed for any unique sources.

You can use any of the ACL criteria to switch origins based on anything 
you like.


FYI some names like colo-1 are not resolvable to the public. It does not 
matter. As long as the name squid is given as the peer can be resolved 
by squid, and the host server understands the names of domains it's meant 
to be hosting. The only DNS involved here is resolving 
colo-32.localdomain and rio.treenetnz.com when squid needs them.


Placed ahead of the regular http_access rules it works well forcing all 
accelerated/locally-hosted domain MISS'es out to the designated real 
source, and blocking any general traffic being passed to the hosting 
servers. Without the additional overhead of redirector threads.


'vhost' will do basic 'accel' and also alter the original Host: header 
of the request as it goes through squid.


Amos