Re: [squid-users] URL rewrite and POST body

2013-11-06 Thread Amos Jeffries

On 6/11/2013 12:37 p.m., WorkingMan wrote:

> 1) Is the POST body request preserved when using url_rewrite_program? Based on
> my test it seems to be lost. If it's lost is it easy to modify SQUID to
> preserve that (or maybe an option to enable that)?

It should be preserved. Only headers portion should be completely 
rebuilt with new headers copied from the old URLs' request to the new 
URLs' request.

> 2) Can URL be rewritten in content adaptation like eCAP (or ICAP)? Just
> wondering.

Yes.

> 3) what is the order of url_rewrite_program (or other redirect option) and
> content adaptation order (which one comes first?).

1) http_access access controls (deny_info redirect)
2) ICAP/eCAP
3) URL-rewrite/redirect
4) adapted_http_access controls (deny_info redirect again)
5) source selection stages ...

> Let me know what can be done for rewrite the URL and preserve POST body (so
> query params in the request body and not in the URL)


"query params" in the POST body, and body. Nothing Squid does affects them.

Amos


[squid-users] URL rewrite and POST body

2013-11-06 Thread WorkingMan
1) Is the POST body request preserved when using url_rewrite_program? Based on 
my test it seems to be lost. If it's lost is it easy to modify SQUID to 
preserve that (or maybe an option to enable that)?

2) Can URL be rewritten in content adaptation like eCAP (or ICAP)? Just 
wondering.

3) what is the order of url_rewrite_program (or other redirect option) and 
content adaptation order (which one comes first?).

Let me know what can be done for URL rewrite and preserve POST body (query 
params in the request body and not in the URL)

Thanks,



[squid-users] URL rewrite and POST body

2013-11-06 Thread WorkingMan
1) Is the POST body request preserved when using url_rewrite_program? Based on 
my test it seems to be lost. If it's lost is it easy to modify SQUID to 
preserve that (or maybe an option to enable that)?

2) Can URL be rewritten in content adaptation like eCAP (or ICAP)? Just 
wondering.

3) what is the order of url_rewrite_program (or other redirect option) and 
content adaptation order (which one comes first?).

Let me know what can be done for rewrite the URL and preserve POST body (so 
query params in the request body and not in the URL)



Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-24 Thread Amos Jeffries

On 24/02/2012 11:52 a.m., Roman Gelfand wrote:

> Hi Amos,
>
> I could be wrong, but I understood from your several posts that this
> type of configuration is not recommended (either due to security
> issues or performance, I don't remember exactly).
>
> Is that right?


*redirect*, (using deny_info or redirector program which does real 3XX 
status redirects) is fine and a built-in feature of HTTP. Since what it 
does is inform the client browser/agent to change the URI being 
requested. Keeping any state between the server and client synchronized. 
Security, behaviour expectations and working state is all kept predictable.


*rewrite*, (using a redirector/rewriter to alter the URL in-transit) is 
not recommended on grounds of being complex with many breakages from the 
client browser/agent being unaware of the URL change. re-write is at 
heart a cross-site/XSS attack, in the same ways that intercept proxy is 
a MITM attack. Intending for it to happen does not change the side 
effects or lessen the risks.


Amos



Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-23 Thread Roman Gelfand
Hi Amos,

I could be wrong, but I understood from your several posts that this
type of configuration is not recommended (either due to security
issues or performance, I don't remember exactly).

Is that right?

Thanks,

On Tue, Feb 21, 2012 at 7:29 AM, Amos Jeffries  wrote:
> On 21/02/2012 11:21 p.m., Fried Wil wrote:
>>
>> On Tue, Feb 21, 2012 at 12:26:11PM +1300, Amos Jeffries wrote:
>> I have this error on my access.log
>> 1329819182.985      0 CLIENT_IP TCP_DENIED/302 340 GET
>> https://webmail.domain.foo/ - NONE/- text/html
>> 1329819183.011      0 CLIENT_IP TCP_MISS/404 1530 GET
>> https://webmail.domain.foo/302:https://EXCHANGE_IP/owa/ -
>> FIRST_UP_PARENT/exchangeServer text/html
>> 1329819183.043      0 CLIENT_IP TCP_MISS/404 1530 GET
>> https://webmail.domain.foo/favicon.ico - FIRST_UP_PARENT/exchangeServer
>> text/html
>>
>> for these lines
>> acl redirectOWA urlpath_regex ^/$
>> deny_info 303:https://webmail.lexsi.lan/owa/ redirectOWA
>> http_access deny HTTPSOWA redirectOWA
>>
>> replace 303 by 302 give the same error
>>
>>
>> bad configuration ?
>
>
> Sorry. Yes. Drop the "303:" part. It is just the new URL for squid 3.1.
>
> Amos


Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-21 Thread Fried Wil
On Wed, Feb 22, 2012 at 01:29:33AM +1300, Amos Jeffries wrote:
> On 21/02/2012 11:21 p.m., Fried Wil wrote:
> >On Tue, Feb 21, 2012 at 12:26:11PM +1300, Amos Jeffries wrote:
> >I have this error on my access.log
> >1329819182.985  0 CLIENT_IP TCP_DENIED/302 340 GET
> >https://webmail.domain.foo/ - NONE/- text/html
> >1329819183.011  0 CLIENT_IP TCP_MISS/404 1530 GET
> >https://webmail.domain.foo/302:https://EXCHANGE_IP/owa/ -
> >FIRST_UP_PARENT/exchangeServer text/html
> >1329819183.043  0 CLIENT_IP TCP_MISS/404 1530 GET
> >https://webmail.domain.foo/favicon.ico - FIRST_UP_PARENT/exchangeServer
> >text/html
> >
> >for these lines
> >acl redirectOWA urlpath_regex ^/$
> >deny_info 303:https://webmail.lexsi.lan/owa/ redirectOWA
> >http_access deny HTTPSOWA redirectOWA
> >
> >replace 303 by 302 give the same error
> >
> >
> >bad configuration ?
> 
> Sorry. Yes. Drop the "303:" part. It is just the new URL for squid 3.1.
> 
> Amos


1329830487.573  0 CLIENT_IP TCP_DENIED/302 336 GET
https://webmail.domain.foo/ - NONE/- text/html
1329830487.578  3 CLIENT_IP TCP_MISS/302 441 GET
https://webmail.domain.foo/owa/ - FIRST_UP_PARENT/exchangeServer -
1329830487.581  2 CLIENT_IP TCP_MISS/200 1569 GET
https://webmail.domain.foo/owa/auth/logon.aspx? -
FIRST_UP_PARENT/exchangeServer text/html


Configuration is : 
acl redirectOWA urlpath_regex ^/$
deny_info https://webmail.domain.foo/owa/ redirectOWA
http_access deny HTTPSOWA redirectOWA

Yes ! It's OK Amos ! 

I need just to secure the Squid and GOGOGO !

Thx a lot Amos !
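
The failure discussed in this thread can be spotted mechanically in access.log. The following Python sketch is an added example, not code from any poster or from the Squid project; it assumes Squid's native access.log field order and reuses the log lines quoted in the thread with the e-mail line wrapping undone.

```python
import re

# access.log excerpts quoted in the thread, with the mail line wrapping undone.
SAMPLE_LOG = """\
1329819182.985 0 CLIENT_IP TCP_DENIED/302 340 GET https://webmail.domain.foo/ - NONE/- text/html
1329819183.011 0 CLIENT_IP TCP_MISS/404 1530 GET https://webmail.domain.foo/302:https://EXCHANGE_IP/owa/ - FIRST_UP_PARENT/exchangeServer text/html
1329819183.043 0 CLIENT_IP TCP_MISS/404 1530 GET https://webmail.domain.foo/favicon.ico - FIRST_UP_PARENT/exchangeServer text/html
1329830487.573 0 CLIENT_IP TCP_DENIED/302 336 GET https://webmail.domain.foo/ - NONE/- text/html
1329830487.578 3 CLIENT_IP TCP_MISS/302 441 GET https://webmail.domain.foo/owa/ - FIRST_UP_PARENT/exchangeServer -
"""

# Assumption: the default "squid" native log format, ten whitespace-separated fields.
FIELDS = ("time", "elapsed", "client", "result", "bytes",
          "method", "url", "user", "hier", "type")

# A status prefix such as "302:" that ended up inside the URL path means the
# client was redirected to a relative "302:https://..." location instead of
# the intended absolute URL.
LEAKED_PREFIX = re.compile(r"^https?://[^/]+/(3\d\d):(https?://\S+)$")


def parse(line):
    """Split one access.log line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["code"], _, rec["status"] = rec["result"].partition("/")
    return rec


def find_leaked_redirects(lines):
    """Report requests whose URL carries a leaked deny_info status prefix."""
    findings = []
    previous = None
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        match = LEAKED_PREFIX.match(rec["url"])
        if match:
            # Was the immediately preceding entry the deny_info redirect
            # that produced this request?
            follows_deny = (
                previous is not None
                and previous["client"] == rec["client"]
                and previous["code"] == "TCP_DENIED"
                and previous["status"] == "302"
            )
            findings.append({
                "time": rec["time"],
                "prefix": match.group(1),
                "intended_target": match.group(2),
                "forwarded_to": rec["hier"],   # the bogus URL still reached the peer
                "status": rec["status"],
                "follows_deny_redirect": follows_deny,
            })
        previous = rec
    return findings


if __name__ == "__main__":
    for finding in find_leaked_redirects(SAMPLE_LOG.splitlines()):
        print(finding)
```

Only the entry from the first configuration is flagged; the entries logged after the "303:" prefix was dropped from deny_info pass clean.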



Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-21 Thread Amos Jeffries

On 21/02/2012 11:21 p.m., Fried Wil wrote:

> On Tue, Feb 21, 2012 at 12:26:11PM +1300, Amos Jeffries wrote:
> I have this error on my access.log
> 1329819182.985  0 CLIENT_IP TCP_DENIED/302 340 GET
> https://webmail.domain.foo/ - NONE/- text/html
> 1329819183.011  0 CLIENT_IP TCP_MISS/404 1530 GET
> https://webmail.domain.foo/302:https://EXCHANGE_IP/owa/ -
> FIRST_UP_PARENT/exchangeServer text/html
> 1329819183.043  0 CLIENT_IP TCP_MISS/404 1530 GET
> https://webmail.domain.foo/favicon.ico - FIRST_UP_PARENT/exchangeServer
> text/html
>
> for these lines
> acl redirectOWA urlpath_regex ^/$
> deny_info 303:https://webmail.lexsi.lan/owa/ redirectOWA
> http_access deny HTTPSOWA redirectOWA
>
> replace 303 by 302 give the same error
>
>
> bad configuration ?


Sorry. Yes. Drop the "303:" part. It is just the new URL for squid 3.1.

Amos


Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-21 Thread Fried Wil
On Tue, Feb 21, 2012 at 12:26:11PM +1300, Amos Jeffries wrote:
> - Proper HTTP *redirect* using 3xx status messages should work fine.
> But Squid needs to be configured to handle both the before and after
> URL when received from the client. Exchange only needs to handle the
> "after" URI.
> 
> 
> To simply do a global / to /owa/ *redirect* you can do this very
> simple:
> 
>  acl redirectOWA urlpath_regex ^/$
>  deny_info 303:https://EXCHANGE_SERVER/owa/ redirectOWA
>  http_access deny HTTPS OWA redirectOWA
> 
> Place this at the top of the reverse-proxy http_access lines and the
> clients will be redirected to load that given URL before they are
> sent anywhere near Exchange.
> 
> NOTE: The domain "EXCHANGE_SERVER" needs to point at your Squid
> https_port address if you want the OWA requests to continue to
> operate through Squid. BUT, I think you are actually wanting to
> redirect with:
> 
>  deny_info 303:https://webmail.domain.foo/owa/ redirectOWA
> 
> 
> HTH
> Amos
> 

I have this error on my access.log
1329819182.985  0 CLIENT_IP TCP_DENIED/302 340 GET
https://webmail.domain.foo/ - NONE/- text/html
1329819183.011  0 CLIENT_IP TCP_MISS/404 1530 GET
https://webmail.domain.foo/302:https://EXCHANGE_IP/owa/ -
FIRST_UP_PARENT/exchangeServer text/html
1329819183.043  0 CLIENT_IP TCP_MISS/404 1530 GET
https://webmail.domain.foo/favicon.ico - FIRST_UP_PARENT/exchangeServer
text/html

for these lines
acl redirectOWA urlpath_regex ^/$
deny_info 303:https://webmail.lexsi.lan/owa/ redirectOWA
http_access deny HTTPSOWA redirectOWA

replace 303 by 302 give the same error


bad configuration ?




Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-21 Thread Fried Wil
Hi Amos, 

Thanks for your very good explanation.

I wanna to specify all i want to need :

https://webmail.domain.foo/ --> https://EXCHANGE_IP/owa/
https://webmail.domain.foo/owa/ --> https://EXCHANGE_IP/owa/
https://webmail.domain.foo/rpc/ --> https://EXCHANGE_IP/rpc/
https://webmail.domain.foo/Microsoft-Active-Sync/ 
-->https://EXCHANGE_IP/Microsoft-Active-Sync/
https://webmail.domain.foo/EWS/ --> https://EXCHANGE_IP/EWS/

The 302 redirection is needed only for the / .

I'have test your configuration Amos, and it's the same ..

1329818099.937  0 CLIENT_IP TCP_MISS/503 3243 GET
https://webmail.domain.foo/ - NONE/- text/html

but for /owa/ ..

1329818128.646  2 CLIENT_IP TCP_MISS/302 435 GET
https://webmail.domain.foo/owa/ - FIRST_UP_PARENT/exchangeServer -
1329818128.685  3 CLIENT_IP TCP_MISS/200 1491 GET
https://webmail.domain.foo/owa/auth/logon.aspx? -
FIRST_UP_PARENT/exchangeServer text/html



This is my new squid.conf configuration : 

BEGIN##
https_port webmail.lexsi.com:443 accel
cert=/etc/squid3/webmail.domain.foo.crt key=/etc/squid3/server.key
defaultsite=webmail.domain.foo vhost

cache_peer EXCHANGE_IP parent 443 0 no-query originserver
login=PASS ssl sslcert=/etc/squid3/EXCHANGE_IP.pem
sslflags=DONT_VERIFY_PEER name=exchangeServer

acl HTTPSOWA url_regex -i ^https://webmail.domain.foo/.*$
acl HTTPS proto HTTPS
acl lexsi dstdomain webmail.domain.foo

acl OWA dstdomain webmail.domain.foo
acl OWA-SITE urlpath_regex
(\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/EWS\/|\/exchange\/)
acl OWA-DIRS url_regex ^https://EXCHANGE_IP/owa/

cache_peer_access exchangeServer allow OWA
cache_peer_access exchangeServer allow OWA-SITE
cache_peer_access exchangeServer allow OWA-DIRS
cache_peer_access exchangeServer deny all

acl redirectOWA urlpath_regex ^/$
deny_info 303:https://webmail.lexsi.lan/owa/ redirectOWA
http_access deny HTTPSOWA redirectOWA
http_access allow all (for tests ^^)

END##


Thx in advance guys




On Tue, Feb 21, 2012 at 12:26:11PM +1300, Amos Jeffries wrote:
> On 21.02.2012 04:59, Fried Wil wrote:
> >Hello Guys,
> >
> >I'have a problem with a Squid 3.1.6 as reverse proxy for an exchange
> >usage ... (rpc not compatible with apache2). I would  like  to
> >redirect
> >the "/" to "/owa". How can i do that ? thx guys
> >
> 
> Um. I've started with a bit of a side-track some major
> simplifications inline with your config. The answer to your question
> is at the end.
> 
> 
> >This is my configuration of squid.conf just for OWA Access.
> >
> >$
> >https_port SQUID_IP:443 accel cert=/etc/squid3/external_webmail.crt
> >key=/etc/squid3/server.key defaultsite=webmail.domain.foo
> 
> NOTE: it is important to be aware that in 3.1 and older if you omit
> "vhost" flag but set "defaultsite=". Has the effect of re-writing
> *all* inbound request URI with the domain name specified as
> defaultsite= value. The importance of this will become clearer
> later...
> 
> 
> >
> >cache_peer IP_EXCHANGE_SERVER parent 443 0 no-query originserver
> >login=PASS ssl sslcert=/etc/squid3/EXCHANGE_server.pem
> >sslflags=DONT_VERIFY_PEER name=exchangeServer
> >
> >acl url_allow url_regex -i ^https://webmail.domain.foo/.*$
> 
> Hint #1: "^https://webmail.domain.foo/.*$" overlaps and matches same
> URL as all the following patterns.
> 
> 
> Remove the patterns from here...
> 
> >acl url_allow url_regex -i ^https://webmail.domain.foo/rpc.*$
> >acl url_allol url_regex -i ^https://webmail.domain.foo/exchange.*$
> >acl url_allow url_regex -i ^https://webmail.domain.foo/exchweb.*$
> >acl url_allow url_regex -i
> >^https://webmail.domain.foo/Microsoft-Server-ActiveSync.*$
> >acl url_allow url_regex -i ^https://webmail.domain.foo/owa.*$
> >acl url_allow url_regex -i ^https://webmail.domain.foo/EWS.*$
> >acl url_allow url_regex -i
> >^https://webmail.domain.foo/autodiscover.*$
> 
> ... down to here.
> 
> Hint #2: "url_regex -i ^https://webmail.domain.foo/.*$" can be
> further reduced to a simple pair of ACL:
> 
>   acl HTTPS proto HTTPS
>   acl foo dstdomain webmail.domain.foo
> 
> >
> >acl OWA dstdomain webmail.domain.foo
> 
> Hint #3: note how the new "foo" ACL and "OWA" ACL are identical. You
> can drop the suggested "foo" ACL and use "OWA".
> 
> 
> Result: You can replace all uses of "url_allow" in *_access lines
> with the pair "HTTPS OWA".
> 
> 
> >acl OWA-SITE urlpath_regex
> >
> >(\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/EWS\/|\/exchange\/)
> >acl OWA-DIRS url_regex ^https://EXCHANGE_SERVER/owa/
> >
> >cache_peer_access exchangeServer allow OWA
> 
> Hint #4: remembering that http_port defaultsite= has already made
> the URI domain name "webmail.domain.foo" you will notice how the
> "OWA" ACL will always match.
>  This by itself means no other "cache_peer_access exchangeServer"
> lines will be tested.
> 
> 
> >cache_peer_access exchangeServer deny all
> 
> Hint 

Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-20 Thread Amos Jeffries

On 21.02.2012 11:15, Marcus Kool wrote:

> For HTTP is receives the full URL but for HTTPS it only receives the
> domainname.



No. This is reverse-proxy. The full request details are available.

Amos



Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-20 Thread Amos Jeffries

On 21.02.2012 04:59, Fried Wil wrote:

> Hello Guys,
>
> I'have a problem with a Squid 3.1.6 as reverse proxy for an exchange
> usage ... (rpc not compatible with apache2). I would like to redirect
> the "/" to "/owa". How can i do that ? thx guys



Um. I've started with a bit of a side-track some major simplifications 
inline with your config. The answer to your question is at the end.




> This is my configuration of squid.conf just for OWA Access.
>
> $
> https_port SQUID_IP:443 accel cert=/etc/squid3/external_webmail.crt
> key=/etc/squid3/server.key defaultsite=webmail.domain.foo


NOTE: it is important to be aware that in 3.1 and older if you omit 
"vhost" flag but set "defaultsite=". Has the effect of re-writing *all* 
inbound request URI with the domain name specified as defaultsite= 
value. The importance of this will become clearer later...





> cache_peer IP_EXCHANGE_SERVER parent 443 0 no-query originserver
> login=PASS ssl sslcert=/etc/squid3/EXCHANGE_server.pem
> sslflags=DONT_VERIFY_PEER name=exchangeServer
>
> acl url_allow url_regex -i ^https://webmail.domain.foo/.*$


Hint #1: "^https://webmail.domain.foo/.*$" overlaps and matches same 
URL as all the following patterns.



Remove the patterns from here...


> acl url_allow url_regex -i ^https://webmail.domain.foo/rpc.*$
> acl url_allol url_regex -i ^https://webmail.domain.foo/exchange.*$
> acl url_allow url_regex -i ^https://webmail.domain.foo/exchweb.*$
> acl url_allow url_regex -i
> ^https://webmail.domain.foo/Microsoft-Server-ActiveSync.*$
> acl url_allow url_regex -i ^https://webmail.domain.foo/owa.*$
> acl url_allow url_regex -i ^https://webmail.domain.foo/EWS.*$
> acl url_allow url_regex -i
> ^https://webmail.domain.foo/autodiscover.*$


... down to here.

Hint #2: "url_regex -i ^https://webmail.domain.foo/.*$" can be further 
reduced to a simple pair of ACL:


  acl HTTPS proto HTTPS
  acl foo dstdomain webmail.domain.foo



> acl OWA dstdomain webmail.domain.foo


Hint #3: note how the new "foo" ACL and "OWA" ACL are identical. You 
can drop the suggested "foo" ACL and use "OWA".



Result: You can replace all uses of "url_allow" in *_access lines with 
the pair "HTTPS OWA".




> acl OWA-SITE urlpath_regex
>
> (\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/EWS\/|\/exchange\/)
> acl OWA-DIRS url_regex ^https://EXCHANGE_SERVER/owa/
>
> cache_peer_access exchangeServer allow OWA


Hint #4: remembering that http_port defaultsite= has already made the 
URI domain name "webmail.domain.foo" you will notice how the "OWA" ACL 
will always match.
 This by itself means no other "cache_peer_access exchangeServer" lines 
will be tested.




> cache_peer_access exchangeServer deny all


Hint #5: now that you have configured "exchangeServer deny all" the 
rest of the "cache_peer_access exchangeServer" lines are meaningless.



> never_direct allow OWA
>
> cache_peer_access exchangeServer allow OWA-SITE
> cache_peer_access exchangeServer deny all
> never_direct allow OWA-SITE
>
> cache_peer_access exchangeServer allow OWA-DIRS
> cache_peer_access exchangeServer deny all
> never_direct allow OWA-DIRS
>
> I wanna just to redirect the https://webmail.domain.foo/ to
> https://EXCHANGE_SERVER/owa/
>
> I saw "url_rewrite_program" but it doesn't works :(



Please explain "doesn't work". Details are critical.

Firstly, you need to get straight whether you are redirecting or 
re-writing. They are very different things, with very different effects 
on Exchange.



- URL *re-write*, may or may not work. Exchange is *very* sensitive to 
even minor changes in the URI it is asked for. Re-writing can break 
Exchange service from one release to the next or from one windows update 
cycle to the next. Re-write has its occasional uses, but Exchange is not 
one of them.  url_rewrite_program can do both types of URI alteration. 
Although you only need it for the re-write.



- Proper HTTP *redirect* using 3xx status messages should work fine. 
But Squid needs to be configured to handle both the before and after URL 
when received from the client. Exchange only needs to handle the "after" 
URI.



To simply do a global / to /owa/ *redirect* you can do this very 
simple:


 acl redirectOWA urlpath_regex ^/$
 deny_info 303:https://EXCHANGE_SERVER/owa/ redirectOWA
 http_access deny HTTPS OWA redirectOWA

Place this at the top of the reverse-proxy http_access lines and the 
clients will be redirected to load that given URL before they are sent 
anywhere near Exchange.


NOTE: The domain "EXCHANGE_SERVER" needs to point at your Squid 
https_port address if you want the OWA requests to continue to operate 
through Squid. BUT, I think you are actually wanting to redirect with:


 deny_info 303:https://webmail.domain.foo/owa/ redirectOWA


HTH
Amos
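
How a helper can issue a real redirect instead of an in-transit rewrite, as an added example that is not part of the original post or of Squid. It assumes the Squid 3.1-era url_rewrite_program line protocol (input "URL client_ip/fqdn user method", reply of an empty line for no change, a bare URL for a rewrite, or "302:URL" for a redirect); the answer() function, its mode parameter and the sample request lines are hypothetical.

```python
import sys
from urllib.parse import urlsplit

PUBLIC_HOST = "webmail.domain.foo"            # public name used in the thread
OWA_URL = "https://webmail.domain.foo/owa/"   # the "after" URL, still served via Squid


def answer(request_line, mode="redirect"):
    """Return the helper reply for one request line.

    ""          leave the request untouched
    "302:URL"   tell the client to re-request URL (client and server stay in sync)
    "URL"       rewrite in transit (the client never learns the URL changed)
    """
    fields = request_line.split()
    if len(fields) < 4:
        return ""                      # malformed line: never alter the request
    url, method = fields[0], fields[3]

    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != PUBLIC_HOST:
        return ""
    # Same scope as "urlpath_regex ^/$": only the bare site root.
    if parts.path not in ("", "/") or parts.query:
        return ""
    # A 302 makes most clients repeat the request as GET without the body,
    # so only safe, body-less methods are redirected.
    if method not in ("GET", "HEAD"):
        return ""

    if mode == "redirect":
        return "302:" + OWA_URL
    return OWA_URL                     # the in-transit rewrite the thread advises against


def main():
    # Squid keeps the helper running and writes one request per line.
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()             # Squid waits for each reply line


if __name__ == "__main__":
    main()
```

With mode="redirect" the client's address bar, cookies and any URI-bound state follow the change; with the rewrite reply Exchange sees /owa/ while the client still believes it asked for /.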



Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-20 Thread Marcus Kool


For HTTP is receives the full URL but for HTTPS it only receives the domainname.

The URL rewriter feature was designed to rewrite HTTP-based URLs
and cannot rewrite HTTPS-URLs.

Marcus

Fried Wil wrote:
Hi Guys, 


Thx @Eliezer for reply.
I know redirection page, thx :), but i want to use squidguard as
redirector by rewriterule or redirector program, is it possible to
process as this ?

Thx in advance.

Regards, 


Wilfried

On Mon, Feb 20, 2012 at 08:08:06PM +0200, Eliezer Croitoru wrote:

On 20/02/2012 17:59, Fried Wil wrote:
the simple way is to use a redirection page on the ows web server.
change the index.html page on the "/" .
some sources for that:
http://www.web-source.net/html_redirect.htm
http://www.quackit.com/html/html_redirect.cfm
http://billstclair.com/html-redirect2.html

Regards,
Eliezer

Hello Guys,

I'have a problem with a Squid 3.1.6 as reverse proxy for an exchange
usage ... (rpc not compatible with apache2). I would  like  to redirect
the "/" to "/owa". How can i do that ? thx guys

This is my configuration of squid.conf just for OWA Access.

$
https_port SQUID_IP:443 accel cert=/etc/squid3/external_webmail.crt
key=/etc/squid3/server.key defaultsite=webmail.domain.foo

cache_peer IP_EXCHANGE_SERVER parent 443 0 no-query originserver
login=PASS ssl sslcert=/etc/squid3/EXCHANGE_server.pem
sslflags=DONT_VERIFY_PEER name=exchangeServer

acl url_allow url_regex -i ^https://webmail.domain.foo/.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/rpc.*$
acl url_allol url_regex -i ^https://webmail.domain.foo/exchange.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/exchweb.*$
acl url_allow url_regex -i
^https://webmail.domain.foo/Microsoft-Server-ActiveSync.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/owa.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/EWS.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/autodiscover.*$



acl OWA dstdomain webmail.domain.foo
acl OWA-SITE urlpath_regex
(\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/EWS\/|\/exchange\/)
acl OWA-DIRS url_regex ^https://EXCHANGE_SERVER/owa/

cache_peer_access exchangeServer allow OWA
cache_peer_access exchangeServer deny all
never_direct allow OWA

cache_peer_access exchangeServer allow OWA-SITE
cache_peer_access exchangeServer deny all
never_direct allow OWA-SITE

cache_peer_access exchangeServer allow OWA-DIRS
cache_peer_access exchangeServer deny all
never_direct allow OWA-DIRS

I wanna just to redirect the https://webmail.domain.foo/ to
https://EXCHANGE_SERVER/owa/

I saw "url_rewrite_program" but it doesn't works :(

Thx in advance.

Wilfried





Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-20 Thread Fried Wil
Hi Guys, 

Thx @Eliezer for reply.
I know redirection page, thx :), but i want to use squidguard as
redirector by rewriterule or redirector program, is it possible to
process as this ?

Thx in advance.

Regards, 

Wilfried

On Mon, Feb 20, 2012 at 08:08:06PM +0200, Eliezer Croitoru wrote:
> On 20/02/2012 17:59, Fried Wil wrote:
> the simple way is to use a redirection page on the ows web server.
> change the index.html page on the "/" .
> some sources for that:
> http://www.web-source.net/html_redirect.htm
> http://www.quackit.com/html/html_redirect.cfm
> http://billstclair.com/html-redirect2.html
> 
> Regards,
> Eliezer
> >Hello Guys,
> >
> >I'have a problem with a Squid 3.1.6 as reverse proxy for an exchange
> >usage ... (rpc not compatible with apache2). I would  like  to redirect
> >the "/" to "/owa". How can i do that ? thx guys
> >
> >This is my configuration of squid.conf just for OWA Access.
> >
> >$
> >https_port SQUID_IP:443 accel cert=/etc/squid3/external_webmail.crt
> >key=/etc/squid3/server.key defaultsite=webmail.domain.foo
> >
> >cache_peer IP_EXCHANGE_SERVER parent 443 0 no-query originserver
> >login=PASS ssl sslcert=/etc/squid3/EXCHANGE_server.pem
> >sslflags=DONT_VERIFY_PEER name=exchangeServer
> >
> >acl url_allow url_regex -i ^https://webmail.domain.foo/.*$
> >acl url_allow url_regex -i ^https://webmail.domain.foo/rpc.*$
> >acl url_allol url_regex -i ^https://webmail.domain.foo/exchange.*$
> >acl url_allow url_regex -i ^https://webmail.domain.foo/exchweb.*$
> >acl url_allow url_regex -i
> >^https://webmail.domain.foo/Microsoft-Server-ActiveSync.*$
> >acl url_allow url_regex -i ^https://webmail.domain.foo/owa.*$
> >acl url_allow url_regex -i ^https://webmail.domain.foo/EWS.*$
> >acl url_allow url_regex -i ^https://webmail.domain.foo/autodiscover.*$
> >
> >
> >
> >acl OWA dstdomain webmail.domain.foo
> >acl OWA-SITE urlpath_regex
> >(\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/EWS\/|\/exchange\/)
> >acl OWA-DIRS url_regex ^https://EXCHANGE_SERVER/owa/
> >
> >cache_peer_access exchangeServer allow OWA
> >cache_peer_access exchangeServer deny all
> >never_direct allow OWA
> >
> >cache_peer_access exchangeServer allow OWA-SITE
> >cache_peer_access exchangeServer deny all
> >never_direct allow OWA-SITE
> >
> >cache_peer_access exchangeServer allow OWA-DIRS
> >cache_peer_access exchangeServer deny all
> >never_direct allow OWA-DIRS
> >
> >I wanna just to redirect the https://webmail.domain.foo/ to
> >https://EXCHANGE_SERVER/owa/
> >
> >I saw "url_rewrite_program" but it doesn't works :(
> >
> >Thx in advance.
> >
> >Wilfried
> 


Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-20 Thread Eliezer Croitoru

On 20/02/2012 17:59, Fried Wil wrote:
the simple way is to use a redirection page on the ows web server.
change the index.html page on the "/" .
some sources for that:
http://www.web-source.net/html_redirect.htm
http://www.quackit.com/html/html_redirect.cfm
http://billstclair.com/html-redirect2.html

Regards,
Eliezer

Hello Guys,

I'have a problem with a Squid 3.1.6 as reverse proxy for an exchange
usage ... (rpc not compatible with apache2). I would  like  to redirect
the "/" to "/owa". How can i do that ? thx guys

This is my configuration of squid.conf just for OWA Access.

$
https_port SQUID_IP:443 accel cert=/etc/squid3/external_webmail.crt
key=/etc/squid3/server.key defaultsite=webmail.domain.foo

cache_peer IP_EXCHANGE_SERVER parent 443 0 no-query originserver
login=PASS ssl sslcert=/etc/squid3/EXCHANGE_server.pem
sslflags=DONT_VERIFY_PEER name=exchangeServer

acl url_allow url_regex -i ^https://webmail.domain.foo/.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/rpc.*$
acl url_allol url_regex -i ^https://webmail.domain.foo/exchange.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/exchweb.*$
acl url_allow url_regex -i
^https://webmail.domain.foo/Microsoft-Server-ActiveSync.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/owa.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/EWS.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/autodiscover.*$



acl OWA dstdomain webmail.domain.foo
acl OWA-SITE urlpath_regex
(\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/EWS\/|\/exchange\/)
acl OWA-DIRS url_regex ^https://EXCHANGE_SERVER/owa/

cache_peer_access exchangeServer allow OWA
cache_peer_access exchangeServer deny all
never_direct allow OWA

cache_peer_access exchangeServer allow OWA-SITE
cache_peer_access exchangeServer deny all
never_direct allow OWA-SITE

cache_peer_access exchangeServer allow OWA-DIRS
cache_peer_access exchangeServer deny all
never_direct allow OWA-DIRS

I wanna just to redirect the https://webmail.domain.foo/ to
https://EXCHANGE_SERVER/owa/

I saw "url_rewrite_program" but it doesn't works :(

Thx in advance.

Wilfried




[squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

2012-02-20 Thread Fried Wil
Hello Guys,

I'have a problem with a Squid 3.1.6 as reverse proxy for an exchange
usage ... (rpc not compatible with apache2). I would  like  to redirect
the "/" to "/owa". How can i do that ? thx guys

This is my configuration of squid.conf just for OWA Access.

$
https_port SQUID_IP:443 accel cert=/etc/squid3/external_webmail.crt
key=/etc/squid3/server.key defaultsite=webmail.domain.foo

cache_peer IP_EXCHANGE_SERVER parent 443 0 no-query originserver
login=PASS ssl sslcert=/etc/squid3/EXCHANGE_server.pem
sslflags=DONT_VERIFY_PEER name=exchangeServer

acl url_allow url_regex -i ^https://webmail.domain.foo/.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/rpc.*$
acl url_allol url_regex -i ^https://webmail.domain.foo/exchange.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/exchweb.*$
acl url_allow url_regex -i
^https://webmail.domain.foo/Microsoft-Server-ActiveSync.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/owa.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/EWS.*$
acl url_allow url_regex -i ^https://webmail.domain.foo/autodiscover.*$



acl OWA dstdomain webmail.domain.foo
acl OWA-SITE urlpath_regex
(\/rpc\/|\/owa\/|\/oab\/|\/autodiscover\/|\/Microsoft-Server-ActiveSync|\/public\/|\/exchweb\/|\/EWS\/|\/exchange\/)
acl OWA-DIRS url_regex ^https://EXCHANGE_SERVER/owa/

cache_peer_access exchangeServer allow OWA
cache_peer_access exchangeServer deny all
never_direct allow OWA

cache_peer_access exchangeServer allow OWA-SITE
cache_peer_access exchangeServer deny all
never_direct allow OWA-SITE

cache_peer_access exchangeServer allow OWA-DIRS
cache_peer_access exchangeServer deny all
never_direct allow OWA-DIRS

I wanna just to redirect the https://webmail.domain.foo/ to
https://EXCHANGE_SERVER/owa/

I saw "url_rewrite_program" but it doesn't works :(

Thx in advance.

Wilfried


Re: [squid-users] url rewrite

2010-08-05 Thread John Doe
From: John Doe 

> From: senthilkumaar2021
> > Is there any possibility to pass urlpath rewritten urls to particular
> > cache_peer in reverse proxy
> > The urlpath rewritten is done using perl script .only path in url is re
> > written
> > Three identical web servers are running at different ip and the url path
> > is rewritten for some requests only .
> > only the rewritten requests has to be passed to particular web server.
> > client(example.com/squid)-->reverse proxy->webserver1 or
> > webserver2(example.com/squid)
> >   (no rewrite needed)
> > client (example.com/squirm)___>revere proxy->webserevr3(example.com/squid)
> >   (squirm url path is rewritten as squid)
>
> With an external_acl and cache_peer_access maybe?
> If url ends with squirm, block... and then use this acl to block the first
> two peers.
> if not blocked, block the third peer...
> Would this work?

My bad, the external part is really not needed...
Something like:
acl has_squirm urlpath_regex squirm$
cache_peer_access peer1 allow !has_squirm
cache_peer_access peer2 allow !has_squirm
cache_peer_access peer3 allow has_squirm
cache_peer_access peer1 deny all
cache_peer_access peer2 deny all
cache_peer_access peer3 deny all

JD


  


Re: [squid-users] url rewrite

2010-08-05 Thread John Doe
From: senthilkumaar2021 

> Is there any possibility to pass urlpath rewritten urls to particular
> cache_peer in reverse proxy
> The urlpath rewritten is done using perl script .only path in url is re
> written
> Three identical web servers are running at different ip and the url path is
> rewritten for some requests only .
> only the rewritten requests has to be passed to particular web server.
> client(example.com/squid)-->reverse proxy->webserver1 or
> webserver2(example.com/squid)
>   (no rewrite needed)
> client (example.com/squirm)___>revere proxy->webserevr3(example.com/squid)
>   (squirm url path is rewritten as squid)

With an external_acl and cache_peer_access maybe?
If url ends with squirm, block... and then use this acl to block the first two 
peers.
if not blocked, block the third peer...
Would this work?

JD


  


[squid-users] url rewrite

2010-08-04 Thread senthilkumaar2021

Hi

Is there any possibility to pass urlpath rewritten urls to particular 
cache_peer in reverse proxy


The urlpath rewritten is done using perl script .only path in url is re 
written


Three identical web servers are running at different ip and the url path 
is rewritten for some requests only .

only the rewritten requests has to be passed to particular web server.

Eg

client(example.com/squid)-->reverse proxy->webserver1 or 
webserver2(example.com/squid)

   (no rewrite needed)

client (example.com/squirm)___>revere 
proxy->webserevr3(example.com/squid)
   (squirm url path is 
rewritten as squid)



Regards
senthil








Re: [squid-users] url-rewrite & digest authentication not working together

2010-07-17 Thread Henrik Nordström
On Wed 2010-07-14 at 12:07 -0700, Mike Melson wrote:

> Digest authentication fails because the uri= in the
> Authorization header isn't rewritten & so it doesn't match the POST
> URI created by url-rewrite-program. Is there a way to also rewrite the
> uri string in the Authorization header before squid sends it to the
> originserver? 

No, it's included in the one-way digest authentication hash, and
included in the Authorization header just to deal with cases like this.

   digest-uri
 The URI from Request-URI of the Request-Line; duplicated here
 because proxies are allowed to change the Request-Line in transit.

You need to make the server accept the digest-uri as valid in the
Authorization header, or get rid of the need to rewrite the URI.

Note: The server is meant to use digest-uri when verifying the Digest
authentication hash, not the Request-URI.

Regards
Henrik
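
Added example (not from the thread or from Squid): an RFC 2617 Digest computation with qop=auth, showing why the rewrite breaks a server that hashes the Request-Line URI and why verifying against the header's uri= field works. The user name, realm, password, nonce, cnonce and the rewritten path are constructed values.

```python
import hashlib
import hmac
import re

PUBLIC_URI = "/myfile.txt"                               # what curl requested
REWRITTEN_URI = "/0123456789abcdef0123456789abcdef"      # constructed stand-in for the rewritten path


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop):
    """RFC 2617 request-digest for qop=auth; the URI is hashed inside HA2."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username, realm, password, method, uri, nonce, cnonce):
    """Build the Authorization header the client sends for the public URI."""
    nc, qop = "00000001", "auth"
    response = digest_response(username, realm, password, method, uri,
                               nonce, nc, cnonce, qop)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop={qop}, nc={nc}, cnonce="{cnonce}", '
            f'response="{response}"')


def parse_authorization(header):
    """Split a Digest Authorization header into its key/value fields."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        fields[key] = quoted or bare
    return fields


def server_verify(header, method, password, hashed_uri):
    """Recompute the digest with the given URI and compare in constant time."""
    f = parse_authorization(header)
    expected = digest_response(f["username"], f["realm"], password, method,
                               hashed_uri, f["nonce"], f["nc"], f["cnonce"], f["qop"])
    return hmac.compare_digest(expected, f["response"])


def verify_using_digest_uri(header, method, password):
    """Server behaviour the RFC intends: hash the uri= field from the header."""
    return server_verify(header, method, password, parse_authorization(header)["uri"])


def verify_using_request_line(header, method, password, request_uri):
    """Server that hashes whatever URI arrived on the Request-Line."""
    return server_verify(header, method, password, request_uri)


if __name__ == "__main__":
    hdr = client_authorization("user1", "origin", "s3cret", "POST",
                               PUBLIC_URI, "constructed-nonce", "0a4f113b")
    print(hdr)
    # The proxy rewrote the Request-Line, the header still carries /myfile.txt.
    print("hash Request-Line URI:", verify_using_request_line(hdr, "POST", "s3cret", REWRITTEN_URI))
    print("hash digest-uri field:", verify_using_digest_uri(hdr, "POST", "s3cret"))
```
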



Re: [squid-users] url-rewrite & digest authentication not working together

2010-07-14 Thread Amos Jeffries
On Wed, 14 Jul 2010 12:07:45 -0700 (PDT), Mike Melson
 wrote:
> Hi - 
> 
> I'm having trouble using squid plus a url-rewrite-program as a reverse
> proxy to a system that requires digest authentication. 
> 
> Digest authentication fails because the uri= in the Authorization
> header isn't rewritten & so it doesn't match the POST URI created by
> url-rewrite-program. Is there a way to also rewrite the uri string in the
> Authorization header before squid sends it to the originserver?

No. This is one of the limits of re-writing the requested URL while it is
in transit.

Consider what the reason for having that URI in the Authorization header
means:
  The client is passing specific credentials to a security zone identified
by the URI.
If the URI is being used even in part as realm then the encryption itself
is salted on the public URI.

> 
> If it helps clarify, I'm using curl to POST to squid as a reverse proxy to
> a custom web server. And, if I eliminate the url-rewrite-program
> authorization works fine.
> 
> e.g. [curl] --> POST /myfile.txt --> [squid (url-rewrite myfile.txt to
> <32-bit hex string>)] --> POST /<32bit-hex-string> --> [originserver]

URL-re-writing is a rather nasty violation of HTTP. Where possible you
need to remove it.

Squid in reverse proxy mode acts exactly like a client web browser when
contacting the web server. Your web server should always be aware of its
public URIs and able to handle requests for them.

Amos


[squid-users] url-rewrite & digest authentication not working together

2010-07-14 Thread Mike Melson
Hi - 

I'm having trouble using squid plus a url-rewrite-program as a reverse proxy to 
a system that requires digest authentication. 

Digest authentication fails because the uri= in the Authorization 
header isn't rewritten & so it doesn't match the POST URI created by 
url-rewrite-program. Is there a way to also rewrite the uri string in the 
Authorization header before squid sends it to the originserver? 

If it helps clarify, I'm using curl to POST to squid as a reverse proxy to a 
custom web server. And, if I eliminate the url-rewrite-program authorization 
works fine. 

e.g. [curl] --> POST /myfile.txt --> [squid (url-rewrite myfile.txt to <32-bit 
hex string>)] --> POST /<32bit-hex-string> --> [originserver]

Thanks, 
Mike 


Re: [squid-users] url-rewrite PHP script issue under Ubuntu 10.04

2010-06-03 Thread Nyamul Hassan
That was a good find!

Amos, does that indeed help?  It would be nice to know.

Regards
HASSAN



On Tue, Jun 1, 2010 at 03:10, Horacio H.  wrote:
>
> Hi!
>
> Thanks Alexandre and Amos for your replies, together they pointed me
> into the right direction!
>
> Based on the URLs sent by Alexandre, I edited the
> "/etc/php5/cli/php.ini" file and tested different values for
> "max_execution_time" and "max_input_time" but none changed the PHP's
> script behavior.  Then, I remembered Amos mentioned a 60sec timeout. I
> saw my cache.log and yes there was an exactly 60sec delay after
> starting squid and the first Warning. So, I searched the "php.ini" for
> a similar value and found this directive: "default_socket_timeout". I
> changed it to 300sec and the Warnings started to show up accordingly.
> Then I changed its value to "-1" and the warnings haven't shown up
> again!
>
> Squid doesn't complain anymore about my PHP-scripts, but I don't know
> if this change has secondary effects or any other consequences.  I'll
> be monitoring them, but in any case I have the backup Perl-scripts.
>
> Thanks again!


Re: [squid-users] url-rewrite PHP script issue under Ubuntu 10.04

2010-05-31 Thread Horacio H.
Hi!

Thanks Alexandre and Amos for your replies, together they pointed me
into the right direction!

Based on the URLs sent by Alexandre, I edited the
"/etc/php5/cli/php.ini" file and tested different values for
"max_execution_time" and "max_input_time" but none changed the PHP's
script behavior.  Then, I remembered Amos mentioned a 60sec timeout. I
saw my cache.log and yes there was an exactly 60sec delay after
starting squid and the first Warning. So, I searched the "php.ini" for
a similar value and found this directive: "default_socket_timeout". I
changed it to 300sec and the Warnings started to show up accordingly.
Then I changed its value to "-1" and the warnings haven't shown up
again!

Squid doesn't complain anymore about my PHP-scripts, but I don't know
if this change has secondary effects or any other consequences.  I'll
be monitoring them, but in any case I have the backup Perl-scripts.

Thanks again!


Re: [squid-users] url-rewrite PHP script issue under Ubuntu 10.04

2010-05-25 Thread Amos Jeffries
On Tue, 25 May 2010 18:49:16 -0500, "Horacio H." 
wrote:
> Hi !
> 
> I was wondering if someone else has noticed a similar behavior:
> 
> I wrote an URL-rewrite script with PHP as explained at
> . The
> script was running without complaints under Squid 2.7.Stable9 and
> Ubuntu 9.04, then I upgraded Ubuntu to 10.04 and warning messages
> started to show up:
> 
> 2010/05/15 16:48:28| WARNING: url_rewriter #XX (FD XX) exited  <
> (repeat n-times)
> 2010/05/15 16:48:28| Too few url_rewriter processes are running
> 2010/05/15 16:48:28| Starting new helpers
> 
> Things I've tried to solve the issue without success:
> 
> - Simplified the PHP script to the minimum (finally just using the
> wiki's example).
> - A clean installation of Ubuntu 10.04.
> - Downgraded PHP package from 5.3 to 5.2.
> - Recompiled Squid (just in case).
> 
> Perl scripts are not affected, so I rewrote/translated the script. The
> service is up again but a big question mark was left over my head.
> 
> I know it's not a Squid's issue per se, but at least the wiki may need
> to be updated before other people get stuck at this point...

Hi Horacio,
 Being a great PHP fan myself with a lot of helpers I've been fighting
this problem for a year or so now.

The issue centers around the automatic run timeouts PHP has.

Under several of the 5.0-5.2 releases the background engine has either not
obeyed the php.ini settings correctly or not obeyed run-time overrides
correctly. I pushed through and supported many alterations to Squid-3.2
which help minimize the problem, but...

As far as I can tell so far the new 5.3 engine seems not to obey either
run-time or configured settings and sticks rigidly to a 60sec timeout. 
While technically helpers can be of any language, this recent behaviour
change of PHP 5.3 makes it completely useless as a Squid helper for even
small installations.

I'd advise some other scripting language for now, or if you must the very
latest squid-3.x code (http://www.squid-cache.org/Versions/v3/HEAD/) will
be important to prevent Squid constantly restarting as its helpers
self-destruct. Even then the constantly unavailable helpers make Squid a
bit slow and hang on many requests while they are restarted.

Amos



[squid-users] url-rewrite PHP script issue under Ubuntu 10.04

2010-05-25 Thread Horacio H.
Hi !

I was wondering if someone else has noticed a similar behavior:

I wrote an URL-rewrite script with PHP as explained at
. The
script was running without complaints under Squid 2.7.Stable9 and
Ubuntu 9.04, then I upgraded Ubuntu to 10.04 and warning messages
started to show up:

2010/05/15 16:48:28| WARNING: url_rewriter #XX (FD XX) exited  <
(repeat n-times)
2010/05/15 16:48:28| Too few url_rewriter processes are running
2010/05/15 16:48:28| Starting new helpers

Things I've tried to solve the issue without success:

- Simplified the PHP script to the minimum (finally just using the
wiki's example).
- A clean installation of Ubuntu 10.04.
- Downgraded PHP package from 5.3 to 5.2.
- Recompiled Squid (just in case).

Perl scripts are not affected, so I rewrote/translated the script. The
service is up again but a big question mark was left over my head.

I know it's not a Squid's issue per se, but at least the wiki may need
to be updated before other people get stuck at this point...

Thanks for reading.

---
squid.conf:
---
url_rewrite_program  /etc/squid/phpredir
url_rewrite_children 32

-
phpredir:
-
#!/usr/bin/php


Re: [squid-users] URL rewrite Help

2009-08-31 Thread Henrik Nordstrom
On Mon 2009-08-31 at 09:21 -0700, Trevor Merrill wrote:
> I am currently testing squid in a reverse proxy configuration with JBoss 
> Portal backend servers. My goal is to phase out Apache and mod_proxy and 
> gain some speed with squid. I have a basic reverse proxy configuration 
> working for www.mydomain.com but I need to try and duplicate the 
> following in squid:

I would suggest you first check if the JBoss Portal backend can be
reconfigured to support vhost on its own without needing a reverse
proxy playing tricks with rewriting URLs. Simplifies matters greatly in
the long run.

Failing that you can do the rewrites you describe with a small URL
rewriter helper doing the needed rewrites.

The equivalence of ProxyPassReverse however (location_rewrite_program)
requires Squid-2.7. Not yet available in Squid-3.

Regards
Henrik



Re: [squid-users] URL rewrite Help

2009-08-31 Thread Youenn Boussard

Hello,

You can try this in your squid.conf :

url_rewrite_program iRedirector.py
url_rewrite_children 1
url_rewrite_concurrency 20
url_rewrite_host_header off
Get and customize these files (these are template files):
https://ingeniweb.svn.sourceforge.net/svnroot/ingeniweb/iw.recipe.squid/trunk/iw/recipe/squid/templates/iRedirector.py_tmpl
 (rename to iRedirector.py)
https://ingeniweb.svn.sourceforge.net/svnroot/ingeniweb/iw.recipe.squid/trunk/iw/recipe/squid/templates/squidRewriteRules.py_tmpl
 (rename to squidRewriteRules.py)
And you configure the redirection in squidRewriteRules, as with mod_rewrite
(if you can) for Apache.

rewrites = (
(r'http://192.168.5.44:8380/(.*)',
   r'http://backendJBossserverIP:8080/portal/subdomain/\1', 'P,L'),
)
...

Regards Youenn.
On 31 Aug 09, at 18:21, Trevor Merrill wrote:

I am currently testing squid in a reverse proxy configuration with JBoss
Portal backend servers. My goal is to phase out Apache and mod_proxy and
gain some speed with squid. I have a basic reverse proxy configuration
working for www.mydomain.com but I need to try and duplicate the
following in squid:

(Apache conf example)

 ServerName subdomain.mydomain.com
 ServerAlias *.subdomain.mydomain.com
 ServerAdmin webmas...@mydomain.com

 ProxyRequests Off
 ProxyPreserveHost On

 
  Order deny,allow
  Allow from all
 

 RewriteEngine On
 RewriteRule .* - [E=DEFAULT_PORTAL:subdomain]
 RewriteCond %{REQUEST_URI} ^/?$
 RewriteRule .* http://192.168.5.44:8380/portal/%{ENV:DEFAULT_PORTAL} [P,L]


 ProxyPass / http://192.168.5.66:8380/
 ProxyPassReverse / http://192.168.5.66:8380/

 ErrorLog /var/log/apache2/error.log
 LogLevel warn
 CustomLog /var/log/apache2/access.log combined


Is it possible to do this sort of rewriting in squid? Essentially all I
am doing is changing the HTTP request from http://subdomain.mydomain.com
-> http://backendJBossserverIP:8080/portal/subdomain, the host stays the
same so the public sees http://www.mydomain.com/portal/subdomain. I am
having a tough time finding examples or some direction to start heading in.

For fun here is my current squid conf and the corresponding Apache conf
that I was able to essentially replace:

(Apache conf snippet)

 ServerName www.mydomain.com
 ServerAlias mydomain.com
 ServerAdmin webmas...@mydomain.com

 ProxyRequests Off
 ProxyPreserveHost On
 
  Order deny,allow
  Allow from all
 

 ProxyPass / http://192.168.5.66:8380/
 ProxyPassReverse / http://192.168.5.66:8380/

 ErrorLog /var/log/apache2/error.log
 LogLevel warn
 CustomLog /var/log/apache2/access.log combined


(Squid conf snippet)

cache_peer 192.168.5.66 parent 8080 0 no-query no-digest originserver name=testerJBoss
acl TesterJBoss_sites dstdomain .mydomain.com
cache_peer_access testerJBoss allow TesterJBoss_sites
http_access allow TesterJBoss_sites
http_access deny All

Thanks for the help.

Trevor Merrill




Youenn Boussard
INGENIWEB (TM) - SAS 5 Euros - RC B 438 725 632
1, rue Royale
227, Les Bureaux de la Colline - Bat D
92213  - Saint Cloud Cedex
Tél : 01 78 15 24 00 / Fax : 01 46 02 44 04








[squid-users] URL rewrite Help

2009-08-31 Thread Trevor Merrill
I am currently testing squid in a reverse proxy configuration with JBoss 
Portal backend servers. My goal is to phase out Apache and mod_proxy and 
gain some speed with squid. I have a basic reverse proxy configuration 
working for www.mydomain.com but I need to try and duplicate the 
following in squid:

(Apache conf example)

  ServerName subdomain.mydomain.com
  ServerAlias *.subdomain.mydomain.com
  ServerAdmin webmas...@mydomain.com

  ProxyRequests Off
  ProxyPreserveHost On

  
   Order deny,allow
   Allow from all
  

  RewriteEngine On
  RewriteRule .* - [E=DEFAULT_PORTAL:subdomain]
  RewriteCond %{REQUEST_URI} ^/?$
  RewriteRule .* http://192.168.5.44:8380/portal/%{ENV:DEFAULT_PORTAL} [P,L]

  ProxyPass / http://192.168.5.66:8380/
  ProxyPassReverse / http://192.168.5.66:8380/

  ErrorLog /var/log/apache2/error.log
  LogLevel warn
  CustomLog /var/log/apache2/access.log combined


Is it possible to do this sort of rewriting in squid? Essentially all I 
am doing is changing the HTTP request from http://subdomain.mydomain.com 
-> http://backendJBossserverIP:8080/portal/subdomain, the host stays the 
same so the public sees http://www.mydomain.com/portal/subdomain. I am 
having a tough time finding examples or some direction to start heading in.

For fun here is my current squid conf and the corresponding Apache conf 
that I was able to essentially replace:

(Apache conf snippet)

  ServerName www.mydomain.com
  ServerAlias mydomain.com
  ServerAdmin webmas...@mydomain.com

  ProxyRequests Off
  ProxyPreserveHost On
  
   Order deny,allow
   Allow from all
  

  ProxyPass / http://192.168.5.66:8380/
  ProxyPassReverse / http://192.168.5.66:8380/

  ErrorLog /var/log/apache2/error.log
  LogLevel warn
  CustomLog /var/log/apache2/access.log combined


(Squid conf snippet)
> cache_peer 192.168.5.66 parent 8080 0 no-query no-digest originserver 
> name=testerJBoss
> acl TesterJBoss_sites dstdomain .mydomain.com
> cache_peer_access testerJBoss allow TesterJBoss_sites
> http_access allow TesterJBoss_sites
> http_access deny All
Thanks for the help.

Trevor Merrill




Re: [squid-users] URL Rewrite

2009-03-04 Thread Chris Robertson

howard chen wrote:

Hi,

On Wed, Mar 4, 2009 at 4:30 AM, Chris Robertson  wrote:
  

See the "forceddomain" argument to cache_peer.
http://www.squid-cache.org/Doc/config/cache_peer/



Is it possible to force into an URL?

e.g.

*.example.com/* => http://www.google.com/aboutus
  


I don't think that's possible with forceddomain, as it just rewrites the 
domain portion of the HTTP header.  I'd use a deny_info page.


acl redirect_site dstdomain .example.com
http_access deny redirect_site
deny_info http://www.google.com/aboutus redirect_site

Either the deny_info page is going to have to be served from another 
domain than that which triggers the redirect, or you'll have to make 
your own error page 
(http://wiki.squid-cache.org/SquidFaq/SquidAcl#head-2931f707c7137629bad3cecc83d8a014c4818e0a).


Otherwise a url_rewrite_program (possibly accompanied by 
url_rewrite_access) would work.  
http://www.squid-cache.org/Doc/config/url_rewrite_program/, 
http://www.squid-cache.org/Doc/config/url_rewrite_access/


Chris



Re: [squid-users] URL Rewrite

2009-03-04 Thread howard chen
Hi,

On Wed, Mar 4, 2009 at 4:30 AM, Chris Robertson  wrote:
> See the "forceddomain" argument to cache_peer.
> http://www.squid-cache.org/Doc/config/cache_peer/

Is it possible to force into an URL?

e.g.

*.example.com/* => http://www.google.com/aboutus


Re: [squid-users] URL Rewrite

2009-03-03 Thread Chris Robertson

howard chen wrote:

Hi

Currently I am using dstdomain/cache_peer to rewrite url request from
client to backend apache (so squid act as a reverse proxy)


e.g.

acl dstdomain_site  dstdomain   .example.com


cache_peer  192.168.11.123   parent 80 0 no-query originserver round-robin login=PASS weight=1
cache_peer_access   192.168.11.123   allow dstdomain_site
cache_peer_access   192.168.11.123   deny all



This requires my backend apache to have a virtual host listening for .example.com

But how can I manually force rewrite an URL from user, even my
backend apache is not listening example.com?

e.g.

.example.com => .google.com

I remember this can easily be done using apache mod_rewrite
(mod_proxy) but is it possible to be done in squid?
  


See the "forceddomain" argument to cache_peer. 
http://www.squid-cache.org/Doc/config/cache_peer/



Thanks.
  


Chris


[squid-users] URL Rewrite

2009-03-03 Thread howard chen
Hi

Currently I am using dstdomain/cache_peer to rewrite url request from
client to backend apache (so squid act as a reverse proxy)


e.g.

acl dstdomain_site  dstdomain   .example.com


cache_peer  192.168.11.123   parent 80 0 no-query originserver round-robin login=PASS weight=1
cache_peer_access   192.168.11.123   allow dstdomain_site
cache_peer_access   192.168.11.123   deny all



This requires my backend apache to have a virtual host listening for .example.com

But how can I manually force rewrite an URL from user, even my
backend apache is not listening example.com?

e.g.

.example.com => .google.com

I remember this can easily be done using apache mod_rewrite
(mod_proxy) but is it possible to be done in squid?

Thanks.


Re: [squid-users] Url Rewrite

2007-12-04 Thread Amos Jeffries

Almered Niklas wrote:

Hi!

We're trying to configure a Squid 2.6 stable 16 with two servers, a
webserver with Linux and Apache and a web mapping server with Windows
and IIS.

A: application.example.com (Apache webserver on port 8081)
B: map.example.com (IIS web mapping server on port 80)

Now, Squid is installed on the Linux machine listening to port 80 and my
aim is that Squid should do a rewrite on url:s like
application.example.com/proxy and redirect them to map.example.com


The squid.conf file looks like this:

acl our_proxyurl url_regex application.example.com/proxy

url_rewrite_access allow our_proxyurl
url_rewrite_program /usr/local/squid/bin/test.pl 
url_rewrite_children 10 
url_rewrite_host_header on 
always_direct allow all


http_port 80 accel defaultsite=application.example.com

cache_peer 1.2.3.85 parent 8081 0 no-query originserver name=server_app 
cache_peer 1.2.3.65 parent 80 0 no-query originserver name=server_map


We accomplished the rewrite but at the same time access is being denied
to application.example.com with the following error:
"Unable to forward this request at this time"

How do I configure the Squid with url rewrite without losing access?


You will need an http_access control to permit access to those websites.

I would also suggest either cache_peer_domain or cache_peer_access +ACLs 
to direct certain traffic to each peer.


'always_direct'+'cache_peer ... no-query' might cause problems later ... 
you will need to test if the always_direct is actually needed once 
http_access is properly configured.


Amos



[squid-users] Url Rewrite

2007-12-03 Thread Almered Niklas

Hi!

We're trying to configure a Squid 2.6 stable 16 with two servers, a
webserver with Linux and Apache and a web mapping server with Windows
and IIS.

A: application.example.com (Apache webserver on port 8081)
B: map.example.com (IIS web mapping server on port 80)

Now, Squid is installed on the Linux machine listening to port 80 and my
aim is that Squid should do a rewrite on url:s like
application.example.com/proxy and redirect them to map.example.com


The squid.conf file looks like this:

acl our_proxyurl url_regex application.example.com/proxy

url_rewrite_access allow our_proxyurl
url_rewrite_program /usr/local/squid/bin/test.pl 
url_rewrite_children 10 
url_rewrite_host_header on 
always_direct allow all

http_port 80 accel defaultsite=application.example.com

cache_peer 1.2.3.85 parent 8081 0 no-query originserver name=server_app 
cache_peer 1.2.3.65 parent 80 0 no-query originserver name=server_map

We accomplished the rewrite but at the same time access is being denied
to application.example.com with the following error:
"Unable to forward this request at this time"

How do I configure the Squid with url rewrite without losing access?


Niklas Almered
System developer



Re: [squid-users] url rewrite and cache, which URL should be cached?

2007-10-15 Thread Henrik Nordstrom
On Wed, 2007-10-10 at 10:20 +0200, Sylvain Viart wrote:

> the redirector returns:
> echo "http://mes-test2.mydomain.com/js/mailbox.js" | perl t.pl
> !php! http://static-php/js/mailbox.js

There should be no space between the urlgroup tag and the URL.

Anything after the first space is ignored by Squid.

Regards
Henrik
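
Added example, not code from the thread: a Python rendition of the rewrite rules in the Perl redirector posted in this thread, emitting the urlgroup tag with no space before the URL. `squid_view` is a hypothetical model of the parsing Henrik describes (text after the first space is dropped and a leading `!name!` is taken as the urlgroup); it is an assumption for illustration, not Squid's own code.

```python
import re
import sys

FILER = "filer-01"                    # peer host used by the posted script
PHP = "static-php"                    # dummy canonical host used by the posted script
FILER_HOSTS = ("img.mydomain.com",)
_HOST = re.compile(r"^http://[^/]+")  # scheme plus host[:port]
_STATIC = re.compile(r"^http://[^/]+/(js/static_file|media|thumb)")


def rewrite(url):
    """Return (urlgroup, rewritten_url) following the posted script's rules."""
    on_filer_host = any(url.startswith(f"http://{h}/") for h in FILER_HOSTS)
    if on_filer_host or _STATIC.match(url):
        return "filer", _HOST.sub(f"http://{FILER}", url, count=1)
    if ".php" not in url:
        # canonicalise the host so every vhost shares one cache entry
        url = _HOST.sub(f"http://{PHP}", url, count=1)
    return "php", url


def format_reply(urlgroup, url, space_after_tag=False):
    """Build the helper reply; space_after_tag=True reproduces the posted bug."""
    sep = " " if space_after_tag else ""
    return f"!{urlgroup}!{sep}{url}"


def squid_view(reply):
    """Assumed model: keep the text before the first space, split off !group!."""
    token = reply.split(" ", 1)[0]
    m = re.match(r"^!([^!]*)!(.*)$", token)
    if m:
        return m.group(1), m.group(2)   # (urlgroup, URL); URL may be empty
    return None, token


def handle_line(line, space_after_tag=False):
    """Process one helper input line: 'URL client_ip/fqdn user method urlgroup'."""
    url = line.split()[0]
    group, new_url = rewrite(url)
    return format_reply(group, new_url, space_after_tag)


if __name__ == "__main__":
    for raw in sys.stdin:
        if raw.strip():
            # flush each reply, the equivalent of $|=1 in the Perl script
            print(handle_line(raw), flush=True)
```
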




Re: [squid-users] url rewrite and cache, which URL should be cached?

2007-10-10 Thread Sylvain Viart

Hi,

Found:
Could it be associated with the urlgroup which somewhat hides the 
rewriting?



Yes it is !

snip of the redirector, squid.conf unmodified

while (<>)
{
  # filer rewriting not modified
   if(m[^http://$filer_host/] || 
m[^http://([^/]+)/(js/static_file|media|thumb)])

   {
   #$host = &get_filer;
   s#http://[^/]+(:[0-9]+)?#http://$filer#;

   # add urlgroup
   s/^/!filer! /;
   }
   else
   {
   # php canonization
   if($_ !~ /\.php/)
   {
   s#http://[^/]+(:[0-9]+)?#http://$php#;
   }

   # add urlgroup, DISABLED it hides rewriting !
   #s/^/!php! /;
   }

   print;
}

from store.log

#urlgroup commented for php rewriting:

1192003008.380  0 12.34.56.78 TCP_MEM_HIT/200 839 GET 
http://mes-test2.mydomain.com/js/mailbox.js - NONE/- 
application/x-javascript
1192003052.809  3 12.34.56.78 TCP_MISS/200 830 GET 
http://sometest.mydomain.com/js/mailbox.js - ROUNDROBIN_PARENT/php-04 
application/x-javascript
1192003191.848  5 12.34.56.78 TCP_MISS/200 830 GET 
http://testthat.mydomain.com/js/mailbox.js - ROUNDROBIN_PARENT/php-04 
application/x-javascript
1192003459.194  0 12.34.56.78 TCP_MEM_HIT/200 838 GET 
http://test-0.mydomain.com/js/mailbox.js - NONE/- application/x-javascript
1192003461.945  8 12.34.56.78 TCP_MEM_HIT/200 838 GET 
http://test-0.mydomain.com/js/mailbox.js - NONE/- application/x-javascript
1192003494.894  0 12.34.56.78 TCP_MEM_HIT/200 838 GET 
http://test-10428.mydomain.com/js/mailbox.js - NONE/- 
application/x-javascript
1192003534.370  0 12.34.56.78 TCP_MEM_HIT/200 838 GET 
http://test-5769.mydomain.com/js/mailbox.js - NONE/- 
application/x-javascript


# urlgroup activated it doesn't seem to work anymore.:
1192003579.940  1 12.34.56.78 TCP_MISS/200 830 GET 
http://test-24309.mydomain.com/js/mailbox.js - ROUNDROBIN_PARENT/php-04 
application/x-javascript
1192003592.293  1 12.34.56.78 TCP_MISS/200 829 GET 
http://test-30186.mydomain.com/js/mailbox.js - ROUNDROBIN_PARENT/php-03 
application/x-javascript


Regards,
Sylvain.


Re: [squid-users] url rewrite and cache, which URL should be cached?

2007-10-10 Thread Sylvain Viart

Hi Henrik,

Henrik Nordstrom wrote:

On Tue, 2007-10-09 at 17:47 +0200, Sylvain Viart wrote:
  

Hi,

I use a redirector on an accel proxy config.

url_rewrite_program /etc/squid/redirector.pl
url_rewrite_children 15
url_rewrite_concurrency 0
url_rewrite_host_header off


It seems that the url used to store the requested url is the original
url, not the rewritten one.



The cache is using the rewritten URL.
  

here is some more detail:

the redirector script:
#--8< 
#!/usr/bin/perl
#
# request_URIclient_IP/FQDNusername HTTP_method
#
# url_rewrite_program
# URL  client_ip "/" fqdn  user  method  urlgroup 
#
#
# access.log
# 1190984604.736  6 12.34.56.78 TCP_MISS/200 1752 GET
# http://proxy-03.mydomain.com/thumb/100/default_woman.jpg - ROUNDROBIN_PARENT/php-03 image/jpeg
#
#
# !perl -n -e ' m@(http://[^ ]+)@; print "$1\n";' < /var/log/squid/access.log

$|=1;

$filer = 'filer-01';
@filer_domain = qw /img.mydomain.com/;

$filer_host = join('|', @filer_domain);

# dummy domain name for canonical rewriting
$php = 'static-php';

$n = 0;
while (<>)
{
   if(m[^http://$filer_host/] || 
m[^http://([^/]+)/(js/static_file|media|thumb)])

   {
   #$host = &get_filer;
   s#http://[^/]+(:[0-9]+)?#http://$filer#;

   # add urlgroup
   s/^/!filer! /;
   }
   else
   {
   if($_ !~ /\.php/)
   {
   s#http://[^/]+(:[0-9]+)?#http://$php#;
   }

   # add urlgroup
   s/^/!php! /;
   }

   print;
}
#--8< 

the redirector returns:
echo "http://mes-test2.mydomain.com/js/mailbox.js" | perl t.pl
!php! http://static-php/js/mailbox.js

echo "http://sometestagain.mydomain.com/js/mailbox.js" | perl t.pl
!php! http://static-php/js/mailbox.js

some store.log entries:

1191938682.998 SWAPOUT 00 02E5 2AC12C498B97741871A11F0290E927C8  200 
1191938682 1180514999-1 application/x-javascript

418/418 GET http://mes-test.mydomain.com/js/mailbox.js
1191938722.433 SWAPOUT 00 02E7 C61344FEBB15FC2C7D039A36A2EE552D  200 
1191938722 1180514999-1 application/x-javascript

418/418 GET http://mes-test2.mydomain.com/js/mailbox.js

for me it should be stored under
http://static-php/js/mailbox.js

associated acl and urlgroup:

# urlgroup matching acl from url_rewrite_program
acl static_doc urlgroup filer
acl php_doc urlgroup php

# filer server access rules
cache_peer_access filer-01 allow static_doc
cache_peer_access filer-01 deny all

# php server access exclusion for static_doc matched on the filer
#cache_peer_access php-01 deny static_doc
#cache_peer_access php-02 deny static_doc
#cache_peer_access php-03 deny static_doc
cache_peer_access php-04 deny static_doc

Could it be associated with the urlgroup which somewhat hides the rewriting?


Sequence is approximately

* Request accepted
* http_access Access controls
* URL rewriting, replacing Squid's idea of the URL
* http_access2 Access controls
* Cache lookup
* Forwarding on cache miss
* http_reply_access Reply access controls


Because of this using "url_rewrite_host_header off" can be a very bad
thing as it makes the requested URL sent to the web server differ from
the cache URL, and can easily bite you..
  

it seems it bites, :-)

but that's what I want, it worked with squid2.5 redirector without urlgroup.
* cache canonized URL
* peer: original URL.

would be simpler if it works like that for my config

More documentation on "url_rewrite_host_header off"?

Regards,
Sylvain.



Re: [squid-users] url rewrite and cache, which URL should be cached?

2007-10-09 Thread Henrik Nordstrom
On Tue, 2007-10-09 at 17:47 +0200, Sylvain Viart wrote:
> Hi,
> 
> I use a redirector on an accel proxy config.
> 
> url_rewrite_program /etc/squid/redirector.pl
> url_rewrite_children 15
> url_rewrite_concurrency 0
> url_rewrite_host_header off
> 
> 
> It seems that the url used to store the requested url is the original
> url, not the rewritten one.

The cache is using the rewritten URL.

Sequence is approximately

* Request accepted
* http_access Access controls
* URL rewriting, replacing Squid's idea of the URL
* http_access2 Access controls
* Cache lookup
* Forwarding on cache miss
* http_reply_access Reply access controls


Because of this using "url_rewrite_host_header off" can be a very bad
thing as it makes the requested URL sent to the web server differ from
the cache URL, and can easily bite you..

Regards
Henrik




Re: [squid-users] url rewrite and cache, which URL should be cached?

2007-10-09 Thread Adrian Chadd
On Tue, Oct 09, 2007, Sylvain Viart wrote:
> Hi,
> 
> I use a redirector on an accel proxy config.
> 
> url_rewrite_program /etc/squid/redirector.pl
> url_rewrite_children 15
> url_rewrite_concurrency 0
> url_rewrite_host_header off
> 
> 
> It seems that the url used to store the requested url is the original
> url, not the rewritten one.
> I would like to store the content on canonized URL, is it possible?

That's what I'm working on in my spare time.
(I'd love it if someone beat me to it and published their patch!)

You also mean store and retrieve on the canonized URL?




Adrian



[squid-users] url rewrite and cache, which URL should be cached?

2007-10-09 Thread Sylvain Viart

Hi,

I use a redirector on an accel proxy config.

url_rewrite_program /etc/squid/redirector.pl
url_rewrite_children 15
url_rewrite_concurrency 0
url_rewrite_host_header off


It seems that the url used to store the requested url is the original
url, not the rewritten one.

I would like to store the content on canonized URL, is it possible?

How do I debug that?


Regards,
Sylvain.


Re: [squid-users] url rewrite problem

2007-10-02 Thread Amos Jeffries

Srinivas B wrote:

Hi All,

is there any way I can redirect urls that are replaced by accelerated mode.

I have something like

http_port 8080 accel defaultsite=mysite.com

Requests are replaced by host=mysite.com.

I want to redirect some url based on original request (depending upon
hostname). I have tried vhost option.., but doesn't seem to solve the
problem, as hostname requested externally is not defined in internal
DNS.


FQDN should be resolvable regardless of where you are. Websites should
always use FQDN. You need to seriously consider allowing the local
network to resolve your FQDN then. Particularly the webservers that are
supposed to be serving those websites publicly.


Anyway, to get accel going without involving DNS you only need to use a 
cache_peer with a few ACLs to do the heavy lifting.


So long as its just a re-direction and not a re-writing that you want, 
the following should be much easier and faster.


Here's a few of my config lines:

   # an internal source machine...
 cache_peer colo-32.localdomain parent 80 0 originserver name=colo1
   # domain it runs...
 acl colo1Hosted dstdomain .mifrenz.com
   # it ONLY provides that domain...
 cache_peer_access colo1 allow colo1Hosted GETPOST
 cache_peer_access colo1 deny all
   # people are allowed to do general web stuff with it...
 http_access allow colo1Hosted GETPOST
   # squid is not allowed to do anything with this domain itself...
 never_direct allow colo1Hosted

  cache_peer rio.treenetnz.com parent 80 0 originserver name=rio
  acl rioHosted dstdomain .treenet.co.nz
  acl rioHosted dstdomain .treenetnz.com
  cache_peer_access rio allow rioHosted GETPOST
  cache_peer_access rio deny all
  http_access allow rioHosted GETPOST
  never_direct allow rioHosted


etc, etc, repeat as needed for any unique sources.

You can use any of the ACL criteria to switch origins based on anything 
you like.


FYI some names like colo-1 are not resolvable to the public. It does not 
matter. As long as the name squid is given as the peer can be resolved 
by squid, and the host server understands the names of domains its meant 
to be hosting. The only DNS involved here is resolving 
colo-32.localdomain and rio.treenetnz.com when squid needs them.


Placed ahead of the regular http_access rules it works well forcing all 
accelerated/locally-hosted domain MISS'es out to the designated real 
source, and blocking any general traffic being passed to the hosting 
servers. Without the additional overhead of redirector threads.


'vhost' will do basic 'accel' and also alter the original Host: header 
of the request as it goes through squid.


Amos


Re: [squid-users] url rewrite problem

2007-10-02 Thread Keshava M P
you have to use a redirector and you have to include the
url_rewrite_program and related directives in squid.conf. typically,
url_rewrite_program /path/to/yourredirectprogram
url_rewrite_children 5
url_rewrite_concurrency 5
url_rewrite_host_header off

Either you define the entries of internal hosts in /etc/hosts or you
can use the internal ips directly in your redirector.
example: your outside ip is mapped to e1.yourdomain.com,
e2.yourdomain.com,e3.yourdomain.com.
let us say these correspond to host1 (10.9.0.1), host2 (10.9.0.2),
host3 (10.9.0.3)

your redirector program will look something like this:

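#!/usr/bin/perl
$|=1;   # unbuffered output, so squid sees each reply at once
while (<>) {
# url_rewrite_concurrency is non-zero, so each line starts with a channel ID
($id, $url) = split;
# external name -> internal host, per the mapping described above
# (the list archive masked the original substitution expressions)
$url =~ s@http://e1.yourdomain.com@http://host1@;
$url =~ s@http://e2.yourdomain.com@http://host2@;
$url =~ s@http://e3.yourdomain.com@http://host3@;
# echo the channel ID back with the rewritten URL
print "$id $url\n";
}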

you can also use internal ip addresses in place of host1, host2 etc.
you can even redirect to a specific page like
http://host1/path/to/your/page

Keshava

On 10/2/07, Srinivas B <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> is there any way I can redirect urls that are replaced by accelerated mode.
>
> I have something like
>
> http_port 8080 accel defaultsite=mysite.com
>
> Requests are replaced by host=mysite.com.
>
> I want to redirect some url based on original request (depending upon
> hostname). I have tried vhost option.., but doesn't seem to solve the
> problem, as hostname requested externally is not defined in internal
> DNS.
>
> Please help
>
> Thanks in advance.
>
> Srinivas
>


-- 
M P Keshava
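
A redirector of the kind described in the message above, written out as an added example (not code from this thread or from Squid). It echoes the channel ID that Squid prepends when url_rewrite_concurrency is non-zero and compares the host exactly, so a name such as e1.yourdomain.com.example.net is never mapped to an internal host. The host table follows the mapping in the message; the function names and the sample lines in the comments are constructed for illustration.

```python
#!/usr/bin/env python3
"""url_rewrite_program helper: map external virtual hosts to internal origins."""
import sys
from urllib.parse import urlsplit, urlunsplit

# External name -> internal host, following the example mapping in the thread.
HOST_MAP = {
    "e1.yourdomain.com": "host1",
    "e2.yourdomain.com": "host2",
    "e3.yourdomain.com": "host3",
}


def rewrite_url(url):
    """Return the rewritten URL, or None when the URL must be left alone."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:  # non-numeric port or malformed IPv6 literal
        return None
    if parts.scheme != "http" or host is None:
        return None
    # Whole-host, case-insensitive lookup (urlsplit lowercases the host);
    # a substring or prefix match would also catch look-alike names.
    target = HOST_MAP.get(host.rstrip("."))
    if target is None:
        return None
    # Keep an explicit port, drop any userinfo, pass path and query through.
    netloc = target if port is None else f"{target}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


def handle_line(line, concurrent=True):
    """Build the reply for one request line, e.g. (constructed sample)
    "7 http://e3.yourdomain.com/index.html 192.0.2.10/- - GET".
    In concurrent mode the leading channel ID is echoed back; a reply
    without a URL tells Squid to leave the request unchanged.
    """
    fields = line.split()
    chan = fields.pop(0) if concurrent and fields else ""
    new_url = rewrite_url(fields[0]) if fields else None
    return " ".join(p for p in (chan, new_url) if p)


if __name__ == "__main__":
    for request in sys.stdin:
        # Flush every reply: Squid blocks on the helper's answer.
        print(handle_line(request), flush=True)
```

With url_rewrite_concurrency set to 0 the lines carry no channel ID, which corresponds to calling handle_line with concurrent=False.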


[squid-users] url rewrite problem

2007-10-01 Thread Srinivas B
Hi All,

is there any way I can redirect urls that are replaced by accelerated mode.

I have something like

http_port 8080 accel defaultsite=mysite.com

Requests are replaced by host=mysite.com.

I want to redirect some url based on original request (depending upon
hostname). I have tried vhost option.., but doesn't seem to solve the
problem, as hostname requested externally is not defined in internal
DNS.

Please help

Thanks in advance.

Srinivas