Using Squid to route requests for specific sites to another proxy

za_mkh asked
Hi,

We are using a Smoothwall Squid proxy, which is working fine! We have some access rules configured where requests for specific intranet domains are sent to another upstream Squid proxy for resolution etc. This worked well for the last three years. However, we now have a request that some specific intranet websites need to be sent to another proxy for resolution, and this is where I am having issues! The problem is that regardless of what I do, all requests go to the primary server.

Listed below is information on the upstream proxies:

Upstream Proxy 1 is 10.10.10.10
Upstream Proxy 2 is 11.11.11.11

I have the appropriate ACLs set up on the local Squid proxy. They are listed in the code window below.

As you can see, the "specific sites" are subsets of the .net.local domain and hence Squid is sending the requests to the primary server. If I remove .net.local from the allsites.acl file, then it gets routed to the second proxy. But then, all other .net.local site requests cause the local Squid proxy to connect directly to the intranet site in question instead of sending it to the upstream proxy.

So I still need all other .net.local sites to go via proxy 1.

Does anybody have an idea on how I can achieve that so that only the specific sites go to proxy 2?

I have tried the urldom_regex option but I get the same results.

#allsites upstream proxy
cache_peer 10.10.10.10 parent 8080 0 default no-query login=PASS connect-timeout=30 originserver connection-auth=auto http11
acl allsites dstdom_regex "/var/smoothwall/proxy/advanced/acls/allsites.acl"
never_direct allow allsites.acl
cache_peer_access 10.10.10.10 allow allsites

#specific sites upstream proxy
cache_peer 11.11.11.11 parent 8080 0 no-query login=PASS connect-timeout=30 originserver connection-auth=auto http11
acl allsites dstdom_regex "/var/smoothwall/proxy/advanced/acls/specificsites.acl"
never_direct allow specificsites.acl
cache_peer_access 11.11.11.11 allow specificsites

listing of the allsites.acl file
.net.local
.com
.co.uk

listing of the specificsites.acl file
site.net.local
site4.net.local


Top Expert 2005

Commented:
Have you tried putting the "cache_peer 11.11.11.11" definitions before #allsites? Maybe Squid processes them one by one, terminating at the first match.

I also recommend matching domains case-insensitively - option -i
za_mkh, IT Manager

Author

Commented:
Hi Ravenpl,

I could never understand what the -i option was! Thanks, will implement that!

I did try to put the #specificsites before the #allsites (thinking it would work) but it didn't. That's when I gave up and thought I need expert knowledge on this!

Any other ideas I could try?

Thanks
Top Expert 2005
Commented:
Isn't it as simple as denying specificsites access to cache_peer 10.10.10.10?

cache_peer_access 10.10.10.10 deny specificsites
cache_peer_access 10.10.10.10 allow allsites
za_mkh, IT Manager

Author

Commented:
Ah .. good idea .. I will try that and get back to you!
za_mkh, IT Manager

Author

Commented:
The only way it worked was to put the "specificsites" ACL config before the "allsites" ACL config, and then to put the deny ACL string for the allsites ACL config!

Thanks for your help! Really appreciated.
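
The arrangement the thread converges on, written out in full as an added example (this is not the poster's actual file). Peer addresses, ports, peer options and ACL file paths are copied from the question as posted; giving each ACL its own name and referring to it by that name in never_direct are assumptions about what the original configuration intended.

```squidconf
# Added example: route "specific sites" to proxy 2, everything else in
# allsites.acl to proxy 1. Peer lines are copied unchanged from the question.

# Each ACL gets its own name; -i makes the match case-insensitive.
acl specificsites dstdom_regex -i "/var/smoothwall/proxy/advanced/acls/specificsites.acl"
acl allsites      dstdom_regex -i "/var/smoothwall/proxy/advanced/acls/allsites.acl"

# never_direct takes the ACL name, not the name of the file behind it.
# Both sets must always go through a parent, never straight to the site.
never_direct allow specificsites
never_direct allow allsites

# specific sites upstream proxy (declared first, as in the final report)
cache_peer 11.11.11.11 parent 8080 0 no-query login=PASS connect-timeout=30 originserver connection-auth=auto http11
cache_peer_access 11.11.11.11 allow specificsites

# allsites upstream proxy
cache_peer 10.10.10.10 parent 8080 0 default no-query login=PASS connect-timeout=30 originserver connection-auth=auto http11
# cache_peer_access rules for a peer are checked top to bottom and the first
# match decides. site.net.local also matches the .net.local entry in
# allsites.acl, so the deny has to come before the allow.
cache_peer_access 10.10.10.10 deny specificsites
cache_peer_access 10.10.10.10 allow allsites

# Note on the ACL files: dstdom_regex entries are regular expressions.
# An entry such as .net.local is unanchored and its dots match any character,
# so it matches more host names than intended. Anchored, escaped forms keep
# the two sets tight:
#   allsites.acl:       \.net\.local$
#   specificsites.acl:  ^site\.net\.local$
#                       ^site4\.net\.local$
```

After reloading, Squid's access.log shows which parent served each request in the hierarchy field, which confirms that only site.net.local and site4.net.local are leaving through 11.11.11.11.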