[squid-users] reverse proxy / ACL issues.

From: Greg Whynott <[email protected]>
Date: Wed, 07 Dec 2005 13:45:09 -0500

Hello,
The question: Is there a way to use squid's rproxy feature with ACLs?
Using ACLs in a reverse proxy mode seems to break server name / ip parsing.

-Version 2.5.STABLE5
-SUSE LINUX Enterprise Server 9 (i586)
-We are using squid in a reverse proxy config to allow a client to view
pages on an internal web server which are related to the project we are
working on for them.
-The squid service sits out in the dmz.
-Both the internal network and the dmz use private numbers.
-The internal web server is the front end to many internal services,
which the client should not be able to view.

Things work as expected until I add an ACL. When an ACL is added it
seems as if the internal addresses are not replaced by the rproxy
service anymore.

For example:
Without ACLs, if I load (from the outside, out on the internet)
http://external.site.ip.com/projects/CLIENTX/foo.html and foo.html has an
href which will take you elsewhere on the same internal server, it
works. Viewing the source shows it has replaced the internal IPs with
the external.site.ip.com's IP.

If I add an ACL, the internal IPs are no longer replaced with the
rproxy's IP. Instead, the hrefs use the internal IPs. The first page
loads, but any hrefs point to internal IPs. This of course breaks
things for the client.

Here are the ACL bits I've added to the conf file: basically any URL
with the string "clientx" can be loaded, everything else not.

#
# URLs WHICH CLIENT CAN LOAD -ggw
#
#acl clienturl url_regex -i clientx
#acl noview url_regex -i grid io rgrid
#
# apply acl rules
#
#http_access deny noview
#http_access allow clienturl
#

Any thoughts?

thanks,
greg
Received on Wed Dec 07 2005 - 11:45:38 MST
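
An added illustration, not part of the original post and not Squid's own code: a small Python model of how the two `http_access` lines quoted in the post would be evaluated once uncommented. It assumes Squid's documented semantics (patterns on one `acl` line are OR'ed, `url_regex` is an unanchored search over the whole URL, the first matching `http_access` line wins, and when no line matches the default is the opposite of the last line). The sample URLs are constructed.

```python
import re

# ACLs as written in the post. Each pattern is an unanchored,
# case-insensitive (-i) regex; several patterns on one line are OR'ed.
# Note that "rgrid" is redundant, since "grid" already matches it.
ACLS = {
    "noview": [re.compile(p, re.I) for p in ("grid", "io", "rgrid")],
    "clienturl": [re.compile(p, re.I) for p in ("clientx",)],
}

# http_access lines in the order given in the post.
RULES = [("deny", "noview"), ("allow", "clienturl")]


def acl_matches(name, url):
    """True if any pattern of the named ACL is found anywhere in the URL."""
    return any(p.search(url) for p in ACLS[name])


def http_access(url):
    """Return (action, matched_by) using first-match-wins evaluation."""
    for action, name in RULES:
        if acl_matches(name, url):
            return action, name
    # No line matched: the default is the opposite of the last line.
    last_action = RULES[-1][0]
    return ("deny" if last_action == "allow" else "allow"), "default"


# Constructed sample URLs (hypothetical paths under the host in the post).
SAMPLES = [
    "http://external.site.ip.com/projects/CLIENTX/foo.html",
    "http://external.site.ip.com/projects/CLIENTX/animation/shot1.html",
    "http://external.site.ip.com/grid/status",
    "http://external.site.ip.com/wiki/index.html",
]

if __name__ == "__main__":
    for url in SAMPLES:
        action, why = http_access(url)
        print(f"{action:5} ({why:9}) {url}")
```

The second sample is denied even though it is a CLIENTX page, because the short pattern `io` matches inside "animation" and the deny line is evaluated first.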