[squid-users] site http://www.domain.cpu.qc.ca work BUT http://domain.cpu.qc.ca DONT WORK

Amos Jeffries squid3 at treenet.co.nz
Tue Oct 20 04:36:59 UTC 2015

On 20/10/2015 6:57 a.m., Sebastien.Boulianne wrote:
> If I replace the "acl cpuwebacl dstdomain www.cpu.qc.ca" by "acl cpuwebacl dstdomain cpu.qc.ca", I got a error 404****

I think I see where the confusion is coming from. We need to teach you
both how dstdomain and proxying works.

* Lets start with dstdomain.

This line: acl cpuwebacl dstdomain cpu.qc.ca

... matches *only* the http://cpu.qc.ca/ requests.

This line: acl cpuwebacl dstdomain www.cpu.qc.ca

... matches *only* the http://www.cpu.qc.ca/ requests.

Because the values in the dstdomain are *exact* domain FQDN.

This line:
  acl cpuwebacl dstdomain .cpu.qc.ca

.. matches any request for cpu.qc.ca *and* for any sub-domain such as
www.cpu.qc.ca, helloworld.cpu.qc.ca, etc.
Because the '.' prefix makes it a wildcard match.

So what you have been doing is switching the ACL from accepting the main
domain FQDN and its www.* subdomain. But not both at once.

* Secondly, proxying.

The purpose of the proxy is to pass on the client request as
transparently as possible. Note that "transparent" here has the literal
meaning of transparency. As in the request received is almost exactly
what gets passed on.

I suspect that TMG did not proxy the requests but interpreted and
translated a request for the main FQDN to www.*, or vice versa. Squid
does not do that. Squid passes the *actual* client request URL to the
origin server and expects that server to be fully aware of the URLs it
is serving up.

If your origin server is broken and cannot handle the real client
requests, there are workarounds. But the best thing is to fix the server
so it will work propery regardless of a proxy being in front. So lets
try that first.

As Anthony mentioned the 404 is coming from the origin. Find out why and
fix it, or if its okay ignore it.


More information about the squid-users mailing list