[squid-users] Routing Internally And/Or Externally?

Eliezer Croitoru eliezer at ngtech.co.il
Wed Apr 20 02:14:02 UTC 2016


Hey There,

In general, what you want is possible, but a couple of things are not clear to me yet.
The config you mentioned has a couple of issues:
##START OF INFO
acl localnetPAC src 192.168.0.0/24                        #resource within my network
acl localnetPAC src internal.resources.com              #resource within my network
acl localnetPAC src internal1.resources.com            #resource within my network
acl localnetPAC src internal2.resources.com            #resource within my network
acl localnetPAC src internal3.resources.com            #resource within my network

acl InboundNet scr 10.24.62.51           #NetScaler
acl OutboundNet scr 10.24.62.51           #NetScaler

http_access allow localnetPAC                     #user will be let thru to the local resources
#InboundNet !localnetPAC allow OutboundNet    
#this is what I WANT to do but isn't working 
#can anyone steer me to the right track?
##END OF INFO

In general, if you want to deny with a redirection you can use deny_info and a custom "shebang" dummy acl.
One example of an implementation can be found in the list archives at:
http://lists.squid-cache.org/pipermail/squid-users/2015-October/006092.html

Squid allows you to customize the "deny" action, and one of the options can be a redirection.
You have used in your example an acl like:
acl localnetPAC src internal3.resources.com            

which uses a domain, but the "src" type acl cannot be used with a domain name and can only be an IP address.
Peek at the acl docs at: http://www.squid-cache.org/Doc/config/acl/
But you have mentioned the bottom line as:
#InboundNet !localnetPAC allow OutboundNet

Which is not clear to me but I will try to be creative with an example:
acl local_network_addresses dst 192.168.0.0/24	#Internal services
acl internal_domains dstdomain internal1.resources.com #Internal domains names
acl internal_domains dstdomain internal2.resources.com  #Internal domains names
acl dummy_match dstdom_regex .		#dummy match all domain regex 
acl InboundNet src 10.24.62.51           #NetScaler source IP (the client's IP is not visible behind the NetScaler)
deny_info 302:http://www.google.com/?%H dummy_match 	#Customized deny_info that will redirect to google with some addition
http_access allow InboundNet internal_domains 	#rule that allows netscaler sources traffic to access internal domains
http_access allow InboundNet local_network_addresses	#rule that allows netscaler sources traffic to access internal ip addresses
http_access deny dummy_match	# rule that should match all traffic and redirect any request to google
##END OF example

I hope the example helps you.
Let me know if it helped you and/or if you need more help, or if I didn't understand the question.

Eliezer

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of nkingsquid
Sent: Tuesday, April 19, 2016 9:19 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Routing Internally And/Or Externally?

I should probably mention that it's important that the request NOT be denied, just redirected if it is not a listed internal resource...



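Added example, not part of the original message and not Squid's own code: a simplified Python model of how the http_access lines in the example config above are evaluated, useful for checking which requests are allowed and which receive the 302 from deny_info before deploying the rules. It assumes the destination IP is supplied by the caller instead of being resolved via DNS, and that deny_info is looked up by the last ACL on the matching deny line.

```python
import ipaddress
import re

# ACLs and rules transcribed from the example in the message; the evaluator is a
# simplified model written for this example, not Squid's implementation.
ACLS = {
    "InboundNet": ("src", ["10.24.62.51"]),
    "internal_domains": ("dstdomain", ["internal1.resources.com",
                                       "internal2.resources.com"]),
    "local_network_addresses": ("dst", ["192.168.0.0/24"]),
    "dummy_match": ("dstdom_regex", ["."]),
}
RULES = [  # http_access lines, in config order
    ("allow", ["InboundNet", "internal_domains"]),
    ("allow", ["InboundNet", "local_network_addresses"]),
    ("deny", ["dummy_match"]),
]
DENY_INFO = {"dummy_match": "302:http://www.google.com/?%H"}

def acl_matches(name, client_ip, host, dst_ip):
    """Values inside one ACL are ORed; a leading '!' negates the ACL."""
    if name.startswith("!"):
        return not acl_matches(name[1:], client_ip, host, dst_ip)
    kind, values = ACLS[name]
    if kind in ("src", "dst"):
        addr = client_ip if kind == "src" else dst_ip
        return addr is not None and any(
            ipaddress.ip_address(addr) in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":  # only a ".example.com" value also covers subdomains
        h = host.lower()
        return any(h == v.lstrip(".") or (v.startswith(".") and h.endswith(v))
                   for v in values)
    if kind == "dstdom_regex":
        return any(re.search(v, host) for v in values)
    raise ValueError(f"unsupported ACL type: {kind}")

def evaluate(client_ip, host, dst_ip=None):
    """First matching http_access line wins; ACLs on one line are ANDed."""
    for action, names in RULES:
        if all(acl_matches(n, client_ip, host, dst_ip) for n in names):
            if action == "allow":
                return ("allow", None)
            info = DENY_INFO.get(names[-1])
            if info is None:
                return ("deny", None)
            status, url = info.split(":", 1)
            return (status, url.replace("%H", host))
    # No line matched: Squid applies the opposite of the last line's action.
    return ("allow", None) if RULES[-1][0] == "deny" else ("deny", None)
```

Because the dstdomain values have no leading dot, a subdomain such as www.internal1.resources.com is not treated as internal and falls through to the redirect.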