Is there a way to configure the Squid proxy server in order to make it select a different parent proxy (specified by the cache_peer directive) based on the hostname in the requested URL, say in the outgoing HTTP(S) request?
For example, if the requested URL contains *.example1.com then select proxy1.host. If it contains *.example2.com and *.example3.com then select proxy2.host.
yes
the directives you'll need are
acl example1 dstdomain example1
acl example2 dstdomain example2
cache_peer proxy1.host parent 3128 0 no-query default
cache_peer proxy2.host parent 3128 0 no-query default
cache_peer_access proxy1.host allow example1
cache_peer_access proxy2.host allow example2
You might also want to know how these directives work
never_direct
always_direct
Related
I would like to rewrite path from the domain prefix. With two cases :
https://prefix.domain.com/path -> https://prefix.domain.com/path/#/prefix
https://prefix.domain.com/path1 -> https://prefix.domain.com/path1/#/prefix/home
I try to rewrite the path with this config. But I can not extract prefix from domain in reqirep. I think that reqrep is only for GET /XXXX HTTP/1.1 string, not full URL.
acl match path_end -i /path
acl match1 path_end -i /path1
use_backend traefik_path if match
use_backend traefik_path1 if match1
default_backend traefik_path
backend traefik_path
reqirep ^([^\ ]*\ /)path \1/path/#/??
balance roundrobin
server traefik 127.0.0.1:8000 check
backend traefik_path1
reqirep ^([^\ ]*\ /)path1 \1/path1/#/??/home
balance roundrobin
server traefik 127.0.0.1:8000 check
This ist my current setup:
Host config:
define host{
use generic-host ; Inherit default values from a template
host_name A+A ; The name we're giving to this host
alias A+A Objektausstattung Router ; A longer name associated with the host
address https://87.139.203.190:444 ; IP address of the host
hostgroups Router ; Host groups this host is associated with
}
Service config:
define service{
use generic-service ; Inherit default values from a template
host_name A+A
service_description HTTP
check_command check_http
}
I´ll get this error from Nagios:
check_icmp: Failed to resolve https://87.139.203.190:444
What am I doing wrong here ?
Nagios tries to resolve to ip-address and port. Try ip-address only.
address https://87.139.203.190 ; IP address of the host
Your host definition should only specify an IP address for the 'address'. The URL is not an attribute of the host, but of the HTTP check your want to perform.
The Service definition specifies the check_command, which is in turn defined in the checkcommands.cfg file. This will specify exactly what command is to be run, possibly using additional parameters passed.
You will probably want to pass the port number as a parameter, and that you are to use HTTPS. How to do this will depend on your settings. For example, you could use this in your checkcommands.cfg:
define command{
command_name check_https
command_line $USER1$/check_http -t 12 -H $HOSTADDRESS$ -f ok --ssl=1 -u "$ARG1$" -p "$ARG2$" -w $ARG3$ -c $ARG4$
}
Then you could configure your service with a checkcommand thus:
check_command check_https!/!444!1!5
This would check for the url http://87.139.203.190:444/, giving a warning if it takes over 1s and a critical if it takes over 5s to complete. TLSv1 would be used (else you might get a false positive on web servers with Poodle protection).
Is it possible to use Squid as reverse proxy with multiple web servers based on a query string that is passed to squid proxy?
This is the example from Squid wiki:
acl foo urlpath_regex ^/foo
cache_peer ip.of.server1 parent 80 0 no-query originserver name=server1
cache_peer_access server1 deny foo
cache_peer ip.of.server2 parent 80 0 no-query originserver name=server2
cache_peer_access server2 allow foo
cache_peer_access server2 deny all
This requires me to setup acls per webserver that I want to have, for example:
acl foo urlpath_regex ^/toserver1
acl foo urlpath_regex ^/toserver2
acl foo urlpath_regex ^/toserver3
etc
I'd like to instead specify the webserver my reverse proxy should forward to using a url parameter. For example:
http://myproxyserver.com/?webserver=server1.com&port=8000
http://myproxyserver.com/?webserver=server2.com&port=8900
etc
Is this possible in Squid?
In amazon ec2, I have 2 instances in a placement group. First node is 172.31.12.76/20, second, 172.31.12.77/20 I can ssh both nodes from my pc. They share the same security group that has got these 2 rules:
Inbound rules:
Type Protocol Port Range Source
SSH TCP 22 0.0.0.0/0
All IMCP All N/A 0.0.0.0/0
(no outbound rules)
Both nodes see to each other in L2:
root#ip-172-31-12-76:~# arp
[...]
ip-172-31-12-77.eu-west ether 0a:ad:5e:e4:12:de C eth0
[...]
root#ip-172-31-12-77:~# arp
[...]
ip-172-31-12-76.eu-west ether 0a:34:a1:17:57:28 C eth0
[...]
iptables are empty on both nodes.
But ping does not work between each other
I have already checked a previous post:
EC2 instances not responding to internal ping
but it does not address the issue. It looks like there are no other similar posts.
Any idea? Thank you very much!
I got the answer; I need to also allow outbound icmp on each host in order to be able to ping both external and internal IPs.
I have a couple of rules defined in HAPROXY
acl want_server_oa path_dir ServerOA
acl serveroa_avail nbsrv(ServerOA) ge 1
use_backend ServerOA if want_server_oa serveroa_avail
acl is_root hdr_dom(host) -i mydomain.com
use_backend domainRoot if is_root
The first 3 rules were setup to route traffic to a certain subdomain
mydomain.com/ServerOA/
And the next 2 rules to route traffic to just
mydomain.com/
This works as expected. However, if I type in
mydomain.com/anypath/
It gives me a tomcat 404. I suspect the second set of rules match and forward traffic to tomcat which then returns a 404.
Based on the documentation, I did try defining some acls for blocking all other paths which didn't quite work (configuration wasn't accepted when starting haproxy).
block unless METH_GET or METH_POST want_server_oa
block unless METH_GET or METH_POST is_root
Any help would be much appreciated.
You must explicitly define the items you allow to be accessible under the root "mydomain.com/" and subfolders then block all others. (Shouldn't be a lot, right?)
acl want_server_oa path_beg /ServerOA
acl allow_html path_reg -i /.*\.html
acl allow_styles path_reg -i /css/.*\.css
block unless METH_GET want_server_oa or METH_POST want_server_oa or METH_GET allow_html or METH_POST allow_html or METH_GET allow_styles or METH_POST allow_styles
Additional note: You can check if your configuration have any errors by using the haproxy -c command. Like so:
haproxy -f /etc/haproxy/haproxy.cfg -c