Develop Reference

Squid conditional selection of parent proxy

Is there a way to configure the Squid proxy server in order to make it select a different parent proxy (specified by the cache_peer directive) based on the hostname in the requested URL, say in the outgoing HTTP(S) request?
For example, if the requested URL contains *.example1.com then select proxy1.host. If it contains *.example2.com and *.example3.com then select proxy2.host.

yes
the directives you'll need are
acl example1 dstdomain example1
acl example2 dstdomain example2
cache_peer proxy1.host parent 3128 0 no-query default
cache_peer proxy2.host parent 3128 0 no-query default
cache_peer_access proxy1.host allow example1
cache_peer_access proxy2.host allow example2
You might also want to know how these directives work
never_direct
always_direct

Restrict access to router VPN client to a single IP address

I have setup openvpn client on a asus router, it is running padavan firmware, which is similar to tomato and other.
The VPN client works, but I would like to limits it's use to one or 2 ips on my LAN (i.e. AppleTV) and all other clients bypass the VPN connection.
The padavan vpn client has a custom script that is executed with the interface goes up and down on tun0 which is the interface.
I have attempted to route the IP address of the client that I want to use, but it does not prevent access via all of the other clients:
#!/bin/sh
### Custom user script
### Called after internal VPN client connected/disconnected to remote VPN server
### $1 - action (up/down)
### $IFNAME - tunnel interface name (e.g. ppp5 or tun0)
### $IPLOCAL - tunnel local IP address
### $IPREMOTE - tunnel remote IP address
### $DNS1 - peer DNS1
### $DNS2 - peer DNS2
# private LAN subnet behind a remote server (example)
peer_lan="192.168.0.130"
peer_msk="255.255.255.253"
### example: add static route to private LAN subnet behind a remote server
func_ipup()
{
# route add -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
# route add -net $peer_lan gw $IPREMOTE dev $IFNAME
route add default dev tun0 table 200
rule add from 192.168.0.130 table 200
return 0
}
func_ipdown()
{
# route del -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
return 0
}
logger -t vpnc-script "$IFNAME $1"
case "$1" in
up)
func_ipup
;;
down)
func_ipdown
;;
esac
I realise that this is very specific to the padavan firmware, but I think that the commands that are executed when it goes up should be universal, and my routing skills are very limited !
Maybe I need to block / allow using ip tables instead?
Any suggestions or help gratefully appreciated !

HAProxy - rewrite path from domain prefix

I would like to rewrite path from the domain prefix. With two cases :
https://prefix.domain.com/path -> https://prefix.domain.com/path/#/prefix
https://prefix.domain.com/path1 -> https://prefix.domain.com/path1/#/prefix/home
I try to rewrite the path with this config. But I can not extract prefix from domain in reqirep. I think that reqrep is only for GET /XXXX HTTP/1.1 string, not full URL.
acl match path_end -i /path
acl match1 path_end -i /path1
use_backend traefik_path if match
use_backend traefik_path1 if match1
default_backend traefik_path
backend traefik_path
reqirep ^([^\ ]*\ /)path \1/path/#/??
balance roundrobin
server traefik 127.0.0.1:8000 check
backend traefik_path1
reqirep ^([^\ ]*\ /)path1 \1/path1/#/??/home
balance roundrobin
server traefik 127.0.0.1:8000 check

amazon ec2, cannot ping internal host

In amazon ec2, I have 2 instances in a placement group. First node is 172.31.12.76/20, second, 172.31.12.77/20 I can ssh both nodes from my pc. They share the same security group that has got these 2 rules:
Inbound rules:
Type Protocol Port Range Source
SSH TCP 22 0.0.0.0/0
All IMCP All N/A 0.0.0.0/0
(no outbound rules)
Both nodes see to each other in L2:
root#ip-172-31-12-76:~# arp
[...]
ip-172-31-12-77.eu-west ether 0a:ad:5e:e4:12:de C eth0
[...]
root#ip-172-31-12-77:~# arp
[...]
ip-172-31-12-76.eu-west ether 0a:34:a1:17:57:28 C eth0
[...]
iptables are empty on both nodes.
But ping does not work between each other
I have already checked a previous post:
EC2 instances not responding to internal ping
but it does not address the issue. It looks like there are no other similar posts.
Any idea? Thank you very much!

I got the answer; I need to also allow outbound icmp on each host in order to be able to ping both external and internal IPs.

Block all other url's in HAPROXY

I have a couple of rules defined in HAPROXY
acl want_server_oa path_dir ServerOA
acl serveroa_avail nbsrv(ServerOA) ge 1
use_backend ServerOA if want_server_oa serveroa_avail
acl is_root hdr_dom(host) -i mydomain.com
use_backend domainRoot if is_root
The first 3 rules were setup to route traffic to a certain subdomain
mydomain.com/ServerOA/
And the next 2 rules to route traffic to just
mydomain.com/
This works as expected. However, if I type in
mydomain.com/anypath/
It gives me a tomcat 404. I suspect the second set of rules match and forward traffic to tomcat which then returns a 404.
Based on the documentation, I did try defining some acls for blocking all other paths which didn't quite work (configuration wasn't accepted when starting haproxy).
block unless METH_GET or METH_POST want_server_oa
block unless METH_GET or METH_POST is_root
Any help would be much appreciated.

You must explicitly define the items you allow to be accessible under the root "mydomain.com/" and subfolders then block all others. (Shouldn't be a lot, right?)
acl want_server_oa path_beg /ServerOA
acl allow_html path_reg -i /.*\.html
acl allow_styles path_reg -i /css/.*\.css
block unless METH_GET want_server_oa or METH_POST want_server_oa or METH_GET allow_html or METH_POST allow_html or METH_GET allow_styles or METH_POST allow_styles
Additional note: You can check if your configuration have any errors by using the haproxy -c command. Like so:
haproxy -f /etc/haproxy/haproxy.cfg -c