How to configure squid to route based on domain

mathewparet · 08-25-2011, 01:48 AM

I have a requirement which I couldnt figure out how to implement.

My server has only 1 IP

SQUID is listening to port 80

Apache is listening to port 8080

I want to configure squid such that:
1)Squid accepts all connections to port 80 (this is working find now)
2)If the request is for abc.com, it should route the page through apache - that is through 8080 (kind of a reverse proxy)
3)If the request is for ANY OTHER domain, squid should work as an open proxy server.

Thanks in advance.

EricTRA · 08-25-2011, 02:25 AM

Hello and Welcome to LinuxQuestions,

If you have your firewall/router set up in a way that all webtraffic gets forwarded to the Squid server, then you can set up Squid as a reverse proxy to redirect traffic on domain name base. I've set it up with a lot of subdomains that way. Below is a part of my squid.conf for reference. Confidential information is 'changed'

Code:

cache_mgr root
#debug_options 61,3 ALL,9
# Basic parameters
visible_hostname www.domain.com
auth_param basic realm Domain Security Portal
error_directory  /usr/share/squid3/errors/English

# This line indicates the server we will be proxying for
#
http_port 192.168.253.20:80 defaultsite=www.domain.com vhost

https_port 192.168.253.20:443 accel cert=/etc/ssl/domain.crt key=/etc/ssl/domain.key defaultsite=www.domain.com vhost protocol=https
forwarded_for on

# And the IP Address for it - adjust the IP and port if necessary

cache_peer 172.X.X.X parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=aut
acl site_aut dstdomain aut.domain.com
cache_peer_access aut allow site_aut
acl https proto https

cache_peer 172.X.X.X parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=autlog
acl site_autlog dstdomain autlog.domain.com
cache_peer_access autlog allow site_autlog
acl https proto https

cache_peer 172.X.X.X parent 7002 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=auti2
acl site_auti2 dstdomain auti2.domain.com
cache_peer_access auti2 allow site_auti2
acl https proto https

cache_peer 172.X.X.X parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=testfinance
acl site_testfinance dstdomain testfinance.domain.com
cache_peer_access testfinance allow site_testfinance
acl https proto https

cache_peer 172.X.X.X parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=testmat
acl site_testmat dstdomain testmat.domain.com
cache_peer_access testmat allow site_testmat
acl https proto https

cache_peer 172.X.X.X parent 7002 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=testmati2
acl site_testmati2 dstdomain testmati2.domain.com
cache_peer_access testmati2 allow site_testmati2
acl https proto https

This is only a part just to indicate how I configured the subdomains and the destination servers for them. It doesn't include any ACLs or access rules. All peers use https with a wildcard certificate.

Hope it helps. Looking forward to your participation in the forums. Have fun with Linux.

Kind regards,

Eric

mathewparet · 08-25-2011, 02:53 AM

Thank you but this is not what I am looking for. Here it works only as a reverse proxy. Please read my question again.

mathewparet · 08-25-2011, 04:25 PM

This is what I want. (Please read the original question first)

Someone types in: abc.com (then squid should route the request to apache running on port 81)

Someone types in yahoo.com (squid should proxy it as a normal web proxy)

Someone types in google.com (squid should proxy it as a normal web proxy)

In EricTRA's example he is using cache_peer for which we will have to hardcode the hostname or ip. However in my requirement it is not possible.

It should work like just any other squid installation (only thing is here it works on port 80) for all domains except abc.com (abc.com has to be redirected to apache with port 81*

EricTRA · 08-26-2011, 12:09 AM

Hi,

Sorry for not understanding your original question the first time. I think you're looking for a redirector. Have a look at this site:
Squid Redirectors

Kind regards,

Eric