What is the regex that is accepted by the reverse proxy rules of squid ?

ricardop · Feb 17, 2016, 11:49 AM

I want to establish rules that redirect
http://servername/dir1/* to machine A
and
everything else to machine B, including http://servername/<anything else="" other="" than="" dir1="">*

Right now the problem that I have is that dir1 urls get load balanced between A and B, which I don't want.
There seems to be now way to say that one rule has higher priority than other, and so far negative match rules (?! don't seem to be accepted.

Is there anyway to address my problem?</anything>

StarkJohan · Oct 20, 2017, 4:01 PM

Did you find a solution to this? Trying to accomplish exactly the same.

I've got working regex's but the problem seems to be that the squid reverse proxy regex input does not accept negative lookahead.

The below regex working as expected for the server that should catch "/cloud", "/cloud/", "/cloud/" and so on.
^https?://(www.)?domain.com/cloud($|/).$

When trying to exclude the above matches from the "catch all" server it gets tricky. The regex below should work but fails when including the negative lookahead (no match at all, clients are just dropped). Without the negative lookahead (?!/cloud($|/)) everything is fine expect that it also matches the above "/cloud" matches. Like you described, the mapping alters between the two servers as both match.
^https?://(www.)?domain.com(?!/cloud($|/)).*$

The log complains but the regex is correct…
ERROR: Skipping regular expression. Compile failed: '^https?://(www.)?domain.com(?!/cloud($|/)).*$'

Is there another way of doing this?
Why isn't the negative lookahead accepted?
It seems like squid does not like negated/negative parts of the regex. Instead a deny/allow approach seems to be used. If this is correct the pfsense GUI would need a possibility to add "negative/deny" regex's as well as the positive we have today.

StarkJohan · Oct 20, 2017, 7:07 PM

I've figured out the problem. It's two parted.

1. The regex library used in this case does not seem to support negative lookaheads like "(?!word)" for some reason. Not sure what library is used, if it's bundled with squid or if a local regex library is used. Maybe something can be done here?

2. It's indeed a allow/deny config. I think the only way to achieve what we're trying to do if problem 1 cannot be solved is to add some functionality to the reverse proxy GUI.

acl rvm_server1 url_regex -i ^https?://(www.)?domain.com.$
acl rvm_server2 url_regex -i ^https?://(www.)?domain.com/cloud($|/).$
cache_peer_access rvp_server1 allow rvm_server1
cache_peer_access rvp_server2 allow rvm_server2
cache_peer_access rvp_server1 deny allsrc
cache_peer_access rvp_server2 deny allsrc
never_direct allow rvm_server1
never_direct allow rvm_server2
http_access allow rvm_server1
http_access allow rvm_server2

Above is an excerpt from my squid.conf as generated by pfsense. Adding a single line at the correct position solves the problem.

cache_peer_access rvp_server1 deny rvm_server2

Adding the line above before the allow line of rvp_server1 and presto. Doing this from the GUI is probably easier to do by adding another url_regex on the same mapping page and denying that instead of cross referencing and I'm doing above.

Does anyone acquainted with the pfsense squid package have any input on this? Maybe the thread should be moved to packages too.