[squid-dev] Alternate origin server selection

Steve Hill steve at opendium.com
Thu Oct 28 13:24:04 UTC 2021


Various online services provide "virtual IPs" to change the way those 
services behave.  An example of this is enforcing Safe Search on Google 
Search:
https://support.google.com/websearch/answer/186669?hl=en

Google recommend setting the network's DNS server to override the normal 
"www.google.com" domain with a replacement RR:
     www.google.com. CNAME forcesafesearch.google.com.

This causes clients making requests to www.google.com to connect to a 
specific IP address and Google will enforce Safe Search for those clients.

However, DNS changes generally affect the entire network and there is a 
requirement to apply this setting to only specific users / machines. 
Overriding DNS also relies on the clients using the correct DNS server 
and not having already cached the record from elsewhere.  It seems a 
good place to do this is in the proxy.

For non-transparently proxied traffic, the client makes a "CONNECT 
www.google.com" request, and the proxy could rewrite this to "CONNECT 
forcesafesearch.google.com" so that the connection goes to the virtual IP.

For transparently proxied traffic, the client makes a connection to 
www.google.com's IP address, which Squid intercepts.  Squid must then 
SSL-peek the request to figure out that it is connecting to 
www.google.com.  The onward connection can then be redirected to the 
virtual IP.

There is code to do this:
   https://github.com/squid-cache/squid/pull/924
This allows an external ACL to record an alt-host note, or an ICAP 
server to return an X-Alt-Host header, specifying a new origin server to 
connect to.

The pull request was rejected, as it adds CVE-2009-0801 vulnerabilities.

I'm hoping for some guidance on the best way to achieve this.

Many thanks.

-- 
- Steve Hill
    Technical Director
    Opendium    Online Safety & Web Filtering     http://www.opendium.com

    Enquiries:   sales at opendium.com     +44-1792-824568
    Support:     support at opendium.com   +44-1792-825748

------------------------------------------------------------------------
Opendium Limited is a company registered in England and Wales.

Company No.:   5465437
Highfield House, 1 Brue Close, Bruton, Somerset, BA10 0HY, England.
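To make the rejection reason above concrete, here is an added illustration (not Squid's code and not the pull request's approach) of the origin-selection decision an intercepting proxy has to make: the host-verification check that CVE-2009-0801 concerns, with the per-user Safe Search substitution drawn only from an administrator-owned table. The DNS answers, the `safe_search_user` flag and the placeholder addresses are constructed assumptions.

```python
"""Illustrative origin-selection logic for an intercepting proxy (added here,
not Squid's code). DNS answers are constructed placeholders, not real records."""
from typing import Dict, List, Optional

# Constructed DNS view using documentation address ranges.
DNS: Dict[str, List[str]] = {
    "www.google.com": ["192.0.2.10", "192.0.2.11"],
    "forcesafesearch.google.com": ["198.51.100.5"],
    "evil.example": ["203.0.113.9"],
}

# Administrator-owned rewrite table: the only substitutions ever applied.
ALT_ORIGIN: Dict[str, str] = {"www.google.com": "forcesafesearch.google.com"}


def canon(name: str) -> str:
    """Normalise a Host/SNI name: lowercase, trailing dot removed."""
    return name.strip().lower().rstrip(".")


def host_verified(server_name: str, intercepted_dst: str) -> bool:
    """The CVE-2009-0801 check: the name the client presented (Host header or
    TLS SNI) must resolve to the address it actually connected to. Otherwise a
    hostile page can open a socket to one site while naming another."""
    return intercepted_dst in DNS.get(canon(server_name), [])


def select_origin(server_name: str, intercepted_dst: Optional[str],
                  safe_search_user: bool) -> Optional[str]:
    """Return the address to forward to, or None to refuse the request.
    intercepted_dst is the original destination of a transparently intercepted
    connection; None means an explicit CONNECT, where the client named the
    host itself and there is nothing to cross-check."""
    name = canon(server_name)
    if intercepted_dst is None:
        answers = DNS.get(name)
        if not answers:
            return None
        dst = answers[0]
    else:
        if not host_verified(name, intercepted_dst):
            return None
        dst = intercepted_dst
    if safe_search_user and name in ALT_ORIGIN:
        # Keyed on the *verified* name and drawn from a fixed table, so the
        # client (or content it carries) cannot steer the proxy elsewhere.
        return DNS[ALT_ORIGIN[name]][0]
    return dst
```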