[squid-users] ssl bump and url_rewrite_program (like squidguard)

Amos Jeffries squid3 at treenet.co.nz
Thu Nov 5 03:26:59 UTC 2015


On 5/11/2015 11:55 a.m., Edouard Gaulué wrote:
> Hi Marcus,
> 
> Well, that's just a URL rewriter program. You can just test it from the
> command line:
> echo "URL" | /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> 
> Before I understood it was possible to specify the redirect code, I got
> this:
> #> echo
> "https://ad.doubleclick.net/N4061/adi/com.ythome/_default;sz=970x250;tile=1;ssl=1;dc_yt=1;kbsg=HPFR151103;kga=-1;kgg=-1;klg=fr;kmyd=ad_creative_1;ytexp=9406852,9408210,9408502,9417689,9419444,9419802,9420440,9420473,9421645,9421711,9422141,9422865,9423510,9423563,9423789;ord=968558538238386?
> - - GET"|/usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> #> OK
> rewrite-url="https://proxyweb.XXXXX.XXXXX/cgi-bin/squidGuard-simple.cgi?clientaddr=-pipo&clientname=&clientuser=&clientgroup=default&targetgroup=unknown&url=https://ad.doubleclick.net/N4061/adi/com.ythome/_default;sz=970x250;tile=1;ssl=1;dc_yt=1;kbsg=HPFR151103;kga=-1;kgg=-1;klg=fr;kmyd=ad_creative_1;ytexp=9406852,9408210,9408502,9417689,9419444,9419802,9420440,9420473,9421645,9421711,9422141,9422865,9423510,9423563,9423789;ord=968558538238386?"
> 
> 
> After a little change in the squidguard.conf, I get:
> #> OK status=302
> url="https://proxyweb.echoppe.lan/cgi-bin/squidGuard-simple.cgi?clientaddr=-pipo&clientname=&clientuser=&clientgroup=default&targetgroup=unknown&url=https://ad.doubleclick.net/N4061/adi/com.ythome/_default;sz=970x250;tile=1;ssl=1;dc_yt=1;kbsg=HPFR151103;kga=-1;kgg=-1;klg=fr;kmyd=ad_creative_1;ytexp=9406852,9408210,9408502,9417689,9419444,9419802,9420440,9420473,9421645,9421711,9422141,9422865,9423510,9423563,9423789;ord=968558538238386?"
> 
> 
> It's not much better handled by my browser, which shows a "can't connect to
> https://ad.doubleclick.net" message. But I don't get the squid message
> anymore regarding http/https.


What Squid version?
 There was a bug about the wrong SNI being sent to servers on bumped
traffic that got re-written. That got fixed in Squid-3.5.7 and
re-writers should have been fully working since then.

Note that CONNECT requests should not be re-written though. We don't
prevent it automatically because it is sometimes actually useful, but SG
cannot handle them correctly.

> 
> It may be that rewrite_rule_program come after peek and splice stuff
> leading squid to an unpredictable situation. Is there a way to play on
> order things happen in squid?

debug_options to raise the amount of output each part of Squid produces
in cache.log.

A list of the sections can be found at
<http://wiki.squid-cache.org/KnowledgeBase/DebugSections> - slightly
outdated, but not much changes with these. Or the latest list in
doc/debug-sections.txt of the Squid sources.

Amos
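
An added example, not part of the original thread: a small Python front end for a url_rewrite_program helper that answers CONNECT itself, so the filter never sees it, and classifies the two reply forms quoted above (`OK rewrite-url=...` versus `OK status=302 url=...`). It assumes Squid's default url_rewrite_extras field order; `fake_filter`, `ads.example` and `block.example` are constructed stand-ins.

```python
#!/usr/bin/env python3
# Added example, not from the thread: front end for a url_rewrite_program helper.
import shlex
import sys


def parse_request(line):
    """Return (channel, url, method) from one helper input line.

    Assumes the default url_rewrite_extras layout:
    [channel-ID] URL client/fqdn user method [key=value ...]
    """
    fields = line.split()
    channel = fields.pop(0) if fields and fields[0].isdigit() else None
    url = fields[0] if fields else ""
    method = fields[3] if len(fields) > 3 else ""
    return channel, url, method


def classify_reply(reply):
    """Return (kind, url); kind is 'redirect', 'rewrite' or 'unchanged'."""
    tokens = shlex.split(reply)  # drops the quotes around url="..."
    if tokens and tokens[0].isdigit():
        tokens.pop(0)  # channel-ID echoed back when concurrency is on
    if not tokens or tokens[0] != "OK":
        return "unchanged", None  # ERR or BH: the request URL is kept
    kv = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    if "url" in kv:
        return "redirect", kv["url"]  # client gets a 30x and re-requests
    if "rewrite-url" in kv:
        return "rewrite", kv["rewrite-url"]  # Squid fetches this URL itself
    return "unchanged", None


def answer(line, backend):
    """Reply to one request; CONNECT gets ERR and never reaches backend."""
    channel, _url, method = parse_request(line)
    if method == "CONNECT":
        return f"{channel} ERR" if channel else "ERR"
    return backend(line)


if __name__ == "__main__":
    # Constructed requests and a constructed stand-in for the real filter.
    def fake_filter(line):
        return 'OK status=302 url="https://block.example/cgi?url=%s"' % line.split()[0]
    for req in ("https://ads.example/x - - GET", "ads.example:443 - - CONNECT"):
        print(req, "->", classify_reply(answer(req, fake_filter)), file=sys.stdout)
```

In squid.conf the same exclusion can be expressed with url_rewrite_access and an acl matching the CONNECT method, which keeps those requests away from the helper entirely.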


