[squid-users] v4.2 url_rewrite Uri.cc line 371 bad URL parsing on SSL

Amos Jeffries squid3 at treenet.co.nz
Thu Aug 16 01:50:30 UTC 2018

On 16/08/18 11:58, David Touzeau wrote:
> Hi,
> I have written my own url_rewrite helper
> On SSL sites, the helper answering a redirect to a remote denied php  page.

No your helper *rewrite* the URL without changing any other properties
of the request message. This can be seen clearly in the use of
"rewrite-url=" instead of "url=".

The difference is important when it comes to the type of message being

> With HTTP, no issue but on SSL there is a different behavior
> My helper return
> rewrite-url=
> but according to debug, the Uri.cc understand : host='https',
> port='443', path=''
> In this case, squid try to connect to an https machine name and return
> bad 503
> Did i miss something ???

Look at the input received by the helper. HTTPS uses CONNECT requests.
Those messages have authority-form URI not URLs. The above behaviour is
what happens when your helpers response is interpreted according to
authority-form syntax.


You can prevent the SSL-Bump CONNECT messages being sent to the
re-writer with:
  url_rewrite_access deny CONNECT

 you can try to do a proper redirect by having the helper send:
  OK status=302 url=...

The latter *might* work. Depending on whether the client handles
redirection on CONNECT requests. Browsers don't support anything other
than 200 status. Other clients have a mix of behaviours so its somewhat


More information about the squid-users mailing list