[squid-users] v4.2 url_rewrite Uri.cc line 371 bad URL parsing on SSL
Amos Jeffries
squid3 at treenet.co.nz
Thu Aug 16 01:50:30 UTC 2018
On 16/08/18 11:58, David Touzeau wrote:
> Hi,
>
>
>
> I have written my own url_rewrite helper
>
>
>
> On SSL sites, the helper answers with a redirect to a remote denied PHP page.
>

No, your helper *rewrites* the URL without changing any other properties
of the request message. This can be seen clearly in the use of
"rewrite-url=" instead of "url=".

The difference is important when it comes to the type of message being
processed.

>
> With HTTP there is no issue, but on SSL there is a different behavior
>
> My helper returns
>
> rewrite-url= https://192.168.1.122:443/myguard.php?rule-id=0&....
>
> but according to debug, the Uri.cc understands: host='https',
> port='443', path=''
>
> In this case, Squid tries to connect to an https machine name and returns
> a bad 503
>
>
...
>
> Did I miss something?
>

Look at the input received by the helper. HTTPS uses CONNECT requests.
Those messages have authority-form URIs, not URLs. The above behaviour is
what happens when your helper's response is interpreted according to
authority-form syntax.
<https://tools.ietf.org/html/rfc7230#section-5.3.3>

You can prevent the SSL-Bump CONNECT messages being sent to the
re-writer with:

  url_rewrite_access deny CONNECT

OR,

you can try to do a proper redirect by having the helper send:

  OK status=302 url=...

The latter *might* work, depending on whether the client handles
redirection on CONNECT requests. Browsers don't support anything other
than 200 status. Other clients have a mix of behaviours, so it's somewhat
unreliable.

Amos
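
The following helper sketch illustrates the reply above; it is an added example, not code from the original thread or from the Squid project. It assumes the default url_rewrite_extras field order (URL, client, ident, method, ...) and no helper concurrency (no channel-ID prefix); BLOCK_URL and BLOCKED_HOSTS are hypothetical placeholders. CONNECT requests are left untouched, and other requests get a real redirect via "url=" rather than "rewrite-url=".

```python
#!/usr/bin/env python3
"""Squid url_rewrite helper sketch: redirect plain requests, skip CONNECT."""
import sys
from urllib.parse import urlsplit

BLOCK_URL = "http://blockpage.example/denied"  # hypothetical placeholder
BLOCKED_HOSTS = {"blocked.example"}            # constructed sample policy


def respond(line):
    """Return the helper reply for one request line received from Squid."""
    fields = line.split()
    if not fields:
        return 'BH message="empty request line"'
    target = fields[0]
    # With the default extras the request method is the fourth field.
    method = fields[3] if len(fields) > 3 else ""
    # CONNECT carries an authority-form target (host:port), not a URL.
    # A full URL sent back for it is parsed as authority-form, which
    # is the host='https' symptom described in the thread. Leave unchanged.
    if method == "CONNECT" or "://" not in target:
        return "ERR"
    try:
        host = urlsplit(target).hostname or ""
    except ValueError:
        return 'BH message="unparsable URL"'
    if host in BLOCKED_HOSTS:
        # A redirect changes the response sent to the client; it does not
        # rewrite the request target in place.
        return 'OK status=302 url="%s"' % BLOCK_URL
    return "ERR"  # ERR means: no change to this request


def main():
    for line in sys.stdin:
        sys.stdout.write(respond(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply line


if __name__ == "__main__":
    main()
```
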