[squid-users] v4.2 url_rewrite Uri.cc line 371 bad URL parsing on SSL

David Touzeau david at articatech.com
Thu Aug 16 07:34:47 UTC 2018

Thanks Amos for details.

Working like a charm now.

Instead of sending 

Helper sends 

" url_rewrite_access deny CONNECT" is not a solution because, everything using SSL today ( thanks to Google that wants to encrypt all the Net and make proxies/Firewall/ICAP unusable )  and many Porn/Malwares/Hacking/Hacked websites using SSL.

-----Message d'origine-----
De : squid-users <squid-users-bounces at lists.squid-cache.org> De la part de Amos Jeffries
Envoyé : jeudi 16 août 2018 03:51
À : squid-users at lists.squid-cache.org
Objet : Re: [squid-users] v4.2 url_rewrite Uri.cc line 371 bad URL parsing on SSL

On 16/08/18 11:58, David Touzeau wrote:
> Hi,
> I have written my own url_rewrite helper
> On SSL sites, the helper answering a redirect to a remote denied php  page.

No your helper *rewrite* the URL without changing any other properties of the request message. This can be seen clearly in the use of "rewrite-url=" instead of "url=".

The difference is important when it comes to the type of message being processed.

> With HTTP, no issue but on SSL there is a different behavior
> My helper return
> rewrite-url=
> but according to debug, the Uri.cc understand : host='https', 
> port='443', path=''
> In this case, squid try to connect to an https machine name and return 
> bad 503
> Did i miss something ???

Look at the input received by the helper. HTTPS uses CONNECT requests.
Those messages have authority-form URI not URLs. The above behaviour is what happens when your helpers response is interpreted according to authority-form syntax.


You can prevent the SSL-Bump CONNECT messages being sent to the re-writer with:
  url_rewrite_access deny CONNECT

 you can try to do a proper redirect by having the helper send:
  OK status=302 url=...

The latter *might* work. Depending on whether the client handles redirection on CONNECT requests. Browsers don't support anything other than 200 status. Other clients have a mix of behaviours so its somewhat unreliable.

squid-users mailing list
squid-users at lists.squid-cache.org

More information about the squid-users mailing list