[squid-users] deny_info and squid's own IP address?

Amos Jeffries squid3 at treenet.co.nz
Tue May 1 03:40:13 UTC 2018


On 01/05/18 00:54, Amish wrote:
> Hello
> 
> I have 2 LAN interfaces on the squid box, say department A (192.168.1.1/24)
> and department B (192.168.2.1/24)
> 
> I have a few banned sites. Say Facebook.
> 
> I have an HTTP server (running on the same server as squid) which shows
> custom pages with a custom logo based on IP address.
> 
> When a request comes for a banned site I would like the client to be
> redirected based on squid's own IP.

Firstly, is there any particular reason you are requiring it to be a
redirect?
From what you have said it appears you can achieve the same outcome
without the extra web server by using a custom error page.

> 
> Something like this:
> 
> acl blockedsites url_regex facebook
> http_access deny blockedsites
> deny_info http://SQUID-IP/banned.html blockedsites
> 
> I need SQUID-IP to be replaced by 192.168.1.1 or 192.168.2.1 depending
> on the IP on which the connection came in.
> 

Secondly, I think you are probably looking at this from the wrong
direction. With the topology you have described each of these "Squid
IPs" is actually just the IP facing a certain client subnet. So the
client subnet is what you want to be detecting, not the specific Squid IP.


Thirdly, on the issue of %h - the Squid hostname is *required* to
resolve in DNS explicitly so clients can access things like these URLs.
If your network and DNS are configured correctly each client subnet
should resolve that hostname to the relevant IP which you are trying to
"pass" to the web server in your redirect URL. So they will naturally
(and only) connect to the web server (or Squid itself) using the right
IP anyway - the web server should be able to detect what it needs from
its own inbound TCP/IP connection instead of using raw-IPs in the traffic.


There are three options available to work around broken DNS:


Option 1) to do exactly (and only) what you asked for.

Currently this can be done with an external helper:

 external_acl_type getIp concurrency=100 %MYADDR /path/to/script
 deny_info 302:http://%o/banned.html getIp

where the script just echoes back to Squid the IP it was given like so:
    [channel-id] OK message="<input-IP>"\n


Option 2) to use the client IP and have your web server respond based on
those subnets instead of Squid IP.

 acl clients1 src 192.168.1.0/24
 deny_info 302:http://%h/banned.html?%i clients1
 http_access deny blockedsites clients1

 acl clients2 src 192.168.2.0/24
 deny_info 302:http://%h/banned.html?%i clients2
 http_access deny blockedsites clients2


** If you really *have* to use Squid-IP, this can work with localip ACL
type instead of src. But then you have to bake each Squid-IP variation
into the deny_info URL instead of using %i.



Option 3) to use a custom error page instead of a redirect.

Place your banned.html page into /etc/squid/banned.html and either a)
write it with JavaScript that pulls in the right images/branding based
on client IPs.

  deny_info 403:/etc/squid/banned.html blockedsites

** Like (2) above this can use Squid-IP (via localip ACL type) if you
really have to. But with the same limitation of using different files
for branding instead of javascript for dynamic sub-resource/image fetching.


Amos
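As an added example (not Amos's code, not shipped with Squid), here is a minimal helper for Option 1 above: a Squid external ACL helper that echoes back the %MYADDR value it receives so that the helper's message= reply can be substituted into the deny_info redirect URL via the %o error-page code. The acl name getIp, the script path and the http_access line in the comment are assumptions chosen to match the thread; with concurrency=100 Squid prefixes every request line with a channel id, which the helper must return unchanged. The helper refuses anything that is not an IP literal so a malformed value is never spliced into a redirect URL, and it flushes stdout after each reply because Squid waits for each answer.

```python
#!/usr/bin/env python3
"""Squid external ACL helper that echoes the local (listening) IP back.

Assumed squid.conf fragment (names and path are examples, not defaults):

    external_acl_type getIp concurrency=100 %MYADDR /usr/local/bin/echo_myaddr.py
    acl blockedsites url_regex facebook
    http_access deny blockedsites getIp
    deny_info 302:http://%o/banned.html getIp

Request lines arrive as "<channel-id> <MYADDR>"; replies must be
"<channel-id> OK message=\"<ip>\"" and the message value is what %o expands to.
"""
import ipaddress
import sys


def handle_line(line: str) -> str:
    """Turn one request line from Squid into one reply line (no newline)."""
    fields = line.strip().split()
    if not fields:
        # BH ("broken helper") tells Squid the request could not be handled.
        return 'BH message="empty request line"'
    if len(fields) >= 2:
        channel, addr = fields[0], fields[1]
        prefix = channel + " "
    else:
        # Without concurrency= Squid sends no channel id, only the address.
        addr, prefix = fields[0], ""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Not an IP literal: deny the match rather than echo arbitrary text
        # into a URL that a browser will follow.
        return prefix + 'ERR message="invalid address"'
    # IPv6 literals need brackets to be usable as a URL host.
    host = f"[{ip.compressed}]" if ip.version == 6 else str(ip)
    return prefix + f'OK message="{host}"'


def main() -> None:
    # One request per line on stdin, one reply per line on stdout.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply; never leave it buffered


if __name__ == "__main__":
    main()
```

Run it by pointing external_acl_type at the script as in the docstring; each connection that arrived on 192.168.1.1 is then redirected to http://192.168.1.1/banned.html, and one arriving on 192.168.2.1 to http://192.168.2.1/banned.html, without the subnet or IP being baked into the deny_info line.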

