[squid-users] redirect based on url (302)

Eliezer Croitoru eliezer at ngtech.co.il
Sat Oct 6 19:41:03 UTC 2018


Amos,

Would an ICAP service that sits on the RESPMOD vector be a better 
solution than opening a new session?

Thanks,
Eliezer

On 2018-09-24 12:30, Amos Jeffries wrote:
> On 24/09/18 6:38 PM, uppsalanet wrote:
>> Hi Amos,
>> Today I have a conf like this:
>> ....
> >> acl LIB_domains dstdomain .almedalsbiblioteket.se .alvin-portal.org .bibliotekuppsala.se
> >> http_access allow LIB_domains
>> ....
>> 
>> Now I also need to open for *.browzine.com*. The problem with
> >> *.browzine.com* is that it is a portal with many links to other sites. So I
> >> basically need to open up and maintain 400 sites in a squid ACL.
>> 
>> I would like to take another approach then (but I don't know if it's
>> possible):
> >> I know that browzine.com will reply 302 when trying to access a link on
> >> their site. *So I would like to accept all redirect (302) sites from
> >> browzine.com*.
> 
> Aha, that is clearer. Thank you.
> 
> I think you can possibly achieve this, but *only* because of those 302
> existing. If the site were just a collection of links it would be very
> much more difficult.
> 
> 
> What I am thinking of is to use a custom external ACL script that
> creates a temporary browsing session for a client when the 302 arrives
> then the SQL session helper to allow matching traffic through for the
> followup request from that client.
> 
> You will need a database with a table created like this:
> 
>  CREATE TABLE sessions (
>    id VARCHAR(256) NOT NULL PRIMARY KEY,
>    enabled DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
>  );
> 
> You need to write a script which receives an IP and a URL from Squid,
> extracts the domain name from the URL, then adds a string "$ip $domain"
> to that table as the id column, then returns the "OK" result to Squid.
> 
> The page at
> <http://www.squid-cache.org/Versions/v4/manuals/ext_sql_session_acl.html>
> has details of the SQL session helper that uses that table to check for
> whitelisted domains.
> 
> 
> Your config would look like:
> 
>  acl 302 http_status 302
>  acl browzine dstdomain .browzine.com
> 
>  external_acl_type whitelist_add %SRC %{Location} \
>   /path/to/whitelist_script
> 
>  acl add_to_whitelist external whitelist_add
> 
>  http_reply_access allow browzine 302 add_to_whitelist
>  http_reply_access allow all
> 
> 
>  external_acl_type whitelist ttl=60 %SRC %DST \
>    /usr/lib/squid/ext_session_db_acl \
>    --dsn ... --user ... --password ... \
>    --table sessions --cond ""
> 
>  acl whitelisted external whitelist
>  http_access allow whitelisted
> 
> 
> To have sessions expire simply remove them from the database table.
> Squid will start rejecting traffic there within 60 seconds of the removal.
> 
> HTH
> Amos

-- 
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
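
[Added example, not part of the thread and not code from Amos or the Squid project.] A sketch of the whitelist script described in the quoted message: it reads one "IP URL" line per lookup, validates both fields, stores "$ip $domain" as the session id and answers OK or ERR. Assumptions: SQLite stands in for the database behind --dsn, DB_PATH is a hypothetical path, and the helper input is URL-escaped by Squid.

```python
"""Added example: whitelist helper for the sessions table quoted above."""
import ipaddress
import re
import sqlite3
import sys
from urllib.parse import unquote, urlsplit

# Assumption: SQLite stands in for the database the session helper's --dsn uses.
DB_PATH = "/var/lib/squid/sessions.db"  # hypothetical path
# DNS names only: IP literals and malformed hosts are never whitelisted.
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+"
                     r"[a-z][a-z0-9-]{0,61}[a-z0-9]$")


def session_id(line):
    """Turn one 'IP URL' helper line into the 'ip domain' id, or None."""
    fields = line.split()
    if len(fields) != 2:
        return None
    try:
        ip = ipaddress.ip_address(fields[0])
        url = urlsplit(unquote(fields[1]))  # assumption: input is URL-escaped
        host = (url.hostname or "").lower().rstrip(".")
    except ValueError:
        return None
    if url.scheme not in ("http", "https") or not HOST_RE.match(host):
        return None  # relative redirect, missing header ("-"), odd scheme
    return f"{ip} {host}"


def handle(conn, line):
    """Store the session row and return the reply line for Squid."""
    sid = session_id(line)
    if sid is None:
        return "ERR"
    with conn:  # commits on success; bound parameter, no string-built SQL
        conn.execute("INSERT OR REPLACE INTO sessions (id) VALUES (?)", (sid,))
    return "OK"


def main():
    conn = sqlite3.connect(DB_PATH)
    conn.execute("CREATE TABLE IF NOT EXISTS sessions (id VARCHAR(256) NOT NULL "
                 "PRIMARY KEY, enabled DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP)")
    for line in sys.stdin:  # one lookup per input line, one reply per line
        print(handle(conn, line), flush=True)


if __name__ == "__main__":
    main()
```

Replacing an existing row refreshes its `enabled` timestamp, so a cleanup job can expire sessions by age.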

