[squid-users] redirect based on url (302)

Amos Jeffries squid3 at treenet.co.nz
Mon Sep 24 09:30:39 UTC 2018


On 24/09/18 6:38 PM, uppsalanet wrote:
> Hi Amos,
> Today I have a conf like this:
> ....
> acl *LIB_domains* dstdomain .almedalsbiblioteket.se .alvin-portal.org
> .bibliotekuppsala.se
> http_access allow *LIB_domains*
> ....
> 
> Now I also need to open for *.browzine.com*. The problem with
> *.browzine.com* is that it is a portal with many links to other sites. So I
> basically need to open up and maintain 400 sites in a squid ACL.
> 
> I would like to take another approach then (but I don't know if it's
> possible):
> I know that browzine.com will reply 302 when trying to access a link on
> their site. *So I would like to accept all redirect (302) sites from
> browzine.com*. 

Aha, that is clearer. Thank you.

I think you can possibly achieve this, but *only* because of those 302
existing. If the site were just a collection of links it would be very
much more difficult.


What I am thinking of is to use a custom external ACL script that
creates a temporary browsing session for a client when the 302 arrives,
then the SQL session helper to allow matching traffic through for the
follow-up request from that client.

You will need a database with a table created like this:

 CREATE TABLE sessions (
   id VARCHAR(256) NOT NULL PRIMARY KEY,
   enabled DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
 );

You need to write a script which receives an IP and a URL from Squid,
extracts the domain name from the URL, then adds a string "$ip $domain"
to that table as the id column, then returns the "OK" result to Squid.

The page at
<http://www.squid-cache.org/Versions/v4/manuals/ext_sql_session_acl.html> has
details of the SQL session helper that uses that table to check for
whitelisted domains.


Your config would look like:

 acl 302 http_status 302
 acl browzine dstdomain .browzine.com

 external_acl_type whitelist_add %SRC %{Location} \
  /path/to/whitelist_script

 acl add_to_whitelist external whitelist_add

 http_reply_access allow browzine 302 add_to_whitelist
 http_reply_access allow all


 external_acl_type whitelist ttl=60 %SRC %DST \
   /usr/lib/squid/ext_sql_session_acl \
   --dsn ... --user ... --password ... \
   --table sessions --cond ""

 acl whitelisted external whitelist
 http_access allow whitelisted


To have sessions expire simply remove them from the database table.
Squid will start rejecting traffic there within 60 seconds of the removal.

HTH
Amos
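
A sketch of the whitelist script described in the message above, added here as an example and not part of Amos's post or of Squid. It assumes SQLite stands in for the database behind the DSN, that Squid sends one URL-escaped "ip location" line per request (concurrency=0), and the path and the function names are hypothetical.

```python
#!/usr/bin/env python3
import sqlite3
import sys
from urllib.parse import unquote, urlsplit

DB_PATH = "/var/lib/squid/sessions.db"  # assumed location, not from the post

def open_db(path):
    """Open the session store; SQLite stands in for the DSN database."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sessions ("
               "id VARCHAR(256) NOT NULL PRIMARY KEY, "
               "enabled DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP)")
    return db

def session_id(line):
    """Map a helper input line '<ip> <Location>' to the id '<ip> <domain>'.
    Returns None when no absolute http(s) URL with a host is present."""
    parts = line.split()
    if len(parts) != 2:
        return None
    ip, location = parts[0], unquote(parts[1])  # assumes URL-escaped input
    try:
        url = urlsplit(location)
        host = (url.hostname or "").rstrip(".")
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if url.scheme not in ("http", "https") or not host:
        return None  # relative redirect or other scheme: nothing to add
    return f"{ip} {host}"

def handle(db, line):
    """Store the session row and return the reply line for Squid."""
    sid = session_id(line)
    if sid is None:
        return "ERR"
    # Bound parameter: the Location value is remote-controlled input.
    db.execute("INSERT OR REPLACE INTO sessions (id) VALUES (?)", (sid,))
    db.commit()
    return "OK"

if __name__ == "__main__":
    store = open_db(DB_PATH)
    for request in sys.stdin:  # one request per line, concurrency=0
        print(handle(store, request), flush=True)
```

When the script answers ERR the reply still matches the later `http_reply_access allow all` line, so the redirect is delivered but no session row is created.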

