[squid-users] redirecting one url to another

Amos Jeffries squid3 at treenet.co.nz
Fri Feb 8 02:08:37 UTC 2019


On 8/02/19 4:55 am, Walid A. Shaari wrote:
> On Thu, 7 Feb 2019 at 15:24, Amos Jeffries wrote:
> 
>     On 8/02/19 12:28 am, Walid A. Shaari wrote:
>     > Greetings,
>     >
>     > due to architectural or workflow issue, I would like to utilize squid to
>     > redirect one url to another.
>     >
>     > e.g.  bing.com to google.com 
>     > however, keep the parameters, is that doable?
>     >
> 
>     There are two problems;
> 
>     First is that those services no longer use HTTP. So you will need to
>     decrypt the HTTPS to get any access to the URLs.
> 
> 
> that's doable correct via bump and splice?

SSL-Bump is the feature for decrypting, yes.

> 
>  Second is that they are different services by different organizations.
> 
>     So the parameters have different meanings. Retaining them can cause more
>     problems than it solves.
> 
> 
> in my case actually it is the same, it is an issue DNS whitelisting at
> work. as when a cname resolution happens it happens at the proxy end not
> the host end, does that make any sense?

Not really. Are you saying that when your users request DNS entries for
bing.com your DNS server hands them the IPs for google.com ?



> so for example
> 
> dc.services.visualstudio.com
> requested is actually a CNAME for dc.applicationinsights.microsoft.com

CNAME is irrelevant unless your DNS resolver is broken. In that case the
only way to get things to work is to fix the resolver, or use a
different one.


> 
> I always thought DNS resolution happens first, then that is passed to
> the proxy server,

Not always. Only for intercepted and reverse-proxy traffic - the client
thinks it is talking directly to an origin server so it has to do its
own DNS lookups to find that origin.

With Forward/explicit proxy the client only has to look up the proxy IP
and send requests there. The proxy performs origin server lookups and
selection on behalf of the client.


> in my case from tcpdump, I believe the http payload
> host is the one that gets resolved by the proxy,

Proxy always resolves the DNS records. Different HTTP traffic modes use
it for different things. Access controls may also need DNS resolution
for things.

[ Assuming here that by "payload host" you mean Origin Server. All HTTP
agents produce payloads. ]


> and if the proxy has a
> web gateway in front of it, this is where the whitelisting/black listing
> happens before any name resolution/alias are resolved. am I right?

No. A web gateway is just another proxy. Access control can and does
happen at each hop. What each proxy does is up to their admins' config
choices and traffic types.


> I
> appreciate any good resources on how and where name resolution happens
> when proxies, load balancers and web gateways are involved

Each agent which needs DNS resolution for anything does its own resolution.

What DNS is used for depends on what each agent does. It is very tricky
to give certainties about specific actions when only describing the
general role types.

Many of your questions may be resolved by reading sections 2.1 to 2.3 of
the HTTP/1.1 specification
(<https://tools.ietf.org/html/rfc7230#section-2.1>).

Amos
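
As an added illustration (not part of the original message, and not Squid's code): a simplified Python model of which host name each RFC 7230 request-target form hands to a proxy, and what a name-based allowlist is then compared against. The allowlist syntax, the function names and the sample requests are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

def _host(authority):
    """Lower-cased host part of 'host[:port]' (None if empty)."""
    return urlsplit("//" + authority).hostname if authority else None

def requested_host(request_line, host_header=None):
    """Return (request-target form, host name) as the receiving proxy sees it."""
    method, target, _version = request_line.split()
    if method == "CONNECT":
        # authority-form: explicit proxy asked to tunnel (HTTPS) to host:port
        return "authority-form", _host(target)
    if "://" in target:
        # absolute-form: explicit (forward) proxy request, the full URL is sent
        return "absolute-form", urlsplit(target).hostname
    # origin-form: what an origin server, reverse proxy or interceptor receives;
    # the name is only available from the Host header
    return "origin-form", _host(host_header)

def allowed(host, allowlist):
    """Name-based check: '.example.com' matches the domain and its subdomains."""
    if not host:
        return False
    host = host.rstrip(".")
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

if __name__ == "__main__":
    # Constructed sample requests (the /v2/track path is made up).
    samples = [
        ("CONNECT dc.services.visualstudio.com:443 HTTP/1.1", None),
        ("GET http://dc.services.visualstudio.com/v2/track HTTP/1.1", None),
        ("GET /v2/track HTTP/1.1", "dc.services.visualstudio.com"),
    ]
    for line, host_hdr in samples:
        form, host = requested_host(line, host_hdr)
        print(form, host,
              "by-requested-name:", allowed(host, [".visualstudio.com"]),
              "by-cname-target:", allowed(host, [".applicationinsights.microsoft.com"]))
```

In all three forms the request carries the name the client asked for; the CNAME target only shows up inside the DNS answer obtained by whichever agent performs the lookup.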

