[squid-users] Squid and url modifying

Mon Mar 4 16:23:49 UTC 2019

On 3/4/19 12:53 AM, Egoitz Aurrekoetxea wrote:

> My idea is simple. I wanted specific url, to be filtered through the
> proxy. How can I manage this URL to be checked by the proxy?.

To answer your questions correctly, we need to translate the vague
description above into one of the many Squid configurations that may
match that vague description. In hope to do that, I am asking these two
basic questions:

1. Do clients/browsers request
https://oooeeee.eeee.ttt.thesquidserver.org/... URLs? Or do they request
https://oooeeee.eeee.ttt/... URLs?

For the purpose of the next question, lets assume that the answer to the
above question is: "Clients request https://publicDomain/... URLs"
(where "publicDomain" is one of the two domains mentioned in that
question). Let's further assume that when clients do a DNS lookup for
publicDomain they get a publicIp IP address back.

2. Does your Squid listen on port 443 of publicIp?

Alex.

> I assumed,
> I could modify the real and original content where urls appeared by
> setting for instance :
> 
> 
> - Being the real url : https://oooeeee.eeee.ttt/u?ii=99&j=88
> <https://oooeeee.eeee.ttt.thesquidserver.org/u?ii=99&j=88>
> 
> - I would rewrite in the own content the URL so that  the new URL is now
> : https://oooeeee.eeee.ttt.thesquidserver.org/u?ii=99&j=88
> 
> The domain thesquidserver.org
> <https://oooeeee.eeee.ttt.thesquidserver.org/u?ii=99&j=88> will be used
> for doing wilcards. For instance : *.thesquidserver.org
> *.*.thesquidserver.org etc... will resolve to the ip of the Squid
> server. But I don't want any url being asked as
> whatever.thesquidserver.org to be checked... just those ones I have
> wrote in some place...
> 
> 
> So I was trying to write some content managing script, which should
> check if that URL is needed to be checked and in case it should, check
> it against an icap service. If Icap service gives you all to be right,
> redirect you to the real site (just removing the thesquidserver.org for
> the URL for instance). If that URL contains malware for instance, give
> you an error page.
> 
> 
> This is all what I was trying to do... Some time ago, I used Squid with
> Dansguardian for this kind of purposes, but now I wanted to do something
> slightly different. I wanted to pass a request (if should be passed) to
> an icap service and later depeding in the result of that ICAP service
> (which I don't really know how could I check with an script) redirect to
> the real site or give an error page.
> 
> 
> For this purpose is perhaps the reason because url redirector programs
> exist?. I'm trying to see the entire puzzle :)

> El 2019-03-02 23:21, Alex Rousskov escribió:
> 
>> On 3/1/19 5:59 AM, Egoitz Aurrekoetxea wrote:
>>
>>> Is it possible for Squid to do something like :
>>
>>> - Receive request :
>>> https://oooeeee.eeee.ttt.thesquidserver.org/u?ii=99&j=88
>>
>>> and
>>
>>> to really perform a request as : https://oooeeee.eeee.ttt/u?ii=99&j=88
>>
>> How does your Squid receive the former request? Amos' answer probably
>> assumes that your Squid is _not_ oooeeee.eeee.ttt.thesquidserver.org,
>> but the name you have chosen for your example may imply that it is.
>>
>> * If your Squid is _intercepting_ traffic destined for the real
>> oooeeee.eeee.ttt.thesquidserver.org, then see Amos' answer.
>>
>> * If your Squid is representing oooeeee.eeee.ttt.thesquidserver.org,
>> then your Squid is a reverse proxy that ought to have the certificate
>> key for that domain, and none of the SslBump problems that Amos
>> mentioned apply.
>>
>> Please clarify what your use case is.
>>
>> Alex.
>>
>>
>>
>>> I mean not to redirect users with url redirection. Just act as a proxy
>>> but having Squid the proper acknoledge internally for being able to make
>>> the proper request to the destination?. Is it possible without
>>> redirecting url, to return for instance a 403 error to the source web
>>> browser in order to not be able to access to the site if some kind of
>>> circumstances are given?.
>>>
>>>
>>> If the last config, was not possible... perhaps I needed to just to
>>> redirect forcibly?. I have read for that purpose you can use URL
>>> redirectors.... so I assume the concept is :
>>>
>>>
>>> - Receive request :
>>> https://oooeeee.eeee.ttt.thesquidserver.org/u?ii=99&j=88
>>>
>>>
>>> and
>>>
>>>
>>> to really perform a request as : https://oooeeee.eeee.ttt/u?ii=99&j=88
>>> <https://oooeeee.eeee.ttt.thesquidserver.org/u?ii=99&j=88>
>>>
>>>
>>> If all conditions for allowing to see the content are OK, return the web
>>> browser a 301 redirect answer with the
>>> https://oooeeee.eeee.ttt/u?ii=99&j=88
>>> <https://oooeeee.eeee.ttt.thesquidserver.org/u?ii=99&j=88> URL. Else,
>>> just return a 403 or redirect you to a Forbidden page... I think this
>>> could be implemented with URL redirectors...but... the fact is... which
>>> kind of conditions or env situations can you use for validating the
>>> content inside the url redirector?.
>>>
>>>
>>>
>>> Thanks a lot for your time :)
>>>
>>>
>>> Cheers!
>>>
>>>
>>>
>>>
>>> -- 
>>> sarenet
>>> *Egoitz Aurrekoetxea*
>>> Dpto. de sistemas
>>> 944 209 470
>>> Parque Tecnológico. Edificio 103
>>> 48170 Zamudio (Bizkaia)
>>> egoitz at sarenet.es <mailto:egoitz at sarenet.es>
>>> <mailto:egoitz at sarenet.es <mailto:egoitz at sarenet.es>>
>>> www.sarenet.es <http://www.sarenet.es> <http://www.sarenet.es>
>>>
>>> Antes de imprimir este correo electrónico piense si es necesario hacerlo.
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> <mailto:squid-users at lists.squid-cache.org>
>>> http://lists.squid-cache.org/listinfo/squid-users
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> <mailto:squid-users at lists.squid-cache.org>
>> http://lists.squid-cache.org/listinfo/squid-users
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 