[squid-users] Squid and url modifying

Egoitz Aurrekoetxea egoitz at sarenet.es
Mon Mar 4 18:20:25 UTC 2019


Hi Alex, 

I'm so sorry... have tried explaining the best I could... sorry.... 

Clients, will ask : 

https://oooeeee.eeee.ttt.thesquidserver.org/ 

but redirector if site is virus free (checked with an icap daemon)
should return a 302 to https://oooeeee.eeee.ttt/ [2] 

For the second question, I say I have DNAT rules, for being able to
redirect tcp/80 and tcp/443 to squid's port silently. So the answer I
assume should be yes. 

I'll try to say again, what I'm trying to do. 

I wanted to setup a proxy machine which I wanted to be able to receive
url like : 

- www.iou.net.theproxy.com/hj.php?ui=9 [3] 

If this site returns clean content (scanned by Icap server) the url
redirector should return : 

- www.iou.net/hj.php?ui=9 [4] (the real url) as URL. 

I'm using this config https://pastebin.com/raw/mP73fame and this
redirector code https://pastebin.com/p6Usmq75 

So I would say my questions are : 

- Is it possible with Squid to achieve my goal? With Squid, a
redirector, and an Icap daemon which performs virus scanning... 

- For plain http the config and the URL seem to be working BUT the viruses
are not being scanned. Could the config be adjusted for that? 

Cheers! 

---

EGOITZ AURREKOETXEA 
Systems Dept. 
944 209 470
Parque Tecnológico. Edificio 103
48170 Zamudio (Bizkaia) 
egoitz at sarenet.es 
www.sarenet.es [1] 
Before printing this e-mail, consider whether it is necessary to do
so. 

On 2019-03-04 17:23, Alex Rousskov wrote:

> On 3/4/19 12:53 AM, Egoitz Aurrekoetxea wrote:
> 
>> My idea is simple. I wanted specific url, to be filtered through the
>> proxy. How can I manage this URL to be checked by the proxy?
> 
> To answer your questions correctly, we need to translate the vague
> description above into one of the many Squid configurations that may
> match that vague description. In hope to do that, I am asking these two
> basic questions:
> 
> 1. Do clients/browsers request
> https://oooeeee.eeee.ttt.thesquidserver.org/... URLs? Or do they request
> https://oooeeee.eeee.ttt/... URLs?
> 
> For the purpose of the next question, let's assume that the answer to the
> above question is: "Clients request https://publicDomain/... URLs"
> (where "publicDomain" is one of the two domains mentioned in that
> question). Let's further assume that when clients do a DNS lookup for
> publicDomain they get a publicIp IP address back.
> 
> 2. Does your Squid listen on port 443 of publicIp?
> 
> Alex.
> 
>> I assumed,
>> I could modify the real and original content where urls appeared by
>> setting for instance :
>> 
>> - Being the real url : https://oooeeee.eeee.ttt/u?ii=99&j=88
>> 
>> - I would rewrite in the own content the URL so that the new URL is now
>> : https://oooeeee.eeee.ttt.thesquidserver.org/u?ii=99&j=88
>> 
>> The domain thesquidserver.org will be used
>> for doing wildcards. For instance : *.thesquidserver.org
>> *.*.thesquidserver.org etc... will resolve to the ip of the Squid
>> server. But I don't want any url being asked as
>> whatever.thesquidserver.org to be checked... just those ones I have
>> written in some place...
>> 
>> So I was trying to write some content managing script, which should
>> check if that URL is needed to be checked and in case it should, check
>> it against an icap service. If Icap service gives you all to be right,
>> redirect you to the real site (just removing the thesquidserver.org for
>> the URL for instance). If that URL contains malware for instance, give
>> you an error page.
>> 
>> This is all what I was trying to do... Some time ago, I used Squid with
>> Dansguardian for this kind of purposes, but now I wanted to do something
>> slightly different. I wanted to pass a request (if should be passed) to
>> an icap service and later depending on the result of that ICAP service
>> (which I don't really know how could I check with a script) redirect to
>> the real site or give an error page.
>> 
>> For this purpose is perhaps the reason because url redirector programs
>> exist? I'm trying to see the entire puzzle :)
> 
> On 2019-03-02 23:21, Alex Rousskov wrote:
> 
> On 3/1/19 5:59 AM, Egoitz Aurrekoetxea wrote:
> 
> Is it possible for Squid to do something like : 
> - Receive request :
> https://oooeeee.eeee.ttt.thesquidserver.org/u?ii=99&j=88 
> and 
> to really perform a request as : https://oooeeee.eeee.ttt/u?ii=99&j=88 
> 
> How does your Squid receive the former request? Amos' answer probably
> assumes that your Squid is _not_ oooeeee.eeee.ttt.thesquidserver.org,
> but the name you have chosen for your example may imply that it is.
> 
> * If your Squid is _intercepting_ traffic destined for the real
> oooeeee.eeee.ttt.thesquidserver.org, then see Amos' answer.
> 
> * If your Squid is representing oooeeee.eeee.ttt.thesquidserver.org,
> then your Squid is a reverse proxy that ought to have the certificate
> key for that domain, and none of the SslBump problems that Amos
> mentioned apply.
> 
> Please clarify what your use case is.
> 
> Alex.
> 
> I mean not to redirect users with url redirection. Just act as a proxy
> but having Squid the proper knowledge internally for being able to make
> the proper request to the destination? Is it possible without
> redirecting url, to return for instance a 403 error to the source web
> browser in order to not be able to access to the site if some kind of
> circumstances are given?
> 
> If the last config, was not possible... perhaps I needed to just to
> redirect forcibly? I have read for that purpose you can use URL
> redirectors.... so I assume the concept is :
> 
> - Receive request :
> https://oooeeee.eeee.ttt.thesquidserver.org/u?ii=99&j=88
> 
> and
> 
> to really perform a request as : https://oooeeee.eeee.ttt/u?ii=99&j=88
> 
> If all conditions for allowing to see the content are OK, return the web
> browser a 301 redirect answer with the
> https://oooeeee.eeee.ttt/u?ii=99&j=88 URL. Else,
> just return a 403 or redirect you to a Forbidden page... I think this
> could be implemented with URL redirectors...but... the fact is... which
> kind of conditions or env situations can you use for validating the
> content inside the url redirector?
> 
> Thanks a lot for your time :)
> 
> Cheers!
> 
> -- 
> sarenet
> *Egoitz Aurrekoetxea*
> Systems Dept.
> 944 209 470
> Parque Tecnológico. Edificio 103
> 48170 Zamudio (Bizkaia)
> egoitz at sarenet.es
> www.sarenet.es [1]
> 
> Before printing this e-mail, consider whether it is necessary to do so.
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> <mailto:squid-users at lists.squid-cache.org>
> http://lists.squid-cache.org/listinfo/squid-users 

Links:
------
[1] http://www.sarenet.es
[2] https://oooeeee.eeee.ttt.thesquidserver.org/
[3] http://www.iou.net.theproxy.com/hj.php?ui=9
[4] http://www.iou.net/hj.php?ui=9
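
An added example, not part of the original message and not the redirector code linked from it: a Squid `url_rewrite_program` helper that answers with a 302 to the real URL only when the host left after stripping the proxy suffix is on an allowlist, so the wildcard domain cannot be used as an open redirector. `PROXY_SUFFIX` and `ALLOWED_HOSTS` are assumed values built from the thread's example hosts, and this code does not consult any ICAP scan result.

```python
#!/usr/bin/env python3
import sys
from urllib.parse import urlsplit, urlunsplit

PROXY_SUFFIX = ".theproxy.com"      # assumption: wildcard domain pointing at Squid
ALLOWED_HOSTS = {"www.iou.net"}     # assumption: the only hosts that may be unwrapped


def real_url(url):
    """Return the URL with the proxy suffix removed, or None if not eligible."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host.endswith(PROXY_SUFFIX):
        return None
    inner = host[: -len(PROXY_SUFFIX)]
    # Allowlist check: without it any "<anything>.theproxy.com" request would
    # produce a redirect to an arbitrary third-party site.
    if inner not in ALLOWED_HOSTS:
        return None
    # Userinfo and port are dropped on purpose; only the default port is used.
    return urlunsplit((parts.scheme, inner, parts.path, parts.query, ""))


def answer(line):
    """Build the helper reply for one request line sent by Squid."""
    fields = line.split()
    channel = ""
    # With helper concurrency enabled Squid prefixes each line with a channel ID
    # that must be echoed back at the start of the reply.
    if fields and fields[0].isdigit():
        channel, fields = fields[0] + " ", fields[1:]
    target = real_url(fields[0]) if fields else None
    if target is None:
        return channel + "ERR"      # ERR: leave the request URL unchanged
    return f'{channel}OK status=302 url="{target}"'


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()          # Squid waits for one reply per request line


if __name__ == "__main__":
    main()
```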