[squid-users] How to use request headers in external_acl_type
Yosi Greenfield
ygreenfield at kewsystems.com
Wed Jun 30 17:17:19 UTC 2021
Amos,
As always, thank you for your dedication answering all our questions.
Ok, turns out, as you noted, the browser is sending the correct request
headers. However, on https requests the external acl program is not getting
the custom header we're sending. SSL Bump is set, and works for our
redirector program, but not for the external acl program.
Here are the relevant lines from squid.conf:
http_port 3128 name=non-bumped
http_port 3130 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=6MB cert=/etc/squid/ssl/newCA.pem name=bumped options=ALL
acl non-bumped myportname non-bumped
acl bumped myportname bumped
acl step1 at_step SslBump1
acl broken_sites dstdomain "/etc/squid/nobump/domains"
acl broken_sites_regex dstdom_regex -i "/etc/squid/nobump/regexes"
ssl_bump splice broken_sites
ssl_bump splice broken_sites_regex
ssl_bump peek step1
ssl_bump bump all
external_acl_type portal_gatekeeper %SRC %>{Connection} %>{Accept} %>{abc_session} %>{Host} /etc/squid/portal.pl
acl check-portal external portal_gatekeeper
deny_info http://www.our_portal_site.com/ check-portal
acl myIP1 src 10.200.10.2
http_access deny myIP1 !check-portal
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
sslcrtd_children 15 startup=5
sslproxy_cert_error allow all
request_header_access Surrogate-Capability deny all
url_rewrite_access allow non-bumped
url_rewrite_access deny bumped CONNECT
url_rewrite_children 15 startup=7
acl our_users src 10.10.0.0/24 10.10.1.0/24 10.200.0.0/16
http_access allow our_users
Is it possible to get the custom abc_session header on https requests?
Thank you again.
> -----Original Message-----
> From: squid-users
> [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf
> Of squid3 at treenet.co.nz
> Sent: Friday, June 25, 2021 7:20 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] How to use request headers in
> external_acl_type
>
> On 2021-06-26 07:18, Yosi Greenfield wrote:
> > Hello all,
> >
> > I'm trying to use request headers in an external acl, and I'm probably
> > doing it incorrectly, and it's not working.
> >
>
> Looks like it's working fine.
>
>
> > Here's my acl definition:
> >
> > external_acl_type ext_acl_program %SRC %>{Connection} %>{Accept} %>{Custom_header} %>{Host} /etc/squid/ext_acl_program.pl
> >
> > The program ext_acl_program.pl simply prints out the input
> >
> > chomp ($line);
> > @fields = split(' ', $line);
> > my $ip = $fields[0];
> > my $connection = $fields[1];
> > my $accept = $fields[2];
> > my $custom = $fields[3];
> > my $host = $fields[4];
> >
> > print LOGFILE "IP: $ip\n Conn: $connection\n Accept: $accept\n
> > Custom: $custom\n Host: $host";
> >
> > The output looks like this:
> >
> > IP: 10.200.10.2
> > Conn: keep-alive
> > Accept: -
> > Custom: -
> > Host: www.wsws.com:443 [1]
> >
> > As you see, it has values for %SRC, %>{Connection} and %>{Host}. It
> > does not have values for %>{Accept} and %>{Custom_header}
> >
> > So the question is, are these %>{} substitutions coming from
> > request_headers (as I thought)?
>
> The Host header only exists in request messages so I would
> say they are.
> It may not be the request message you are thinking about
> though. Request headers can come from clients, but they could
> also be generated by Squid or ICAP/eCAP services.
>
> >
> > If yes, why does it only have Connection and Host, and not Accept or
> > my custom header?
> >
>
> Because those are the headers the message being printed contains.
> You do not provide enough details about where the request
> came from, e.g. how it was created and/or changed between
> creation and the helper being called.
>
>
> > If they are not coming from request headers, where are they coming
> > from?
> >
>
> You can use "debug_options 11,2" to see the HTTP messages
> Squid is processing.
>
>
> > And mostly, how can I pass my custom header into the program?
>
> Exactly as you configured above. Assuming that the header is actually
> "Custom_header: ..." with that underscore included.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
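
A helper that follows the input format from the squid.conf lines above, as an added example (it is not the poster's portal.pl, and it is written in Python rather than Perl). It decodes Squid's URL-escaped values after splitting, treats "-" as an absent header, and denies when abc_session is missing; the VALID_SESSIONS set is a constructed placeholder for a real session lookup.

```python
import sys
from urllib.parse import unquote

# Field order must match the external_acl_type format in squid.conf:
#   %SRC %>{Connection} %>{Accept} %>{abc_session} %>{Host}
FIELDS = ("src", "connection", "accept", "abc_session", "host")

# Constructed sample tokens; a real helper would query the portal's session store.
VALID_SESSIONS = {"s3ss10n-aaaa", "s3ss10n-bbbb"}


def parse_request(line):
    """Split one helper request line into named fields; None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    # Squid URL-escapes each value, so decode only after splitting.
    # A lone "-" means the header was absent from the request Squid evaluated.
    return {name: (None if raw == "-" else unquote(raw))
            for name, raw in zip(FIELDS, parts)}


def decide(line):
    """Return the helper reply: OK only for a known session, ERR otherwise."""
    req = parse_request(line)
    if req is None or req["abc_session"] is None:
        return "ERR"  # fail closed: malformed line or no session header
    return "OK" if req["abc_session"] in VALID_SESSIONS else "ERR"


def main():
    # One request per line on stdin, one reply per line on stdout
    # (assumes the concurrency= option is not set, so no channel-ID prefix).
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply, so never buffer


if __name__ == "__main__":
    main()
```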