[squid-users] redirect directly to error page
Amos Jeffries
squid3 at treenet.co.nz
Tue Sep 15 09:50:15 UTC 2015
On 15/09/2015 3:13 a.m., Matus UHLAR - fantomas wrote:
> Hello,
>
> we have squidguard on a few servers and I'd like to redirect client's
> request
> directly to squid's error page, e.g. ERR_ACCESS_DENIED
> Is that possible directly through e.g. internal URL, or do I have to play
> with special page and acl?
> (it should work for CONNECT requests too)
>
> squid-3.1.20 (debian 7) here
>
This is a very good example of how SG and tools like it are abusing
Squid. The URL-rewrite/redirect interface they are plugged into is
intended and designed to mangle the URL. Nothing more.
By the time the URL-rewrite helper lookup is sent the access controls
have already determined that the request access is *accepted* and
*allowed*. It is even almost finished being processed. Far too late to
deny it.
The right way to perform access authorization is with the http_access or
adapted_http_access rules. That is also the only way to *generate*
ERR_ACCESS_DENIED.
Those rules have an external_acl_type helper interface for performing
helper lookups and dont need any fancy trickery with URLs or web
servers. deny_info is provided for presenting custom pages (or HTTP
redirect URLs) from any ACL results.
And yes, doing it the right way will work with CONNECT too. In so far as
Squid output is concerned anyway. The popular browsers are still
refusing to honour any kind of non-200 response from proxies.
Amos
More information about the squid-users
mailing list