[squid-users] Help: squid restarts and squidGuard die
Flashdown
flashdown at data-core.org
Thu Sep 20 12:40:28 UTC 2018
> I'm saying the purpose of the url_rewrite_* API in Squid is to tell
> Squid whether the URL (only) needs some mangling in order for the
> server/origin to understand it.
> It can re-write transparently with all the problems that causes to
> security scopes and URL sync between the endpoints. Or redirect the
> client to the "correct" URL.
>
>
> The Squid http_access and similar *access controls* are the place for
> access control - hint is in the naming. With external ACL type for
> anything Squid does not support natively or well. As Flashdown
> mentioned
> even calls to SquidGuard etc. can be wrapped and used as external ACLs.
>
Just want to add, in the beginning I thought about using a wrapper or
writing one, but as I found out during testing during this time,
SquidGuard gives back the right responses to Squid, so a wrapper was not
needed, and the rewrite added in such a response is simply ignored by
Squid and it works like a charm. Hope ufdbguard can be used as external
acl helper natively as well. My config line:
external_acl_type squidguard ipv4 concurrency=0 children-max=XXX children-startup=XX ttl=60 %URI %SRC %{-} %un %METHOD /usr/bin/squidGuard
Taken out from my internal documentation:
"Manual testing:
echo "website.com 10.0.0.1/ - - GET" | squidGuard
Explanation of Responses:
ERR tells us: The access was not denied by SquidGuard, so either it's
not part of the blacklists or it is listed in the whitelist.
BH message="squidGuard error parsing squid line" tells us: there was
an error when checking your input, maybe you had a syntax error or there
is an issue in SquidGuard, the message param gives more insight.
OK rewrite-url="https://127.0.0.1/" tells us: the item was found on
the blacklists and is blocked. BTW Squid only sees the OK and ignores
the rewrite command, since we didn't integrate it as a URL-rewrite
program which would have many disadvantages.
PS: This is just how an external ACL Helper for Squid must work/respond.
So Squid only takes ERR and BH including the message and OK. That's why I
was able to implement it this way without writing a wrapper for it. "
Hope it helps and hope I can do the same with ufdbguard, the SquidGuard
Version I use is the latest one from the official Debian Repositories.
---
Best regards,
Flashdown
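
The three reply shapes listed in the post can be checked mechanically when testing the helper by hand. The parser below is an added example, not part of the original message or of SquidGuard; the names parse_reply and interpret are hypothetical, the sample lines are constructed from the replies quoted above, and it assumes values are either bare tokens or double-quoted strings.

```python
import re

# key=value pairs: value is a double-quoted string (backslash escapes) or a bare token
_KV = re.compile(r'([A-Za-z][\w-]*)=("(?:[^"\\]|\\.)*"|\S*)')

def parse_reply(line):
    """Split one helper reply line into (result_code, {key: value})."""
    line = line.strip()
    code, _, rest = line.partition(" ")
    if code not in ("OK", "ERR", "BH"):
        raise ValueError(f"not an external ACL helper reply: {line!r}")
    pairs = {}
    for key, val in _KV.findall(rest):
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = re.sub(r'\\(.)', r'\1', val[1:-1])  # strip quotes, unescape
        pairs[key] = val
    return code, pairs

def interpret(line):
    """Map a reply to the meaning given in the post for this setup."""
    code, pairs = parse_reply(line)
    if code == "OK":
        # Found on a blacklist; the post notes rewrite-url is not acted on
        # when the helper runs as an external ACL.
        return "blocked", pairs.get("rewrite-url")
    if code == "ERR":
        # Not on a blacklist, or whitelisted.
        return "not blocked", None
    # BH: the helper could not process the input; message says why.
    return "helper error", pairs.get("message")

# Constructed sample replies, taken from the shapes quoted in the post.
SAMPLES = [
    'OK rewrite-url="https://127.0.0.1/"',
    "ERR",
    'BH message="squidGuard error parsing squid line"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:55} -> {interpret(sample)}")
```
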