[squid-users] Help: squid restarts and squidGuard die

Flashdown flashdown at data-core.org
Thu Sep 20 12:40:28 UTC 2018


> I'm saying the purpose of the url_rewrite_* API in Squid is to tell
> Squid whether the URL (only) needs some mangling in order for the
> server/origin to understand it.
>  It can re-write transparently with all the problems that causes to
> security scopes and URL sync between the endpoints. Or redirect the
> client to the "correct" URL.
> 
> 
> The Squid http_access and similar *access controls* are the place for
> access control - hint is in the naming. With external ACL type for
> anything Squid does not support natively or well. As Flashdown mentioned
> even calls to SquidGuard etc. can be wrapped and used as external ACLs.
> 

Just want to add, in the beginning I thought about using a wrapper or 
writing one, but as I found out during testing at that time, 
SquidGuard gives back the right responses to Squid, so a wrapper was not 
needed, and the rewrite added in such a response is simply ignored by 
Squid and it works like a charm. Hope ufdbguard can be used as an external 
ACL helper natively as well. My config line:
external_acl_type squidguard ipv4 concurrency=0 children-max=XXX children-startup=XX ttl=60 %URI %SRC %{-} %un %METHOD /usr/bin/squidGuard

Taken out from my internal documentation:

"Manual testing:

echo "website.com 10.0.0.1/ - - GET" | squidGuard

Explanation of Responses:

     ERR tells us: The access was not denied by SquidGuard, so either it's 
not part of the blacklists or it is listed in the whitelist.
     BH message=“squidGuard error parsing squid line” tells us: there was 
an error when checking your input, maybe you had a syntax error or there 
is an issue in SquidGuard, the message param gives more insight.
     OK rewrite-url=“https://127.0.0.1/” tells us: the item was found on 
the blacklists and is blocked. BTW Squid only sees the OK and ignores 
the rewrite command, since we didn't integrate it as a URL-rewrite 
program, which would have many disadvantages.

PS: This is just how an external ACL helper for Squid must work/respond. 
So Squid only takes ERR and BH including the message and OK. That's why I 
was able to implement it this way without writing a wrapper for it. "

Hope it helps and hope I can do the same with ufdbguard, the SquidGuard 
Version I use is the latest one from the official Debian Repositories.



---
Best regards,
Flashdown
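
Added example, not part of the original message and not code from Squid or SquidGuard: a small Python checker for the helper replies described above, useful for testing a blacklist outside Squid. The function names, the sample reply lines (constructed, with plain ASCII quotes) and the choice to treat any unrecognised reply as a helper error are assumptions of this example.

```python
import shlex

# Request field order follows the external_acl_type format in the message:
# %URI %SRC %{-} %un %METHOD
def build_request(uri, src, user="-", method="GET"):
    return f"{uri} {src} - {user} {method}"

def parse_reply(line):
    """Split one helper reply into (result_code, {key: value})."""
    try:
        tokens = shlex.split(line.strip())   # handles key="quoted value"
    except ValueError:                        # unbalanced quotes
        return "BH", {"message": "unparseable helper reply"}
    if not tokens or tokens[0] not in ("OK", "ERR", "BH"):
        # Assumption of this example: anything else is a broken helper.
        return "BH", {"message": "unexpected helper reply"}
    pairs = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    return tokens[0], pairs

def verdict(line):
    """Map a reply to the meaning given in the message above."""
    code, pairs = parse_reply(line)
    if code == "OK":
        # rewrite-url is parsed but plays no part in the ACL decision.
        return "blocked"
    if code == "ERR":
        return "not-blocked"
    return "helper-error: " + pairs.get("message", "")

if __name__ == "__main__":
    # Constructed sample replies, one per result code.
    samples = [
        'OK rewrite-url="https://127.0.0.1/"',
        "ERR",
        'BH message="squidGuard error parsing squid line"',
    ]
    print(build_request("website.com", "10.0.0.1/"))
    for s in samples:
        print(f"{s!r:55} -> {verdict(s)}")
```

Because OK here means "found on the blacklists", the ACL matches on the requests to be blocked; a run over known-good and known-bad URLs confirms which way round the helper answers before it is put in front of users.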

