[squid-users] How to do transparent rewrite with https requests?

Alex Rousskov rousskov at measurement-factory.com
Tue May 27 16:19:06 UTC 2025


On 2025-05-27 10:37, Yves MARTIN wrote:

> My team expects to transparently rewrite requests through squid, 
> replacing original URL/hostname by another target URL/host.
> 
> Main objective is to redirect original HTTPS requests triggered by 
> “docker pull alpine” to a local mirrored registry without obvious 
> information in user client that the obtained image comes from mirror: 
> original image location is preserved, no specific proxy or mirror 
> configuration in docker client/daemon to set.
> 
> To do so, we have used squid-urlrewrite and it works well for HTTP 
> requests, even if the rewrite targets an HTTPS URL.
> 
> But when the original request is HTTPS, the connection still goes to the original 
> URL/hostname IP address: 
> https://github.com/rchunping/squid-urlrewrite/issues/3 
> 
> According to debug logs, the original request hostname is resolved to IP 
> early and kept in internal context after squid-urlrewrite is invoked.

In most cases, when bumping connections from a TLS client to Squid and 
from Squid to TLS server, Squid "pins" (i.e. remembers) the 
Squid-to-server connection and then (re)uses that pinned connection for 
all requests received on the client-to-Squid connection.

I have not checked, but speculate that rewriting request target does not 
trigger opening a new Squid-to-server TLS connection and re-pinning.

IIRC, a Squid that is configured to bump during SslBump step1 does not 
pin. Such a configuration is rarely usable on a modern internet, but YMMV.


HTH,

Alex.
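The two SslBump configurations Alex distinguishes, as an added squid.conf fragment that is not part of the thread (the directive names are real Squid syntax; the port, certificate path and helper path are placeholders, and the comments restate Alex's explanation rather than anything verified here):

```conf
# Added example (not from the thread). Placeholders: port 3129, /etc/squid/bump.pem,
# /usr/lib/squid/security_file_certgen, /usr/local/bin/squid-urlrewrite.
https_port 3129 intercept ssl-bump \
    tls-cert=/etc/squid/bump.pem \
    generate-host-certificates=on

sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# The rewrite helper that changes the request target after bumping.
url_rewrite_program /usr/local/bin/squid-urlrewrite

acl step1 at_step SslBump1

# (a) The usual "peek, then bump": Squid reads the client's SNI at step1 and
#     bumps afterwards. Per Alex, the Squid-to-server TLS connection opened
#     here is pinned to the client connection, so a rewritten URL from the
#     helper does not cause a new connection to the rewritten host.
ssl_bump peek step1
ssl_bump bump all

# (b) "Bump at step1" (client-first): the variant Alex recalls as not pinning.
#     Squid has not seen the SNI at this point, so the mimicked server
#     certificate is derived from the intercepted IP address only, which is
#     why this mode is rarely usable on the modern internet.
# ssl_bump bump step1
```

Use one variant at a time; whichever is active, confirm the actual server connection in cache.log with `debug_options ALL,1 33,2` rather than assuming the rewrite took effect.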

