[squid-users] How to do transparent rewrite with https requests?
Alex Rousskov
rousskov at measurement-factory.com
Tue May 27 16:19:06 UTC 2025
On 2025-05-27 10:37, Yves MARTIN wrote:
> My team expects to transparently rewrite requests through squid,
> replacing original URL/hostname by another target URL/host.
>
> Main objective is to redirect original HTTPS requests triggered by
> “docker pull alpine” to a local mirrored registry without obvious
> information in user client that the obtained image comes from mirror:
> original image location is preserved, no specific proxy or mirror
> configuration in docker client/daemon to set.
>
> To do so, we have used squid-urlrewrite and it works well for HTTP
> requests, even if the rewrite targets an HTTPS URL.
>
> But when the original request is HTTPS, the connection still goes to the
> original URL/hostname IP address:
> https://github.com/rchunping/squid-urlrewrite/issues/3
>
> According to debug logs, the original request hostname is resolved to IP
> early and kept in internal context after squid-urlrewrite is invoked.
In most cases, when bumping connections from a TLS client to Squid and
from Squid to TLS server, Squid "pins" (i.e. remembers) the
Squid-to-server connection and then (re)uses that pinned connection for
all requests received on the client-to-Squid connection.
I have not checked, but speculate that rewriting request target does not
trigger opening a new Squid-to-server TLS connection and re-pinning.
IIRC, a Squid that is configured to bump during SslBump step1 does not
pin. Such a configuration is rarely usable on a modern internet, but YMMV.
HTH,
Alex.
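The two bumping orders Alex contrasts, written out as a squid.conf fragment added here (not from the original thread, the Squid project or squid-urlrewrite); the CA file, helper path, port numbers and cache sizes are placeholders to be adapted, and the comments state the assumed directive meanings.

```conf
# Transparent (intercept) ports; the https_port needs a CA that the
# docker hosts trust so that bumped connections verify. Placeholder paths.
http_port  3129 intercept
https_port 3130 intercept ssl-bump \
    tls-cert=/etc/squid/local-ca.pem tls-key=/etc/squid/local-ca.key \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# The rewrite helper from the thread (placeholder install path).
url_rewrite_program /usr/local/bin/squid-urlrewrite
url_rewrite_children 5

# Option A (common, "peek then bump"): look at the client hello at step1,
# then bump. Squid has the SNI to mint a matching certificate, but it also
# pins the Squid-to-server TLS connection, which is the behaviour Alex
# describes: a later URL rewrite does not by itself cause a fresh
# connection to the rewritten host.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Option B ("bump at step1", no peek line at all): per Alex's recollection
# no pinning happens, but at step1 on an intercepted connection Squid only
# knows the destination IP:port (no SNI yet), so certificate names rarely
# match what clients expect. Keep exactly one of the two options.
# ssl_bump bump all
```

Whichever option is kept, verify the effect in access.log with `%<a` (server IP) in logformat, which shows whether a rewritten request actually reached the mirror's address or the original host.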