[squid-users] How to do transparent rewrite with https requests?

Amos Jeffries squid3 at treenet.co.nz
Tue May 27 20:12:51 UTC 2025


On 28/05/25 04:19, Alex Rousskov wrote:
> On 2025-05-27 10:37, Yves MARTIN wrote:
> 
>> My team expects to transparently rewrite requests through squid, 
>> replacing original URL/hostname by another target URL/host.
>>
>> Main objective is to redirect original HTTPS requests triggered by 
>> “docker pull alpine” to a local mirrored registry without obvious 
>> information in user client that the obtained image comes from mirror: 
>> original image location is preserved, no specific proxy or mirror 
>> configuration in docker client/daemon to set.

Okay. If I am correctly understanding that your primary goal is to have 
the "original ... location is preserved", then please discard the terms 
"transparent" and "redirect" from your thoughts on this matter. They 
both introduce requirements that break what you are wanting.


To operate a mirror that can be used in place of an origin server, that 
mirror needs to be configured to both receive and understand the URLs 
produced by that origin server.

After which Squid simply uses the mirror as cache_peer to handle the 
traffic for the domain(s) that origin server provides. Like so:

   # define what can go to the mirror
   acl foo dstdomain foo.example.com
   # how to contact the mirror
   cache_peer mirror.server 80 0 originserver
   # cache_peer_access needs the peer hostname as its first argument
   cache_peer_access mirror.server allow foo
   cache_peer_access mirror.server deny all

If the mirror only knows its local mirror domain instead of the origin 
server's public domain, then use the cache_peer option 
"forceddomain=mirror-foo.example.com".


(Whether you URL-rewrite the path and query details before sending it 
to the mirror cache_peer is up to you. Just be aware that it is quite 
dangerous to do on a domain where you do not fully understand the 
meaning of those URL parts. YHBW. I advise not doing so.)


For the HTTPS, the complications are that:

1) you add another cache_peer with port 443. Same ACL setup.

2) Squid must receive the TLS traffic via:

  a) "https_port 443 accel ..."
     with local network routing client requests for the foo.example.com 
     domain/IPs to this Squid listening port.


   OR/AND,

  b) SSL-Bump intercept of client CONNECT requests. Like so:

   # using 'foo' dstdomain ACL(s) from cache_peer_access rule(s)
   http_access allow CONNECT foo

   # same domains listed in 'foo' ACL(s)
   # but checking TLS ServerName instead of URL domain.
   acl fooS ssl::server_name ...

   # the SSL-Bump processing steps, as ACLs
   acl step1 at_step SslBump1
   acl step2 at_step SslBump2

   # or peek, YMMV. I just think stare is better for this use-case.
   ssl_bump stare step1

   # decrypt so we can decide whether URLs go to mirror or origin
   ssl_bump bump step2 fooS

   # pass anything else to origin untouched
   ssl_bump splice step2 !fooS


HTH
Amos
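A complete squid.conf assembling the pieces from the reply above (an added example, not Amos's own configuration): the HTTP and HTTPS mirror peers, the accel-mode listener from option 2a, and the bump rules from option 2b. It assumes Squid 4+ option names (tls-cert=, the tls flag on cache_peer), the domain foo.example.com, a mirror host mirror.server, placeholder certificate and helper paths, and a proto ACL to steer HTTPS requests to the 443 peer (my choice, not stated in the post).

```squid
# Added example config, not from the original post. Assumes Squid 4+.
# Placeholders: foo.example.com (origin domain), mirror.server (mirror host),
# /etc/squid/foo.example.com.pem, /etc/squid/bump-ca.pem, sslcrtd helper path.

# --- what may go to the mirror ---
acl foo  dstdomain foo.example.com
acl fooS ssl::server_name foo.example.com
acl tls  proto HTTPS
acl CONNECT method CONNECT

# --- mirror peers: one for plain HTTP, one for HTTPS (step 1) ---
# name= lets the cache_peer_access rules tell the two peers apart.
# forceddomain= is only needed if the mirror expects its own hostname.
cache_peer mirror.server 80  0 originserver name=mirror80  forceddomain=mirror-foo.example.com
cache_peer mirror.server 443 0 originserver name=mirror443 tls forceddomain=mirror-foo.example.com
# assumption: route by URL scheme so HTTPS requests use the TLS peer
cache_peer_access mirror80  allow foo !tls
cache_peer_access mirror80  deny all
cache_peer_access mirror443 allow foo tls
cache_peer_access mirror443 deny all
# never fall back to the real origin for these domains if the mirror is down
never_direct allow foo

# --- step 2a: accept TLS from clients the network routes here for port 443 ---
# The certificate must already be trusted by the client for foo.example.com,
# otherwise the client's TLS verification fails before any request is sent.
https_port 443 accel defaultsite=foo.example.com tls-cert=/etc/squid/foo.example.com.pem

# --- step 2b: SSL-Bump for clients that send CONNECT to the proxy port ---
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-cert=/etc/squid/bump-ca.pem
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump stare step1
ssl_bump bump step2 fooS
ssl_bump splice step2 !fooS

# --- access policy: only the pieces this example needs ---
http_access allow CONNECT foo
http_access allow foo
# the remaining http_access policy for other traffic is site-specific
http_access deny all
```

Only the mirror domain is decrypted; every other TLS connection is spliced through untouched, which is what keeps the bump CA from being needed for anything except foo.example.com.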



More information about the squid-users mailing list