On 21/10/2025 15:01, Dmitry Melekhov wrote:

There is a third way: revert the change which breaks rewrites,

this is what I did.


Sending all "blocked" visitors to whatever server whose DNS name starts with "http." is not a fix. It is breaking things in worse ways that are not visible to you.

All it takes is for Squid to find it has a record for domain "http.*" and all your so-called blocked visitors will be hijacked by that server. Silently.


The officially patched Squid is rejecting the CONNECT tunnel (as you want) and also telling you the helper needs fixing. If the error message is annoying, do one of the fixes I mentioned earlier.



[
Dmitry; I highly recommend that you immediately ensure that your /etc/hosts on the Squid machine(s) with patch 963ff14 reverted contains these lines as a workaround to that risk:

 255.255.255.255        http. https. ftp.
 ffff:ffff::ffff        http. https. ftp.
]


FTR, Rejik v3.2.12 or later should be able to work via the Squid external_acl_type interface. Like so:

 external_acl_type redirector %>ru %>a/%>A %un %>rm \
        /usr/local/rejik3/redirector \
        /usr/local/rejik3/redirector.conf

 acl rejik external redirector
 deny_info 302:%note{rewrite-url} rejik

 http_access deny rejik


Also, the Rejik allow_ip and work_ip lists are supported by the Squid "src" ACL type. You can load and use the files in Squid instead of the helper to improve performance.

 acl rejikGlobalAllowIp src "/path/to/file"
 acl rejikGlobalWorkIp src "/path/to/file"

 http_access deny !rejikGlobalAllowIp rejikGlobalWorkIp rejik

Those are just a few examples of how Squid can itself do what the helper is being used for. Just with different config settings.


Cheers
Amos
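As an added example (not Amos's code, nor Rejik's), here is a minimal helper speaking the external_acl_type protocol that the `redirector` definition above expects: one request line per `%>ru %>a/%>A %un %>rm`, one reply line of `OK key=value` or `ERR`. The blocklist, the redirect targets, URL-encoded input fields and single-token output values are assumptions of this example.

```python
#!/usr/bin/env python3
"""Constructed Squid external ACL helper for:
  external_acl_type redirector %>ru %>a/%>A %un %>rm /path/to/helper
  acl rejik external redirector
  deny_info 302:%note{rewrite-url} rejik
  http_access deny rejik
"OK" means the ACL matches, so the request is DENIED and the rewrite-url
annotation becomes the 302 target; "ERR" means no match, request allowed."""
import sys
from urllib.parse import quote, unquote, urlsplit

# Constructed blocklist: host suffix -> page the client is redirected to.
BLOCKED = {
    "ads.example": "http://block.example/ads.html",
    "malware.example": "http://block.example/malware.html",
}


def parse_request(line: str) -> dict:
    """Split one request line into its four fields (assumed URL-encoded)."""
    fields = line.rstrip("\n").split(" ")
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {line!r}")
    url, addr, user, method = (unquote(f) for f in fields)
    ip, _, fqdn = addr.partition("/")  # %>A is "-" when no FQDN is known
    return {"url": url, "ip": ip, "fqdn": fqdn, "user": user, "method": method}


def request_host(url: str, method: str) -> str:
    """CONNECT carries only host:port in %>ru; other methods a full URL."""
    if method.upper() == "CONNECT" or "://" not in url:
        return url.rsplit(":", 1)[0].strip("[]").lower()
    return (urlsplit(url).hostname or "").lower()


def decide(req: dict) -> str:
    """Build the reply line Squid expects for this request."""
    host = request_host(req["url"], req["method"])
    for suffix, target in BLOCKED.items():
        if host == suffix or host.endswith("." + suffix):
            # Encoded so the value stays a single token on the reply line.
            return f"OK rewrite-url={quote(target, safe=':/?&=')}"
    return "ERR"


def main() -> None:
    for line in sys.stdin:  # Squid sends one request per line, waits for reply
        try:
            reply = decide(parse_request(line))
        except ValueError as exc:
            reply = f"BH message={quote(str(exc))}"  # BH: helper failure, no match
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```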

_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users