21.10.2025 09:20, Amos Jeffries wrote:
On 21/10/2025 15:01, Dmitry Melekhov wrote:

There is third way- revert change, which breaks rewrites,

this is what I did.


Sending all "blocked" visitors to whatever server whose DNS name starts with "http." is not a fix.

If the browser expects https and gets http, it results in an error, not in a breach.



It is breaking things in worse ways that are not visible to you.

All it takes is for Squid to find it has a record for domain "http.*" and all your so-called blocked visitors will be hijacked by that server. Silently.


I can't understand which server you are talking about.


The officially patched Squid is rejecting the CONNECT tunnel (as you want) and also telling you the helper needs fixing. If the error message is annoying, do one of the fixes I mentioned earlier.


No, Squid passes traffic. This is the problem. Error messages are not a problem.




[
 Dmitry; I highly recommend that you immediately ensure that your /etc/hosts on the Squid machine(s) with patch 963ff14 reverted contains these lines as a workaround to that risk:

 255.255.255.255    http. https. ftp.
 ffff:ffff::ffff    http. https. ftp.
]


FTR, Rejik v3.2.12 or later should be able to work via the Squid external_acl_type interface. Like so:

 external_acl_type redirector %>ru %>a/%>A %un %>rm \
    /usr/local/rejik3/redirector \
    /usr/local/rejik3/redirector.conf

 acl rejik external redirector
 deny_info 302:%note{rewrite-url} rejik

 http_access deny rejik


Also, the Rejik allow_ip and work_ip lists are supported by the Squid "src" ACL type. You can load and use the files in Squid instead of the helper to improve performance.

 acl rejikGlobalAllowIp src "/path/to/file"
 acl rejikGlobalWorkIp src "/path/to/file"

 http_access deny !rejikGlobalAllowIp rejikGlobalWorkIp rejik

Those are just a few examples of how Squid can itself do what the helper is being used for. Just with different config settings.


Thank you, I'll look into this later.

Maybe it works as you said, maybe it passes traffic too instead of blocking it ;-)




Cheers
Amos
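To make the external_acl_type wiring above concrete, here is an added example of a minimal Squid external ACL helper written in Python; it is not Rejik's code and not part of this thread. It reads the `%>ru %>a/%>A %un %>rm` line format from the config quoted above and answers with `OK rewrite-url=...` for a blocked host (so `http_access deny rejik` fires and `deny_info 302:%note{rewrite-url}` redirects) or `ERR` for everything else. The blocklist, the landing page URL and the `rewrite-url` key name are constructed for the example. It also handles the CONNECT case discussed in the thread, where Squid hands the helper a bare `host:port` rather than a full URL.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper (constructed example, not Rejik).

Matching squid.conf line:
  external_acl_type redirector %>ru %>a/%>A %un %>rm /path/to/this/helper
so each request line arriving on stdin is:
  <url> <client-ip>/<client-fqdn> <user> <method>

Reply semantics of the Squid external ACL protocol:
  OK  [key=value ...]  -> the ACL matches (here: the request is blocked)
  ERR [key=value ...]  -> the ACL does not match
  BH  [message=...]    -> helper failure, Squid treats the lookup as broken
Keys Squid does not recognise are stored as request annotations and can be
read back in deny_info via %note{key}.
"""
import sys
from urllib.parse import urlsplit

# Constructed sample blocklist: these hosts and their subdomains are blocked.
BLOCKED_HOSTS = {"ads.example", "tracker.example"}
# Constructed landing page that the deny_info 302 will redirect to.
BLOCK_PAGE = "http://block.internal.example/blocked"


def extract_host(url: str, method: str) -> str:
    """Return the lower-cased hostname for a request.

    CONNECT requests (and anything without a scheme) carry a bare
    "host:port" authority instead of a full URL, so they are taken as-is;
    otherwise urlsplit() gives us the netloc.
    """
    if method.upper() == "CONNECT" or "://" not in url:
        authority = url
    else:
        authority = urlsplit(url).netloc
    host = authority.rsplit("@", 1)[-1]        # drop any userinfo
    if host.startswith("["):                    # bracketed IPv6 literal
        return host[: host.index("]") + 1].lower()
    return host.split(":", 1)[0].lower().rstrip(".")  # drop port, trailing dot


def is_blocked(host: str) -> bool:
    """Exact or parent-domain match against BLOCKED_HOSTS."""
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)


def decide(line: str) -> str:
    """Map one helper input line to one helper reply line."""
    parts = line.strip().split()
    if len(parts) != 4:
        return "BH message=malformed-input"
    url, _client, _user, method = parts
    host = extract_host(url, method)
    if not host:
        return "BH message=no-host"
    if is_blocked(host):
        # "OK" = ACL matches; rewrite-url becomes %note{rewrite-url}.
        # Values with spaces would need double quotes; this one has none.
        return f"OK rewrite-url={BLOCK_PAGE}?host={host}"
    return "ERR"


def main() -> None:
    # One reply line per request line; flush so Squid is never left waiting.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Two points worth noting when adapting this: with `concurrency=N` on the external_acl_type line Squid prefixes each line with a channel ID that must be echoed back, which this helper does not do; and because "OK" means "matches" rather than "allowed", the deny decision lives in `http_access deny rejik`, not in the helper, which is exactly why the helper cannot silently let traffic through the way the thread worries about.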

_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users
