[squid-users] squid 7.1 , url_rewrite_program does not work
Amos Jeffries
squid3 at treenet.co.nz
Tue Oct 21 05:20:34 UTC 2025

On 21/10/2025 15:01, Dmitry Melekhov wrote:
>
> There is a third way: revert the change, which breaks rewrites,
>
> this is what I did.

Sending all "blocked" visitors to whatever server whose DNS name starts
with "http." is not a fix. It is breaking things in worse ways that are
not visible to you.

All it takes is for Squid to find it has a record for domain "http.*"
and all your so-called blocked visitors will be hijacked by that server.
Silently.

The officially patched Squid is rejecting the CONNECT tunnel (as you
want) and also telling you the helper needs fixing. If the error message
is annoying, do one of the fixes I mentioned earlier.

[
Dmitry; I highly recommend that you immediately ensure that your
/etc/hosts on the Squid machine(s) with patch 963ff14 reverted contains
these lines as a workaround to that risk:

    255.255.255.255 http. https. ftp.
    ffff:ffff::ffff http. https. ftp.
]

FTR, Rejik v3.2.12 or later should be able to work via the Squid
external_acl_type interface. Like so:

    external_acl_type redirector %>ru %>a/%>A %un %>rm \
        /usr/local/rejik3/redirector \
        /usr/local/rejik3/redirector.conf
    acl rejik external redirector
    deny_info 302:%note{rewrite-url} rejik
    http_access deny rejik

Also, the Rejik allow_ip and work_ip lists are supported by the Squid
"src" ACL type. You can load and use the files in Squid instead of the
helper to improve performance.

    acl rejikGlobalAllowIp src "/path/to/file"
    acl rejikGlobalWorkIp src "/path/to/file"
    http_access deny !rejikGlobalAllowIp rejikGlobalWorkIp rejik

Those are just a few examples of how Squid can itself do what the helper
is being used for. Just with different config settings.

Cheers
Amos
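
Added example, not part of the message above and not Rejik code: a small helper that speaks the external_acl_type line protocol for the format "%>ru %>a/%>A %un %>rm" and returns the block page as a rewrite-url note, so that deny_info issues the 302 and the CONNECT target is never substituted. The domain list, the block-page URL and the function names are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Minimal external_acl_type helper (added example, not Rejik code)."""
import sys
from urllib.parse import urlsplit

# Constructed sample data; a real deployment would load these from files.
BLOCKED_DOMAINS = {"blocked.example", "ads.example"}
BLOCK_PAGE = "http://blockpage.example/denied"  # hypothetical block-page URL


def request_host(url: str, method: str) -> str:
    """Extract the destination host from the %>ru field."""
    if method == "CONNECT":
        # CONNECT carries authority-form "host:port", not a full URL.
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    return host.strip("[]").rstrip(".").lower()


def is_blocked(host: str) -> bool:
    """Match the host or any parent domain against the block list."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS
               for i in range(len(labels)))


def decide(line: str) -> str:
    """Return the helper reply for one request line from Squid."""
    fields = line.split()
    if len(fields) != 4:
        # BH tells Squid the helper could not evaluate the request.
        return "BH message=unexpected-field-count"
    url, _client, _user, method = fields
    if is_blocked(request_host(url, method)):
        # OK makes the ACL match, so "http_access deny rejik" fires and
        # deny_info builds the 302 from the rewrite-url note.
        return f"OK rewrite-url={BLOCK_PAGE}"
    return "ERR"


if __name__ == "__main__":
    for request in sys.stdin:
        print(decide(request), flush=True)  # Squid waits for each reply line
```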