[squid-users] squid 7.1 , url_rewrite_program does not work
Dmitry Melekhov
dm at belkam.com
Tue Oct 21 05:59:55 UTC 2025
21.10.2025 09:20, Amos Jeffries writes:
> On 21/10/2025 15:01, Dmitry Melekhov wrote:
>>
>> There is third way- revert change, which breaks rewrites,
>>
>> this is what I did.
>
>
> Sending all "blocked" visitors to whatever server whose DNS name
> starts with "http." is not a fix.
If the browser expects https and gets http, it results in an error, not in a breach.
> It is breaking things in worse ways that are not visible to you.
>
> All it takes is for Squid to find it has a record for domain "http.*"
> and all your so-called blocked visitors will be hijacked by that
> server. Silently.
>
>
I can't understand which server you are talking about.
> The officially patched Squid is rejecting the CONNECT tunnel (as you
> want) and also telling you the helper needs fixing. If the error
> message is annoying, do one of the fixes I mentioned earlier.
>
No, Squid passes traffic. This is the problem. Error messages are not a problem.
>
>
> [
> Dmitry; I highly recommend that you immediately ensure that your
> /etc/hosts on the Squid machine(s) with patch 963ff14 reverted
> contains these lines as a workaround to that risk:
>
> 255.255.255.255 http. https. ftp.
> ffff:ffff::ffff http. https. ftp.
> ]
>
>
> FTR, Rejik v3.2.12 or later should be able to work via the Squid
> external_acl_type interface. Like so:
>
> external_acl_type redirector %>ru %>a/%>A %un %>rm \
> /usr/local/rejik3/redirector \
> /usr/local/rejik3/redirector.conf
>
> acl rejik external redirector
> deny_info 302:%note{rewrite-url} rejik
>
> http_access deny rejik
>
>
> Also, the Rejik allow_ip and work_ip lists are supported by the Squid
> "src" ACL type. You can load and use the files in Squid instead of the
> helper to improve performance.
>
> acl rejikGlobalAllowIp src "/path/to/file"
> acl rejikGlobalWorkIp src "/path/to/file"
>
> http_access deny !rejikGlobalAllowIp rejikGlobalWorkIp rejik
>
> Those are just a few examples of how Squid can itself do what the
> helper is being used for. Just with different config settings.
>
Thank you, I'll look into this later.
Maybe it works as you said, maybe it passes traffic too instead of
blocking it ;-)
>
> Cheers
> Amos
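As an added example (not from this thread, not Rejik's code), here is a minimal Squid external_acl_type helper in Python that speaks the interface Amos describes above: it reads `%>ru %>a/%>A %un %>rm` lines, answers `OK` with a `rewrite-url` annotation for blocked hosts so that `deny_info 302:%note{rewrite-url}` redirects them, and `ERR` otherwise. The blocklist, block-page URL and helper path are constructed placeholders, and the helper assumes the default non-concurrent protocol (no channel-id prefix on each line).

```python
#!/usr/bin/env python3
"""Minimal Squid external_acl_type helper (constructed example).

Assumed squid.conf (helper path is hypothetical):
  external_acl_type redirector %>ru %>a/%>A %un %>rm /path/to/this_helper.py
  acl rejik external redirector
  deny_info 302:%note{rewrite-url} rejik
  http_access deny rejik

Each request line is "<url> <client-ip>/<client-fqdn> <user> <method>".
"""
import sys
from urllib.parse import urlsplit

# Constructed blocklist; a real deployment would load it from a file.
BLOCKED_DOMAINS = {"ads.example", "tracker.example"}
BLOCK_PAGE = "https://proxy.example/blocked"   # placeholder block page


def request_host(url: str, method: str) -> str:
    """Return the host of a request URL, handling CONNECT specially.

    For CONNECT, %>ru is "host:port" with no scheme, so urlsplit()
    would misparse it; strip the port instead.
    """
    if method.upper() == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def is_blocked(host: str) -> bool:
    """Match the host itself or any parent domain against the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def decide(line: str) -> str:
    """Turn one helper request line into the helper's reply line."""
    fields = line.split()
    if len(fields) < 4:
        return "BH message=malformed-request"   # helper could not parse it
    url, _client, _user, method = fields[:4]
    host = request_host(url, method)
    if host and is_blocked(host):
        # Annotation consumed by deny_info; value double-quoted per the helper protocol.
        return f'OK rewrite-url="{BLOCK_PAGE}?host={host}"'
    return "ERR"


if __name__ == "__main__":
    for raw in sys.stdin:
        sys.stdout.write(decide(raw.strip()) + "\n")
        sys.stdout.flush()   # Squid waits for each reply; never buffer
```

Because the match is done by the ACL and the request is denied, a broken helper reply leaves the request blocked rather than rewritten to an unexpected server, which is the failure mode the discussion above is about.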