[squid-users] squid 7.1 , url_rewrite_program does not work

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 22 04:17:27 UTC 2025


On 21/10/2025 18:59, Dmitry Melekhov wrote:
> On 21.10.2025 09:20, Amos Jeffries wrote:
>> On 21/10/2025 15:01, Dmitry Melekhov wrote:
>>>
>>> There is a third way - revert the change, which breaks rewrites,
>>>
>>> this is what I did.
>>
>>
>> Sending all "blocked" visitors to whatever server whose DNS name 
>> starts with "http." is not a fix. 
> 
> If the browser expects https and gets http it results in an error, not in a breach.


Any server could easily respond with HTTPS on port 80 - especially since 
the domain "http" is rare and likely crafted to exist by an attacker.


> 
>> It is breaking things in worse ways that are not visible to you.
>>
>> All it takes is for Squid to find it has a record for domain "http.*" 
>> and all your so-called blocked visitors will be hijacked by that 
>> server. Silently.
>>
>>
> I can't understand which server you are talking about.
> 

Any server where Squid resolves the http.* domain name to point at.


> 
>> The officially patched Squid is rejecting the CONNECT tunnel (as you 
>> want) and also telling you the helper needs fixing. If the error 
>> message is annoying, do one of the fixes I mentioned earlier.
>>
> 
> No, squid passes traffic. This is the problem. Error messages are not a 
> problem.
> 

Ah, there is the missing piece. Thank you for correcting me.



Amos

