Re: [squid-users] Rewriting URL

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 17 Feb 2012 19:26:25 +1300

On 17/02/2012 6:10 p.m., Roman Gelfand wrote:
> Consider the following configuration...
>
> acl host1 dst host1.dom.com

"dst" is not a good idea. Any phisher attacker who wants to make their
website resolve to your servers internal IP can do so and connect
through this proxy to it.

"dstdomain" is the recommended ACL type. That way the domain is accepted
or denied. The client can only reach Squid by resolving the domain IP as
this Squid box, so no security worries there. It also lets you scale out
the backend with any number of servers or peers, and swap them about
without involving DNS alterations (think TTL lag on every change).

> http_port 80 accel defaultsite=host1.dom.com vhost
> cache_peer 192.168.1.42 parent 80 0 no-query originserver name=host1server
> never_direct allow host1
> http_access allow host1
> cache_peer_access host1server allow host1
> cache_peer_access host1server deny all
>
> This is a case of forwarding requests to an internal server without changing the header.
>
> What changes would I need to make if I wanted to
> a) listen for http://www.maindom.com/host1
> b) forward these requests to http://host1.dom.com
>
> Thanks in advance

The proper way to do it is:
  * configure the web server at host1.dom.com to accept
http://www.maindom.com/host1 and strip it away before interpreting (ie
for Apache "Alias ^/host1/(.*) /$1")
  * add www.maindom.com to the accepted domain ACL ("host1").

The hack:
  * write a url_rewrite_program script that does the stripping (awk script?)
  * cross your fingers and hope nobody nasty finds a way around it.

Amos
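An added example, not code from the thread or from the Squid project: the url_rewrite_program variant Amos describes as "the hack", written so that it only rewrites the exact public host and path prefix from the question (www.maindom.com, /host1) to the origin domain (host1.dom.com) and passes every other URL through untouched. The file name host1_rewrite.sh and the "save it under that name" guard are assumptions; the helper speaks the 3.1-era line protocol (URL in the first input field, reply with the new URL or an empty line, no concurrency channel-ID), which later Squid releases still accept.

```shell
#!/bin/sh
# Hypothetical url_rewrite_program helper (added example, not from the thread).
# Rewrites http://www.maindom.com/host1[/...] -> http://host1.dom.com/...
# Anything that is not exactly that host and path prefix is left unchanged.

FRONT_HOST="www.maindom.com"   # public vhost named in the thread
PREFIX="host1"                 # path prefix to strip
BACKEND="host1.dom.com"        # origin domain named in the thread

# rewrite_url URL
#   Prints the rewritten URL when the rule applies, prints nothing otherwise.
#   Matches only "/host1", "/host1/..." and "/host1?..." so that a path such
#   as "/host1abc" or a different hostname is never rewritten.
rewrite_url() {
    url=$1
    case "$url" in
        "http://$FRONT_HOST/$PREFIX"|"http://$FRONT_HOST/$PREFIX/"*|"http://$FRONT_HOST/$PREFIX?"*)
            rest=${url#"http://$FRONT_HOST/$PREFIX"}
            # rest is "", "/..." or "?..."; make sure the backend path starts with "/"
            case "$rest" in
                /*) ;;
                *) rest="/$rest" ;;
            esac
            printf '%s\n' "http://$BACKEND$rest"
            ;;
        *)
            return 0
            ;;
    esac
}

# Helper loop: one request per line, URL first, the remaining fields
# (client ip/fqdn, ident, method, ...) are ignored here. An empty reply
# line tells Squid to keep the original URL.
main() {
    while read -r url _rest; do
        printf '%s\n' "$(rewrite_url "$url")"
    done
}

# Only enter the stdin loop when run as the helper itself
# (save the script as host1_rewrite.sh), not when sourced for testing.
case "${0##*/}" in
    host1_rewrite.sh) main ;;
esac
```

To wire it in, squid.conf needs `url_rewrite_program /usr/local/bin/host1_rewrite.sh`, www.maindom.com added to the `host1` ACL (as a `dstdomain` ACL, per Amos's first point, not `dst`), and `url_rewrite_access allow host1` / `url_rewrite_access deny all` so the helper is only consulted for requests to the accelerated domains. The rewritten URL carries the origin domain, so the existing `cache_peer_access host1server allow host1` rule still selects the right peer; the ACL gate and the exact-match `case` patterns are what keep a request for an unrelated host from being forwarded to the internal server.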
Received on Fri Feb 17 2012 - 06:26:34 MST

This archive was generated by hypermail 2.2.0 : Fri Feb 17 2012 - 12:00:03 MST