Re: squid support for passing in URLs over HTTP in a URI

Blake Dournaee wrote:
Hi Amos -

Thanks for your follow-up.

To answer your question on "why" - the reason is because we are iframing some content from a partner website and we want to plug-in a high performing caching proxy. At the end of the day we'd like to be able to say something like <iframe src="ourdomain.com:3128/?url=partnerdomain.com/partner-url" /> and have squid handle the actual retrieval of the URI. On the server side if squid is running we'd like to be able to access it.

Would it be possible to elaborate on the "complicated and fragile" configuration option?

Also, can anyone elaborate on the HTTP request format that the browser uses today to pass in the destination URL to retrieve? How is it actually done under the covers of the browser today?

When speaking to a proxy browsers send the full "http://domain/path" URI and don't do any DNS lookups themselves. For web servers they only pass the path and Host: header for the domain portion and do DNS and security lookups to ensure the machine they are talking to really is the domain host wanted.


For what you want to achieve, using Squid as a reverse-proxy with a URL re-writer would be best.

 * Allocate a specific sub-domain for the partners (ie ads.example.com, seems to be popular).
 * Add a url_rewrite_program to squid.conf which takes the URI format you want and strips away your domain name. Returning the partner URL.
 * Add url_rewrite_access and ACLs (acl ads dstdomain ads.example.com) to catch only the 'ads.example.com' traffic for the re-writer.
 * Add a "http_port 80 accel defaultsite=ads.example.com" to receive the requests.
 * Add a "always_direct allow ads" to permit the partner traffic to be relayed (default is to prevent open proxy behavior on accel ports).
 * Set DNS to point 'ads.example.com' at the proxy IP address.
 * Add the links to pages as you want.

It's fragile because:
 * URL re-write only affects the requested URL, not any page URL or other header URI.
 * The partners can screw you over very easily and unknowingly by simply using absolute URL in their pages.
 * Malicious outsiders can see the URI syntax and use you as a relay for their own domains unless you add extra security into the re-writer to prevent it.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
  Current Beta Squid 3.1.0.15
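
The last point in the reply above, that outsiders can use the re-writer as a relay unless it checks the destination, can be handled with an allow-list inside the helper. The helper below is an added example, not code from the thread or the Squid project; `partnerdomain.com` as the only allowed host, the `DENY_URL` placeholder, and the one-request-per-line helper protocol (URL as the first field, rewritten URL as the reply) are assumptions.

```python
#!/usr/bin/env python3
"""Allow-listing url_rewrite_program helper (added example, not from the thread)."""
import sys
from urllib.parse import urlsplit, parse_qs

FRONT_HOST = "ads.example.com"          # sub-domain named in the reply above
ALLOWED_HOSTS = {"partnerdomain.com"}   # assumption: the partner hosts you relay for
DENY_URL = "http://denied.invalid/"     # placeholder: point at your own error page


def rewrite(request_url):
    """Return the partner URL to fetch, or DENY_URL if the request is not allowed."""
    try:
        front = urlsplit(request_url)
        targets = parse_qs(front.query).get("url", [])
        # Only the accel sub-domain, and exactly one url= parameter, is accepted.
        if front.hostname != FRONT_HOST or len(targets) != 1:
            return DENY_URL
        target = targets[0]
        if "://" not in target:         # the thread's links omit the scheme
            target = "http://" + target
        dest = urlsplit(target)
        port = dest.port                # raises ValueError on a malformed port
    except ValueError:
        return DENY_URL
    # Whitespace or control characters would corrupt the one-line reply.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return DENY_URL
    # "partnerdomain.com@other.host" style userinfo must not pass the host check.
    if dest.scheme != "http" or dest.username is not None or dest.password is not None:
        return DENY_URL
    # Exact host match only: no suffix matching, no alternate ports.
    if port not in (None, 80) or dest.hostname not in ALLOWED_HOSTS:
        return DENY_URL
    query = "?" + dest.query if dest.query else ""
    return "http://" + dest.hostname + (dest.path or "/") + query


def main():
    # Assumed classic helper protocol: one request per line, URL in the first
    # field, one reply line holding the URL Squid should fetch instead.
    for line in sys.stdin:
        fields = line.split()
        print(rewrite(fields[0]) if fields else DENY_URL, flush=True)


if __name__ == "__main__":
    main()
```

The check covers only the requested URL; absolute URLs inside the partner's pages still bypass the proxy, as the reply notes.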
