On 01/05/18 15:40, Amos Jeffries wrote:
> On 01/05/18 00:54, Amish wrote:
>> Hello
>>
>> I have 2 LAN interfaces on the squid box, say department A (192.168.1.1/24)
>> and department B (192.168.2.1/24)
>>
>> I have a few banned sites. Say Facebook.
>>
>> I have an HTTP server (running on the same server as squid) which shows custom
>> pages with a custom logo based on IP address.
>>
>> When a request comes for a banned site I would like the client to be
>> redirected based on squid's own IP.
>
> Firstly, is there any particular reason you are requiring it to be a
> redirect?
> From what you have said it appears you can achieve the same outcome
> without the extra web server by using a custom error page.
>
>>
>> Something like this:
>>
>> acl blockedsites url_regex facebook
>> http_access deny blockedsites
>> deny_info http://SQUID-IP/banned.html blockedsites
>>
>> I need SQUID-IP to be replaced by 192.168.1.1 or 192.168.2.1 depending
>> on the IP the connection came to.
>>
>
> Secondly, I think you are probably looking at this from the wrong
> direction. With the topology you have described each of these "Squid
> IPs" is actually just the IP facing a certain client subnet. So the
> client subnet is what you want to be detecting, not the specific Squid IP.
>
>
> Thirdly, on the issue of %h - the Squid hostname is *required* to
> resolve in DNS explicitly so clients can access things like these URLs.
> If your network and DNS are configured correctly each client subnet
> should resolve that hostname to the relevant IP which you are trying to
> "pass" to the web server in your redirect URL. So they will naturally
> (and only) connect to the web server (or Squid itself) using the right
> IP anyway - the web server should be able to detect what it needs from
> its own inbound TCP/IP connection instead of using raw IPs in the traffic.
>
>
> There are three options available to work around broken DNS:
>
>
> Option 1) to do exactly (and only) what you asked for.
>
> Currently this can be done with an external helper:
>
> external_acl_type getIp concurrency=100 %MYADDR /path/to/script
> deny_info 302:http://%et/banned.html getIp
>
> where the script just echoes back to Squid the IP it was given like so:
> [channel-id] OK message="<input-IP>"\n
>
>
> Option 2) to use the client IP and have your web server respond based on
> those subnets instead of the Squid IP.
>
> acl clients1 src 192.168.1.0/24
> deny_info 302:http://%h/banned.html?%i clients1
> http_access deny blockedsites clients1
>
> acl clients2 src 192.168.2.0/24
> deny_info 302:http://%h/banned.html?%i clients2
> http_access deny blockedsites clients2
>
>
> ** If you really *have* to use the Squid IP, this can work with the localip ACL
> type instead of src. But then you have to bake each Squid-IP variation
> into the deny_info URL instead of using %i.
>
>
>
> Option 3) to use a custom error page instead of a redirect.
>
> Place your banned.html page into /etc/squid/banned.html and either a)
> write it with JavaScript that pulls in the right images/branding based
> on client IPs, or b) use multiple pages with different branding.
>
> deny_info 403:/etc/squid/banned.html blockedsites
>
> ** Like (2) above this can use the Squid IP (via the localip ACL type) if you
> really have to. But with the same limitation of using different files
> for branding instead of JavaScript for dynamic sub-resource/image fetching.
>
> Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
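The helper script that Option 1 relies on is only sketched in the thread ("echoes back the IP it was given"). Below is an added, self-contained example of such an `external_acl_type` helper in Python; it is not code from the thread or from the Squid project. It assumes the `external_acl_type getIp concurrency=100 %MYADDR /path/to/script` line quoted above, so each request line is `<channel-id> <MYADDR>` (or just `<MYADDR>` when `concurrency=` is absent), and it assumes Squid's default URL-encoding of helper input, which leaves an IPv4 address untouched but encodes the colons of an IPv6 one. Two choices beyond what the thread states are the helper's own: a value that does not parse as an IP address is answered with `BH` rather than echoed into a redirect URL, and an IPv6 address is returned in `[...]` form so that it is valid inside the `http://%et/banned.html` URL.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper that hands Squid's own listening IP back to it.

Added example for "Option 1" in the thread above; not code from the thread or
from the Squid project. Assumed squid.conf lines (as quoted in the thread):

    external_acl_type getIp concurrency=100 %MYADDR /path/to/script
    deny_info 302:http://%et/banned.html getIp

Protocol: Squid writes one request per line, "<channel-id> <MYADDR>" when
concurrency= is set, otherwise just "<MYADDR>". The reply is one line,
"<channel-id> OK message=\"<ip>\"", with the same channel id, flushed at once.
"""
import ipaddress
import sys
from urllib.parse import unquote


def handle_line(line: str) -> str:
    """Turn one request line from Squid into the one-line helper reply."""
    tokens = line.strip().split()
    if not tokens:
        # Nothing to echo; BH tells Squid the helper saw a malformed request.
        return 'BH message="empty request"'

    channel = ""
    # An IPv4/IPv6 address is never digits-only, so a leading all-digit token
    # can only be the concurrency channel id that Squid expects echoed back.
    if len(tokens) >= 2 and tokens[0].isdigit():
        channel, tokens = tokens[0] + " ", tokens[1:]

    # Squid URL-encodes helper input by default (assumption stated in the
    # lead-in): a no-op for IPv4, but it restores the colons of an IPv6 address.
    value = unquote(tokens[0])
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        # Do not echo unparsed input into a redirect URL; report a helper-side
        # problem instead (the raw value is deliberately not placed in message=).
        return f'{channel}BH message="unparseable address"'

    # The address ends up as the host part of http://%et/banned.html, so an
    # IPv6 address needs the bracketed form to produce a valid URL.
    host = f"[{ip}]" if ip.version == 6 else str(ip)
    return f'{channel}OK message="{host}"'


def main() -> None:
    # Squid keeps the helper running and pipes requests to it; every reply
    # must be flushed immediately or Squid waits until its helper timeout.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Install it at the path named in `external_acl_type`, make it executable, and test it by hand by piping a line such as `0 192.168.1.1` into it before pointing Squid at it; Squid logs helper protocol errors to cache.log, which is where a wrong channel id or an unflushed reply shows up first.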