Hello,

First of all, thanks a lot for taking the time to reply to my query. My replies are inline.

On Tuesday 01 May 2018 09:10 AM, Amos Jeffries wrote:
> On 01/05/18 00:54, Amish wrote:
>> Hello
>>
>> I have 2 LAN interfaces on the squid box, say department A (192.168.1.1/24) and department B (192.168.2.1/24).
>>
>> I have a few banned sites. Say Facebook.
>>
>> I have an HTTP server (running on the same server as squid) which shows custom pages with a custom logo based on IP address.
>>
>> When a request comes for a banned site I would like the client to be redirected based on squid's own IP.
>
> Firstly, is there any particular reason you are requiring it to be a redirect?
>
> From what you have said it appears you can achieve the same outcome without the extra web server by using a custom error page.

No, I can't use a custom error page as JavaScript will leak the IP range of department A to department B. (I had simplified my example; it's actually two companies and not two departments. In fact I have 4-5 companies/subnets.) Some companies use OpenDNS, others Cloudflare, others Google etc.

> Thirdly, on the issue of %h - the Squid hostname is *required* to resolve in DNS explicitly so clients can access things like these URLs. If your network and DNS is configured correctly each client subnet should resolve that hostname to the relevant IP which you are trying to "pass" to the web server in your redirect URL. So they will naturally (and only) connect to the web server (or Squid itself) using the right IP anyway - the web server should be able to detect what it needs from its own inbound TCP/IP connection instead of using raw IPs in the traffic.

So DNS will not resolve the hostname to the same as %MYADDR.

> There are three options available to work around broken DNS:
>
> Option 1) to do exactly (and only) what you asked for.
>
> Currently this can be done with an external helper:
>
>   external_acl_type getIp concurrency=100 %MYADDR /path/to/script
>   deny_info 302:http://%et/banned.html getIp
>
> where the script just echoes back to Squid the IP it was given like so:
>
>   [channel-id] OK message="<input-IP>"\n

Based on the documentation of FORMAT for deny_info, I think you mean %o and not %et.

Also, will this "message" be available if I change my http_access line to:

  deny_info 302:http://%o/banned.html blockedsites
  http_access deny blockedsites getIp

Will the "message" of getIp be available to the deny_info of blockedsites?

I will give this a try; however, please see the end of the e-mail for a feature request.

> Option 2) to use the client IP and have your web server respond based on those subnets instead of Squid IP.
>
>   acl clients1 src 192.168.1.0/24
>   deny_info 302:http://%h/banned.html?%i clients1
>   http_access deny blockedsites clients1
>
>   acl clients2 src 192.168.2.0/24
>   deny_info 302:http://%h/banned.html?%i clients2
>   http_access deny blockedsites clients2
>
> ** If you really *have* to use Squid-IP, this can work with the localip ACL type instead of src. But then you have to bake each Squid-IP variation into the deny_info URL instead of using %i.

I will have to do this for each company. But I would like to keep squid.conf simple and minimal.

> Option 3) to use a custom error page instead of a redirect.
>
> Place your banned.html page into /etc/squid/banned.html and either
>
>   a) write it with JavaScript that pulls in the right images/branding based on client IPs.
>
>   deny_info 403:/etc/squid/banned.html blockedsites
>
> ** Like (2) above this can use Squid-IP (via the localip ACL type) if you really have to. But with the same limitation of using different files for branding instead of JavaScript for dynamic sub-resource/image fetching.

As stated earlier, this would leak IP range information.

Feature request:

Can we have the following switch-case in the file errorpage.cc?

Source: https://github.com/squid-cache/squid/blob/master/src/errorpage.cc#L857

Currently case 'I' (capital i) for building_deny_info_url returns the string "[unknown]".

Can it be modified to return the "interface" address? i.e. the same as MYADDR.

I believe it would be just a few (maybe one) line change in code. I can create a PR if required, but can you or someone guide me on how to fetch MYADDR?

After this feature, all I would need to do is:

  deny_info http://%I/banned.html blockedsites

Thank you again for your help.

Amish

> Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
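Amos's "Option 1" above hinges on a helper script that echoes its input back to Squid in the external ACL reply format. The script below is an added example written for this page; it is not code from the thread or from the Squid project. It assumes it is launched from squid.conf as `external_acl_type getIp concurrency=100 %MYADDR /path/to/squid-ip-echo.sh --run` (the `--run` argument is this script's own convention, so that sourcing it for testing does not start the stdin loop), so each request line Squid sends is `<channel-id> <squid-listening-ip>`. Because the `message=` value ends up inside a redirect URL via `%o`, the helper only echoes back a syntactically valid IPv4 address and answers `ERR` for anything else, rather than blindly copying whatever it received.

```shell
#!/bin/sh
# Added example, not from the thread or from Squid itself.
# Squid external ACL helper that echoes the Squid listening address
# (%MYADDR) back as message="...", for use with deny_info ... %o.
# Assumed squid.conf wiring:
#   external_acl_type getIp concurrency=100 %MYADDR /path/to/squid-ip-echo.sh --run
#   deny_info 302:http://%o/banned.html getIp
#   http_access deny blockedsites getIp

# is_ipv4 ADDR: succeed only for four dot-separated decimal octets, each 0..255.
is_ipv4() {
    ip=$1
    # Reject anything that is not digits and dots, or is empty, or has a
    # leading/trailing/doubled dot.
    case "$ip" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    # Split on dots without touching the global IFS; a fifth field means too many octets.
    IFS=. read -r a b c d rest <<EOF
$ip
EOF
    [ -n "$d" ] && [ -z "$rest" ] || return 1
    for octet in "$a" "$b" "$c" "$d"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# reply_for LINE: build the reply for one "<channel-id> <address>" request line.
# A valid address is echoed as message="<address>"; anything else yields ERR so
# nothing unexpected can be spliced into the deny_info redirect URL.
reply_for() {
    line=$1
    channel=${line%% *}
    addr=${line#* }
    if [ "$channel" = "$line" ]; then
        # No space at all, so no address was supplied on this channel.
        printf '%s ERR\n' "$channel"
        return 0
    fi
    if is_ipv4 "$addr"; then
        printf '%s OK message="%s"\n' "$channel" "$addr"
    else
        printf '%s ERR\n' "$channel"
    fi
}

# helper_loop: answer request lines from Squid on stdin until EOF.
helper_loop() {
    while IFS= read -r line; do
        reply_for "$line"
    done
}

# Only enter the stdin loop when started by Squid with --run.
if [ "${1:-}" = "--run" ]; then
    helper_loop
fi
```

With concurrency enabled, Squid prefixes every request with a channel id and expects that id echoed on the reply line, which is why the script keeps the channel and the address separate; the one-line-in, one-line-out loop with no buffering is what lets a single helper process serve the 100 concurrent channels declared in the config.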