On 01/05/18 19:44, Amish wrote:
> Hello,
>
> First of all, thanks a lot for taking your time out for replying to my query.
>
> My replies are inline.
>
> On Tuesday 01 May 2018 09:10 AM, Amos Jeffries wrote:
>> On 01/05/18 00:54, Amish wrote:
>>> Hello
>>>
>>> I have 2 LAN interfaces on the squid box, say department A (192.168.1.1/24)
>>> and department B (192.168.2.1/24).
>>>
>>> I have a few banned sites. Say Facebook.
>>>
>>> I have an HTTP server (running on the same server as squid) which shows custom
>>> pages with a custom logo based on IP address.
>>>
>>> When a request comes for a banned site I would like the client to be
>>> redirected based on squid's own IP.
>> Firstly, is there any particular reason you are requiring it to be a
>> redirect?
>> From what you have said it appears you can achieve the same outcome
>> without the extra web server by using a custom error page.
>
> No, I can't use a custom error page as Javascript will leak the IP range of
> department A to department B.
> (I had simplified my example, it's actually two companies and not two
> departments; in fact I have 4-5 companies/subnets.)
>
>> Thirdly, on the issue of %h - the Squid hostname is *required* to
>> resolve in DNS explicitly so clients can access things like these URLs.
>> If your network and DNS is configured correctly each client subnet
>> should resolve that hostname to the relevant IP which you are trying to
>> "pass" to the web server in your redirect URL. So they will naturally
>> (and only) connect to the web server (or Squid itself) using the right
>> IP anyway - the web server should be able to detect what it needs from
>> its own inbound TCP/IP connection instead of using raw-IPs in the traffic.
>>
> Some companies use OpenDNS, others Cloudflare, others Google etc.
>
> So DNS will not resolve the hostname to the same as %MYADDR.

I suspect something is going screwy there. How are these clients getting
to the proxy if they resolve its name to a different IP than they connect
to?

>
>> There are three options available to work around broken DNS:
>>
>>
>> Option 1) to do exactly (and only) what you asked for.
>>
>> Currently this can be done with an external helper:
>>
>>   external_acl_type getIp concurrency=100 %MYADDR /path/to/script
>>   deny_info 302:http://%et/banned.html getIp
>>
>> where the script just echos back to Squid the IP it was given like so:
>>   [channel-id] OK message="<input-IP>"\n
>>
>
> Based on the documentation of FORMAT for deny_info, I think you mean %o and
> not %et

Ah, yes. Sorry. Getting my legacy formats mixed up.

>
> Also will this "message" be available if I change my http_access line to:
>   deny_info 302:http://%o/banned.html blockedsites
>   http_access deny blockedsites getIp
>
> will "message" of getIp be available to deny_info of blockedsites?

The message will persist as an annotation in the transaction, but only
from the point the external ACL is tested. So the deny_info has to be
attached to the external ACL or something following it.

Also, deny_info only works if it is attached to the *last* ACL named on a
line. So:

  deny_info 302:http://%o/banned.html getIp
  http_access deny blockedsites getIp

or,

  deny_info 302:http://%o/banned.html blockedsites
  http_access deny getIp blockedsites

or,

  deny_info 302:http://%o/banned.html blockedsites
  http_access deny getIp !all
  ...
  http_access deny blockedsites

should work, but other orderings do not.

>
> I will give this a try, however please see the end of the e-mail for
> a feature request.
>
>> Option 2) to use the client IP and have your web server respond based on
>> those subnets instead of Squid IP.
>>
>>   acl clients1 src 192.168.1.0/24
>>   deny_info 302:http://%h/banned.html?%i clients1
>>   http_access deny blockedsites clients1
>>
>>   acl clients2 src 192.168.2.0/24
>>   deny_info 302:http://%h/banned.html?%i clients2
>>   http_access deny blockedsites clients2
>>
>>
>> ** If you really *have* to use Squid-IP, this can work with localip ACL
>> type instead of src. But then you have to bake each Squid-IP variation
>> into the deny_info URL instead of using %i.
>>
>
> I will have to do this for each company. But I would like to keep
> squid.conf simple and minimal.
>
>>
>> Option 3) to use a custom error page instead of a redirect.
>>
>> Place your banned.html page into /etc/squid/banned.html and either a)
>> write it with javascripts that pull in the right images/branding based
>> on client IPs.
>>
>>   deny_info 403:/etc/squid/banned.html blockedsites
>>
>> ** Like (2) above this can use Squid-IP (via localip ACL type) if you
>> really have to. But with the same limitation of using different files
>> for branding instead of javascript for dynamic sub-resource/image fetching.
>
> As stated earlier, this would leak IP range information.
>
>
> Feature request:
> Can we have the following switch-case in file errorpage.cc?
>
> Source:
> https://github.com/squid-cache/squid/blob/master/src/errorpage.cc#L857
>
> Currently case 'I' (capital i) for building_deny_info_url returns the string
> "[unknown]"
>
> Can it be modified to return the "interface" address? i.e. the same as MYADDR
>
> I believe it would be just a few (maybe one) line change in code.
>
> I can create a PR if required but can you or someone guide me on how to
> fetch MYADDR?

A PR is welcome, but re-using a %macro which already has a different
definition will add problems in the long-term plan of conversion to
logformat %macro codes. So picking a letter that has not yet been used for
anything would be best.

The Squid IP:port on client requests should be available to that code as
request->masterXaction->tcpClient->local , the request and tcpClient
pointers may be nil since not all transactions have a client or the error
may be about the lack of an HTTP request on the TCP connection.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
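An added example, not part of the thread or of Squid itself: a Python version of the Option 1 helper (the `/path/to/script` in the `external_acl_type getIp` line), assuming the concurrency line protocol of `<channel-id> <MYADDR>` in and `<channel-id> OK message="..."` out. Because the echoed value lands in the 302 Location built from `%o`, it only echoes back what parses as a bare IP address, and brackets IPv6 literals so the URL stays well-formed.

```python
#!/usr/bin/env python3
"""Hypothetical Squid external ACL helper for the Option 1 setup in the thread:

    external_acl_type getIp concurrency=100 %MYADDR /path/to/script
    deny_info 302:http://%o/banned.html getIp

With concurrency=N Squid writes one "<channel-id> <MYADDR>" line per lookup
and expects "<channel-id> OK ..." or "<channel-id> ERR ..." back (assumed
helper protocol). The message= value is what %o substitutes into the URL.
"""
import ipaddress
import sys
from typing import Optional


def format_host(addr: str) -> Optional[str]:
    """Return addr as a URL host literal, or None if it is not a bare IP.

    Only a parsed IP address is echoed back, so nothing other than an
    address can end up in the Location header Squid builds from %o.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    # An IPv6 literal must be bracketed inside a URL authority (RFC 3986).
    return f"[{ip}]" if ip.version == 6 else str(ip)


def handle_line(line: str) -> str:
    """Build the helper reply for one request line from Squid."""
    parts = line.split()
    if not parts:
        return "ERR"  # empty line: no channel id to answer on
    channel = parts[0]
    host = format_host(parts[1]) if len(parts) > 1 else None
    if host is None:
        return f"{channel} ERR"
    return f'{channel} OK message="{host}"'


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply; never leave it buffered


if __name__ == "__main__":
    main()
```

An ERR reply means getIp does not match, so with `http_access deny blockedsites getIp` alone the request would fall through to later rules; the third ordering above (a separate `http_access deny blockedsites` after `http_access deny getIp !all`) keeps the block in place even then.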