1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21">
<TITLE>SQUID Frequently Asked Questions: Redirectors</TITLE>
<LINK HREF="FAQ-16.html" REL=next>
<LINK HREF="FAQ-14.html" REL=previous>
<LINK HREF="FAQ.html#toc15" REL=contents>
</HEAD>
<BODY>
<A HREF="FAQ-16.html">Next</A>
<A HREF="FAQ-14.html">Previous</A>
<A HREF="FAQ.html#toc15">Contents</A>
<HR>
<H2><A NAME="s15">15.</A> <A HREF="FAQ.html#toc15">Redirectors</A></H2>
<H2><A NAME="ss15.1">15.1</A> <A HREF="FAQ.html#toc15.1">What is a redirector?</A>
</H2>
<P>Squid has the ability to rewrite requested URLs. Implemented
as an external process (similar to a dnsserver), Squid can be
configured to pass every incoming URL through a <EM>redirector</EM> process
that returns either a new URL, or a blank line to indicate no change.</P>
<P>The <EM>redirector</EM> program is <B>NOT</B> a standard part of the Squid
package. However, some examples are provided below, and in the
"contrib/" directory of the source distribution. Since everyone has
different needs, it is up to the individual administrators to write
their own implementation.</P>
<H2><A NAME="ss15.2">15.2</A> <A HREF="FAQ.html#toc15.2">Why use a redirector?</A>
</H2>
<P>A redirector allows the administrator to control the locations to which
his users goto. Using this in conjunction with interception proxies
allows simple but effective porn control.</P>
<H2><A NAME="ss15.3">15.3</A> <A HREF="FAQ.html#toc15.3">How does it work?</A>
</H2>
<P>The redirector program must read URLs (one per line) on standard input,
and write rewritten URLs or blank lines on standard output. Note that
the redirector program can not use buffered I/O. Squid writes
additional information after the URL which a redirector can use to make
a decision. The input line consists of four fields:
<PRE>
URL ip-address/fqdn ident method
</PRE>
</P>
<H2><A NAME="ss15.4">15.4</A> <A HREF="FAQ.html#toc15.4">Do you have any examples?</A>
</H2>
<P>A simple very fast redirector called
<A HREF="http://squirm.foote.com.au/">SQUIRM</A> is a good place to
start, it uses the regex lib to allow pattern matching.</P>
<P>Also see
<A HREF="http://ivs.cs.uni-magdeburg.de/%7eelkner/webtools/jesred/">jesred</A>.</P>
<P>The following Perl script may also be used as a template for writing
your own redirector:
<PRE>
#!/usr/local/bin/perl
$|=1;
while (<>) {
s@http://fromhost.com@http://tohost.org@;
print;
}
</PRE>
</P>
<H2><A NAME="ss15.5">15.5</A> <A HREF="FAQ.html#toc15.5">Can I use the redirector to return HTTP redirect messages?</A>
</H2>
<P>Normally, the <EM>redirector</EM> feature is used to rewrite requested URLs.
Squid then transparently requests the new URL. However, in some situations,
it may be desirable to return an HTTP "301" or "302" redirect message
to the client. This is now possible with Squid version 1.1.19.</P>
<P>Simply modify your redirector program to prepend either "301:" or "302:"
before the new URL. For example, the following script might be used
to direct external clients to a secure Web server for internal documents:
<PRE>
#!/usr/local/bin/perl
$|=1;
while (<>) {
@X = split;
$url = $X[0];
if ($url =~ /^http:\/\/internal\.foo\.com/) {
$url =~ s/^http/https/;
$url =~ s/internal/secure/;
print "302:$url\n";
} else {
print "$url\n";
}
}
</PRE>
</P>
<P>Please see sections 10.3.2 and 10.3.3 of
<A HREF="ftp://ftp.isi.edu/in-notes/rfc2068.txt">RFC 2068</A>
for an explanation of the 301 and 302 HTTP reply codes.</P>
<H2><A NAME="redirectors-exit"></A> <A NAME="ss15.6">15.6</A> <A HREF="FAQ.html#toc15.6">FATAL: All redirectors have exited!</A>
</H2>
<P>A redirector process must exit (stop running) only when its
<EM>stdin</EM> is closed. If you see
the ``All redirectories have exited'' message, it probably means your
redirector program has a bug. Maybe it runs out of memory or has memory
access errors. You may want to test your redirector program outside of
squid with a big input list, taken from your <EM>access.log</EM> perhaps.
Also, check for
<A HREF="FAQ-11.html#coredumps">coredump</A> files from the redirector program.</P>
<H2><A NAME="ss15.7">15.7</A> <A HREF="FAQ.html#toc15.7">Redirector interface is broken re IDENT values</A>
</H2>
<P><I>I added a redirctor consisting of</I>
<PRE>
#! /bin/sh
/usr/bin/tee /tmp/squid.log
</PRE>
<I>and many of the redirector requests don't have a username in the
ident field.</I></P>
<P>Squid does not delay a request to wait for an ident lookup,
unless you use the ident ACLs. Thus, it is very likely that
the ident was not available at the time of calling the redirector,
but became available by the time the request is complete and
logged to access.log.</P>
<P>If you want to block requests waiting for ident lookup, try something
like this:
<PRE>
acl foo ident REQUIRED
http_access allow foo
</PRE>
</P>
<HR>
<A HREF="FAQ-16.html">Next</A>
<A HREF="FAQ-14.html">Previous</A>
<A HREF="FAQ.html#toc15">Contents</A>
</BODY>
</HTML>
|
