Re: [squid-users] squid support for passing in URLs over HTTP in a URI

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 11 Jan 2010 11:25:32 +1300

Blake Dournaee wrote:
> Hi Amos -
>
> Thanks for your follow-up.
>
> To answer your question on "why" - the reason is because we are iframing
> some content from a partner website and we want to plug-in a high
> performing caching proxy. At the end of the day we'd like to be able to
> say something like <iframe
> src="ourdomain.com:3128/?url=partnerdomain.com/partner-url" /> and have
> squid handle the actual retrieval of the URI. On the server side if
> squid is running we'd like to be able to access it.
>
> Would it be possible to elaborate on the "complicated and fragile"
> configuration option?
>
> Also, can anyone elaborate on how the HTTP request format that the
> browser uses today to pass in the destination URL to retrieve? How is it
> actually done under the covers of the browser today?

When speaking to a proxy browsers send the full "http://domain/path" URI
and don't do any DNS lookups themselves. For web servers they only pass
the path and Host: header for the domain portion and do DNS and security
lookups to ensure the machine they are talking to really is the domain
host wanted.

For what you want to achieve, using Squid as a reverse-proxy with a URL
re-writer would be best.

  * Allocate a specific sub-domain for the partners (ie ads.example.com,
seems to be popular).
  * Add a url_rewrite_program to squid.conf which takes the URI format
you want and strips away your domain name. Returning the partner URL.
  * Add url_rewrite_access and ACLs (acl ads dstdomain ads.example.com)
to catch only the 'ads.example.com' traffic for the re-writer.
  * Add a "http_port 80 accel defaultsite=ads.example.com" to receive
the requests.
  * Add a "always_direct allow ads" to permit the partner traffic to be
relayed (default is to prevent open proxy behavior on accel ports).
  * Set DNS to point 'ads.example.com' at the proxy IP address.
  * Add the links to pages as you want.

It's fragile because:
  * URL re-write only affects the requested URL, not any page URL or
other header URI.
  * The partners can screw you over very easily and unknowingly by
simply using absolute URL in their pages.
  * Malicious outsiders can see the URI syntax and use you as a relay
for their own domains unless you add extra security into the re-writer
to prevent it.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
   Current Beta Squid 3.1.0.15
Received on Sun Jan 10 2010 - 22:25:40 MST
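
The "extra security into the re-writer" point in the reply above, as an added example (not code from the original post or from the Squid project): a url_rewrite_program helper that returns a partner URL only when its host is on an allowlist. It assumes the legacy helper format of the Squid versions named in the signature (one request per line with the URL first, reply is the replacement URL) with helper concurrency off; the allowlist entry and the block-page URL are constructed placeholders.

```python
#!/usr/bin/env python3
import sys
from urllib.parse import urlsplit, parse_qs

FRONT_HOST = "ads.example.com"          # sub-domain from the steps in the post
ALLOWED_HOSTS = {"partnerdomain.com"}   # constructed allowlist of partner hosts
BLOCK_URL = "http://www.example.com/blocked.html"  # hypothetical block page

def _partner_url(request_url):
    """Extract and validate ?url=...; raise ValueError on anything unexpected."""
    req = urlsplit(request_url)
    if req.scheme != "http" or req.hostname != FRONT_HOST:
        raise ValueError("not a front-host request")
    values = parse_qs(req.query).get("url", [])
    if len(values) != 1:
        raise ValueError("need exactly one url parameter")
    target = values[0]
    # parse_qs percent-decodes: a decoded space or newline would inject extra
    # fields or lines into the line-based reply, so allow printable ASCII only.
    if any(not 0x21 <= ord(c) <= 0x7E for c in target) or "\\" in target:
        raise ValueError("unsafe character in target")
    if not target.lower().startswith("http://"):
        target = "http://" + target      # the post's format omits the scheme
    dest = urlsplit(target)
    if "@" in dest.netloc or dest.port not in (None, 80):
        raise ValueError("userinfo or non-default port")
    if dest.hostname not in ALLOWED_HOSTS:   # exact match, no suffix matching
        raise ValueError("host not on the partner allowlist")
    query = "?" + dest.query if dest.query else ""
    return "http://" + dest.hostname + (dest.path or "/") + query

def rewrite(request_url):
    """Return the URL Squid should fetch; fail closed to the block page."""
    try:
        return _partner_url(request_url)
    except ValueError:
        return BLOCK_URL

def main():
    for line in sys.stdin:
        fields = line.split()
        sys.stdout.write((rewrite(fields[0]) if fields else BLOCK_URL) + "\n")
        sys.stdout.flush()               # Squid waits for each reply line

if __name__ == "__main__":
    main()
```

This covers only the requested URL; as the reply notes, absolute URLs inside the partner's pages and other header URIs are not touched by the re-writer.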
