Skip to content

CHill's Ramblings

Thoughts, ideas, and other such things I feel like putting here. About basically any topic.

Squid 3.1, mod_python, and how I have fixed my reverse proxy redirects…

Posted on March 29, 2012August 2, 2021 By darkhelm No Comments on Squid 3.1, mod_python, and how I have fixed my reverse proxy redirects…
0 0
Read Time:3 Minute, 42 Second

Ahh squid, how I love to hate to love you… most of the time, you work great for me. But sometimes… grr. Anyway…

So here’s my problem — have squid (3.1.18) being used in both a transparent and reverse proxy configuration (transparent proxy for everything inside my network going out to the internet, reverse proxy to redirect certain CNAME virtual hosts to my various other servers on my network). However, I do not want to permit http traffic to go through the reverse proxy peers, I want everything https. No problem, right? Simple configuration directive for just one of my cache peers:

cache_peer 10.18.75.1 parent 80 0 no-query originserver login=PASS name=xlorep
acl sites_xlorep url_regex ^https://xlorep.darkhelm.org
cache_peer_access xlorep allow sites_xlorep
http_access allow sites_xlorep
acl http_xlorep url_regex ^http://xlorep.darkhelm.org
http_access deny http_xlorep
deny_info https://xlorep.darkhelm.org/ http_xlorep

Basically, it uses a couple regular expressions to figure out when someone is accessing the xlorep.darkhelm.org host. If it is https, it connects to that server. If it is http, if denies access, and sends a HTTP redirect command to send the person to the https equivalent.

Perfectly fine configuration, unless the person wants to, let’s say, go to http://xlorep.darkhelm.org/some/other/path.html. Rather than going to https://xlorep.darkhelm.org/some/other/path.html, the person is sent to https://xlorep.darkhelm.org/. Because squid 3.1 is too dumb to do anything better. For almost every request I use, this is *perfectly fine* — most of my redirects go to sites that all handle themselves in a friendly way to this kind of scenario.

Enter mpd‘s client175, and suddenly this causes a problem. For some reason, client175 likes to send links to the unsecured version of the URL (http rather than https), which gets hosed because of the deny_info redirecting going on in my squid configuration. So… client175 becomes only partway functional. I needed to find some way to properly change the URL to the exact https equivalent of the http url.

Well, I found out that squid 3.2 did exactly that. Oh, other than it being beta software and completely crippling my configuration from the ground up preventing any http to https redirects from happening, even those from the transparent proxy side of things… so… 3.2 didn’t work.

Solution #2 came to me rather simply — I write a simple redirect script that could do the work for me, and put the URL for that in my deny_info directive above. So… after installing mod_python into my in-house apache server (why mod_python? because I like python — same thing for client175, it is a python-based mpd client). So… get mod_python configured with a simple addition to the default site for apache:

<Directory /var/www/py>
AddHandler mod_python .py
PythonHandler mod_python.publisher
PythonDebug On
</Directory>

And then write a simple python script to solve my problem:
from mod_python import apache, util

import re, urllib

def redir(req):
req.log_error('handler')
reqURI = req.unparsed_uri

patt = re.compile(r"^/py/redirect.py/redir?uri=")

reSearch = re.search(patt, reqURI)

oldURL = urllib.unquote(reqURI[reSearch.end():])

newURL = re.sub(r"^http://","https://",oldURL)

# req.content_type = 'text/html'
# req.send_http_header()
# req.write('')
# req.write('' + reqURI + '<br />')
# req.write('' + newURL + '<br />')
# req.write('')
# return apache.OK
return util.redirect(req, newURL)

I configure this to be handled through redirect.darkhelm.org, and it basically translates a given URL parameter from http to https. I can then go back to that squid configuration, and change it as follows:

cache_peer 10.18.75.1 parent 80 0 no-query originserver login=PASS name=xlorep
acl sites_xlorep url_regex ^https://xlorep.darkhelm.org
cache_peer_access xlorep allow sites_xlorep
http_access allow sites_xlorep
acl http_xlorep url_regex ^http://xlorep.darkhelm.org
http_access deny http_xlorep
deny_info https://redirect.darkhelm.org/py/redirect.py/redir?uri=%s http_xlorep

And now, if someone goes to http://xlorep.darkhelm.org/some/other/path.html they get redirected to https://xlorep.darkhelm.org/some/other/path.html — exactly what I want. And it makes client175 work perfectly! As we used to say in the Army, HOOAH! problem solved.

Share

Facebook
Twitter
Pinterest
LinkedIn

About Post Author

darkhelm

chill@darkhelm.org
http://darkhelm.org
Happy
Happy
0 0 %
Sad
Sad
0 0 %
Excited
Excited
0 0 %
Sleepy
Sleepy
0 0 %
Angry
Angry
0 0 %
Surprise
Surprise
0 0 %
Uncategorized

Post navigation

Previous Post: Jonah, Jonah, did not obey God immediately…
Next Post: Music Playlist Generator… or how I like to make things complicated…

Average Rating

5 Star
0%
4 Star
0%
3 Star
0%
2 Star
0%
1 Star
0%
(Add your review)

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Archives

  • October 2021
  • August 2021
  • October 2019
  • November 2018
  • October 2016
  • September 2016
  • November 2015
  • September 2013
  • May 2013
  • October 2012
  • April 2012
  • March 2012
  • December 2010
  • November 2010
  • September 2010
  • August 2010
  • July 2010
  • January 2010

Categories

  • america
  • bitsy
  • blueprints
  • ejb
  • glassfish
  • gwt-syntaxhighlighter
  • jpa
  • jython
  • lies
  • network
  • politics
  • Uncategorized

Recent Posts

  • To Dave Hines, my friend, may you now have the joy you had spread to everyone around you.
  • Router Fun
  • False Peace
  • Moving away from the google universe.
  • The problem with people abusing scripture to attack entertainment

Recent Comments

  1. darkhelm on To Dave Hines, my friend, may you now have the joy you had spread to everyone around you.
  2. Matt Sutton on To Dave Hines, my friend, may you now have the joy you had spread to everyone around you.
  3. Unknown on Jonah, Jonah, did not obey God immediately…
  4. 1seanv on A Christian’s Response To: A Christian’s View of World of Warcraft (published in 2008)
  5. Unknown on Jonah, Jonah, did not obey God immediately…

Copyright © 2023 CHill's Ramblings.

Powered by PressBook WordPress theme