D90 Tools & Techniques

"So I can remember how I did stuff in the future…"

• Home
• About

Topics

• Auditing
• General Security
• Linux
• Networking
• Sysadmin Tools
• Uncategorized
• Web Hosting Tools
  • Lighttpd
  • Squid
• Windows

Archives

• November 2010
• October 2010
• February 2010
• January 2010
• December 2009
• October 2009
• September 2009
• August 2009
• July 2009
• June 2009
• May 2009
• March 2009
• February 2009
• December 2008
• November 2008
• October 2008
• July 2008
• May 2008
• April 2008
• January 2008
• December 2007
• October 2007
• September 2007

Handy References

• (Draft)
• SED One Liners
• Advanced Bash
• Advaned Bash (D90 Archive)
• ASCII Table
• Windows ALT Codes
• XHTML Codes
• CSS Codes
• SQL Reference
• Country / Language Codes
• CISCO IOS Reference

Search

Quick Reference Posts

• Favorite Commands
• Terms & Speeds
• Pre-press & Media
• Security Articles

Handy Services

• Whois
• IP Lookup
• MAC Address Lookup
• DIG
• Internet Traceroute
• MX Record Lookup
• File Transfer Speed
• Mac Address Lookup
• chmod calculator
• Internet Latency
• Akami Internet Visualization
• Unit Convertor
• Reverse Hash Database

Some Favorite Sites

• Schneier on Security
• Krebs on Security
• MalwareInt Blog
• CSO Online
• The Register
• Internet Storm Center
• Chronology of Data Breaches
• SANS Forensics Blog

More Favorite Posts

• Baloney Detector
• Default Passwords
• Data Center Naming
• Whole Building Design Guide

How do I do that again?

• Interpreting TOP
• Yahoo's Website Optimization Rules

Security Resources

• Professional Security Testers
• Open Source Security Test Methodology
• ISO 17799
• NIST Security Assessment Framework
• CERT OCTAVE Assessment Framework
• NSA System Hardening Guidelines
• Microsoft Baseline Security Analyzer, Other Tools, and Frameworks
• WebGoat Web Vulnerability Practice
• OWASP Web Application Vulnerabilities
• CyberCrime.gov Updated list of incidents
• Information Systems Audit Methodology
• Terry Ritter's Guideline for safe PC Banking
• Open Source Forensics

Forensic Resources

• Sleuth Kit

More Security Resources

• Typo Squatting

« Lighttpd, virtual hosts, alternative ports | Main | Elastifox & FirefoxPortable »

Squid handling http –> https redirects

By Matt | May 29, 2009

In configuring Squid to handle both our port 80 and 443 traffic, we have the issue that we can use redirects at the webserver level to redirect certain pages to https:// .

So this is handled in Squid.

First, make a simple script.  There’s a possibility another redirector like Squirm might do a better job, but I haven’t played with them.

!/usr/bin/perl
$|=1;
while (<>) {
s@http://www7.getmiro.(com|net|org)/adopt(.*)$@301:https://www7.getmiro.com/adopt$2@;
print;
}

Saved at /etc/squid3/squid_redirector.pl and chown/chmod so the user “proxy” that squid runs under can run it.  Your path, of course, may vary.

The key part for what we need is that we pre-pend “301″ before https:  in the rewrite.  When this is returned to the user’s browser it redirects them to the secure page.  This script also takes anything at com, net, or org and forces them to a tld of .com as well.

It’s easy to test this perl script.  Simply type ./squid_redirector.pl which launches it interactively.

# ./squid_redirector.pl
http://www7.getmiro.com/foo

http://www7.getmiro.com/foo

http://www7.getmiro.com/adopt/test
301:https://www7.getmiro.com/adopt/test
http://www7.getmiro.net/adopt/matt/is/an/evil/genius
301:https://www7.getmiro.com/adopt/matt/is/an/evil/genius

Next, tell Squid to use it.  We need to enable these lines in the squid.conf file:

url_rewrite_program /etc/squid3/squid_redirector.pl
url_rewrite_children 10
url_rewrite_host_header off
url_rewrite_bypass on

The first line tells Squid what to use to rewrite URLs, the second tells it to spawn 10 instances on startup.  I’m not sure, in the end, if host_header needs to be off.  url_rewrite_bypass on allows Squid to skip the re-writing step if all the redirectors are busy.  That’s a decision knowing our security risks, users, and needs — and I’m going with more reliability over absolute security.  We’ll should see skips showing up in the logs and adjust settings from there if necessary.

Restart Squid, give it a test.  Famous last words — it should work now.

References:

http://wiki.squid-cache.org/Features/Redirectors

http://brainextender.blogspot.com/2009/01/simple-squid-redirector-perl-script.html

Topics: Linux, Squid, Sysadmin Tools | No Comments »

Comments

You must be logged in to post a comment.

D90 Tools & Techniques is proudly powered by WordPress - Designed by RFDN
Entries (RSS) and Comments (RSS)