Disable 302 redirect in squid, but only to http://eais.rkn.gov.ru


Igor Rylov
It is known that RosComNadzor is blocking certain domains/IPs.
Often it is blocking by rewriting the URL in place, i.e., when I try to access http(s)://blocked.domain, it changes in the location bar of the browser to http://eais.rkn.gov.ru (RosComNadzor's blocking page) in place, i.e. there is no ability to click the back button to see which URL was blocked. RosComNadzor's blocking page has no mention of what URL was blocked either. When I try to use Firefox's or Chrom(e|ium)'s Developer Tools' Network section on the blocked page to see if I can find out what page was blocked by looking at the Referer param of the HTTP header, it's already too late, because those Network sections don't show anything, because they were not started in advance, before the page was blocked. I have to reload the page in order to see something in that networking section, but I would be reloading the http://eais.rkn.gov.ru page already, not the required URL, and http://eais.rkn.gov.ru doesn't show any Referer in the HTTP header, because it's reloaded in place and did not come from some other page. It's frustrating, because when you have many tabs open, you have no way of knowing which URLs were blocked and no way of recovering the blocked address. squid's access log doesn't help either, because you can't tell for certain that the log entry previous to the log entry with the http://eais.rkn.gov.ru address belongs to the same tab of the browser.

I found out one of the URLs that is being blocked, because it happened in front of my eyes, so I tested it with:
$ curl -v 'http://blocked.domain/'

I got the dump:
---DUMP START---
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0)
> GET http://blocked.domain/ HTTP/1.1
> Host: blocked.domain
> User-Agent: curl/7.47.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 302 Found
< Date: Wed, 11 Sep 2019 08:48:44 GMT
< Content-Length: 205
< Location: http://eais.rkn.gov.ru
< Content-Type: text/html; charset=UTF-8
< X-Cache: MISS from ls02800008008u
< X-Cache-Lookup: MISS from ls02800008008u:3128
< X-Cache: MISS from ws02800008006
< X-Cache-Lookup: MISS from ws02800008006:3128
< X-Cache: MISS from cooldown-nb
< X-Cache-Lookup: MISS from cooldown-nb:3128
< Via: 1.1 ls02800008008u (squid/3.5.12), 1.1 ws02800008006 (squid/3.5.27), 1.1 cooldown-nb (squid/3.5.12)
< Connection: keep-alive
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Found</TITLE></HEAD><BODY>
<H1>302 Found</H1>
The document has moved
<A HREF="http://eais.rkn.gov.ru">here</A>
* Connection #0 to host 127.0.0.1 left intact
---DUMP END---

So there is a 302 redirect that happens automatically.

How do I disable the 302 redirect in squid, but only to the http://eais.rkn.gov.ru address, so that in the browser I see that the page is blocked, but at least I don't lose the information of what page is blocked, because it's not automatically redirected to http://eais.rkn.gov.ru and the location in the browser is showing the original URL?

After I wrote my question, I thought, if it's possible to do it with:

acl sites_blocking_redirect url_regex eais\.rkn\.gov\.ru
reply_header_access Location deny sites_blocking_redirect

Is it a workable or the correct way to do it, so it solves my problem?

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Disable 302 redirect in squid, but only to http://eais.rkn.gov.ru

Amos Jeffries
Administrator
On 12/09/19 7:45 am, Igor Rylov wrote:
> After I wrote my question, I thought, if it's possible to do it with:
>
> acl sites_blocking_redirect url_regex eais\.rkn\.gov\.ru
> reply_header_access Location deny sites_blocking_redirect
>
> Is it a workable or the correct way to do it, so it solves my problem?

It is close. That would stop the Location header getting to the client
Browser. But the 302 status still will, and given that the Browser back
button functionality is not working like it used to (a browser bug?),
the full result may still not be worth it.

I would use the http_reply_access to deny instead. That way the client
gets a 403 status from Squid and definitely none of the upstream's redirect.

If you want to be more fancy than 403, the current Squid can attach a
deny_info to the ACL to make the denial have 451 status with custom
template page explaining the block to any user that sees it.
 (Which is what your upstream should have been doing.)

Amos

Re: Disable 302 redirect in squid, but only to http://eais.rkn.gov.ru

Alex Rousskov
On 9/12/19 1:25 AM, Amos Jeffries wrote:
> On 12/09/19 7:45 am, Igor Rylov wrote:
>> After I wrote my question, I thought, if it's possible to do it with:
>>
>> acl sites_blocking_redirect url_regex BLOCKER
>> reply_header_access Location deny sites_blocking_redirect
>>
>> Is it a workable or the correct way to do it, so it solves my problem?

> It is close. That would stop the Location header getting to the client

The url_regex ACL matches the request URL, and the request URL is not
BLOCKER in this example. I would use the rep_header ACL instead.

Alex.


> Browser. But the 302 status still will, and given that the Browser back
> button functionality is not working like it used to (a browser bug?),
> the full result may still not be worth it.
>
> I would use the http_reply_access to deny instead. That way the client
> gets a 403 status from Squid and definitely none of the upstream's redirect.
>
> If you want to be more fancy than 403, the current Squid can attach a
> deny_info to the ACL to make the denial have 451 status with custom
> template page explaining the block to any user that sees it.
>  (Which is what your upstream should have been doing.)
>
> Amos
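
The two replies above, combined into one squid.conf fragment. This is an added example, not configuration posted in the thread or shipped by the Squid project. The ACL names and the ERR_RKN_BLOCKED template file are hypothetical; the directives are the ones the replies name, plus http_status to limit the match to the 302 seen in the curl dump.

```squidconf
# Added example. Place in the squid.conf of the proxy the browser talks to
# (127.0.0.1:3128 in the curl dump above).

# rep_header tests a *response* header, so this matches the upstream's
# "Location: http://eais.rkn.gov.ru" no matter which URL was requested.
# (url_regex tests the request URL, which is the blocked site, not the
# blocking page, so it never matches here.)
acl rkn_location rep_header Location -i ^http://eais\.rkn\.gov\.ru

# Only act on the redirect status shown in the dump.
acl is_302 http_status 302

# Optional: answer with 451 and a custom page instead of the default 403.
# ERR_RKN_BLOCKED is a hypothetical template you create in Squid's error
# page directory; %U inside the template expands to the requested URL.
deny_info 451:ERR_RKN_BLOCKED rkn_location

# deny_info is looked up for the last ACL on the matching deny line,
# so rkn_location is listed last.
http_reply_access deny is_302 rkn_location
http_reply_access allow all

# Check after "squid -k reconfigure":
#   curl -v -x 127.0.0.1:3128 'http://blocked.domain/'
# Expected: a 451 status (403 without the deny_info line) generated by
# Squid and no Location header, so the browser keeps the original URL.
```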