Squid redirector

Written in vi editor

A Squid proxy server redirector replaces certain URLs with others. It can therefore be used as an ad-blocker, speeding up page loads and reducing tracking. It can also be used to block malicious scripts.

Squid redirector with RBL support

This redirector matches URLs against entries in a file. It can match against the beginning of a URL, the end of a URL and a sub-string of a URL.
It can also look up host-names and IP addresses in DNS-based blacklists or RBLs.
Keep in mind that this will lead to false positives. Often there are many websites sharing the same IP address(es). Blacklisting a single IP address will block access to all of those sites, including those which are not malicious.

Version

Current version is: 2021-07-19 19:10:51 UTC (I'm too lazy to make up version numbers).

Files

/etc/sredir/

Directory for conf files.

sredir.conf

checkaddr
Optional. 'checkaddr on' will look up IP addresses in hosts.deny. See Host ACL examples below.
debug
Optional. 'debug on' will enable debugging.
redirurl
Mandatory. Syntax:
redirurl URL
The redirurl is the URL the redirector redirects to. Usually a link to a small transparent GIF. E.G.;
redirurl http://www.example.org/images/transparant.gif
This won't work for HTTPS: The browser will complain. The site still gets blocked though.
tolow
Optional. 'tolow on' will convert hostnames to lower case. In case of non-ASCII, UTF-8 is assumed.
dnsbl
Optional. Syntax;
dnsbl mode name
E.G.;
dnsbl 4 blacklist.example.net
dnsbl mode

A value between 1 and 15. It's an OR of;

Mode  Check                  Type
1     Check host-name        Domain
2     If alias, check CNAME  Domain
4     Check IP address(es)   Address
8     Log TXT record

Most RBLs list either IP addresses or domains/hostnames. Domain/hostname blacklists are also known as RHSBL. Don't get them mixed up!
Below some Lookup examples;

Host or IP       Type     Modes      Lookup
www.example.org  Domain   1-3, 9-11  www.example.org.blacklist.example.net
192.168.2.1      Address  4, 12      1.2.168.192.blacklist.example.net
2001:db8:2::1    Address  4, 12      1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.8.b.d.0.1.0.0.2.blacklist.example.net
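As an added example (not code from rblsredir.c), the function below builds the lookup names shown in the table for a host-name, an IPv4 address or an IPv6 address, and a second function tells whether a list configured with a given dnsbl mode is consulted for that kind of lookup. The function and macro names are assumed; the nibble-reversal for IPv6 is the usual DNSBL convention and matches the table.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* dnsbl mode bits from the table above (names assumed, not from the source) */
#define RSD_MODE_HOST   1   /* check host-name       (domain lookup)  */
#define RSD_MODE_CNAME  2   /* if alias, check CNAME (domain lookup)  */
#define RSD_MODE_ADDR   4   /* check IP address(es)  (address lookup) */
#define RSD_MODE_TXT    8   /* log TXT record                         */

enum { LKP_DOMAIN = 0, LKP_ADDRESS = 1 };

/* Build "<reversed-address-or-host>.<list>" into out. Returns the lookup
 * type (LKP_DOMAIN or LKP_ADDRESS), or -1 when out is too small. */
int rbl_query_name(const char *host, const char *list, char *out, size_t outlen)
{
    unsigned char a4[4], a6[16];
    char rev[72];                 /* IPv6: 32 nibbles * "x." = 64 chars + NUL */
    int n;

    if (inet_pton(AF_INET, host, a4) == 1) {
        /* IPv4: octets in reverse order, 192.168.2.1 -> 1.2.168.192 */
        snprintf(rev, sizeof rev, "%u.%u.%u.%u", (unsigned)a4[3],
                 (unsigned)a4[2], (unsigned)a4[1], (unsigned)a4[0]);
    } else if (inet_pton(AF_INET6, host, a6) == 1) {
        /* IPv6: every hex nibble, least significant first, "::" expanded */
        size_t pos = 0;
        for (int i = 15; i >= 0; i--)
            pos += (size_t)snprintf(rev + pos, sizeof rev - pos, "%x.%x.",
                                    (unsigned)(a6[i] & 0x0f), (unsigned)(a6[i] >> 4));
        rev[pos - 1] = '\0';      /* drop the trailing dot */
    } else {
        /* not an address: RHSBL lookup of the host-name itself */
        n = snprintf(out, outlen, "%s.%s", host, list);
        return (n < 0 || (size_t)n >= outlen) ? -1 : LKP_DOMAIN;
    }
    n = snprintf(out, outlen, "%s.%s", rev, list);
    return (n < 0 || (size_t)n >= outlen) ? -1 : LKP_ADDRESS;
}

/* Would a list configured with 'mode' be queried for this lookup type?
 * Bit 2 only matters for names reached through a CNAME; bit 8 affects
 * logging only, so it never selects a lookup by itself. */
int rbl_mode_wants(int mode, int type)
{
    if (type == LKP_ADDRESS)
        return (mode & RSD_MODE_ADDR) != 0;
    return (mode & (RSD_MODE_HOST | RSD_MODE_CNAME)) != 0;
}
```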

You can use multiple blacklists (one entry per line).
Below more info;

Some DNS based blacklists have ridiculously low negative cache TTL times. You may want to force these higher. In Bind config;

min-ncache-ttl 60;

Configuring a lot of blacklists may slow down surfing due to extensive lookups.

ACL files

hosts.allow  Whitelisted hosts
hosts.deny   Blacklisted hosts
urls.allow   Whitelisted URLs
urls.deny    Blacklisted URLs

The ACLs are checked in the above order and before the RBLs. The program stops checking at the first match.
Not all ACL files need to exist. The software will complain about not being able to open and read a missing file, but it will work anyway.

ACL file syntax
Grep        This program
^Foobar$    Foobar
^Foobar     Foobar*
Foobar$     *Foobar
.*Foobar.*  *Foobar*
Foobar      Foobar*
            *Foobar
            *Foobar*

Note: This behaviour is different from version '2021-01-06 15:49:08 UTC' and older! If you want the old behaviour, uncomment the line '#define USE_OLD_ACL 1'.

The maximum line length is 4094 bytes (4095 including newline). The software uses a linear search, so you can use any order.

Host ACL examples
ad.doubleclick.net Matches any URL with host-name 'ad.doubleclick.net'.
*.doubleclick.net Matches any URL with host-name in the 'doubleclick.net' domain.
*doubleclick* Matches any URL with host-name which contains the string 'doubleclick'.

You can put IP addresses in the host ACL files if you like. The software however, will not look up hostnames in order to see if their IP addresses are in hosts.allow.
It does look up CNAMEs to see if they are in hosts.deny, provided there is at least one RBL defined. This check is always on, independent of dnsbl mode.
With 'checkaddr on' in the config file it will also look up IP addresses in hosts.deny (provided there is at least one RBL defined). Below some examples;

CIDR             This program
192.168.2.0/24   192.168.2.*
192.168.2.0/23   192.168.2.*
                 192.168.3.*
2001:db8:2::/48  2001:db8:2:*

If you want your own IP address based RBL, see 'Convert blacklists into zone files' below.

URL ACL examples
http://ad.doubleclick.net/* Matches any URL that begins with 'http://ad.doubleclick.net/'.
*count.gif Matches any URL that ends in 'count.gif'.
*doubleclick* Matches any URL that contains 'doubleclick'.

In case of HTTPS, Squid passes the host-name to the redirector, not the URL, so the URL ACLs aren't used.
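The ACL syntax table and the host and URL ACL examples above, as an added example that is not the redirector's own code: a matcher with the four pattern forms (exact, 'Foobar*', '*Foobar', '*Foobar*') and a decision function that walks the four files in the documented order, stopping at the first match and skipping the URL ACLs when only a host-name is available. The ACL contents are constructed here and the function names are assumed.

```c
#include <string.h>

/* Constructed ACL contents, one pattern per line as in the four files */
static const char *const hosts_allow[] = { "www.example.org" };
static const char *const hosts_deny[]  = { "ad.doubleclick.net", "*.doubleclick.net", "192.168.2.*" };
static const char *const urls_allow[]  = { "http://www.example.com/images/*" };
static const char *const urls_deny[]   = { "*count.gif", "*doubleclick*" };
#define N(a) (sizeof (a) / sizeof (a)[0])

enum { ACL_NOMATCH = 0, ACL_ALLOW = 1, ACL_DENY = 2 };

/* Match per the ACL file syntax table: a leading '*' allows anything before,
 * a trailing '*' anything after, no '*' means an exact match. */
int acl_match(const char *pat, const char *s)
{
    size_t plen = strlen(pat), slen = strlen(s);
    int lead  = plen > 0 && pat[0] == '*';
    int trail = plen > 1 && pat[plen - 1] == '*';    /* "*" alone counts as lead */
    const char *core = pat + lead;
    size_t clen = plen - lead - trail;

    if (clen > slen) return 0;
    if (!lead && !trail) return strcmp(pat, s) == 0;              /* Foobar   */
    if (!lead)  return strncmp(core, s, clen) == 0;                /* Foobar*  */
    if (!trail) return strcmp(core, s + slen - clen) == 0;         /* *Foobar  */
    for (size_t i = 0; i + clen <= slen; i++)                       /* *Foobar* */
        if (memcmp(s + i, core, clen) == 0) return 1;
    return 0;
}

/* Linear search, first match wins, so the order inside a file does not matter */
static int acl_find(const char *const *list, size_t n, const char *s)
{
    for (size_t i = 0; i < n; i++)
        if (acl_match(list[i], s)) return (int)i;
    return -1;
}

/* The four files in the documented order, stopping at the first match. For
 * HTTPS Squid passes only the host-name, so url is NULL and the URL ACLs are
 * skipped. The RBLs would only be consulted on ACL_NOMATCH. */
int acl_decide(const char *host, const char *url)
{
    if (acl_find(hosts_allow, N(hosts_allow), host) >= 0) return ACL_ALLOW;
    if (acl_find(hosts_deny,  N(hosts_deny),  host) >= 0) return ACL_DENY;
    if (url == NULL) return ACL_NOMATCH;
    if (acl_find(urls_allow,  N(urls_allow),  url) >= 0) return ACL_ALLOW;
    if (acl_find(urls_deny,   N(urls_deny),   url) >= 0) return ACL_DENY;
    return ACL_NOMATCH;
}
```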

Remarks

/var/local/log/squid/

Directory for log files. The directory has to be writable by the Squid process owner.

sredir.log

Format;
epoch.ms pid blocked_host_or_ip blacklist A lookup TXT

epoch
Number of seconds since the 1st of January 1970 00:00:00 UTC.
ms
Milliseconds.
pid
Process ID of redirector. Squid may spawn several. This way you can tell their log entries apart.
blocked_host_or_ip
Host-name or IP address of blocked website.
blacklist
The blacklist that blocked it.
'local' in case of local deny-list.
A
RBLs return an IP address just above 127.0.0.1. E.G.: 127.0.0.2.
'-' in case of local deny-list.
lookup
The actual lookup that resulted in the above IP address.
'hosts.deny' or 'urls.deny' in case of local deny-list.
TXT
TXT record for the same lookup. Usually a link to a web-page explaining why this IP address is blacklisted.
'-' in case of local deny-list.
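A parser for the sredir.log format described above, added here as an example rather than taken from the redirector: it splits a line into the documented fields, takes TXT as the rest of the line (a TXT record may contain spaces), and flags entries whose A value is not just above 127.0.0.1, which is what a misbehaving list would produce. The sample lines are constructed and the names are assumed.

```c
#include <stdio.h>
#include <string.h>

struct sredir_entry {
    long epoch; int ms, pid;
    char host[256], blacklist[256], a[64], lookup[512], txt[512];
    int local;   /* 1 for a hosts.deny/urls.deny hit, 0 for an RBL hit */
};

/* Parse one sredir.log line; TXT is the rest of the line because a TXT
 * record may contain spaces. Returns 1 on success, 0 when malformed. */
int sredir_parse(const char *line, struct sredir_entry *e)
{
    int off = -1;
    if (sscanf(line, "%ld.%3d %d %255s %255s %63s %511s%n", &e->epoch, &e->ms,
               &e->pid, e->host, e->blacklist, e->a, e->lookup, &off) != 7 || off < 0)
        return 0;
    while (line[off] == ' ' || line[off] == '\t') off++;
    snprintf(e->txt, sizeof e->txt, "%s", line + off);
    e->txt[strcspn(e->txt, "\r\n")] = '\0';
    if (e->txt[0] == '\0') return 0;          /* TXT field is always present */
    e->local = strcmp(e->blacklist, "local") == 0;
    return 1;
}

/* An RBL answer is expected just above 127.0.0.1 (127.0.0.x); anything else
 * means the list is misbehaving and the entry deserves a look. Local hits
 * carry '-' instead of an address. */
int sredir_answer_plausible(const struct sredir_entry *e)
{
    return e->local ? strcmp(e->a, "-") == 0 : strncmp(e->a, "127.", 4) == 0;
}

/* Constructed sample lines, not real log output; the third one carries an
 * answer outside 127/8 on purpose and the last one is malformed. */
static const char *const sample_log[] = {
    "1626721851.042 12345 ad.doubleclick.net local - hosts.deny -",
    "1626721851.417 12345 www.example.org blacklist.example.net 127.0.0.2 "
        "www.example.org.blacklist.example.net http://blacklist.example.net/why?www.example.org",
    "1626721852.003 12346 192.0.2.10 blacklist.example.net 10.9.8.7 10.2.0.192.blacklist.example.net -",
    "garbage line",
};
```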

Before log-file rotation you need to reload Squid. This will kill the redirectors and close the logfile.

Download

Source

rblsredir.c
For TXT look-ups to work you need to remove the comment at '#define RSD_TXT_LKP 1'. If you do this you need to compile with -lresolv;

~$ cc -O2 -Wall -o rblsredir rblsredir.c -lresolv

The maximum number of RBLs is eight. If you want more you need to increase the number next to '#define RSD_MAXLISTS'.
Put the binary in /usr/local/sbin/ (or /usr/sbin/ if you prefer).

Some compilers may issue a warning;

rblsredir.c:794:2: warning:
'strncpy' output may be truncated copying between 0 and 4095 bytes from a string of length 4095 [-Wstringop-truncation]
 strncpy(str, line, chrcnt);
 ^~~~~~~~~~~~~~~~~~~~~~~~~~

This is no cause for alarm.

Man pages

Put 'rblsredir.8' in /usr/local/share/man/man8/ and the rest in /usr/local/share/man/man5/ (or /usr/share/man/man8/ and /usr/share/man/man5/ if you prefer) and gzip them. It's probably a nice idea to create symlinks from 'sredir_acls.5.gz' to 'urls.allow.5.gz' and 'urls.deny.5.gz'. Do not link to 'hosts.allow.5.gz' or 'hosts.deny.5.gz'. These already point to libwrap's 'hosts_access.5.gz'!

Tar

Tar of source and man pages: rblsredir.tar.gz.

Convert blacklists into zone files

The Spamhaus DROP (Don't Route Or Peer, Requires JavaScript and cookies) list consists of a number of files in network/netmask format. They are meant to be part of a firewall. You can, however, convert them into a blacklist zone file instead.
The stuff below does this for you;

get-dnsbl.sh
Script that does most of the work. Edit to suit your needs.
local-rbl-head
Header for Bind style zone file. Edit to suit your needs.
procdrop.c
Program that generates the zone file entries.
The '-t' option adds TXT records.

You can add your own entries if you want.
E.G.;

malice.example.com	IN	A	127.0.0.2