A Squid proxy server redirector replaces certain URLs with others. It can therefore be used as an ad-blocker, speeding up page loads and reducing tracking. It can also be used to block malicious scripts. Here is a list of Squid related redirector software.
This redirector matches URLs against entries in a file. It can match against the beginning of a URL, the end of a URL and a sub-string of a URL.
It can also look up host-names and IP addresses in DNS-based blacklists (RBLs).
Keep in mind that IP address lookups can lead to false positives: many websites often share the same IP address(es), so blacklisting a single IP address blocks access to all of those sites, including those which are not malicious.
Current version is: 2021-07-19 19:10:51 UTC (I'm too lazy to make up version numbers).
Directory for conf files.
A value between 1 and 15. It's an OR of;
|Bit||Meaning||Blacklist type|
|2||If alias, check CNAME||Domain|
|4||Check IP address(es)||Address|
|8||Log TXT record|
Most RBLs list either IP addresses or domains/hostnames.
Domain/hostname blacklists are also known as RHSBLs.
Don't get them mixed up!
Some lookup examples;
|Host or IP||Type||Modes||Lookup|
You can use multiple blacklists (one entry per line).
More info below;
Some DNS-based blacklists have ridiculously low negative cache TTLs. You may want to force these higher. In the Bind config;
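An added example of such an override, not the page's own snippet: it assumes BIND 9.12 or later, where named accepts min-ncache-ttl (capped at 90 seconds) in the options or view block of named.conf.

```conf
options {
    // Keep "not listed" (NXDOMAIN) answers for at least 90 seconds,
    // even if the RBL's SOA advertises a lower negative TTL.
    min-ncache-ttl 90;
};
```

The trade-off is that a host which gets listed after a negative answer was cached stays "not listed" for up to those 90 seconds. The setting only helps if the redirector actually resolves through this named instance.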
Configuring a lot of blacklists may slow down surfing due to extensive lookups.
The ACLs are checked in the above order, and before the RBLs.
The program stops checking at the first match.
Not all ACL files need to exist. The software will complain about not being able to open and read a missing file, but it will work anyway.
Note: This behaviour is different from version '2021-01-06 15:49:08 UTC' and older! If you want the old behaviour, uncomment the line '#define USE_OLD_ACL 1'.
The maximum line length is 4094 bytes (4095 including the newline). The software uses a linear search, so entries can be in any order.
|Entry||Matches|
|ad.doubleclick.net||Matches any URL with host-name 'ad.doubleclick.net'.|
|*.doubleclick.net||Matches any URL with host-name in the 'doubleclick.net' domain.|
|*doubleclick*||Matches any URL with host-name which contains the string 'doubleclick'.|
You can put IP addresses in the host ACL files if you like. The software, however, will not look up hostnames in order to see if their IP addresses are
It does look up CNAMEs to see if they are in hosts.deny, provided there is at least one RBL defined. This check is always on, independent of the dnsbl mode.
With 'checkaddr on' in the config file it will also look up IP addresses in hosts.deny (again, provided there is at least one RBL defined). Some examples;
If you want your own IP address based RBL, see 'Convert blacklists into zone files' below.
|Entry||Matches|
|http://ad.doubleclick.net/*||Matches any URL that begins with 'http://ad.doubleclick.net/'.|
|*count.gif||Matches any URL that ends in 'count.gif'.|
|*doubleclick*||Matches any URL that contains 'doubleclick'.|
In the case of HTTPS, Squid passes the host-name to the redirector, not the URL, so the URL ACLs aren't used.
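The host and URL matching rules above, the first-match order, and the HTTPS case, as an added example that is not the rblsredir source. Everything not stated on the page is an assumption made for the demonstration: the files are consulted in the order hosts.allow, hosts.deny, urls.allow, urls.deny; '*.doubleclick.net' is read literally as "ends with .doubleclick.net" (so it does not match the bare 'doubleclick.net'); an HTTPS request arrives as "host:port" without a scheme; the ACL contents and the redirect target are made up.

```c
/* Added example, not the rblsredir source: a small re-implementation of the
 * ACL matching rules with first-match semantics, wrapped in the old-style
 * Squid redirector loop (one request per line on stdin; answer an empty line
 * for "unchanged" or a replacement URL). ACL contents, file order, the
 * literal reading of '*.domain' and the redirect target are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAXLINE 4094            /* longest ACL entry, as documented */

/* Leading '*' = ends with, trailing '*' = starts with, both = contains,
 * neither = exact match. */
int acl_entry_match(const char *entry, const char *subject)
{
    size_t elen = strlen(entry), slen = strlen(subject);
    int lead = elen > 0 && entry[0] == '*';
    int trail = elen > 1 && entry[elen - 1] == '*';
    size_t clen = elen - lead - trail;
    char core[MAXLINE + 1];

    if (clen > MAXLINE)
        return 0;
    memcpy(core, entry + lead, clen);
    core[clen] = '\0';
    if (lead && trail)
        return strstr(subject, core) != NULL;
    if (trail)
        return strncmp(subject, core, clen) == 0;
    if (lead)
        return slen >= clen && strcmp(subject + slen - clen, core) == 0;
    return strcmp(subject, core) == 0;
}

typedef struct { const char *const *entries; int n; } acl_t;

/* Constructed ACL contents, standing in for the four files on disk. */
static const char *const hosts_allow_e[] = { "www.example.com" };
static const char *const hosts_deny_e[]  = { "ad.doubleclick.net", "*.doubleclick.net", "*tracker*" };
static const char *const urls_allow_e[]  = { "http://stats.example.org/*" };
static const char *const urls_deny_e[]   = { "*count.gif", "*doubleclick*" };
static const acl_t hosts_allow = { hosts_allow_e, 1 };
static const acl_t hosts_deny  = { hosts_deny_e,  3 };
static const acl_t urls_allow  = { urls_allow_e,  1 };
static const acl_t urls_deny   = { urls_deny_e,   2 };

static int acl_match(const acl_t *acl, const char *subject)
{
    for (int i = 0; i < acl->n; i++)
        if (acl_entry_match(acl->entries[i], subject))
            return 1;
    return 0;
}

/* Host part of either "scheme://host[:port]/path" or a bare "host:port". */
static void extract_host(const char *req, char *host, size_t hostsz)
{
    const char *p = strstr(req, "://");
    size_t n;
    p = p ? p + 3 : req;
    n = strcspn(p, "/:");
    if (n >= hostsz)
        n = hostsz - 1;
    memcpy(host, p, n);
    host[n] = '\0';
}

/* "allow", "deny" or "none" from the first matching ACL. "none" means the
 * RBL lookups (not reproduced here) would run next. */
const char *acl_decide(const char *req)
{
    char host[256];
    int is_url = strstr(req, "://") != NULL;

    extract_host(req, host, sizeof host);
    if (acl_match(&hosts_allow, host)) return "allow";
    if (acl_match(&hosts_deny, host))  return "deny";
    if (is_url) {                       /* URL ACLs are skipped for HTTPS */
        if (acl_match(&urls_allow, req)) return "allow";
        if (acl_match(&urls_deny, req))  return "deny";
    }
    return "none";
}

int main(void)
{
    char line[MAXLINE + 2];
    while (fgets(line, sizeof line, stdin)) {
        const char *req = strtok(line, " \t\r\n");  /* first field: URL or host:port */
        if (req && strcmp(acl_decide(req), "deny") == 0)
            puts("http://127.0.0.1/blocked.html");      /* hypothetical target */
        else
            puts("");                                   /* leave request unchanged */
        fflush(stdout);
    }
    return 0;
}
```

Feed it lines like `http://ad.doubleclick.net/x 192.0.2.1/- - GET` to see the redirect, and `static.doubleclick.com:443 192.0.2.1/- - CONNECT` to see the HTTPS gap: the URL entry '*doubleclick*' would catch the former but never sees the latter, so HTTPS blocking has to come from the host ACLs or the RBLs.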
Directory for log files. The directory has to be writable by the Squid process owner.
epoch.ms pid blocked_host_or_ip blacklist A lookup TXT
Before rotating the log file you need to reload Squid. This kills the redirectors and closes the log file.
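A parser for the log line layout given above, with a sanity check on the RBL answer, as an added example that is not part of rblsredir. The field layout is assumed from the one-line description (epoch.ms, pid, blocked host or IP, blacklist, the A record the RBL returned, then the TXT record, which may contain spaces and so takes the rest of the line, and is empty when TXT logging is off); the sample lines are constructed, not real output.

```c
/* Added example, not part of rblsredir: parse the redirector log lines and
 * flag answers outside 127.0.0.0/8. Field order and the sample lines are
 * assumptions for the demonstration. */
#include <stdio.h>
#include <string.h>

typedef struct {
    double ts;          /* seconds since the epoch, with milliseconds */
    long   pid;         /* redirector process id */
    char   host[256];   /* blocked host name or IP address */
    char   list[256];   /* RBL that listed it */
    char   a[64];       /* A record the RBL returned */
    char   txt[512];    /* TXT record, empty if not logged */
} logrec_t;

/* Returns 1 on success, 0 if the line does not have the expected shape. */
int parse_log_line(const char *line, logrec_t *r)
{
    int used = 0;
    memset(r, 0, sizeof *r);
    if (sscanf(line, "%lf %ld %255s %255s %63s%n",
               &r->ts, &r->pid, r->host, r->list, r->a, &used) != 5)
        return 0;
    line += used;
    while (*line == ' ' || *line == '\t')
        line++;
    strncpy(r->txt, line, sizeof r->txt - 1);   /* NUL-terminated by the memset */
    r->txt[strcspn(r->txt, "\r\n")] = '\0';
    return 1;
}

/* RBLs answer inside 127.0.0.0/8. Anything else usually means a dead list or
 * a resolver that wildcards NXDOMAIN, i.e. every lookup "matches" and the
 * block is bogus. */
int rbl_answer_sane(const char *a)
{
    unsigned o[4];
    if (sscanf(a, "%u.%u.%u.%u", &o[0], &o[1], &o[2], &o[3]) != 4)
        return 0;
    return o[0] == 127 && o[1] <= 255 && o[2] <= 255 && o[3] <= 255;
}

/* Constructed sample log: three well-formed records and one garbage line. */
const char *sample_log[] = {
    "1626721851.123 4242 ad.doubleclick.net dbl.example.net 127.0.0.2 https://www.example.net/query/ad.doubleclick.net",
    "1626721852.001 4242 192.0.2.10 zen.example.org 127.0.0.4 Listed in SBL, see https://www.example.org/sbl",
    "1626721853.500 4243 evil.example bl.example.com 203.0.113.7",
    "this line is not a log record",
};
#define NSAMPLE 4

/* Does sample line i parse at all? */
int sample_parses(int i)
{
    logrec_t r;
    return parse_log_line(sample_log[i], &r);
}

/* Parse sample line i and compare one of its string fields. */
int sample_field_is(int i, const char *field, const char *expect)
{
    logrec_t r;
    const char *v;
    if (!parse_log_line(sample_log[i], &r))
        return 0;
    v = strcmp(field, "host") == 0 ? r.host
      : strcmp(field, "list") == 0 ? r.list
      : strcmp(field, "a") == 0    ? r.a : r.txt;
    return strcmp(v, expect) == 0;
}

/* Number of sample records whose RBL answer lies outside 127/8: these are
 * the blocks to investigate rather than trust. */
int sample_suspicious(void)
{
    logrec_t r;
    int n = 0;
    for (int i = 0; i < NSAMPLE; i++)
        if (parse_log_line(sample_log[i], &r) && !rbl_answer_sane(r.a))
            n++;
    return n;
}
```

The third sample record is the one worth chasing: an answer of 203.0.113.7 from an RBL is not a listing, it is a sign that the list name has expired and been parked, or that the resolver in use rewrites NXDOMAIN.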
For TXT look-ups to work you need to remove the comment at '#define RSD_TXT_LKP 1'. If you do this you need to compile with -lresolv;
cc -O2 -Wall -lresolv -o rblsredir rblsredir.c
On toolchains that link with --as-needed by default (Debian, Ubuntu and derivatives), -lresolv must come after rblsredir.c on the command line; listed before it, the library is dropped and the res_* symbols come up undefined.
The maximum number of RBLs is eight. If you want more you need to increase the number next to '#define RSD_MAXLISTS'.
Put the binary in /usr/local/sbin/ (or /usr/sbin/ if you prefer).
Some compilers may issue a warning;
rblsredir.c:794:2: warning: 'strncpy' output may be truncated copying between 0 and 4095 bytes from a string of length 4095 [-Wstringop-truncation]
  strncpy(str, line, chrcnt);
  ^~~~~~~~~~~~~~~~~~~~~~~~~~
This is no cause for alarm.
Put 'rblsredir.8' in /usr/local/share/man/man8/ and the rest in /usr/local/share/man/man5/ (or /usr/share/man/man8/ and /usr/share/man/man5/ if you prefer) and gzip them. It's probably a nice idea to create symlinks from 'sredir_acls.5.gz' to 'urls.allow.5.gz' and 'urls.deny.5.gz'. Do not link to 'hosts.allow.5.gz' or 'hosts.deny.5.gz'. These already point to libwrap's 'hosts_access.5.gz'!
Tar of source and man pages: rblsredir.tar.gz.
The Spamhaus DROP (Don't Route Or Peer) list consists of a number of files in network/netmask format. They are meant to be part of a firewall. You can, however, convert them into a blacklist zone file instead. The stuff below does this for you;
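An added converter for this job, not the page's own script: it turns DROP lines of the form `192.0.2.0/24 ; SBL123` into records for an address-based RBL zone. Assumptions: the zone is queried the usual RBL way, by the reversed octets of the address, and answers 127.0.0.2; a prefix on an octet boundary becomes one wildcard owner ("*.2.0.192" for a /24), any other prefix is expanded to the next octet boundary (a /22 becomes four /24 wildcards, at most 128 records for a /1); the SBL reference after ';' is kept as a TXT record so the redirector can log it. The input lines are constructed.

```c
/* Added example, not the page's own conversion script: Spamhaus DROP lines
 * to RBL zone records. Reversed-octet owner names, the 127.0.0.2 answer and
 * expansion to octet boundaries are assumptions for the demonstration. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Parse "a.b.c.d/p [; comment]". Returns 0 on malformed input. */
static int parse_drop_line(const char *line, uint32_t *net, unsigned *plen,
                           char *label, size_t labelsz)
{
    unsigned o[4], p;
    const char *c;
    size_t n;
    if (sscanf(line, "%u.%u.%u.%u/%u", &o[0], &o[1], &o[2], &o[3], &p) != 5)
        return 0;
    if (o[0] > 255 || o[1] > 255 || o[2] > 255 || o[3] > 255 || p < 1 || p > 32)
        return 0;
    *net = ((uint32_t)o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3];
    *plen = p;
    label[0] = '\0';
    if ((c = strchr(line, ';')) != NULL) {      /* "; SBL123" -> "SBL123" */
        c++;
        while (*c == ' ' || *c == '\t') c++;
        n = strcspn(c, " \t\r\n");
        if (n >= labelsz) n = labelsz - 1;
        memcpy(label, c, n);
        label[n] = '\0';
    }
    return 1;
}

/* Write the zone records for one DROP line into out. Returns the number of
 * records written, 0 for an unusable line, -1 if out is too small. */
int drop_to_zone(const char *line, char *out, size_t outsz)
{
    uint32_t net, mask;
    unsigned plen, bound, octets, count, i;
    char label[64], owner[32];
    size_t pos = 0;
    int records = 0, k;

    if (!parse_drop_line(line, &net, &plen, label, sizeof label))
        return 0;
    mask   = ~((1u << (32 - plen)) - 1u);     /* plen is 1..32 */
    net   &= mask;
    bound  = (plen + 7) / 8 * 8;              /* next octet boundary */
    octets = bound / 8;
    count  = 1u << (bound - plen);            /* networks to emit, <= 128 */

    out[0] = '\0';
    for (i = 0; i < count; i++) {
        uint32_t a = net + ((uint32_t)i << (32 - bound));
        size_t olen = 0;
        /* Reversed octets, most specific first: 192.0.2.0/24 -> "*.2.0.192" */
        if (bound < 32)
            olen += snprintf(owner, sizeof owner, "*.");
        for (unsigned j = octets; j > 0; j--)
            olen += snprintf(owner + olen, sizeof owner - olen, "%u%s",
                             (a >> (32 - 8 * j)) & 0xff, j > 1 ? "." : "");
        k = snprintf(out + pos, outsz - pos, "%s IN A 127.0.0.2\n", owner);
        if (k < 0 || (size_t)k >= outsz - pos) return -1;
        pos += k; records++;
        if (label[0]) {
            k = snprintf(out + pos, outsz - pos, "%s IN TXT \"%s\"\n", owner, label);
            if (k < 0 || (size_t)k >= outsz - pos) return -1;
            pos += k; records++;
        }
    }
    return records;
}

/* Convenience wrapper for quick checks: one line into a static buffer,
 * NULL if the line produced nothing. Not thread-safe. */
const char *drop_zone_text(const char *line)
{
    static char out[16384];                   /* 128 networks * 2 records fit */
    return drop_to_zone(line, out, sizeof out) > 0 ? out : NULL;
}

int main(void)
{
    char line[256], out[16384];
    while (fgets(line, sizeof line, stdin)) {
        if (line[0] == ';' || line[0] == '\n') continue;   /* comment / blank */
        if (drop_to_zone(line, out, sizeof out) > 0)
            fputs(out, stdout);
        else
            fprintf(stderr, "skipped: %s", line);
    }
    return 0;
}
```

Pipe drop.txt through it and append the output to the zone file behind your SOA and NS records. The wildcard owners are what keep the zone small: a /8 is one record rather than sixteen million, and a lookup of 192.0.2.77 as 77.2.0.192.your.zone still matches "*.2.0.192".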
You can add your own entries if you want.
malice.example.com IN A 127.0.0.2