Knowledge Base

Preserving for the future: Shell scripts, AoC, and more

Squid allow short names for local sites

In my transparent web proxy, I wanted to still be able to visit http://server2:631 for my local cups instance. Even with hosts_file configured in squid.conf, squid does not accept a short hostname, even though the name can be resolved. What you can do is configure squid to append your domain to unqualified hostnames, and define an ACL listing all the local hostnames so that requests for them are fetched directly from the origin server instead of being sent to any cache_peer. Add these entries to squid.conf:

append_domain .ipa.example.com
acl localdst dstdomain "/etc/squid/axfr.txt"
always_direct allow localdst

And you need a command to populate that axfr.txt file. Thankfully, I run my own DNS and I left zone transfers on (security considerations notwithstanding: an unrestricted AXFR hands out your complete hostname inventory, so at minimum restrict transfers in the DNS server to the address of the host that runs this script, e.g. with allow-transfer in BIND). So here are my comments around what is basically a one-liner.

#!/bin/sh
# File: /mnt/public/Support/Systems/server4/usr/local/bin/squid_local_hosts.sh
# License: CC-BY-SA 4.0
# Location: server1
# Author: bgstack15
# Startdate: 2020-11-17 19:30
# Title: Script that Lists Net-Local Hosts
# Purpose: list all net-local hosts without the domain name, for squid on vm4
# Usage:
#    in a cron entry, nominally in /etc/cron.d/90_squid_local_hosts.cron
#    0 12 * * *   root   /mnt/public/Support/Systems/server4/usr/local/bin/squid_local_hosts.sh 2>/dev/null 1>/etc/squid/axfr.txt
#    And where axfr.txt was already established with proper mode and context
# Reference:
# Improve:
# Dependencies:
#    zone transfers are on in local dns
#    Settings in squid.conf:
#       append_domain .ipa.example.com
#       acl localdst dstdomain "/etc/squid/axfr.txt"
#       always_direct allow localdst

# Zone to transfer; override by setting the domain environment variable.
test -z "${domain}" && export domain="ipa.example.com"

get_net_local_hosts() {
   # Awk methodology
   # strip the domain, with its surrounding dots, from the owner name in field 1
   # (the zone apex itself becomes an empty string and is dropped by grep below)
   # exclude the ones that start with underscore, which users will not be looking up for visiting via a web browser.
   # print unique ones
   # Grep methodology
   # exclude blanks and dig's ';' comment lines
   # [[:space:];] rather than [\s;]: a backslash is literal inside a POSIX bracket expression,
   # so [\s;] would match '\', 's' and ';' and silently drop a host named "s"
   dig -t AXFR "${domain}" | awk "{gsub(\".?${domain}.?\",\"\",\$1);} \$1 !~ /^_/ && !x[\$1]++{print \$1}" | grep -viE '^[[:space:];]*$'
}

get_net_local_hosts

And as described, I have a cron entry.

0  *  *  *  *  root   /mnt/public/Support/Systems/vm4/usr/local/bin/squid_local_hosts.sh 2>/dev/null 1>/etc/squid/axfr.txt

Now, I haven't been running this long enough and with enough network changes to test things fully, so I don't know if squid will dynamically read the new axfr.txt contents should they change. I seriously doubt it. Squid reads dstdomain ACL files when it starts and again on squid -k reconfigure, so the cron job needs to trigger a reconfigure after rewriting the file; one could also adjust the service script or systemd unit to have an ExecStartPre hook running the same contents as the cron job. And now I can reach my cups instance without having to type in the full hostname, and without setting up client-side exceptions for using the proxy. I realize this whole thing is not very KISS, but it's fun anyways.
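As an added example (not bgstack15's script above), here is a variant of the same idea that addresses the two operational gaps: a failed or empty zone transfer must not clobber the existing axfr.txt (the cron redirect above truncates the file before dig even runs), and squid must be told to re-read the ACL file afterwards. The zone name, the output path, running as root on the squid host, and the dig output embedded in sample_axfr are assumptions; that sample is constructed for the demonstration, not a real zone dump.

```shell
#!/bin/sh
# Added example: regenerate squid's local-host list from an AXFR, refuse to
# install an empty result, install atomically, then reload squid's ACLs.
# Assumptions: zone ipa.example.com, output /etc/squid/axfr.txt, root on the squid host.
domain="${domain:-ipa.example.com}"
out="${out:-/etc/squid/axfr.txt}"

# Constructed dig AXFR output used to exercise the filter offline.
sample_axfr() {
   cat <<'EOF'
; <<>> DiG 9.16 <<>> -t AXFR ipa.example.com
;; global options: +cmd
ipa.example.com.              3600 IN SOA  server1.ipa.example.com. hostmaster.ipa.example.com. 1 7200 900 1209600 3600
ipa.example.com.              3600 IN NS   server1.ipa.example.com.
_kerberos._tcp.ipa.example.com. 3600 IN SRV 0 100 88 server1.ipa.example.com.
server1.ipa.example.com.      3600 IN A    10.0.0.1
server2.ipa.example.com.      3600 IN A    10.0.0.2
server2.ipa.example.com.      3600 IN AAAA fd00::2
;; Query time: 1 msec
EOF
}

# Read dig AXFR output on stdin and print each short hostname once.
# Skips dig's ';' comment lines, blank lines, the zone apex, any owner name
# outside the zone, and service records whose first label starts with '_'.
short_names() {
   awk -v dom="$domain" '
      /^;/ || NF == 0 { next }
      {
         name = $1
         sub(/\.$/, "", name)                          # drop trailing dot
         if (name == dom) next                         # zone apex (SOA/NS)
         suffix = "." dom
         if (substr(name, length(name) - length(suffix) + 1) != suffix) next
         name = substr(name, 1, length(name) - length(suffix))
         if (name ~ /^_/) next                         # _kerberos._tcp and friends
         if (!seen[name]++) print name
      }'
}

# Write the new list to a temp file beside the target; only replace the target
# when the transfer yielded at least one name, so a refused AXFR leaves the
# previous list in place rather than emptying the ACL.
install_list() {
   tmp="$(mktemp "${out}.XXXXXX")" || return 1
   if dig -t AXFR "$domain" | short_names > "$tmp" && [ -s "$tmp" ]; then
      chmod 0644 "$tmp" && mv "$tmp" "$out" && return 0
   fi
   rm -f "$tmp"
   echo "AXFR of $domain produced no names; keeping existing $out" >&2
   return 1
}

# Only touch the real file and squid when invoked as: squid_local_hosts.sh install
if [ "${1:-}" = install ]; then
   install_list && squid -k reconfigure
fi
```

Running "squid_local_hosts.sh install" from cron replaces the "1>/etc/squid/axfr.txt" redirect: the list is regenerated, swapped in with a single rename, and squid is asked to reload its configuration so the dstdomain ACL picks up the new names. Because mktemp creates the temp file in /etc/squid, the rename is atomic and squid never observes a half-written file.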
