Squid redirector

A Squid proxy server redirector replaces certain URLs with others. It can therefore be used as an ad-blocker. Speeding up page load speeds and reducing tracking. It can also be used to block malicious scripts.

Squid redirector with RBL support

This redirector matches URLs against entries in a file. It can match against the beginning of an URL, the end of an URL and a sub-string of an URL.
It can also lookup host-names and IP addresses in DNS-based blacklists or RBLs.
Keep in mind that this will lead to false positives. Often there are many websites sharing the same IP address(es). Blacklisting a single IP address will block access to all of those sites. Including those which are not malicious.

Version

Current version is: 2021-07-19 19:10:51 UTC (I'm too lazy to make up version numbers).

Files

/etc/sredir/

Directory for conf files.

sredir.conf

checkaddr: Optional. 'checkaddr on' will lookup IP addresses in hosts.deny. See Host ACL examples below.
debug: Optional. 'debug on' will enable debugging.
redirurl: Mandatory. Syntax:
redirurl URL
The redirurl is the URL the redirector redirects to. Usually a link to a small transparent GIF. E.G.;
redirurl http://www.example.org/images/transparant.gif
This won't work for HTTPS: The browser will complain. The site still gets blocked though.
tolow: Optional. 'tolow on' will convert hostnames to lower case. In case of non-ASCII, UTF-8 is assumed.
dnsbl: Optional. Syntax;
dnsbl mode name
E.G.;
dnsbl 4 blacklist.example.net

dnsbl mode

A value between 1 and 15. It's an OR of;

Mode	Check	Type
1	Check host-name	Domain
2	If alias, check CNAME	Domain
4	Check IP address(es)	Address
8	Log TXT record

Most RBLs list either IP addresses or domains/hostnames. Domain/hostname blacklists are also know as RHSBL. Don't get them mixed up!
Below some Lookup examples;

Host or IP	Type	Modes	Lookup
www.example.org	Domain	1-3, 9-11	www.example.org.blacklist.example.net
192.168.2.1	Address	4, 12	1.2.168.192.blacklist.example.net
2001:db8:2::1	Address	4, 12	1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.8.b.d.0.1.0.0.2.blacklist.example.net

You can use multiple blacklists (one entry per line).
Below more info;

Some DNS based blacklists have ridiculously low negative cache TTL times. You may want to force these higher. In Bind config;

min-ncache-ttl 60;

Configuring a lot of blacklists may slow down surfing due to extensive lookups.

ACL files

hosts.allow	Whitelisted hosts
hosts.deny	Blacklisted hosts
urls.allow	Whitelisted URLs
urls.deny	Blacklisted URLs

The ACLS are checked in the above order and before the RBLs. The program stops checking at the first match.
Not all ACL files need to exist. The software will complain about not being able to open and read a missing file, but it will work anyway.

ACL file syntax

Grep	This program
^Foobar$	Foobar
^Foobar	Foobar*
Foobar$	*Foobar
.Foobar.	Foobar
Foobar	Foobar* Foobar Foobar*

Note: This behaviour is different from version '2021-01-06 15:49:08 UTC' and older! If you want the old behaviour, uncomment the line '#define USE_OLD_ACL 1'.

The maximum line length is 4094 bytes (4095 including newline). The software uses a linear search, so you can use any order.

Host ACL examples

ad.doubleclick.net	Matches any URL with host-name 'ad.doubleclick.net'.
*.doubleclick.net	Matches any URL with host-name in the 'doubleclick.net' domain.
doubleclick	Matches any URL with host-name which contains the string 'doubleclick'.

You can put IP addresses in the host ACL files if you like. The software however, will not look up hostnames in order to see if their IP addresses are in hosts.allow.
It does lookup CNAMEs to see if they are in hosts.deny, provided there is at least one RBL defined. This check is always on, independent of dnsbl mode.
With 'checkaddr on' in the config file it will also lookup IP addresses in hosts.deny (provided there is at least one RBL defined). Below some examples;

CIDR	This program
192.168.2.0/24	192.168.2.*
192.168.2.0/23	192.168.2.* 192.168.3.*
2001:db8:2::/48	2001:db8:2:*

If you want your own IP address based RBL, see 'Convert blacklists into zone files' below.

URL ACL examples

http://ad.doubleclick.net/*	Matches any URL that begins with 'http://ad.doubleclick.net/'.
*count.gif	Matches any URL that ends in 'count.gif'.
doubleclick	Matches any URL that contains 'doubleclick'.

In case of HTTPS, Squid passes the host-name to the redirector, not the URL. And the URL ACLs aren't used.

Remarks

A line beginning with a hash or number-sign ('#'). E.G.;
# Remark.
Statement
White-space and anything at the right hand side of white-space. E.G.;
Statement # Remark.
This means that host-names and URLs cannot contain spaces.
Hashes which are not on the first position of a line, are not considered to be a remark, except when preceded by whitespace.

/var/local/log/squid/

Directory for log files. The directory has to be writable by the Squid process owner.

sredir.log

Format;
epoch.ms pid blocked_host_or_ip blacklist A lookup TXT

epoch: Number seconds since the 1st of January 1970 00:00:00 UTC.
ms: Milliseconds.
pid: Process ID of redirector. Squid may spawn several. This way you can tell their log entries apart.
blocked_host_or_ip: Host-name or IP address of blocked website.
blacklist: The blacklist that blocked it.
'local' in case of local deny-list.
A: RBLs return an IP address just above 127.0.0.1. E.G.: 127.0.0.2.
'-' in case of local deny-list.
lookup: The actual lookup that resulted in the above IP address.
'hosts.deny' or 'urls.deny' in case of local deny-list.
TXT: TXT record for the same lookup. Usually a link to a web-page explaining why this IP address is blacklisted.
'-' in case of local deny-list.

Before log-file rotation you need to reload Squid. This will kill the redirectors and close the logfile.

Download

Source

rblsredir.c
For TXT look-ups to work you need to remove the comment at '#define RSD_TXT_LKP 1'. If you do this you need to compile with -lresolv;

~$ cc -O2 -Wall -lresolv -o rblsredir rblsredir.c

The maximum number of RBLs is eight. If you want more you need to increase the number next to '#define RSD_MAXLISTS'.
Put the binary in /usr/local/sbin/ (or /usr/sbin/ if you prefer).

Some compilers may issue a warning;

rblsredir.c:794:2: warning:
'strncpy' output may be truncated copying between 0 and 4095 bytes from a string of length 4095 [-Wstringop-truncation]
 strncpy(str, line, chrcnt);
 ^~~~~~~~~~~~~~~~~~~~~~~~~~

This is no cause for alarm.

Man pages

rblsredir.8, redirector manual.
sredir.conf.5, config file manual.
sredir_acls.5, hosts.allow, hosts.deny, urls.allow and urls.deny manual.
sredir.log.5, log file manual.

Put 'rblsredir.8' in /usr/local/share/man/man8/ and the rest in /usr/local/share/man/man5/ (or /usr/share/man/man8/ and /usr/share/man/man5/ if you prefer) and gzip them. It's probably a nice idea to create symlinks from 'sredir_acls.5.gz' to 'urls.allow.5.gz' and 'urls.deny.5.gz'. Do not link to 'hosts.allow.5.gz' or 'hosts.deny.5.gz'. These already point to libwrap's 'hosts_access.5.gz'!

Tar

Tar of source and man pages: rblsredir.tar.gz.

Convert blacklists into zone files

The Spamhaus DROP (Don't Route Or Peer, Requires JavaScript and cookies) list consists of a number of files in network/netmask format. They are meant to be part of a firewall. You can however, convert them in a blacklist zone file instead.
The stuff below does this for you;

get-dnsbl.sh: Script that does most of the work. Edit to suit your needs.
local-rbl-head: Header for Bind style zone file. Edit to suit your needs.
procdrop.c: Program that generates the zone file entries.
The '-t' option adds TXT records.

You can add your own entries if you want.
E.G.;

malice.example.com	IN	A	127.0.0.2

Squid redirector