Category Archives: Tips

Access Squid proxy HTTP traffic using the url_rewrite_program option

Squid is one of the most well-known caching proxies. It works as a proxy server for protocols such as HTTP and FTP, and caches content when possible to greatly improve delivery. When I first came across Squid, one of the things I became curious about was how to access and modify HTTP traffic, more specifically just the requested URLs, in real time. A use case for this is logging to a database for auditing.

Quick research led me to something called the “url_rewrite_program”, which is simply an option available in the Squid configuration file. The path for that is typically something like this:


To use this option, add a line like the following to the config file: the option name followed by the path to your rewriter program:

url_rewrite_program /home/aktarer/squid/rewriter.php

On startup, Squid spawns several instances of this program (the number is set by the “url_rewrite_children” option). If you’re using a script file like I am, make sure you set the executable bit. You can do that with a command like the following:

chmod +x /home/aktarer/squid/rewriter.php

As Squid gets requests, it pipes data in the following format to the standard input of your program:

URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>

Your program can simply be a loop waiting on this. Here’s an example of what you might get:

– GET – myip= myport=3128

You can parse this like any other string and do whatever you like with it, such as inserting it into your database. You’ll notice that simply reading the input may cause your proxy to stop working. Something I didn’t mention earlier is that Squid watches your standard output and requires a response for every input line. So when you get the above line as input, you are expected to write something like the following to standard output, followed by a newline character.

Now let’s say you simply can’t allow people using your proxy to access something like Bing. What can you do? Instead of outputting the above for such requests, you can output the following:


This will cause a redirect to Google.

Now you might be wondering how you can access more information, such as the request body. As far as I know, there’s no easy way to do this. However, Squid is open source! This means you can build your own version that does just that.
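To make the helper contract concrete, here is a complete url_rewrite_program written in Python. It is an added example and not the rewriter.php from the post: it parses each input line in the format shown above, writes an audit record for every request, and replies with either the unchanged URL or a 301 redirect for hosts on a block list, following the reply format described in this post (Squid 3.4 and later also accept an OK/ERR style reply, which is not used here). The BLOCKED_HOSTS set and REDIRECT_TO value are constructed for the example, mirroring the Bing-to-Google case above.

```python
#!/usr/bin/env python3
# Added example (not from the post): a Squid url_rewrite_program helper that
# audits every request and redirects requests for hosts on a block list.
import sys
from urllib.parse import urlsplit

# Hosts this proxy must not serve, and where such requests are sent instead.
# Both values are constructed for the example, following the post's Bing/Google case.
BLOCKED_HOSTS = {"bing.com", "www.bing.com"}
REDIRECT_TO = "http://www.google.com/"


def parse_request(line):
    """Parse one input line in the format Squid pipes to the helper:
    URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]
    Returns a dict, or None when the line lacks the four required fields."""
    fields = line.rstrip("\n").split(" ")
    if len(fields) < 4:
        return None
    url, client, user, method = fields[:4]
    client_ip, _, fqdn = client.partition("/")
    kv = {}
    for pair in fields[4:]:
        key, sep, value = pair.partition("=")
        if sep:
            kv[key] = value
    return {"url": url, "client_ip": client_ip, "fqdn": fqdn,
            "user": user, "method": method, "kv": kv}


def host_of(url):
    """Host part of the requested URL. CONNECT requests arrive as host:port
    with no scheme, so urlsplit alone would misread them."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def decide(req):
    """The reply Squid expects for this request (newline not included):
    the URL unchanged, or 301:<url> to redirect a blocked host."""
    if host_of(req["url"]) in BLOCKED_HOSTS:
        return "301:" + REDIRECT_TO
    return req["url"]


def audit_record(req):
    """One line per request for the audit trail; a real deployment would
    insert these fields into a database instead of formatting a string."""
    return "%s %s %s %s" % (req["client_ip"], req["user"], req["method"], req["url"])


def main():
    # Squid keeps this process alive and sends one request per line. Every
    # line must get exactly one reply, flushed at once, or Squid stalls.
    for line in sys.stdin:
        req = parse_request(line)
        if req is None:
            sys.stdout.write("\n")   # unparseable input: leave the request as it is
        else:
            sys.stderr.write(audit_record(req) + "\n")  # stderr is collected into cache.log
            sys.stdout.write(decide(req) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Point url_rewrite_program at this file and set its executable bit as described above. The flush after every reply is the part people most often forget: with buffered output Squid never sees the response and the proxy appears to hang, which is the symptom described earlier.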

Use cases for SSH tunneling (port forwarding)

SSH tunneling, as you might know, allows you to transfer data through an encrypted channel. The data being transferred may or may not itself be encrypted. Setting up these tunnels is actually an easy process. But let’s briefly discuss how SSH works first.

SSH stands for “Secure Shell” and is simply a protocol for secure communication. This is commonly used by people to access their servers. On the server side, there is a program like OpenSSH that listens on port 22. On the client side, there is a program such as PuTTY that connects to the server through the given port. The two authenticate through means such as passwords and/or keys. Once this is done, the client is given access to the default shell for the target user and any communication that occurs is encrypted with what’s defined in the SSH protocol.

Back to SSH tunneling. The three types are dynamic, local, and remote. To help you understand the usefulness of each, I will go through three example use cases.


Facebook is blocked at my school. I WANT FACEBOOK!!!

Let’s make this more generic and say you want to access any blocked website on your local network. Being blocked essentially implies that your network activity is being monitored. With the help of dynamic tunneling, you can access any blocked content (provided your server has access to it), and pretty much conceal your network activity to the point where the only thing that can be known by your network administrator or an adversary is that you’re having communication through the SSH protocol.

So how can you set these up? In your client program, look for something like “Tunnels” or “SSH port forwarding”. In PuTTY, you’ll find this section in Connection -> SSH -> Tunnels. Under “Add new forwarded port”, select “Dynamic”. For the IP type, leave it at “Auto”. For the “Source port”, put down a port that your computer is most likely not using, like 32568. Port numbers are 16-bit, so the maximum is 65535. Leave the destination empty, as we want this forwarding to happen through the local interface (i.e. localhost). Click on “Add” and connect normally.

Once you’re connected, open up your browser, such as Chrome, and head over to the settings page. Look for the proxy connection section and set the SOCKS proxy to localhost:32568. You can now browse the web securely…well, at least as securely as your server and its network.

What if you want to secure the network activity of any application, one that may not support setting the Socks server? Well for that, Google “socksifier” and pick one.


I want to access VNC running on my server securely!

VNC (Virtual Network Computing) is a popular way of accessing your computer’s desktop remotely. It works through the RFB (Remote Framebuffer) protocol, which is NOT a secure protocol. Let’s say that you have a window system such as X running on your Linux server. If you want to access it over the network from another computer, what you might do is run a program on your server such as TightVNC. The TightVNC server will listen on a port like 5901, possibly on a LAN interface such as eth0. On your main computer, you’ll run the TightVNC client and connect to the server given its network address and port. After authenticating, you’ll essentially have access to your server’s desktop! The problem is, what if your main computer is on a network that can easily be monitored?

An adversary can easily capture and possibly decrypt your VNC password. However, that’s not all. The data being sent for you to be able to control the server’s desktop is not encrypted. This effectively means the adversary can monitor and maybe even modify what occurs in your VNC session. Not good.

Thankfully, with SSH local port forwarding, you can rest assured of privacy. First what you should do is have the TightVNC server listen on the local interface. A command such as the following should do the trick:

tightvncserver -nolisten tcp -localhost :1

This tells TightVNC to listen on port 5901 on the loopback interface only. This means you will no longer be able to VNC in simply by using the server’s address and that port from your main computer.

Now that you have this set up, go to your SSH client and find the tunneling section again. Set the type to “Local”. For the “Destination”, set it to "localhost:5901". For the “Source Port”, set it to something like 5910. Add it and connect as usual. Now, to access the server’s desktop, set the target in your VNC client to simply "localhost:5910". You should notice that you are able to connect like before, only now you’re doing it very securely!


I’m at college. How can I allow my friend from his college network to access an application running and accessible to only my college network?!?

If you consider yourself to know anything about college networks, you’ll know that firewalls play a crucial role. In my college network for example, incoming connections from outside the network are blocked by default for most clients. The only way to go around this is to ask for a firewall exception. However, for the sake of this example, let’s say you don’t have that privilege and neither does your friend. So how can you get this to work?

Well since neither you nor your friend can contact each other directly, one option is to have a third node that’s accessible by both you and your friend. For example, that Linux server you have lying around.

Let’s say the application you want your friend to access is reachable by you through the following address "". Go back to your SSH client and find the tunneling section. This time, set the type to “Remote”. For the “Destination”, set it to "". For the “Source Port”, set it to something probably not in use on your server, like 5329. Add this and connect as usual.

Your friend should now be able to access the application through YOUR_SERVER_ADDRESS:5329. Awesome! If this does not work, the most likely reason is that the OpenSSH server on your server has bound port 5329 to the local interface only, which is its default for remote-forwarded ports. To change this, open up your SSH daemon config file, which is probably the following:


Look for “GatewayPorts”. If it exists, set it to “yes”. If it doesn’t, simply add it. It should look like the following:

GatewayPorts yes

Save and restart the SSH server. Connect again with your SSH client while making sure the port forwarding is still set. This should now work!
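The three tunnel types above map directly onto OpenSSH client flags, and the last problem (sshd binding a remote-forwarded port to the local interface only) is something you can check on the server instead of guessing. The following script is an added example, not from the original post: it builds the ssh command for each tunnel type from the same “source port” and “destination” values used in the PuTTY dialogs, and reports which interface a listening port is bound to from the output of ss -ltn or netstat -ltn. user@YOUR_SERVER_ADDRESS, APP_HOST and APP_PORT are placeholders, and the listing at the end is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post): OpenSSH equivalents of the PuTTY tunnel
# types used above, plus a check of which interface a listening port is bound to.
# user@YOUR_SERVER_ADDRESS, APP_HOST and APP_PORT are placeholders.

# tunnel_cmd TYPE SOURCE_PORT [DESTINATION] USER@SERVER
# PuTTY's "Dynamic" is -D, "Local" is -L, "Remote" is -R; -N opens no shell.
tunnel_cmd() {
  case "$1" in
    dynamic) echo "ssh -N -D $2 $3" ;;
    local)   echo "ssh -N -L $2:$3 $4" ;;
    remote)  echo "ssh -N -R $2:$3 $4" ;;
    *)       echo "unknown tunnel type: $1" >&2; return 1 ;;
  esac
}

# bound_to PORT LISTING
# LISTING is the output of `ss -ltn` or `netstat -ltn`; prints the local
# address:port the TCP port is listening on, or "none".
bound_to() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 == "LISTEN" || $1 ~ /^tcp6?$/ {
      n = split($4, a, ":")
      if (a[n] == p) { print $4; found = 1; exit }
    }
    END { if (!found) print "none" }'
}

# exposure PORT LISTING
# "loopback": reachable only from the machine itself (what the VNC server
# should show for 5901); "all": reachable from the network (what sshd must
# show for 5329 once GatewayPorts is yes); "none": nothing is listening.
exposure() {
  addr=$(bound_to "$1" "$2")
  case "$addr" in
    none)                              echo none ;;
    127.0.0.1:*|"[::1]:"*|::1:*)       echo loopback ;;
    0.0.0.0:*|"*:"*|"[::]:"*|":::"*)   echo all ;;
    *)                                 echo "$addr" ;;   # bound to one specific interface
  esac
}

# Constructed `ss -ltn` output for the example: VNC on loopback (good), the
# remote forward on all interfaces (what the friend needs), nothing on 5910.
SAMPLE_LISTING='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5901     0.0.0.0:*
LISTEN 0      128    0.0.0.0:5329       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# Examples of the three tunnel commands from the use cases above:
tunnel_cmd dynamic 32568 user@YOUR_SERVER_ADDRESS
tunnel_cmd local 5910 localhost:5901 user@YOUR_SERVER_ADDRESS
tunnel_cmd remote 5329 APP_HOST:APP_PORT user@YOUR_SERVER_ADDRESS

# Live use on the server: exposure 5329 "$(ss -ltn)"
exposure 5901 "$SAMPLE_LISTING"
exposure 5329 "$SAMPLE_LISTING"
```

On the server, exposure 5901 "$(ss -ltn)" should print loopback after the tightvncserver command above, and exposure 5329 "$(ss -ltn)" should print all once GatewayPorts is set to yes and the remote tunnel is connected; if it still prints loopback, sshd is binding forwarded ports locally. Setting GatewayPorts to clientspecified instead lets the client choose the bind address per tunnel. Keep in mind that a port reporting all is reachable by anyone who can reach your server, not just your friend, so a firewall rule on the server or authentication in the application itself is still worth having.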


Note(s):

Don’t have a Linux server? No problem. Amazon will give you one for FREE! Check out AWS Free Usage Tier.