[squid-users] Routing Internally And/Or Externally?

Amos Jeffries squid3 at treenet.co.nz
Wed Apr 20 06:13:46 UTC 2016

On 20/04/2016 6:16 a.m., nkingsquid wrote:
> Trying to figure out if I need to write a script for this or not... 
> I am Brand new to Squid but have done a ton of searches and can't find this.
> I have authenticated traffic coming to my squid server from the Internet
> (Via a NetScaler).

How exactly is the NetScaler sending it?
 Via NAT or explicit-proxy configuration on the NetScaler?
 How is the Squid expected to validate that the traffic received is from
the NetScaler and not some malware?

>  If the request is for an INTERNAL resource I want it to
> continue on its journey.  However, if it is anything else I want it
> re-directed back to the internet via the netscaler.  (just going to list the
> applicable portion and throw in example data)

As you have described it sounds like an "open proxy". Having one of
these in your network is an instant security fail.

> acl localnetPAC src                                    #resource within my network
> acl localnetPAC src internal.resources.com             #resource within my network
> acl localnetPAC src internal1.resources.com            #resource within my network
> acl localnetPAC src internal2.resources.com            #resource within my network
> acl localnetPAC src internal3.resources.com            #resource within my network
> acl InboundNet scr                                     #NetScaler
> acl OutboundNet scr                                    #NetScaler
> http_access allow localnetPAC                          #user will be let thru to the local resources
> InboundNet !localnetPAC allow OutboundNet              #this is what I WANT to do but isn't working
>                                                        #can anyone steer me to the right track?

You seem to have made one of the usual beginners' mistakes, thinking of
things from a client perspective where source is the place data comes from.

In HTTP we deal with request message orientation. Source (src) is the
place the request came from (the client IP) and destination is where it
is going to (the URL domain, dstdomain).

So what you have configured is that when a *LAN*-generated request is
received it is allowed through.

For any request that is allowed to be processed, Squid will look up where
to send it in DNS and send it there. Use your network's normal recursive
DNS resolver with split-DNS / views delivering the right
internal/external IPs, and things will "just work" in regards to Squid
delivering the requests. You do have one of those, right?

Notice that "internal" and "external" are meaningless. There is simply
"where DNS told me/Squid to go for this URL domain".

The part you need to work on is what traffic is allowed to be processed,
and how Squid knows that. I suggest at minimum limiting it to only
accepting traffic arriving from the NetScaler IP:

 # The usual security protections go first.
 # Safe_ports and SSL_ports are the ACLs defined in the default squid.conf.
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports

 # Your local custom permissions go here:
 # (the NetScaler's IP address goes after "src")
 acl NetScaler src
 http_access allow NetScaler

 # deny anything not explicitly permitted.
 http_access deny all

How you have configured the NetScaler to receive traffic and/or to relay
it to Squid may affect what you need to configure. Or it may allow better
security protections on the channel between NetScaler and Squid.
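As an added illustration (not part of the original thread), here is a small Python model of how Squid evaluates http_access lines in request orientation: src is matched against the client IP, dstdomain against the URL host, ACLs on one line are ANDed, and the first matching line wins. The NetScaler address 192.0.2.10 and the internal host name are constructed placeholders; the rule list is the one from the reply above, and the model generalises it to any rule list so the open-proxy case can be compared.

```python
import ipaddress
from urllib.parse import urlsplit

# ACL definitions. The NetScaler address and the internal host name are
# constructed placeholders; Safe_ports/SSL_ports mirror the default squid.conf.
ACLS = {
    "Safe_ports": ("port", {80, 21, 443, 70, 210, 280, 488, 591, 777, *range(1025, 65536)}),
    "SSL_ports":  ("port", {443}),
    "CONNECT":    ("method", {"CONNECT"}),
    "NetScaler":  ("src", [ipaddress.ip_network("192.0.2.10/32")]),
    "internal":   ("dstdomain", {"internal.resources.com"}),
}

# The http_access lines from the reply, in order: the first matching line wins.
HTTP_ACCESS = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["NetScaler"]),
    ("deny",  ["all"]),
]

def request_fields(client_ip, method, url):
    """Request orientation: src is the client IP, dstdomain is the URL host."""
    u = urlsplit("//" + url if method == "CONNECT" else url)
    port = u.port or (443 if method == "CONNECT" or u.scheme == "https" else 80)
    return {"src": ipaddress.ip_address(client_ip), "method": method,
            "dstdomain": u.hostname, "port": port}

def acl_matches(name, req):
    """Test one ACL reference (optionally negated with '!') against a request."""
    if name == "all":
        return True
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    field = req[kind]
    if kind == "src":
        hit = any(field in net for net in values)
    else:
        hit = field in values          # exact match; no dstdomain wildcard handling here
    return hit != negate

def http_access(client_ip, method, url, rules=HTTP_ACCESS):
    """Return 'allow' or 'deny' the way Squid's http_access list would."""
    req = request_fields(client_ip, method, url)
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):   # ACLs on one line are ANDed
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"
```

Note that the poster's `acl localnetPAC src internal.resources.com` would be compared against the client address, not the destination; a destination check is a dstdomain ACL, as the "internal" entry above shows.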
