[squid-users] Routing Internally And/Or Externally?

Amos Jeffries squid3 at treenet.co.nz
Wed Apr 20 15:34:35 UTC 2016


On 21/04/2016 2:12 a.m., nkingsquid wrote:
> Amos, I have changed the code around a bit to reflect what you guys have been
> telling me.  The Netscaler is NATing.  Security before, after, and around
> the device is substantial, I will tweak the code to reflect that at a later
> time, at the moment I am desperately looking for that 1 answer I mentioned
> in the post above.
> 
> I did make a mistake originally saying that traffic that did NOT meet the
> rules for internal sites goes back to the Netscaler, it will instead go to
> another proxy (and various security measures) before it goes out to the
> internet.
> 
> That's the code I am looking for.  redirect traffic to 2nd proxy if it's not
> trying to go to an internal resource.
> 


Unfortunately no amount of security checks work in the presence of an
interception proxy. By definition the intercept itself is an attack that
has to be let through and there are major side effects of the secondary
things that become possible once it is through.

The security built into Squid itself to prevent CVE-2009-0801 and
related holes from bypassing everything else is also substantial and
forbids D-NAT being done externally to the machine Squid is running on.

Squid requires direct access to the kernel NAT table to de-obfuscate the
TCP traffic and validate that it is going to the place the client
intended it to. In the event of that validation failing Squid will act
transparently and ensure the packets continue where they were supposed
to if it were not there.

You need to:
* policy-route the traffic from the NetScaler to Squid,
* do the NAT on the Squid machine directly,
* use 'intercept' on the http_port receiving the NAT'ed traffic.

You can re-NAT the traffic outbound from Squid after it leaves Squid and
into your other proxy if you like, or "never_direct allow all". That
other proxy will be responsible for its own version of the CVE
protections all over again.

Amos
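The three steps Amos lists (policy-route to Squid, NAT on the Squid host itself, an 'intercept' http_port) plus the "never_direct allow all" hand-off to the second proxy, written out as an added example. This is not code from the thread or from the Squid project; it is a small POSIX sh script that prints the iptables rules for the Squid host and a matching squid.conf fragment so they can be reviewed before being applied. Step 1 (the policy route on the NetScaler) is not shown, since it is configured on that appliance rather than on the Squid box. The addresses, interface name, port numbers, the "internal" address ranges and the .corp.example domain are all assumptions; the first of the two NAT rules is a loop guard that the thread does not mention, and the always_direct lines are my reading of the quoted request that internal resources bypass the second proxy.

```shell
#!/bin/sh
# Added example, not part of the original squid-users thread.
# Prints (does not apply) the NAT rules and squid.conf fragment for an
# interception layout where the NetScaler policy-routes client HTTP to this
# host, the DNAT happens here, and everything non-internal is relayed to a
# second proxy via never_direct.
set -eu

# Assumed values; adjust to the real network.
SQUID_IP="192.0.2.10"        # this Squid host
LAN_IF="eth0"                # interface on which the policy-routed traffic arrives
INTERCEPT_PORT="3129"        # separate from the normal forward-proxy port
UPSTREAM_PROXY="192.0.2.20"  # the second proxy everything external goes through
UPSTREAM_PORT="3128"

# Emit the DNAT rules for the Squid host. The NAT has to be done here, not on
# the NetScaler: in 'intercept' mode Squid asks the local kernel NAT table
# (getsockopt SO_ORIGINAL_DST on Linux) for the client's real destination and
# checks the request against it. An external DNAT leaves nothing to look up.
# Usage: nat_rules <lan_if> <squid_ip> <intercept_port>
nat_rules() {
    lan_if=$1; squid_ip=$2; port=$3
    # Loop guard (assumption, not from the thread): if a misconfigured policy
    # route ever sends this host's own traffic back in, do not redirect it.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j ACCEPT\n' \
        "$lan_if" "$squid_ip"
    # Local DNAT of client port-80 traffic to the intercept port.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$lan_if" "$port"
}

# Emit the squid.conf fragment.
# Usage: squid_conf <intercept_port> <upstream_host> <upstream_port>
squid_conf() {
    port=$1; peer=$2; peer_port=$3
    cat <<EOF
# Port receiving the locally NAT'ed traffic. 'intercept' makes Squid validate
# the request against the kernel NAT table instead of trusting the packet it
# was handed (the CVE-2009-0801 class of problem).
http_port ${port} intercept

# Ordinary forward-proxy port for explicitly configured clients (assumed).
http_port 3128

# The second proxy. It has to apply its own interception protections again.
cache_peer ${peer} parent ${peer_port} 0 no-query default

# Assumed definition of "internal"; replace with the real address space.
acl internal_dst dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl internal_dom dstdomain .corp.example

# Internal resources are fetched directly; everything else must use the peer.
always_direct allow internal_dst
always_direct allow internal_dom
never_direct allow all
EOF
}

# When run directly, print both for review. Apply the NAT rules on the Squid
# host only after checking them, e.g.: ./this.sh | sed -n '/^iptables/p' | sh
nat_rules "$LAN_IF" "$SQUID_IP" "$INTERCEPT_PORT"
echo
squid_conf "$INTERCEPT_PORT" "$UPSTREAM_PROXY" "$UPSTREAM_PORT"
```

The alternative Amos mentions, re-NATing Squid's outbound traffic into the second proxy, would replace the cache_peer/never_direct lines with a second REDIRECT or DNAT rule on the Squid host's OUTPUT chain; the never_direct form is preferred here because Squid then forwards to the peer as an explicit proxy and the peer does not need to intercept a second time.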


