[squid-users] ACL and outgoing IP

Amos Jeffries squid3 at treenet.co.nz
Thu Dec 29 06:35:00 UTC 2016

On 2016-12-28 05:03, qdmetro wrote:
> Hello,
> I have an issue with ACLs and the outgoing IP address.
> I have a Squid connected behind a firewall. On the firewall, only the IP
> of the squid ( is allowed to go on the Internet.
> Usually, when a user authenticates on the proxy, all the requests use
> the outgoing IP of the squid ( so they can access the website.
> I want to allow some websites to be reachable without authentication
> (especially for the activation of Windows licences). I've tried this:
> acl Microsoft dstdomain .microsoft.com
> http_access allow Microsoft
> With this configuration, the requests don't use the outgoing IP of the
> proxy anymore, so they come to my firewall with the source IP of the
> client (which is not allowed to go on the Internet).
> I've tried this to force the outgoing IP for this ACL:
> tcp_outgoing_address Microsoft
> but the requests still don't use the IP of the proxy.
> Maybe this kind of configuration isn't possible, or I'm missing something...
> Any idea to help me?

Something other than Squid is causing that. Connections outgoing from Squid 
have their source IPs selected by the OS. Usually there is one main/primary 
IP on the machine and that gets selected, but things like routing rules or 
NAT can alter that.

Setting tcp_outgoing_address makes Squid tell the OS it should select that 
IP, unless there is specific admin config forcing something else (like NAT 
on outgoing traffic).

I've added some comments about changes to improve your config below, but 
nothing that will fix the address issue.

On 2016-12-28 21:22, qdmetro wrote:
> Here the squid.conf :
> auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s
> GSS_C_NO_NAME HTTP/hostname.domain.com
> auth_param negotiate children 200
> auth_param negotiate keep_alive on
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -b
> "ou=users,dc=ref,dc=local" -u uid ref.domain.com
> url_rewrite_program /usr/bin/squidGuard -c 
> /etc/squidguard/squidGuard.conf
> url_rewrite_children 80
> acl SSL_ports port 443 4443
> acl SSL_ports port 563 4431
> acl SSL_ports port 873
> acl SSL_ports port 7071
> acl SSL_ports port 33333 33334
> acl SSL_ports port 83
> acl Safe_ports port 21
> acl Safe_ports port 22
> acl Safe_ports port 80 81
> acl Safe_ports port 443
> acl CONNECT method CONNECT
> acl domain_auth proxy_auth REQUIRED
> acl localhost src
> acl password proxy_auth REQUIRED

Since the "password" and "domain_auth" ACLs are defined identically and 
neither is tied to anything fancy like deny_info, you can pick one of them 
and remove the other.

> visible_hostname name
> snmp_port 3401
> acl acl_snmp snmp_community com_name
> snmp_access allow acl_snmp
> acl localnet src
> acl Microsoft dstdomain .microsoft.com
> delay_pools 2
> delay_class 2 2
> delay_access 2 allow localnet
> delay_parameters 2 12233386/12233386 12233386/12233386
> forwarded_for on
> follow_x_forwarded_for allow localnet

That tells Squid that all clients within the localnet (LAN) are allowed 
to forge XFF headers.

Proper use of this directive is to "allow" only the client proxies you 
are confident will not send your proxy fake values in that header. 
Usually you are managing the downstream proxy yourself, or at least have 
contact with its admin if not.

NP: The follow_* directive has nothing to do with your Squid producing 
or updating the XFF headers. "forwarded_for on" does that.

The forwarded_for directive is set to its default. So unless there is a 
reason you need follow_* to be set for some clients, you should just remove 
those XFF-related lines and let Squid do the default action.

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

I advise placing this rule here:
   http_access deny !localnet

After that you can then remove the 'localnet' ACL from the below lines.

> http_access allow Microsoft
> tcp_outgoing_address Microsoft
> http_access allow localnet password
> http_access allow localnet domain_auth
> http_access deny all
> http_reply_access allow localnet

After the http_access change above, you can also remove this 
http_reply_access line.

> icp_access deny all
> htcp_access deny all

Since you are just denying ICP and HTCP usage it would be better to remove 
all icp_* and htcp_* lines from your config. The default in current Squid 
versions is to not even open those ports.

> http_port 3128
> icp_port 3130
> dns_v4_first on


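As an added example, not part of the original message or of the Squid project's own documentation, here is the poster's access-control section rewritten along the lines of the reply above. The proxy address 192.0.2.10 and the LAN range 10.0.0.0/8 are assumed placeholders, because the archive stripped the real addresses; the auth_param, squidGuard, delay-pool and SNMP lines are unchanged and left out.

```conf
# Added example applying the advice in the reply above. Not from the original
# message. 192.0.2.10 (proxy) and 10.0.0.0/8 (LAN) are assumed placeholders;
# the archived message has the real addresses stripped.

# tcp_outgoing_address takes an address, optionally followed by ACL names.
# Bind every outgoing connection to the address the firewall permits. If
# packets still leave with the client's source address, look for NAT or
# policy routing on the host or the firewall, not at Squid.
tcp_outgoing_address 192.0.2.10

acl localnet src 10.0.0.0/8
acl SSL_ports port 443 4443 563 4431 873 7071 33333 33334 83
acl Safe_ports port 21 22 80 81 443
acl CONNECT method CONNECT
acl Microsoft dstdomain .microsoft.com
# One proxy_auth ACL is enough; "password" was a duplicate of this one.
acl domain_auth proxy_auth REQUIRED

# follow_x_forwarded_for is deliberately absent: no downstream proxy is
# trusted, so clients cannot inject X-Forwarded-For values. forwarded_for
# defaults to "on", so Squid still appends the real client address itself.

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Refuse anything not from the LAN before any unauthenticated allow, so the
# authentication-free exception below is never reachable from elsewhere.
http_access deny !localnet
http_access allow Microsoft
# The localnet qualifier is no longer needed on the auth rule.
http_access allow domain_auth
http_access deny all
# http_reply_access is left at its default (allow all).

http_port 3128
# No icp_port, icp_access or htcp_access lines: current Squid leaves those
# ports closed by default.
```

Check the syntax with `squid -k parse` before `squid -k reconfigure`, then confirm the source address on the firewall-facing interface with tcpdump while fetching a .microsoft.com URL through the proxy without credentials; if the capture still shows the client's address, the override is in the host's routing or NAT rules, as the reply says.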