[squid-users] Squid IPv4:port to IPv6

Amos Jeffries squid3 at treenet.co.nz
Sat Aug 19 12:43:04 UTC 2017


On 19/08/17 18:15, Walter H. wrote:
> On 19.08.2017 04:03, davidjesse091 wrote:
>> I'm trying to connect to Squid with one IPv4 IP and based on the port 
>> I'm connecting with, I want Squid to use a different IPv6 IP for the 
>> connection.

NP: you are making two wrong assumptions here.

1) that Squid only uses outbound IPv6.

Ideally it would, but not all servers are IPv6-enabled, nor is the 
connection to any that are guaranteed to be working. As a proxy, part of 
Squid's job is to detect failures and seamlessly work around them "at 
line-speed".


2) that the inbound connection has any relationship to the outbound one.

HTTP is stateless and multiplexed. That means any client request can go 
out any outbound connection, or none, or *multiple* servers. Likewise 
for server responses being delivered to any client, or none, or multiple 
clients.

HTTP and Squid permit what you are doing, but neither implies anything 
about whether it is a good idea or not. Be aware that by forcing 
specific traffic flows you are artificially inhibiting what Squid can do 
and potentially causing breakage in normal HTTP behaviour.


>>
>> Below is my config file
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80
>> acl Safe_ports port 21
>> acl Safe_ports port 443
>> acl Safe_ports port 70
>> acl Safe_ports port 210
>> acl Safe_ports port 1025-65535
>> acl Safe_ports port 280
>> acl Safe_ports port 488
>> acl Safe_ports port 591
>> acl Safe_ports port 777
>> acl CONNECT method CONNECT
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow localhost
>> #http_access deny all
>> http_port 3128
>> coredump_dir /var/spool/squid
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320

>> # Allow all machines to all sites
>> http_access allow all

Really *anybody* on the entire Internet is allowed to use this 
anonymizing proxy to perform any abuse they want to?
  Including bypassing hardware-level protection on your 'lo' NIC 
hardware to attack the proxy machine from the inside?
  uh.

There are definitely far better ways to configure client access. But we 
need to know what your intended use of the proxy really is to make good 
suggestions.



>> #Privacy Things
>> via off
>> forwarded_for off
>> follow_x_forwarded_for deny all

Question is "privacy for whom?" - these settings are hiding the proxy. 
Increasing the *proxy* privacy. While leaving the client details exposed 
to servers.

If you are seeking to increase client and end-user privacy, you want to 
be telling the server that there is a proxy in the way so it cannot 
trust any of the 'user' values it sees to be user-unique.



>> ## designate acl based on inbound connection name
>> acl user1 myportname 3128
>> acl user2 myportname 3129
>> acl user3 myportname 3130
>> acl user4 myportname 3131
>> acl user5 myportname 3132
>> ## define outgoing IPv6 per user
>> tcp_outgoing_address 2000:3c03:e000:25f::1:0 user1
>> tcp_outgoing_address 2000:3c03:e000:25f::1:1 user2
>> tcp_outgoing_address 2000:3c03:e000:25f::1:2 user3
>> tcp_outgoing_address 2000:3c03:e000:25f::1:3 user4
>> tcp_outgoing_address 2000:3c03:e000:25f::1:4 user5
>>

Here you are mixing up the concepts of authentication, IP address, and 
port numbers in a way which is horribly confusing.

The entity which connects to a port is a *client* not a user.


A) Why don't you let Squid just perform HTTP the way it is supposed to work?
  HTTP is stateless, with proxying as a designed part of the protocol. 
The more people go out of their way to hide proxies' existence from 
server scripts, the more the server-side script developers write broken 
code assuming proxies don't exist. Reality is that almost all web 
traffic goes through at least a handful of proxies. Bad scripts need to 
be eradicated and the only way that is going to happen is if it is made 
very clear to the naive authors how broken they are.

B) If you really have to break the stateless behaviour of HTTP, why not 
use the client's IP (or Squid's receiving IP) instead of the Squid 
receiving port?



>>
>> The issue I'm facing is that I can only use the proxy with port 3128, 
>> and it does proxy it to "2000:3c03:e000:25f::1:0" as it should. But if 
>> I use port 3129 then I can not connect to the proxy.
> because you only have
> http_port 3128
> you also need
> http_port 3129
> http_port 3130
> http_port 3131
> http_port 3132
> and in case there is a firewall, these ports must be open, too ...
> 
> by the way, this setting only makes sense when there is a restriction 
> that only a specific IP can use port 3128,
> a specific IP can use port 3129, ....
> It need not be IPv4; it can also be IPv6 ...
> 
> Walter
> 

As Walter said, that is your current problem. But when you get over that 
you will hit the ones I've mentioned above - though they may not be 
easily noticed.


Amos
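A corrected squid.conf fragment that puts Walter's fix and Amos's points together, added here as an example and not taken from the thread: one http_port per inbound port, an explicit client list in place of "http_access allow all", and the per-port outbound IPv6 mapping next to the client-source-address alternative from point (B). The 192.0.2.0/24 client range and the two client hosts are assumed placeholders.

```conf
# Constructed example (not the original poster's config).
# One http_port per inbound port; without these, 3129-3130 refuse connections.
http_port 3128
http_port 3129
http_port 3130

# Explicit client list instead of "http_access allow all"
# (192.0.2.0/24 is an assumed placeholder range, not from the thread).
acl trusted_clients src 192.0.2.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow trusted_clients
http_access deny all

# Per-port outbound IPv6 selection (the original poster's approach).
# myportname matches the http_port name, which defaults to the port number.
acl port3128 myportname 3128
acl port3129 myportname 3129
acl port3130 myportname 3130
tcp_outgoing_address 2000:3c03:e000:25f::1:0 port3128
tcp_outgoing_address 2000:3c03:e000:25f::1:1 port3129
tcp_outgoing_address 2000:3c03:e000:25f::1:2 port3130

# Amos's alternative (B): select the outbound address by client source
# address instead of receiving port (assumed client hosts, commented out).
#acl clientA src 192.0.2.10
#acl clientB src 192.0.2.11
#tcp_outgoing_address 2000:3c03:e000:25f::1:0 clientA
#tcp_outgoing_address 2000:3c03:e000:25f::1:1 clientB
```

Run `squid -k parse` against the file to check the syntax before reloading; tcp_outgoing_address rules are applied on first match, so order them from most to least specific.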

