[squid-users] deny_info and squid's own IP address?

Amish anon.amish at gmail.com
Tue May 1 07:44:32 UTC 2018


Hello,

First of all, thanks a lot for taking your time out to reply to my query.

My replies are inline.

On Tuesday 01 May 2018 09:10 AM, Amos Jeffries wrote:
> On 01/05/18 00:54, Amish wrote:
>> Hello
>>
>> I have 2 LAN interface on squid box, say department A (192.168.1.1/24)
>> and department B (192.168.2.1/24)
>>
>> I have few banned sites. Say Facebook.
>>
>> I have HTTP server (running on same server as squid) which shows custom
>> pages with custom logo based on IP address.
>>
>> When request comes for a banned site I would like client to be
>> redirected based on squid's own IP.
> Firstly, is there any particular reason you are requiring it to be a
> redirect?
>   from what you have said it appears you can achieve the same outcome
> without the extra web server by using a custom error page.

No, I can't use a custom error page as JavaScript will leak the IP range of 
department A to department B.
(I had simplified my example; it's actually two companies and not two 
departments. In fact I have 4-5 companies/subnets.)

> Thirdly, on the issue of %h - the Squid hostname is *required* to
> resolve in DNS explicitly so clients can access things like these URLs.
> If your network and DNS is configured correctly each client subnet
> should resolve that hostname to the relevant IP which you are trying to
> "pass" to the web server in your redirect URL. So they will naturally
> (and only) connect to the web server (or Squid itself) using the right
> IP anyway - the web server should be able to detect what it needs from
> its own inbound TCP/IP connection instead of using raw-IPs in the traffic.
>
Some companies use OpenDNS, others Cloudflare, others Google, etc.

So DNS will not resolve the hostname to same as %MYADDR.

> There are three options available to work around broken DNS:
>
>
> Option 1) to do exactly (and only) what you asked for.
>
> Currently this can be done with an external helper:
>
>   external_acl_type getIp concurrency=100 %MYADDR /path/to/script
>   deny_info 302:http://%et/banned.html getIp
>
> where the script just echos back to Squid the IP it was given like so:
>      [channel-id] OK message="<input-IP>"\n
>

Based on documentation of FORMAT for deny_info, I think you mean %o and 
not %et

Also, will this "message" be available if I change my http_access line to:
deny_info 302:http://%o/banned.html blockedsites
http_access deny blockedsites getIp

will "message" of getIp be available to deny_info of blockedsites?

I will give this a try, however please see the end of the e-mail for 
a feature request.

> Option 2) to use the client IP and have your web server respond based on
> those subnets instead of Squid IP.
>
>   acl clients1 src 192.168.1.0/24
>   deny_info 302:http://%h/banned.html?%i clients1
>   http_access deny blockedsites clients1
>
>   acl clients2 src 192.168.2.0/24
>   deny_info 302:http://%h/banned.html?%i clients2
>   http_access deny blockedsites clients2
>
>
> ** If you really *have* to use Squid-IP, this can work with localip ACL
> type instead of src. But then you have to bake each Squid-IP variation
> into the deny_info URL instead of using %i.
>

I will have to do this for each company. But I would like to keep 
squid.conf simple and minimal.

>
> Option 3) to use a custom error page instead of a redirect.
>
> Place your banned.html page into /etc/squid/banned.html and either a)
> write it with javascripts that pull in the right images/branding based
> on client IPs.
>
>    deny_info 403:/etc/squid/banned.html blockedsites
>
> ** Like (2) above this can use Squid-IP (via localip ACL type) if you
> really have to. But with the same limitation of using different files
> for branding instead of javascript for dynamic sub-resource/image fetching.

As stated earlier, this would leak IP range information.


Feature request:
Can we have the following switch-case in file errorpage.cc?

Source: 
https://github.com/squid-cache/squid/blob/master/src/errorpage.cc#L857

Currently case 'I' (capital i) for building_deny_info_url returns string 
"[unknown]"

Can it be modified to return "interface" address? i.e. same as MYADDR

I believe it would be just a few (maybe one) line change in the code.

I can create a PR if required but can you or someone guide me on how to 
fetch MYADDR?

After this feature - all I would need to do is:

deny_info http://%I/banned.html blockedsites

Thank you again for your help.

Amish

>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
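For the helper that Option 1 above relies on, here is an added example (not code from the thread or from the Squid project) of a concurrency-aware external ACL helper in Python. It echoes the %MYADDR value back as message= (which deny_info can reference as %o) and fails closed: FALLBACK_HOST is a constructed placeholder used when the value is not a well-formed address, so the ACL still matches and the deny still applies.

```python
import ipaddress
import sys

# Constructed placeholder: where to send clients if Squid hands us something
# that is not a usable address. Returning OK with this host keeps the
# http_access deny in force instead of letting the request through.
FALLBACK_HOST = "blocked.example.invalid"


def handle_line(line: str):
    """Build the reply for one request line from Squid.

    With concurrency=N Squid sends "<channel-id> <value of %MYADDR>" and
    expects "<channel-id> OK message=\"<text>\"" back.  Returns None for a
    blank line (nothing to answer).
    """
    parts = line.split(None, 1)
    if not parts:
        return None
    channel = parts[0]
    value = parts[1].strip() if len(parts) == 2 else ""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        # Not an IP literal: do not echo arbitrary text into a redirect URL,
        # but still answer OK so the deny rule matches (fail closed).
        return f'{channel} OK message="{FALLBACK_HOST}"'
    # An IPv6 literal must be bracketed to be valid as a URL host.
    host = f"[{addr}]" if addr.version == 6 else str(addr)
    return f'{channel} OK message="{host}"'


def main():
    # Squid talks to the helper over stdin/stdout; every reply must be flushed.
    for line in sys.stdin:
        reply = handle_line(line)
        if reply is not None:
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Point `external_acl_type getIp concurrency=100 %MYADDR` at this script and use `deny_info 302:http://%o/banned.html getIp` as in Option 1.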
