[squid-users] deny_info and squid's own IP address?

Amos Jeffries squid3 at treenet.co.nz
Tue May 1 14:17:42 UTC 2018


On 01/05/18 23:10, Amish wrote:
> On Tuesday 01 May 2018 02:41 PM, Amos Jeffries wrote:
>> On 01/05/18 19:44, Amish wrote:
>>> Hello,
>>>
>>> First of all, thanks a lot for taking your time out for replying to my query.
>>>
>>> My replies are inline.
>>>
>>> On Tuesday 01 May 2018 09:10 AM, Amos Jeffries wrote:
>>>> On 01/05/18 00:54, Amish wrote:
>>>>> Hello
>>>>>
>>>>> I have 2 LAN interfaces on the squid box, say department A (192.168.1.1/24)
>>>>> and department B (192.168.2.1/24)
>>>>>
>>>>> I have few banned sites. Say Facebook.
>>>>>
>>>>> I have HTTP server (running on same server as squid) which shows
>>>>> custom
>>>>> pages with custom logo based on IP address.
>>>>>
>>>>> When request comes for a banned site I would like client to be
>>>>> redirected based on squid's own IP.
>>>> Firstly, is there any particular reason you are requiring it to be a
>>>> redirect?
>>>>   from what you have said it appears you can achieve the same outcome
>>>> without the extra web server by using a custom error page.
>>> No, I can't use a custom error page as Javascript will leak the IP range of
>>> department A to department B.
>>> (I had simplified my example; it's actually two companies and not two
>>> departments. In fact I have 4-5 companies/subnets)
>>>
>>>> Thirdly, on the issue of %h - the Squid hostname is *required* to
>>>> resolve in DNS explicitly so clients can access things like these URLs.
>>>> If your network and DNS is configured correctly each client subnet
>>>> should resolve that hostname to the relevant IP which you are trying to
>>>> "pass" to the web server in your redirect URL. So they will naturally
>>>> (and only) connect to the web server (or Squid itself) using the right
>>>> IP anyway - the web server should be able to detect what it needs from
>>>> its own inbound TCP/IP connection instead of using raw-IPs in the
>>>> traffic.
>>>>
>>> Some companies use OpenDNS, others Cloudflare, others Google, etc.
>>>
>>> So DNS will not resolve the hostname to same as %MYADDR.
>> I suspect something is going screwy there. How are these clients getting
>> to the proxy if they resolve its name to a different IP than they
>> connect to?
> 
> They connect by putting IP address in Proxy setting.

Then all their traffic goes through the proxy, which does the DNS
portion on their behalf - including the fetch for the redirection URL.

That means you can have the proxy do whatever you want with it on the
second fetch.
For example;

 http_port 3128
 # %h in the deny_info URL expands to visible_hostname, so it must be the
 # same name the toSquid ACL below matches (name assumed here)
 visible_hostname squid-domain.example.com

 # the banned-site list that deny_info refers to (Facebook, per the example)
 acl blockedsites dstdomain .facebook.com
 acl toSquid dstdomain squid-domain.example.com
 acl banUrl urlpath_regex ^/banned.html$
 deny_info 302:http://%h/banned.html blockedsites
 http_access deny blockedsites

... the simplest way is just to pass a Forwarded header for the server
to use:

 request_header_add Forwarded "for=%>a;by=%la" toSquid banUrl

 OR, you can set up explicit hostname replacement with cache_peer
forcedomain= for each client "interface":

 acl clients1 localip 192.168.1.1
 cache_peer localhost 80 0 name=server1 originserver \
  forcedomain=192.168.1.1
 cache_peer_access server1 allow clients1 toSquid banUrl

 acl clients2 localip 192.168.2.1
 cache_peer localhost 80 0 name=server2 originserver \
  forcedomain=192.168.2.1
 cache_peer_access server2 allow clients2 toSquid banUrl



>>> _*Feature request:*_
>>> Can we have the following switch-case in file errorpage.cc?
>>>
>>> Source:
>>> https://github.com/squid-cache/squid/blob/master/src/errorpage.cc#L857
>>>
>>> Currently case 'I' (capital i) for building_deny_info_url returns string
>>> "[unknown]"
>>>
>>> Can it be modified to return "interface" address? i.e. same as MYADDR
>>>
>>> I believe it would be just a few (maybe one) line change in code.
>>>
>>> I can create a PR if required but can you or someone guide me on how to
>>> fetch MYADDR?
>> A PR is welcome, but re-using a %macro which already has a different
>> definition will add problems in the long-term plan of conversion to
>> logformat %macro codes. So picking a letter that has not yet been used
>> for anything would be best.
>>
>> The Squid IP:port on client requests should be available to that code as
>> request->masterXaction->tcpClient->local , the request and tcpClient
>> pointers may be nil since not all transactions have a client or the
>> error may be about the lack of an HTTP request on the TCP connection.
> 
> I chose I (capital i) as it is not used for deny_info (and not
> documented either) and also properly reflects that it means interface
> address.

The issue is that deny_info is a subset of ERR_* %macros and "%I"
already means server-IP to the Convert() function. So when the Convert()
function is replaced with the generic logformat macros we will have to
add extra code complexity to determine the use instead of adding it as
an alias for the logformat "%<a" (your data is actually %la in logformat
terms).

Since we already know that conversion is going to happen it is a bad
idea to knowingly make it harder to do. Which means picking a completely
unused letter - "AbCGjJkKnNOqQrvVXyYZ" are available, or numbers.


> 
> Document source: http://www.squid-cache.org/Doc/config/deny_info/
> 
> %i (small i) is used for client IP address
> %I (capital i) may be used for interface (own) IP address

Squid has no knowledge of "interfaces"; all it has is a TCP connection,
so that definition is not consistent with what Squid has available. L
for 'local address/IP' would be better but is also already taken by
another definition.

There is not really any meaningful mapping for these one-letter codes,
and there has not been for years. Which is part of why the logformat
conversion is planned.


Amos
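The web-server side of the Forwarded approach above, as an added example that is not part of the original thread or of Squid itself: a parser for RFC 7239 Forwarded elements and the branding selection keyed on the `by=` node that the `request_header_add Forwarded "for=%>a;by=%la" ...` line supplies. The names (`SITES`, `parse_forwarded`, `parse_node`, `select_site`) and the trust rule are this example's own assumptions: the server only honours the header when the TCP peer is one of the proxy's own addresses (assumed loopback, since the thread puts Squid and the web server on one host), and it reads the last forwarded-element on the assumption that Squid appends its element after anything the client already sent, so a client cannot choose another company's page by supplying its own Forwarded header.

```python
import ipaddress
import re

# Constructed mapping for this example: Squid's local IP on each company's
# subnet (the %la value) -> branding to serve. Addresses taken from the thread.
SITES = {
    ipaddress.ip_address("192.168.1.1"): "company-a",
    ipaddress.ip_address("192.168.2.1"): "company-b",
}

# Addresses the proxy is assumed to connect from (Squid on the same host).
TRUSTED_PROXIES = frozenset(ipaddress.ip_address(a) for a in ("127.0.0.1", "::1"))

# One "name=value" pair; the value is either a quoted-string or a token.
_PAIR = re.compile(r'\s*([^=;,\s"]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;,\s"]*)\s*')


def parse_forwarded(value):
    """Parse an RFC 7239 Forwarded field value into a list of dicts, one per
    forwarded-element, in order of appearance. ';' separates the pairs of one
    element, ',' separates elements; parameter names are case-insensitive."""
    elements, current, pos = [], {}, 0
    while pos < len(value):
        m = _PAIR.match(value, pos)
        if not m:
            raise ValueError("malformed Forwarded header at offset %d" % pos)
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # drop quotes, unescape
        if name in current:
            raise ValueError("duplicate parameter %r in one element" % name)
        current[name] = raw
        pos = m.end()
        if pos < len(value):
            sep, pos = value[pos], pos + 1
            if sep == ",":
                elements.append(current)
                current = {}
            elif sep != ";":
                raise ValueError("unexpected %r at offset %d" % (sep, pos - 1))
    if current:
        elements.append(current)
    return elements


def parse_node(node):
    """Split an RFC 7239 node into (ip, port). ip is None for "unknown" or an
    obfuscated identifier such as "_hidden"; port is None when absent or
    obfuscated. Accepts "[v6]:port" and, leniently, a bare unbracketed IPv6
    literal (assumption: that form carries no port)."""
    if node.startswith("["):
        end = node.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 node %r" % node)
        host, rest = node[1:end], node[end + 1:]
    elif node.count(":") > 1:
        host, rest = node, ""  # bare IPv6 literal
    else:
        host, sep, port_part = node.partition(":")
        rest = sep + port_part
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # "unknown" or obfuscated node name
    port = None
    if rest:
        if not rest.startswith(":") or not rest[1:]:
            raise ValueError("bad port in node %r" % node)
        port = int(rest[1:]) if rest[1:].isdigit() else None
    return ip, port


def select_site(headers, peer_ip, trusted=TRUSTED_PROXIES):
    """Choose the branding for a blocked-page request, or None.

    headers: mapping of request header names to values (any case).
    peer_ip: the TCP peer that connected to the web server.
    The header is honoured only when the peer is a trusted proxy address, and
    only the LAST forwarded-element is used (assumed to be the one Squid
    appended), so a client-supplied Forwarded element is ignored."""
    if ipaddress.ip_address(peer_ip) not in trusted:
        return None
    value = next((v for k, v in headers.items() if k.lower() == "forwarded"), None)
    if not value:
        return None
    elements = parse_forwarded(value)
    by = elements[-1].get("by") if elements else None
    if not by:
        return None
    ip, _port = parse_node(by)
    return SITES.get(ip)
```

If `%la` expands to a bare IPv6 literal, that is not valid RFC 7239 node syntax (a v6 node must be bracketed and quoted), which is why `parse_node` accepts it leniently; a stricter server would either reject it or have Squid emit `by="[%la]"` instead.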

