[squid-users] deny_info and squid's own IP address?

Amish anon.amish at gmail.com
Wed May 2 04:20:09 UTC 2018



On Tuesday 01 May 2018 07:47 PM, Amos Jeffries wrote:
> On 01/05/18 23:10, Amish wrote:
>> On Tuesday 01 May 2018 02:41 PM, Amos Jeffries wrote:
>>> On 01/05/18 19:44, Amish wrote:
>>>> Hello,
>>>>
>>>> First of all, thanks a lot for taking the time to reply to my query.
>>>>
>>>> My replies are inline.
>>>>
>>>> On Tuesday 01 May 2018 09:10 AM, Amos Jeffries wrote:
>>>>> On 01/05/18 00:54, Amish wrote:
>>>>>> Hello
>>>>>>
>>>>>> I have 2 LAN interfaces on the squid box, say department A (192.168.1.1/24)
>>>>>> and department B (192.168.2.1/24)
>>>>>>
>>>>>> I have a few banned sites. Say Facebook.
>>>>>>
>>>>>> I have HTTP server (running on same server as squid) which shows
>>>>>> custom
>>>>>> pages with custom logo based on IP address.
>>>>>>
>>>>>> When request comes for a banned site I would like client to be
>>>>>> redirected based on squid's own IP.
>>>>> Firstly, is there any particular reason you are requiring it to be a
>>>>> redirect?
>>>>> From what you have said it appears you can achieve the same outcome
>>>>> without the extra web server by using a custom error page.
>>>> No, I can't use a custom error page as Javascript will leak the IP range of
>>>> department A to department B.
>>>> (I had simplified my example; it's actually two companies and not two
>>>> departments. In fact I have 4-5 companies/subnets.)
>>>>
>>>>> Thirdly, on the issue of %h - the Squid hostname is *required* to
>>>>> resolve in DNS explicitly so clients can access things like these URLs.
>>>>> If your network and DNS is configured correctly each client subnet
>>>>> should resolve that hostname to the relevant IP which you are trying to
>>>>> "pass" to the web server in your redirect URL. So they will naturally
>>>>> (and only) connect to the web server (or Squid itself) using the right
>>>>> IP anyway - the web server should be able to detect what it needs from
>>>>> its own inbound TCP/IP connection instead of using raw-IPs in the
>>>>> traffic.
>>>>>
>>>> Some companies use OpenDNS, others Cloudflare, others Google, etc.
>>>>
>>>> So DNS will not resolve the hostname to same as %MYADDR.
>>> I suspect something is going screwy there. How are these clients getting
>>> to the proxy if they resolve its name to a different IP than they
>>> connect to?
>> They connect by putting IP address in Proxy setting.
> Then all their traffic goes through the proxy, which does the DNS
> portion on their behalf - including the fetch for the redirection URL.
>
> That means you can have the proxy do whatever you want with it on the
> second fetch.
> For example;
>
>   http_port 3128
>
>   acl toSquid dstdomain squid-domain.example.com
>   acl banUrl urlpath_regex ^/banned.html$
>   deny_info 302:http://%h/banned.html blockedsites
>   http_access deny blockedsites
>
> ... the simplest way is just to pass a Forwarded header for the server
> to use:
>
>   request_header_add Forwarded "for=%>a;by=%la" toSquid banUrl
>
>   OR, you can setup explicit hostname replacement with cache_peer
> forcedomain= for each client "interface":
>
>   acl clients1 localip 192.168.1.1
>   cache_peer localhost 80 0 name=server1 originserver \
>    forcedomain=192.168.1.1
>   cache_peer_access server1 allow clients1 toSquid banUrl
>
>   acl clients2 localip 192.168.2.1
>   cache_peer localhost 80 0 name=server2 originserver \
>    forcedomain=192.168.2.1
>   cache_peer_access server2 allow clients2 toSquid banUrl
>
That all makes it complicated and I prefer a simpler solution (which I now know).

Some clients are intercepted too (so they may not have a proxy configured in
the browser).
>>>> _*Feature request:*_
>>>> Can we have the following switch-case in file errorpage.cc?
>>>>
>>>> Source:
>>>> https://github.com/squid-cache/squid/blob/master/src/errorpage.cc#L857
>>>>
>>>> Currently case 'I' (capital i) for building_deny_info_url returns string
>>>> "[unknown]"
>>>>
>>>> Can it be modified to return "interface" address? i.e. same as MYADDR
>>>>
>>>> I believe it would be just few (may be one) line change in code.
>>>>
>>>> I can create a PR if required but can you or someone guide me on how to
>>>> fetch MYADDR?
>>> A PR is welcome, but re-using a %macro which already has a different
>>> definition will add problems in the long-term plan of conversion to
>>> logformat %macro codes. So picking a letter that has not yet been used
>>> for anything would be best.
>>>
>>> The Squid IP:port on client requests should be available to that code as
>>> request->masterXaction->tcpClient->local , the request and tcpClient
>>> pointers may be nil since not all transactions have a client or the
>>> error may be about the lack of an HTTP request on the TCP connection.
>> I chose I (capital i) as it is not used for deny_info (and not
>> documented either) and also properly reflects that it means interface
>> address.
Does request->masterXaction->tcpClient->local hold the Squid IP in case of
intercepted traffic too?

> The issue is that deny_info is a subset of ERR_* %macros and "%I"
> already means server-IP to the Convert() function. So when the Convert()
> function is replaced with the generic logformat macros we will have to
> add extra code complexity to determine the use instead of adding it as
> an alias for the logformat "%<a" (your data is actually %la in logformat
> terms).
>
> Since we already know that conversion is going to happen it is a bad
> idea to knowingly make it harder to do. Which means picking a completely
> unused letter - "AbCGjJkKnNOqQrvVXyYZ" are available, or numbers.
>
>
>> Document source: http://www.squid-cache.org/Doc/config/deny_info/
>>
>> %i (small i) is used for client IP address
>> %I (capital i) may be used for interface (own) IP address
> Squid has no knowledge of "interfaces" all it has is a TCP connection,
> so that definition is not consistent with what Squid has available. L
> for 'local address/IP' would be better but is also already taken by
> another definition.
>
> There is not really any meaningful mapping for these one-letter codes
> and has not been for years. Which is part of why the logformat
> conversion is planned.
Yes, by interface I meant the IP on which the packet landed / was redirected
to (which in most cases is also the interface IP).
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

Thanks,

Amish.
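Added example (not code from this thread or from the Squid project): the origin-server side of the Forwarded-header approach Amos suggested above, in Python. It assumes the setup discussed in the thread: Squid adds `Forwarded: for=%>a;by=%la` on its second fetch to a web server on localhost, so `by=` is Squid's local IP on the tenant's LAN; only the loopback peer is treated as a trusted proxy; and the tenant names and subnets (192.168.1.0/24, 192.168.2.0/24) are constructed for illustration. The branding decision is taken from the server's own TCP connection plus the proxy-appended element, never from an IP embedded in the URL, which is the leak the original poster wanted to avoid. The assumption that Squid appends its element after any Forwarded element the client sent itself is mine, not something the thread states.

```python
"""Origin-server side of the deny_info redirect: pick the tenant branding for
/banned.html from the server's own connection, never from an IP in the URL.

Added example, not code from this thread or from the Squid project.  Assumes the
setup discussed in the thread: Squid appends `Forwarded: for=%>a;by=%la` on its
second fetch to the web server on localhost, so `by=` is Squid's local IP on the
tenant's LAN.  Tenant subnets and names below are constructed for illustration.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Union

# Constructed tenant table: the subnet a Squid local IP (or a direct client) falls in.
TENANT_BY_SUBNET: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("192.168.1.0/24"): "companyA",
    ipaddress.ip_network("192.168.2.0/24"): "companyB",
}

# Only a connection from these peers may carry a Forwarded header we believe.
# (Assumption: the web server listens on localhost:80 for Squid's originserver fetch.)
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

# key=value pairs of one RFC 7239 forwarded-element; the value may be a quoted-string.
_PAIR = re.compile(r'\s*([A-Za-z0-9_-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;,"\s]*)')


def node_ip(node: str) -> Optional[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]:
    """Extract the IP from an RFC 7239 node: 1.2.3.4, 1.2.3.4:80, [fe80::1],
    "[fe80::1]:80".  Returns None for "unknown", obfuscated ids or junk."""
    node = node.strip('"')
    try:
        if node.startswith("["):
            host = node[1:node.index("]")]
        elif node.count(":") == 1:          # IPv4 with port
            host = node.rsplit(":", 1)[0]
        else:
            host = node
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def parse_forwarded(value: str) -> List[Dict[str, str]]:
    """Split a Forwarded header into its comma-separated elements, oldest proxy
    first.  Each element is a dict of lowercase parameter -> unquoted value.
    (Splitting on ',' is fine for node values, which never contain commas.)"""
    elements = []
    for element in value.split(","):
        params = {k.lower(): v.strip('"').replace('\\"', '"')
                  for k, v in _PAIR.findall(element)}
        if params:
            elements.append(params)
    return elements


def tenant_for_request(peer_ip: str, local_ip: str, forwarded: Optional[str]) -> str:
    """Decide the tenant for one inbound request.

    peer_ip / local_ip: remote and local ends of the server's own TCP connection.
    forwarded: the Forwarded header as received, or None.

    1. Peer is the trusted proxy and the *last* element carries by=  -> use it.
       (Assumption: Squid's request_header_add appends after any element the
       client sent itself, so the last one is the proxy's and earlier ones are
       untrusted.)
    2. Otherwise use the socket's local address: an intercepted client hitting
       the server directly on a tenant interface, or an untrusted peer whose
       Forwarded header is ignored outright.
    """
    chosen = ipaddress.ip_address(local_ip)
    if forwarded and ipaddress.ip_address(peer_ip) in TRUSTED_PROXIES:
        elements = parse_forwarded(forwarded)
        if elements and "by" in elements[-1]:
            by = node_ip(elements[-1]["by"])
            if by is not None:
                chosen = by
    for net, tenant in TENANT_BY_SUBNET.items():
        if chosen in net:
            return tenant
    return "default"   # unknown subnet: generic page, leak nothing tenant-specific


if __name__ == "__main__":
    # Via Squid on LAN A; the client tried to forge a by= for LAN B first.
    print(tenant_for_request("127.0.0.1", "127.0.0.1",
                             "by=192.168.2.1, for=192.168.1.55;by=192.168.1.1"))  # companyA
    # Intercepted client reaching the server directly on the LAN B interface.
    print(tenant_for_request("192.168.2.55", "192.168.2.1", "by=192.168.1.1"))    # companyB
```

Two points a practitioner should keep in mind: a client can always send its own Forwarded header, so the server must only honour the element added by a peer it trusts (here the loopback connection from Squid) and must pick the element that peer appended, not the first one in the header; and when a client reaches the web server directly (the intercepted case, where the browser has no proxy setting), the server's own local socket address on the tenant interface already tells it which branding to show, with no IP needing to travel in the URL.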

