[squid-users] Parent proxy chaining

Phillip McCollum pcmccollum at gmail.com
Tue Nov 27 16:33:52 UTC 2018


Hi folks,

First off, I'll make the requisite disclaimer that I'm a squid newbie. I've
been banging my head against this problem for nearly a week--trial and
error, google searches, FAQ reviews, etc. Like Obi-Wan Kenobi, you guys are
my last resort! :)

I have a deployment in AWS in which a VPC has a transparent proxy deployed,
which forwards 80/443 requests to a parent proxy in another VPC, which I
then need to forward to another parent proxy (SaaS provider).

Essentially:
[[Client PC]] --> [[Squid Proxy (10.52.0.20)]] --> [[Parent Squid Proxy (10.52.0.168)]] --> [[Parent SaaS Proxy]]

This is being done to centralize proxy functions and limit the number of
public IPs that the parent SaaS needs to whitelist.

I'm getting "Access Denied" messages, and a review of the Squid parent proxy's
access.log shows the following common errors:

HTTP:
2018/11/27 16:22:54 kid1| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Cookie: B=8nra62ldvb83a&b=3&s=ik
Via: 1.1 squid (squid/3.5.27)
X-Forwarded-For: 10.184.0.26
Cache-Control: max-age=259200
Connection: keep-alive
Host: www.yahoo.com

HTTPS:
2018/11/27 16:21:51 kid1| SECURITY ALERT: Host header forgery detected on local=10.52.0.168:8443 remote=10.52.0.20:45520 FD 15 flags=33 (intercepted port does not match 443)
2018/11/27 16:21:51 kid1| SECURITY ALERT: on URL: 13.82.28.61:443

Here are the various squid.conf files and iptables configurations:

[[Transparent Proxy]]:
visible_hostname squid
http_port 3129 intercept
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl HTTP_PORT port 80
acl HTTPS_PORT port 443
http_access allow all
ssl_bump splice
dns_v4_first on
#cache_peer proxy.threatpulse.net parent 8080 0 name=symantec_http no-query proxy-only default
cache_peer 10.52.0.168 parent 8443 0 name=symantec_http no-query proxy-only default
cache_peer_access symantec_http allow HTTP_PORT
cache_peer_access symantec_http allow HTTPS_PORT
never_direct allow all

Chain PREROUTING (policy ACCEPT 32 packets, 1704 bytes)
 pkts bytes target     prot opt in     out     source               destination
   30  1560 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3129
   89  4628 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3130

Chain INPUT (policy ACCEPT 131 packets, 6852 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 660 packets, 58073 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 680 packets, 59113 bytes)
 pkts bytes target     prot opt in     out     source               destination

[[Squid Parent Proxy]]:
visible_hostname squid
http_port 3129 intercept
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
http_port 3031 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl HTTP_PORT port 80
acl HTTPS_PORT port 443
acl FORWARD_PORT port 8443
http_access allow all
ssl_bump splice
cache_peer proxy.threatpulse.net parent 8080 0 name=symantec_http no-query proxy-only default
cache_peer_access symantec_http allow HTTP_PORT
cache_peer_access symantec_http allow HTTPS_PORT
cache_peer_access symantec_http allow FORWARD_PORT
never_direct allow all

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3129
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3130
   35  2100 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 redir ports 3031

Chain INPUT (policy ACCEPT 35 packets, 2100 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2 packets, 121 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2 packets, 121 bytes)
 pkts bytes target     prot opt in     out     source               destination

---

Any thoughts or suggestions are greatly appreciated. Thanks for your time!

-Phillip
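Added example (not code from the post or from Squid itself): Squid appends "1.1 <unique_hostname>" to the Via header at every hop, with unique_hostname defaulting to visible_hostname, and reports "Forwarding loop detected" when its own name is already present. The script below reproduces that check against the Via line from the access.log entry above and lints the two posted squid.conf snippets (constructed copies, trimmed to the relevant lines) for hostnames shared along the chain; the "localhost" fallback is an assumption, as real Squid uses the system hostname.

```python
import re

# Constructed copies of the two squid.conf snippets from the post (only the
# lines that matter for the loop check are kept).
CHILD_CONF = "visible_hostname squid\nhttp_port 3129 intercept\n" \
             "cache_peer 10.52.0.168 parent 8443 0 name=symantec_http no-query proxy-only default\n"
PARENT_CONF = "visible_hostname squid\nhttp_port 3129 intercept\n" \
              "cache_peer proxy.threatpulse.net parent 8080 0 name=symantec_http no-query proxy-only default\n"
# Via header as it appeared in the parent's log entry above.
VIA_FROM_CHILD = "1.1 squid (squid/3.5.27)"


def via_hops(via_header: str) -> list[str]:
    """Return the received-by token of every hop listed in a Via header.
    Each hop is '<version> <received-by> [(comment)]'; the comment may hold
    spaces, so it is stripped before splitting on whitespace."""
    hops = []
    for entry in via_header.split(","):
        entry = re.sub(r"\(.*?\)", "", entry).strip()
        parts = entry.split()
        if len(parts) >= 2:
            hops.append(parts[1])
    return hops


def forwarding_loop(via_header: str, my_hostname: str) -> bool:
    """Squid's test: the request is looping if this proxy's own name is already in Via."""
    return my_hostname in via_hops(via_header)


def via_name_of(squid_conf: str) -> str:
    """Name Squid writes into Via: unique_hostname if set, else visible_hostname.
    Falls back to 'localhost' here (assumption; real Squid uses the system hostname)."""
    for directive in ("unique_hostname", "visible_hostname"):
        m = re.search(rf"^\s*{directive}\s+(\S+)", squid_conf, re.M)
        if m:
            return m.group(1)
    return "localhost"


def chain_collisions(confs: list[str]) -> list[str]:
    """Via names shared by two or more proxies in a forwarding chain; each
    shared name makes the downstream proxy report 'Forwarding loop detected'."""
    names = [via_name_of(c) for c in confs]
    return sorted({n for n in names if names.count(n) > 1})


if __name__ == "__main__":
    print("parent sees loop:", forwarding_loop(VIA_FROM_CHILD, via_name_of(PARENT_CONF)))
    print("duplicate names in chain:", chain_collisions([CHILD_CONF, PARENT_CONF]))
```

Giving each proxy in the chain its own visible_hostname (or unique_hostname) makes chain_collisions return an empty list, which is the condition Squid's loop check needs.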