[squid-users] Attempting to use follow_x_forwarded_for in ACL

Joey Officer JOfficer at istreamfs.com
Thu Jun 6 14:38:43 UTC 2019


Greetings all,

squid.conf references the ability to use the X-Forwarded-For header in ACLs by using follow_x_forwarded_for in an ACL, referenced here: http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/ and here: http://www.squid-cache.org/Doc/config/acl_uses_indirect_client/

There appear to be three prerequisites, which I've met:

squid.conf: acl_uses_indirect_client on
squid built with --enable-follow-x-forwarded-for (confirmed)
and the appropriate ACL entries (see below)

In my scenario, I have a pair of Squid hosts (Squid version 3.5.6) sitting behind a pair of haproxy/keepalived hosts which provide balancing and redundancy/availability. Haproxy is configured to add an X-Forwarded-For header (if one doesn't already exist), and I can see the X-Forwarded-For header in the request if I run a packet capture on the Squid hosts.

For this scenario, I have a box sitting on the 192.168.4.0/24 network, which has access to three IPs on the 192.168.2.0/24 network (2.30, 2.31, and 2.32, which are haproxy1, haproxy2, and the keepalived VIP respectively). Hosts wanting internet access must use the haproxy VIP as their proxy IP, which is then forwarded to the real Squid backends. To sum up:

haproxy1 - 192.168.2.30
haproxy2 - 192.168.2.31
haproxy-vip - 192.168.2.32
squid1 - 192.168.2.128
squid2 - 192.168.2.129
zone1 - 192.168.3.0/24 with hosts having a proxy configured as 192.168.2.32:3128
client1 - 192.168.4.31 with a proxy configured as 192.168.2.32:3128

Squid will see the real IP of the client connection as the haproxy VIP endpoint and not the real client IP. If I understand the documentation correctly, I should be able to perform something like the following in an ACL:

# create acl source references
acl zone1 src 192.168.3.0/24
acl client1 src 192.168.4.31/32

# acl to test X-Forwarded-For header matching
acl testing_proxy_dst dstdomain .google.com
follow_x_forwarded_for allow zone1 testing_proxy_dst
follow_x_forwarded_for allow client1 testing_proxy_dst

When I attempt to perform a wget (testing) to www.google.com from my client1, I'm getting a permission denied:

# wget www.google.com
--2019-06-06 08:20:30--  http://www.google.com/
Connecting to 192.168.2.32:3128... connected.
Proxy request sent, awaiting response... 403 Forbidden
2019-06-06 08:20:30 ERROR 403: Forbidden.

If I change the proxy (and the corresponding relevant http_access ACL) so that the client goes directly to the Squid host, the client is allowed.

Any help would be greatly appreciated.

Joey
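The following is an added illustration, not code from the post or from Squid, that models what the two documented directives do: follow_x_forwarded_for is an access list evaluated against the immediate peer of the TCP connection; when that peer is allowed, the rightmost X-Forwarded-For entry is taken as the new client address and the list is evaluated again, until a hop is not trusted or the header is exhausted; with acl_uses_indirect_client on, the address left over is what the src ACLs in http_access match. The ACL names and addresses are the ones from the post. The "haproxy" ACL (all three load-balancer addresses, since the TCP source Squid sees may be a node address or the VIP), the http_access list, and the 192.168.4.50 spoofing host are assumptions made for the example.

```python
"""Toy model of Squid's follow_x_forwarded_for walk and acl_uses_indirect_client.

Added illustration only; this is not Squid source.  The ACL names and addresses
are the ones from the post.  The "haproxy" ACL, the http_access rules and the
spoofing scenario are assumptions made for the example.
"""
import ipaddress

# ACL name -> (type, values).  Only the 'src' and 'dstdomain' types are modelled.
ACLS = {
    "zone1":   ("src", ["192.168.3.0/24"]),
    "client1": ("src", ["192.168.4.31/32"]),
    # Assumed: every address the load balancers might use as their TCP source.
    "haproxy": ("src", ["192.168.2.30/32", "192.168.2.31/32", "192.168.2.32/32"]),
    "testing_proxy_dst": ("dstdomain", [".google.com"]),
    "all":     ("src", ["0.0.0.0/0"]),
}

# follow_x_forwarded_for exactly as posted: keyed on the end clients' networks.
FOLLOW_AS_POSTED = [
    ("allow", ["zone1", "testing_proxy_dst"]),
    ("allow", ["client1", "testing_proxy_dst"]),
]
# Assumed alternative: trust the peers that actually open the TCP connection.
FOLLOW_TRUST_LB = [("allow", ["haproxy"]), ("deny", ["all"])]
# Assumed http_access list (the post does not show it).
HTTP_ACCESS = [
    ("allow", ["zone1", "testing_proxy_dst"]),
    ("allow", ["client1", "testing_proxy_dst"]),
    ("deny", ["all"]),
]


def acl_matches(name, src, host):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(src) in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        # ".example.com" matches the domain and all subdomains; a bare name matches exactly.
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    raise ValueError(f"unsupported ACL type {kind}")


def access_list(rules, src, host):
    """First rule whose ACLs all match wins; if none match, the opposite of the
    last rule's action applies (modelled on Squid's documented http_access default)."""
    for action, names in rules:
        if all(acl_matches(n, src, host) for n in names):
            return action == "allow"
    return rules[-1][0] != "allow"


def indirect_client(peer, xff, follow_rules, host):
    """Model of the follow_x_forwarded_for walk.

    The rules are evaluated against the immediate peer.  If it is allowed, the
    rightmost X-Forwarded-For entry replaces it and the rules are evaluated
    again, until a hop is not trusted, the header is exhausted, or an entry is
    not a usable address (e.g. "unknown").  The address left is the indirect
    client."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    client = peer
    while hops and access_list(follow_rules, client, host):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break
        client = candidate
    return client


def http_access(peer, xff, host, follow_rules, access_rules, acl_uses_indirect_client=True):
    """Return (address the src ACLs were matched against, allowed?)."""
    src = indirect_client(peer, xff, follow_rules, host) if acl_uses_indirect_client else peer
    return src, access_list(access_rules, src, host)


if __name__ == "__main__":
    VIP, HOST = "192.168.2.32", "www.google.com"
    # client1 via the VIP; haproxy adds "X-Forwarded-For: 192.168.4.31".
    print("as posted      ", http_access(VIP, "192.168.4.31", HOST, FOLLOW_AS_POSTED, HTTP_ACCESS))
    print("trust haproxy  ", http_access(VIP, "192.168.4.31", HOST, FOLLOW_TRUST_LB, HTTP_ACCESS))
    # Constructed: unlisted host 192.168.4.50 sends its own "X-Forwarded-For: 192.168.4.31".
    # A balancer that only adds the header when it is missing passes it through unchanged ...
    print("spoof, kept    ", http_access(VIP, "192.168.4.31", HOST, FOLLOW_TRUST_LB, HTTP_ACCESS))
    # ... whereas one that always appends the address it saw exposes the real sender.
    print("spoof, appended", http_access(VIP, "192.168.4.31, 192.168.4.50", HOST, FOLLOW_TRUST_LB, HTTP_ACCESS))
```

Running the model with the posted follow_x_forwarded_for rules, the only address those rules ever see is the immediate peer, 192.168.2.32, which matches neither zone1 nor client1, so no hop is peeled off and http_access is evaluated against the VIP address; trusting the load balancers instead yields 192.168.4.31 as the indirect client. The last two cases show the caveat that comes with trusting any X-Forwarded-For source: if the balancer adds the header only when the client did not send one, the rightmost entry is client-controlled and an unlisted host can claim an allowed address, whereas a balancer that always appends the address it observed leaves the real sender as the rightmost hop, where the walk stops.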



