[squid-users] Explicitly use direct client IP in acl

Orion Poplawski orion at nwra.com
Fri Jul 10 02:10:55 UTC 2020 

On 7/9/20 6:50 PM, Amos Jeffries wrote:
> On 10/07/20 9:54 am, Orion Poplawski wrote:
>> Hello -
>>
>>    We're using a setup like this:
>>
>> client -> e2guardian -> squid -> internet
>>
>> e2guardian is providing filtering and SSL inspection.  Currently we only
>> allow access to e2guardian from our internal network.  Currently we
>> enforce access to squid come from localhost, except for some specific
>> sites which do not work with SSL inspection.
>>
>> Then we allow:
>>
>> client -> squid -> internet
>>
>> this is based on the (non-forwarded) client IP.
>>
>> We would like to open up access to e2g from the internet but require
>> authentication in that case.
> 
> Okay.
> 
>>    This would require the use of forwarded
>> IPs so the squid could distinguish between them (e2g does not do auth
>> directly - it lets squid handle that).  But then this breaks our config
>> above because we no longer can distinguish between connections from e2g
>> and direct ones.
> 
> 
> How do you come to that conclusion?

I don't know how to distinguish between connections that go through e2g 
and connections that do not.  Currently anything with a client IP of 
localhost has gone through e2g.  Anything with a different client IP has 
not.  If I use the X-Forwarded-As IP to distinguish between internal and 
external (for auth purposes) I no longer know how to distinguish between 
forwarded connections and non-forwarded connections.  Is there a 
forwarded flag that can be used as an acl?  I couldn't see anything in 
the acl docs.

> What is your Squid version?

3.5.20 (EL7), though I may be able to update 4.4 (EL8).

> What is your current squid.conf contents?

This part of our ansible template.  Essentially we have a list of hosts 
in "Allowed_SSL_Hosts" and "Allowed_HTTP_Hosts: that we allow any client 
to connect directly through squid to (via HTTPS/HTTP respectively).

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443
acl SSL_Ports port 563          # smtps
acl SSL_Ports port 5228         # mtalk.google.com
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl CONNECT method CONNECT

acl Allowed_SSL_Hosts ssl::server_name {{ ansible_nodename }}

# We can't MITM these, but allow them through the proxy
{% for domain in allowed_ssl_hosts %}
acl Allowed_SSL_Hosts ssl::server_name {{ domain }}
{% endfor %}
# Some hosts present problems for e2guardian for unknown reasons
{% for domain in allowed_http_hosts %}
acl Allowed_HTTP_Hosts dstdomain {{ domain }}
{% endfor %}

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# macOS Catalina is using CONNECT to gs.apple.com:80
http_access allow localnet Allowed_HTTP_Hosts

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

# All traffic should be coming via e2guardian on localhost
http_access allow localhost

# Allow certain sites to be connected to directly
http_access allow CONNECT localnet Allowed_SSL_Hosts

# Allow some users/applications to connect from outside
auth_param digest realm "NWRA Proxy"
auth_param digest program /usr/lib64/squid/digest_file_auth 
/etc/squid/passwd
# freshclam only supports basic auth - 
https://bugzilla.clamav.net/show_bug.cgi?id=12468
auth_param basic realm "NWRA Proxy"
auth_param basic program /usr/lib64/squid/basic_ncsa_auth 
/etc/squid/htpasswd
acl authenticated_users proxy_auth REQUIRED
http_access allow CONNECT authenticated_users Allowed_SSL_Hosts
# freshclam 0.101.5 uses HTTP
http_access allow authenticated_users Allowed_HTTP_Hosts

# And finally deny all other access to this proxy
http_access deny all

Thank you,

   Orion

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3799 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20200709/08db21ca/attachment.bin>

More information about the squid-users mailing list