<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Trebuchet MS";
panose-1:2 11 6 3 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Greetings all,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">squid.conf references the ability to use the x-forwarded-for header in ACLs by using the follow_x_forwarded_for in ACL, referenced here:
<a href="http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/">http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/</a> and here
<a href="http://www.squid-cache.org/Doc/config/acl_uses_indirect_client/">http://www.squid-cache.org/Doc/config/acl_uses_indirect_client/</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There appear to be three pre-reqs, which I’ve met:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">squid.conf: acl_uses_indirect_client on<o:p></o:p></p>
<p class="MsoNormal">squid built with <span style="font-size:9.0pt;font-family:"Trebuchet MS",sans-serif;color:#1E1E1E;background:white">
--enable-follow-x-forwarded-for (confirmed) <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Trebuchet MS",sans-serif;color:#1E1E1E;background:white">and the appropriate ACL entries (see below)</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In my scenario, I have a pair of squid hosts (squid ver 3.5.6) sitting behind a pair of haproxy/keepalived hosts which provide balancing and redundancy/availability. Haproxy is configured to add an x-forwarded-for header (if one doesn’t
already exist) and I can see the x-forwarded-for header in the request if I run packet capture on the squid hosts.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">For this scenario, I have a box sitting on the 192.168.4.0/24 network, which has access to three IPs on 192.168.2.0/24 network (2.30, 2.31, and 2.32 which are haproxy1, haproxy2, and keepalived vIP respectively). Hosts wanting internet
access must using the haproxy-vip as a proxy IP, which is then forwarded to the real squid backends. To sum up:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">haproxy1 – 192.168.2.30<o:p></o:p></p>
<p class="MsoNormal">haproxy2 – 192.168.2.31<o:p></o:p></p>
<p class="MsoNormal">haproxy-vip – 192.168.2.32<o:p></o:p></p>
<p class="MsoNormal">squid1 – 192.168.2.128<o:p></o:p></p>
<p class="MsoNormal">squid2 – 192.168.2.129<o:p></o:p></p>
<p class="MsoNormal">zone1 – 192.168.3.0/24 with hosts having a proxy configured as 192.168.2.32:3128<o:p></o:p></p>
<p class="MsoNormal">client1 – 192.168.4.31 with a proxy configured as 192.168.2.32:3128<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Squid will see the real-ip of the client connection as the haproxy-vip endpoint and not the real-client IP. If I understand the documentation correctly, I should be able to perform something like the following in an ACL:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># create acl source references<o:p></o:p></p>
<p class="MsoNormal">acl zone1 src 192.168.3.0/24<o:p></o:p></p>
<p class="MsoNormal">acl client1 src 192.168.4.31/32<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># acl to test x-forwarded-for matching header<o:p></o:p></p>
<p class="MsoNormal">acl testing_proxy_dst dstdomain .google.com<o:p></o:p></p>
<p class="MsoNormal">follow_x_forwarded_for allow zone1 testing_proxy_dst<o:p></o:p></p>
<p class="MsoNormal">follow_x_forwarded_for allow client1 testing_proxy_dst<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">When I attempt to perform a wget (testing) to <a href="http://www.google.com">
www.google.com</a> from my client1, I’m getting a permission denied:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># wget www.google.com<o:p></o:p></p>
<p class="MsoNormal">--2019-06-06 08:20:30-- http://www.google.com/<o:p></o:p></p>
<p class="MsoNormal">Connecting to 192.168.2.32:3128... connected.<o:p></o:p></p>
<p class="MsoNormal">Proxy request sent, awaiting response... 403 Forbidden<o:p></o:p></p>
<p class="MsoNormal">2019-06-06 08:20:30 ERROR 403: Forbidden.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If I change the proxy (and corresponding relevant http_access acl ) so that the client goes direct to the squid host, the client is allowed.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Any help would be greatly appreciated.<o:p></o:p></p>
<p class="MsoNormal"><br>
Joey<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>