[squid-users] TCP Outgoing Address ACL Problem

Amos Jeffries squid3 at treenet.co.nz
Sat Nov 12 03:25:08 UTC 2016


On 12/11/2016 5:51 a.m., jarrett+squid-users wrote:
> Can anyone point out what I'm doing wrong in my config?
> 
> Squid config:
> <snip URL>
> 
> acl ipv4-1 myportname 3128 src 10.99.0.0/24
> acl ipv4-2 myportname 3129 src 10.99.0.0/24
> acl ipv4-3 myportname 3130 src 10.99.0.0/24
> acl ipv4-4 myportname 3131 src 10.99.0.0/24
> acl ipv4-5 myportname 3132 src 10.99.0.0/24
> acl ipv4-6 myportname 3133 src 10.99.0.0/24
> acl ipv4-7 myportname 3134 src 10.99.0.0/24
> acl ipv4-8 myportname 3135 src 10.99.0.0/24
> acl ipv4-9 myportname 3136 src 10.99.0.0/24
> acl ipv4-10 myportname 3137 src 10.99.0.0/24

As Garri said, these ACLs contain garbage.

There is no http_port line with a name "src" or name "10.99.0.0/24". So
those values are meaningless / useless. They may also be confusing you
about what the ACL matches.

The 31xx (first) value entry in each ACL will match


> forwarded_for delete

Not great. "forwarded_for transparent" is better.

But this is pointless anyway since your request_header_access
 "All deny all" line below will delete the X-Forwarded-For and Forwarded
headers anyway.


> http_access allow ipv4-1
> http_access allow ipv4-2
> http_access allow ipv4-3
> http_access allow ipv4-4
> http_access allow ipv4-5
> http_access allow ipv4-6
> http_access allow ipv4-7
> http_access allow ipv4-8
> http_access allow ipv4-9
> http_access allow ipv4-10

Due to the mistake mentioned already in the ipv4-* definitions the above
access controls are equivalent to a single line:
 http_access allow all

So none of the below http_access lines do anything. You have an open proxy.

> http_access allow localhost manager
> http_access allow localhost
> http_access allow localnet
> http_access deny all

IMPORTANT:
 The *below* lines are the basic minimal security rules a proxy needs.
 Your custom rules which are currently configured *above* should be
placed ...


> http_access deny CONNECT !SSL_ports
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny to_localhost

 ... down here.

> http_port 10.99.0.1:3128 name=3128
> http_port 10.99.0.1:3129 name=3129
> http_port 10.99.0.1:3130 name=3130
> http_port 10.99.0.1:3131 name=3131
> http_port 10.99.0.1:3132 name=3132
> http_port 10.99.0.1:3133 name=3133
> http_port 10.99.0.1:3134 name=3134
> http_port 10.99.0.1:3135 name=3135
> http_port 10.99.0.1:3136 name=3136
> http_port 10.99.0.1:3137 name=3137
> refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
> refresh_pattern .		0	20%	4320
> request_header_access Accept allow all
> request_header_access Accept-Charset allow all
> request_header_access Accept-Encoding allow all
> request_header_access Accept-Language allow all
> request_header_access All deny all

NP: "All" is not a header name. It is a special *_header_access value
meaning do this action for *all* headers which do not have their own
named entry here in your config file.

I suggest it is a good idea to put that line last in the config sequence
of request_header_access with a comment to say that's the default action
applied to *all* headers not listed above. Just so it's clear what Squid
is doing and why when strange things happen in your traffic...

... such as logging in with WWW-Authorization and
WWW-Authentication-Info credentials.


> request_header_access Allow allow all
> request_header_access Authorization allow all
> request_header_access Cache-Control allow all
> request_header_access Connection allow all
> request_header_access Content-Encoding allow all
> request_header_access Content-Language allow all
> request_header_access Content-Length allow all
> request_header_access Content-Type allow all
> request_header_access Cookie deny all
> request_header_access Date allow all
> request_header_access Expires allow all
> request_header_access Host allow all
> request_header_access If-Modified-Since allow all

You should also allow these headers:

 If-Unmodified-Since
 If-None-Match
 If-Match
 If


> request_header_access Last-Modified allow all
> request_header_access Location allow all
> request_header_access Mime-Version allow all
> request_header_access Retry-After allow all
> request_header_access Title allow all
> request_header_access Pragma allow all
> request_header_access Proxy-Authorization allow all
> request_header_access Proxy-Authenticate allow all
> request_header_access Proxy-Connection allow all

"Proxy-Connection" is an invalid and obsolete header. Squid deletes it
already. You can remove the above line.

> request_header_access User-Agent deny all
> request_header_access WWW-Authenticate allow all


> tcp_outgoing_address 45.2.xxx.155 ipv4-1
> tcp_outgoing_address 45.2.xxx.156 ipv4-2
> tcp_outgoing_address 45.2.xxx.157 ipv4-3
> tcp_outgoing_address 45.2.xxx.158 ipv4-4
> tcp_outgoing_address 45.2.xxx.159 ipv4-5
> tcp_outgoing_address 45.2.xxx.160 ipv4-6
> tcp_outgoing_address 45.2.xxx.161 ipv4-7
> tcp_outgoing_address 45.2.xxx.162 ipv4-8
> tcp_outgoing_address 45.2.xxx.163 ipv4-9
> tcp_outgoing_address 45.2.xxx.164 ipv4-10
>
> I'm trying to use ACLs to direct incoming traffic on assigned ports to
> assigned outgoing addresses.  But, squid uses the first IP address
> assigned to the interface not listed in the config instead.
> 
> IP/Ethernet Interface Assignment:
> https://bpaste.net/show/5cf068a4ce9a
> 

What info do you see that makes you think that?
Both the squid.conf and the interface assignments you mention look correct.

Perhaps you have NAT changing the outgoing IP on traffic leaving either
the machine or the network?
 If so you need to make sure the 45.* IPs requested by Squid are allowed
to bypass that NAT.

Or perhaps you are using a Squid older than 3.4?
 The tcp_outgoing_address selection in older versions had some bugs that
could result in what you describe for *some* traffic (though not always).

Amos
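
The "open proxy" point above, as an added example that is not part of the original post and is not Squid code: a small Python model of how Squid evaluates http_access and tcp_outgoing_address (values inside one acl line are OR-ed, ACL names on one line are AND-ed, first match wins, and when nothing matches the opposite of the last line applies). It is run over the quoted ipv4-* ACLs and over a corrected form that keeps a single src ACL for the LAN and one myportname ACL per port. The corrected config, the treatment of 10.99.0.0/24 as localnet, the client IPs and the 203.0.113.x outgoing addresses are all assumptions; the poster's real 45.2.xxx addresses are not known, and the Safe_ports/SSL_ports/manager/to_localhost rules are not modeled.

```python
"""Added example, not Squid source: a tiny model of Squid's first-match ACL
evaluation for the myportname and src ACL types only.

Modeled rules (as Squid documents them):
  * values on one acl line are OR-ed, repeated acl lines append values;
  * ACL names on one http_access / tcp_outgoing_address line are AND-ed;
  * lines are tested in order, first match wins;
  * if no http_access line matches, the opposite of the last line applies.
Not modeled: port/method/dst ACL types (Safe_ports, CONNECT, to_localhost ...).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    client_ip: str
    port_name: str  # the name= token of the http_port the client connected to


def parse_config(text):
    """Parse the acl / http_access / tcp_outgoing_address subset of squid.conf."""
    acls, http_access, outgoing = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            kind, values = acls.setdefault(words[1], (words[2], []))
            values.extend(words[3:])
        elif words[0] == "http_access":
            http_access.append((words[1], words[2:]))
        elif words[0] == "tcp_outgoing_address":
            outgoing.append((words[1], words[2:]))
    return acls, http_access, outgoing


def acl_matches(acls, name, req):
    negate = name.startswith("!")
    kind, values = acls[name.lstrip("!")]
    if kind == "myportname":
        # Squid compares every value against the port *name*: "src" and
        # "10.99.0.0/24" are just two more names that no http_port carries.
        hit = req.port_name in values
    elif kind == "src":
        ip = ipaddress.ip_address(req.client_ip)
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    else:
        raise ValueError(f"ACL type {kind!r} is not modeled")
    return hit != negate


def first_match(acls, lines, req):
    for result, names in lines:
        if all(acl_matches(acls, n, req) for n in names):
            return result
    return None


def http_access_decision(config, req):
    acls, lines, _ = config
    decision = first_match(acls, lines, req)
    if decision is not None:
        return decision
    return "deny" if lines[-1][0] == "allow" else "allow"


def outgoing_address(config, req):
    acls, _, lines = config
    return first_match(acls, lines, req)  # None: Squid uses the OS default source IP


PORTS = [str(p) for p in range(3128, 3138)]
# Constructed outgoing IPs (TEST-NET-3); the poster's real 45.2.xxx.* addresses are unknown.
OUT_IPS = [f"203.0.113.{11 + i}" for i in range(len(PORTS))]

# The quoted config, reduced to the lines this model understands.
BROKEN = "acl all src 0.0.0.0/0\n"
BROKEN += "".join(f"acl ipv4-{i+1} myportname {p} src 10.99.0.0/24\n" for i, p in enumerate(PORTS))
BROKEN += "".join(f"http_access allow ipv4-{i+1}\n" for i in range(len(PORTS)))
BROKEN += "http_access deny all\n"
BROKEN += "".join(f"tcp_outgoing_address {ip} ipv4-{i+1}\n" for i, ip in enumerate(OUT_IPS))

# Assumed corrected form: one src ACL for the LAN, one myportname ACL per port, AND-ed per line.
FIXED = "acl all src 0.0.0.0/0\nacl localnet src 10.99.0.0/24\n"
FIXED += "".join(f"acl ipv4-{i+1} myportname {p}\n" for i, p in enumerate(PORTS))
FIXED += "".join(f"http_access allow localnet ipv4-{i+1}\n" for i in range(len(PORTS)))
FIXED += "http_access deny all\n"
FIXED += "".join(f"tcp_outgoing_address {ip} ipv4-{i+1}\n" for i, ip in enumerate(OUT_IPS))

BROKEN_CFG = parse_config(BROKEN)
FIXED_CFG = parse_config(FIXED)

if __name__ == "__main__":
    outsider = Request("198.51.100.7", "3131")  # constructed Internet client
    insider = Request("10.99.0.5", "3131")      # constructed LAN client
    for label, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        for req in (outsider, insider):
            print(label, req.client_ip, "->", http_access_decision(cfg, req),
                  "via", outgoing_address(cfg, req))
```

With the quoted ACLs the Internet client is allowed on every port because each `http_access allow ipv4-N` line tests only a port name; with the corrected form the same request falls through to `deny all`, while a LAN client on port 3131 is allowed and is mapped to the fourth outgoing address. In the real squid.conf the safety deny rules Amos lists would still go in front of the per-port allows.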
