[squid-users] deny_info and squid's own IP address?
Amos Jeffries
squid3 at treenet.co.nz
Tue May 1 09:11:33 UTC 2018
On 01/05/18 19:44, Amish wrote:
> Hello,
>
> First of all, thanks a lot for taking your time out to reply to my query.
>
> My replies are inline.
>
> On Tuesday 01 May 2018 09:10 AM, Amos Jeffries wrote:
>> On 01/05/18 00:54, Amish wrote:
>>> Hello
>>>
>>> I have 2 LAN interfaces on the squid box, say department A (192.168.1.1/24)
>>> and department B (192.168.2.1/24)
>>>
>>> I have few banned sites. Say Facebook.
>>>
>>> I have HTTP server (running on same server as squid) which shows custom
>>> pages with custom logo based on IP address.
>>>
>>> When request comes for a banned site I would like client to be
>>> redirected based on squid's own IP.
>> Firstly, is there any particular reason you are requiring it to be a
>> redirect?
>> From what you have said it appears you can achieve the same outcome
>> without the extra web server by using a custom error page.
>
> No, I can't use a custom error page as JavaScript will leak the IP range of
> department A to department B.
> (I had simplified my example; it's actually two companies and not two
> departments. In fact I have 4-5 companies/subnets.)
>
>> Thirdly, on the issue of %h - the Squid hostname is *required* to
>> resolve in DNS explicitly so clients can access things like these URLs.
>> If your network and DNS is configured correctly each client subnet
>> should resolve that hostname to the relevant IP which you are trying to
>> "pass" to the web server in your redirect URL. So they will naturally
>> (and only) connect to the web server (or Squid itself) using the right
>> IP anyway - the web server should be able to detect what it needs from
>> its own inbound TCP/IP connection instead of using raw-IPs in the traffic.
>>
> Some companies use OpenDNS, others Cloudflare, others Google, etc.
>
> So DNS will not resolve the hostname to same as %MYADDR.
I suspect something is going screwy there. How are these clients getting
to the proxy if they resolve its name to a different IP than they
connect to?
>
>> There are three options available to work around broken DNS:
>>
>>
>> Option 1) to do exactly (and only) what you asked for.
>>
>> Currently this can be done with an external helper:
>>
>> external_acl_type getIp concurrency=100 %MYADDR /path/to/script
>> deny_info 302:http://%et/banned.html getIp
>>
>> where the script just echoes back to Squid the IP it was given, like so:
>> [channel-id] OK message="<input-IP>"\n
>>
>
> Based on documentation of FORMAT for deny_info, I think you mean %o and
> not %et
Ah, yes. Sorry. Getting my legacy formats mixed up.
>
> Also, will this "message" be available if I change my http_access line to:
> deny_info 302:http://%o/banned.html blockedsites
> http_access deny blockedsites getIp
>
> will "message" of getIp be available to deny_info of blockedsites?
The message will persist as an annotation in the transaction, but only
from the point the external ACL is tested. So the deny_info has to be
attached to the external ACL or something following it.
Also, deny_info only works if it is attached to the *last* ACL named on
a line.
So:
deny_info 302:http://%o/banned.html getIp
http_access deny blockedsites getIp
or,
deny_info 302:http://%o/banned.html blockedsites
http_access deny getIp blockedsites
or,
deny_info 302:http://%o/banned.html blockedsites
http_access deny getIp !all
...
http_access deny blockedsites
should work, but other orderings do not.
>
> I will give this a try, however please see the end of the e-mail for
> a feature request.
>
>> Option 2) to use the client IP and have your web server respond based on
>> those subnets instead of Squid IP.
>>
>> acl clients1 src 192.168.1.0/24
>> deny_info 302:http://%h/banned.html?%i clients1
>> http_access deny blockedsites clients1
>>
>> acl clients2 src 192.168.2.0/24
>> deny_info 302:http://%h/banned.html?%i clients2
>> http_access deny blockedsites clients2
>>
>>
>> ** If you really *have* to use Squid-IP, this can work with localip ACL
>> type instead of src. But then you have to bake each Squid-IP variation
>> into the deny_info URL instead of using %i.
>>
>
> I will have to do this for each company. But I would like to keep
> squid.conf simple and minimal.
>
>>
>> Option 3) to use a custom error page instead of a redirect.
>>
>> Place your banned.html page into /etc/squid/banned.html and either a)
>> write it with JavaScript that pulls in the right images/branding based
>> on client IPs.
>>
>> deny_info 403:/etc/squid/banned.html blockedsites
>>
>> ** Like (2) above this can use Squid-IP (via localip ACL type) if you
>> really have to. But with the same limitation of using different files
>> for branding instead of javascript for dynamic sub-resource/image fetching.
>
> As stated earlier, this would leak IP range information.
>
>
> Feature request:
> Can we have the following switch-case in file errorpage.cc?
>
> Source:
> https://github.com/squid-cache/squid/blob/master/src/errorpage.cc#L857
>
> Currently case 'I' (capital i) for building_deny_info_url returns string
> "[unknown]"
>
> Can it be modified to return "interface" address? i.e. same as MYADDR
>
> I believe it would be just a few (maybe one) line change in code.
>
> I can create a PR if required but can you or someone guide me on how to
> fetch MYADDR?
A PR is welcome, but re-using a %macro which already has a different
definition will add problems in the long-term plan of conversion to
logformat %macro codes. So picking a letter that has not yet been used
for anything would be best.
The Squid IP:port on client requests should be available to that code as
request->masterXaction->tcpClient->local; the request and tcpClient
pointers may be nil, since not all transactions have a client, or the
error may be about the lack of an HTTP request on the TCP connection.
Amos
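As an added illustration of Option 1 (not code from the thread or from the Squid project): a helper for the `external_acl_type getIp concurrency=100 %MYADDR /path/to/script` line above, which echoes the proxy's own listening IP back in the `message` annotation that `deny_info 302:http://%o/banned.html getIp` then splices into the redirect URL. The channel-id handling and the refusal to echo anything that is not an IP literal are assumptions about what a careful helper should do, not requirements stated in the thread.

```python
#!/usr/bin/env python3
"""Squid external ACL helper (constructed example) that returns %MYADDR
as an annotation so deny_info can reference it with %o."""
import ipaddress
import sys


def handle_line(line: str) -> str:
    """Turn one request line from Squid into one reply line.

    With concurrency=N Squid sends "<channel-id> <%MYADDR>" and the reply
    must repeat that channel id. Only a valid IP literal is echoed back;
    anything else gets ERR so an unexpected value is never placed into
    the redirect URL (assumed behaviour, not from the thread).
    """
    parts = line.strip().split()
    if len(parts) != 2:
        channel = parts[0] if parts else ""
        # BH tells Squid the helper could not process the request.
        return f'{channel} BH message="malformed request"'.lstrip()
    channel, addr = parts
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return f'{channel} ERR message="invalid address"'
    # An IPv6 literal needs brackets to be usable as a URL host part.
    host = f"[{ip}]" if ip.version == 6 else str(ip)
    return f'{channel} OK message="{host}"'


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply; never buffer it


if __name__ == "__main__":
    main()
```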