[squid-users] Attempting to use follow_x_forwarded_for in ACL
Joey Officer
JOfficer at istreamfs.com
Thu Jun 6 14:38:43 UTC 2019
Greetings all,
squid.conf references the ability to use the x-forwarded-for header in ACLs by using the follow_x_forwarded_for in ACL, referenced here: http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/ and here http://www.squid-cache.org/Doc/config/acl_uses_indirect_client/
There appear to be three pre-reqs, which I've met:
squid.conf: acl_uses_indirect_client on
squid built with --enable-follow-x-forwarded-for (confirmed)
and the appropriate ACL entries (see below)
In my scenario, I have a pair of squid hosts (squid ver 3.5.6) sitting behind a pair of haproxy/keepalived hosts which provide balancing and redundancy/availability. Haproxy is configured to add an x-forwarded-for header (if one doesn't already exist) and I can see the x-forwarded-for header in the request if I run packet capture on the squid hosts.
For this scenario, I have a box sitting on the 192.168.4.0/24 network, which has access to three IPs on 192.168.2.0/24 network (2.30, 2.31, and 2.32 which are haproxy1, haproxy2, and keepalived vIP respectively). Hosts wanting internet access must using the haproxy-vip as a proxy IP, which is then forwarded to the real squid backends. To sum up:
haproxy1 - 192.168.2.30
haproxy2 - 192.168.2.31
haproxy-vip - 192.168.2.32
squid1 - 192.168.2.128
squid2 - 192.168.2.129
zone1 - 192.168.3.0/24 with hosts having a proxy configured as 192.168.2.32:3128
client1 - 192.168.4.31 with a proxy configured as 192.168.2.32:3128
Squid will see the real-ip of the client connection as the haproxy-vip endpoint and not the real-client IP. If I understand the documentation correctly, I should be able to perform something like the following in an ACL:
# create acl source references
acl zone1 src 192.168.3.0/24
acl client1 src 192.168.4.31/32
# acl to test x-forwarded-for matching header
acl testing_proxy_dst dstdomain .google.com
follow_x_forwarded_for allow zone1 testing_proxy_dst
follow_x_forwarded_for allow client1 testing_proxy_dst
When I attempt to perform a wget (testing) to www.google.com<http://www.google.com> from my client1, I'm getting a permission denied:
# wget www.google.com
--2019-06-06 08:20:30-- http://www.google.com/
Connecting to 192.168.2.32:3128... connected.
Proxy request sent, awaiting response... 403 Forbidden
2019-06-06 08:20:30 ERROR 403: Forbidden.
If I change the proxy (and corresponding relevant http_access acl ) so that the client goes direct to the squid host, the client is allowed.
Any help would be greatly appreciated.
Joey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20190606/5ebe3646/attachment.html>
More information about the squid-users
mailing list