[squid-users] Explicitly use direct client IP in acl
Orion Poplawski
orion at nwra.com
Fri Jul 10 02:10:55 UTC 2020
On 7/9/20 6:50 PM, Amos Jeffries wrote:
> On 10/07/20 9:54 am, Orion Poplawski wrote:
>> Hello -
>>
>> We're using a setup like this:
>>
>> client -> e2guardian -> squid -> internet
>>
>> e2guardian is providing filtering and SSL inspection. Currently we only
>> allow access to e2guardian from our internal network. Currently we
>> enforce that access to squid comes from localhost, except for some specific
>> sites which do not work with SSL inspection.
>>
>> Then we allow:
>>
>> client -> squid -> internet
>>
>> this is based on the (non-forwarded) client IP.
>>
>> We would like to open up access to e2g from the internet but require
>> authentication in that case.
>
> Okay.
>
>> This would require the use of forwarded
>> IPs so the squid could distinguish between them (e2g does not do auth
>> directly - it lets squid handle that). But then this breaks our config
>> above because we no longer can distinguish between connections from e2g
>> and direct ones.
>
>
> How do you come to that conclusion?
I don't know how to distinguish between connections that go through e2g
and connections that do not. Currently anything with a client IP of
localhost has gone through e2g. Anything with a different client IP has
not. If I use the X-Forwarded-As IP to distinguish between internal and
external (for auth purposes) I no longer know how to distinguish between
forwarded connections and non-forwarded connections. Is there a
forwarded flag that can be used as an acl? I couldn't see anything in
the acl docs.
> What is your Squid version?
3.5.20 (EL7), though I may be able to update to 4.4 (EL8).
> What is your current squid.conf contents?
This is part of our ansible template. Essentially we have a list of hosts
in "Allowed_SSL_Hosts" and "Allowed_HTTP_Hosts" that we allow any client
to connect directly through squid to (via HTTPS/HTTP respectively).
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl SSL_ports port 563 # smtps
acl SSL_ports port 5228 # mtalk.google.com
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
acl Allowed_SSL_Hosts ssl::server_name {{ ansible_nodename }}
# We can't MITM these, but allow them through the proxy
{% for domain in allowed_ssl_hosts %}
acl Allowed_SSL_Hosts ssl::server_name {{ domain }}
{% endfor %}
# Some hosts present problems for e2guardian for unknown reasons
{% for domain in allowed_http_hosts %}
acl Allowed_HTTP_Hosts dstdomain {{ domain }}
{% endfor %}
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# macOS Catalina is using CONNECT to gs.apple.com:80
http_access allow localnet Allowed_HTTP_Hosts
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost
# All traffic should be coming via e2guardian on localhost
http_access allow localhost
# Allow certain sites to be connected to directly
http_access allow CONNECT localnet Allowed_SSL_Hosts
# Allow some users/applications to connect from outside
auth_param digest realm "NWRA Proxy"
auth_param digest program /usr/lib64/squid/digest_file_auth /etc/squid/passwd
# freshclam only supports basic auth - https://bugzilla.clamav.net/show_bug.cgi?id=12468
auth_param basic realm "NWRA Proxy"
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/htpasswd
acl authenticated_users proxy_auth REQUIRED
http_access allow CONNECT authenticated_users Allowed_SSL_Hosts
# freshclam 0.101.5 uses HTTP
http_access allow authenticated_users Allowed_HTTP_Hosts
# And finally deny all other access to this proxy
http_access deny all
Thank you,
Orion
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 https://www.nwra.com/
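An added illustration, not part of this thread or of any reply to it, of how Squid can record which path a request took by listening port rather than by client IP, so that follow_x_forwarded_for can be enabled without losing the "came via e2guardian" distinction. It assumes e2guardian is configured to add X-Forwarded-For and to connect to a second, loopback-only listener on port 3129 (a hypothetical port number and hypothetical name= values), and it reuses the localnet, Allowed_*_Hosts and authenticated_users ACLs from the posted squid.conf.

```squid
# Added example (not from the thread). Assumes e2guardian sends
# X-Forwarded-For and connects to 127.0.0.1:3129; the port number and
# the name= labels are hypothetical.

# Two listeners: direct clients use 3128, e2guardian uses a loopback-only port.
http_port 3128 name=direct_port
http_port 127.0.0.1:3129 name=e2g_port

# The listener name, not the (possibly forwarded) client IP, marks the path.
acl via_e2g myportname e2g_port
acl direct  myportname direct_port

# Trust X-Forwarded-For only on the e2guardian listener, so a direct client
# cannot claim an internal address by sending the header itself.
follow_x_forwarded_for allow via_e2g
follow_x_forwarded_for deny all
# Default, shown for clarity: src/localnet now evaluate the original client.
acl_uses_indirect_client on

# localnet, Allowed_SSL_Hosts, Allowed_HTTP_Hosts, Safe_ports, SSL_ports,
# CONNECT and authenticated_users are defined as in the posted config.

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost

# Via e2guardian: internal clients pass, internet clients must authenticate.
http_access allow via_e2g localnet
http_access allow via_e2g authenticated_users

# Direct connections stay limited to the exception lists.
http_access allow direct CONNECT localnet Allowed_SSL_Hosts
http_access allow direct localnet Allowed_HTTP_Hosts
http_access deny all
```

Because follow_x_forwarded_for is only honoured on the e2guardian listener, a direct client's src is always its real peer address, and a request that reached the e2g listener from the internet carries the internet address as src and so fails localnet.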