[squid-users] Prevent squid user to go out through server's IP
Amos Jeffries
squid3 at treenet.co.nz
Thu Sep 29 13:37:53 UTC 2022
On 27/09/22 17:27, Marcelo wrote:
> Hi,
>
> Even after Squid fulfill ACLs and Cache Peer rules, the client
> connection keeps going out through squid server’s IP.
>
> How can I prevent it from happening?
>
> For instance, some rule ends with an IPv6 address on
> tcp_outgoing_address, but when a proxy client connects, he can see this
> IPv6 address plus the squid server's IPv4 address on ipleak.net and
> other kinds of proxy-detection websites.
>
You cannot trust external websites like these to show Squid behaviour.
They employ a number of tricks to uncover IP details regardless of what
Squid is doing.
> How can I create a rule in squid.conf to say that it is forbidden to go
> out through the server's IP?
>
What you need to look at is:
a) what HTTP message headers the client is sending to Squid, and
- specifically whether any hostname or IPs are being mentioned.
b) what Squid is sending to the server based on those, and
- specifically whether any hostname or IPs are being mentioned.
c) what IP address is used on the TCP layer for Squid's server message.
- specifically whether your tcp_outgoing_address is being used by
Squid.
Check the above for connections to an IPv6-only server and to an
IPv4-only server, and also to a dual-stack server.
Be aware that tcp_outgoing_address with an IPv6 can only be used on
connections to IPv6 servers. It cannot be used for IPv4 connections.
Be aware that HTTP Via header allows the client and Squid to both inform
origin servers about network topology using hostnames. These can be used
by the origin to identify Squid's public IP(s) even if those IPs are not
used for the traffic.
Disable with "via off" in squid.conf
Be aware that HTTP Forwarded (and X-Forwarded-For, X-Forwarded-By,
Client-IP, X-Client-IP, X-Origin-IP + maybe others) headers allow the
client and Squid to both inform origin servers about network topology
using IP addresses. These can be used to identify client and/or Squid
internal IPs used for the actual traffic regardless of the publicly
available name info.
Disable X-Forwarded-For and Forwarded with "forwarded_for delete" in
squid.conf
Disable others with request_header_access directives as-needed.
HTH
Amos
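Putting the directives named in this reply together, as an added squid.conf fragment that is not part of the original thread: the ACL names and the 2001:db8::/32, 192.0.2.0/24 and 198.51.100.0/24 documentation addresses are assumptions, and pairing an IPv4 and an IPv6 outgoing address under the same ACL follows the note above that an IPv6 tcp_outgoing_address is only used for connections to IPv6 servers.

```conf
# Added example squid.conf fragment (not from the original thread).
# ACL names and all addresses below are assumptions / documentation ranges.

# Client groups that should egress from a dedicated address.
acl lab_clients src 192.0.2.0/24
acl lab_clients src 2001:db8:1::/64

# Give the same ACL an address of EACH family: an IPv6 tcp_outgoing_address
# cannot be used for an IPv4 server, so without the IPv4 line a request to
# an IPv4-only origin would fall back to the box's default IPv4 address.
tcp_outgoing_address 198.51.100.10 lab_clients
tcp_outgoing_address 2001:db8:ffff::10 lab_clients

# Stop Squid adding its own hostname to the Via header (topology via names).
via off

# Remove X-Forwarded-For / Forwarded rather than appending the client IP.
forwarded_for delete

# Strip the other client-supplied headers listed above that can carry
# internal IPs, using request_header_access as needed.
request_header_access X-Forwarded-By deny all
request_header_access Client-IP deny all
request_header_access X-Client-IP deny all
request_header_access X-Origin-IP deny all
```

After reloading, verify points (a) to (c) from the reply with packet captures against an IPv4-only, an IPv6-only and a dual-stack server rather than relying on an external detection site.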