[squid-users] Prevent squid user to go out through
Marcelo
marcelorodrigo at graminsta.com.br
Thu Sep 29 18:38:24 UTC 2022
ANSWERS BELOW.
On 27/09/22 17:27, Marcelo wrote:
> Hi,
>
> Even after Squid fulfills the ACLs and Cache Peer rules, the client
> connection keeps going out through the squid server's IP.
>
> How can I prevent that from happening?
>
> For instance, some rule ends with an IPv6 address on
> tcp_outgoing_address, but when a proxy client connects, he can see this
> IPv6 address plus the squid server IPv4 address on ipleak.net and
> other kinds of proxy detection websites.
>
You cannot trust external websites like these to show Squid behaviour.
They employ a number of tricks to uncover IP details regardless of what
Squid is doing.
==> MARCELO'S ANSWER:
I know it, but I use the same APIs to identify proxies that the social
network I have to mimic.
So the data I get is what I need.
> How can I create a rule in squid.conf saying that it is forbidden to go
> out through the server's IP?
>
What you need to look at is:
a) what HTTP message headers the client is sending to Squid, and
- specifically whether any hostname or IPs are being mentioned.
b) what Squid is sending to the server based on those, and
- specifically whether any hostname or IPs are being mentioned.
c) what IP address is used on the TCP layer for Squid's server message.
==> MARCELO'S ANSWER:
Sure, that I already did, and the result is ok.
- specifically whether your tcp_outgoing_address entries are being used by
Squid.
Check the above for connections to an IPv6-only server and to an
IPv4-only server, and also to a dual-stack server.
Be aware that tcp_outgoing_address with an IPv6 can only be used on
connections to IPv6 servers. It cannot be used for IPv4 connections.
Be aware that HTTP Via header allows the client and Squid to both inform
origin servers about network topology using hostnames. These can be used
by the origin to identify Squid's public IP(s) even if those IPs are not
used for the traffic.
Disable with "via off" in squid.conf
Be aware that HTTP Forwarded (and X-Forwarded-For, X-Forwarded-By,
Client-IP, X-Client-IP, X-Origin-IP + maybe others) headers allow the
client and Squid to both inform origin servers about network topology
using IP addresses. These can be used to identify client and/or Squid
internal IPs used for the actual traffic regardless of the publicly
available name info.
Disable X-Forwarded-For and Forwarded with "forwarded_for delete" in
squid.conf
Disable others with request_header_access directives as needed.
==> MARCELO'S ANSWER:
I already do all of this and I have tested it for some years. It's working
fine and this is not the issue.
The real problem is that Squid is "leaking" the IPv4 server IP. It is going
out via the server IP.
It's as if the squid server's IP was in a TCP_OUTGOING_ADDRESS, but it is not.
If for instance I put a TCP_OUTGOING_ADDRESS with some invalid IPv4 address
in the beginning of the squid.conf, the problem is solved because all my
outgoing addresses are IPv6.
But I can't do it because it would kill the CACHE PEER rules that use IPv4
between Squid servers.
That is why my original question is how to suppress the IPv4 server's IP in
squid.conf?
Is there any kind of ACL (I have tested MYIP, SRC and DST ones) that I could
use to deny connections going out via the server's IP?
Something like:
ACL server_IP "typeN" 192.168.12.1
HTTP_ACCESS deny server_IP
Thanks a lot for all the help.
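As an added illustration of the squid.conf directives Amos lists above (an example written for this page, not configuration from the thread or from the Squid project): the header-hygiene lines come straight from his advice; the `dst ipv6` ACL and the explicit IPv4 outgoing line are my assumed addition to show the IPv6/IPv4 caveat, and all addresses are documentation placeholders.

```conf
# Added example, not from the thread. Addresses are placeholders.

# Do not announce this proxy (or its hostname) in the Via header.
via off

# Remove X-Forwarded-For instead of appending the client's IP to it.
forwarded_for delete

# Drop the other topology-revealing request headers named in the thread.
request_header_access Forwarded deny all
request_header_access X-Forwarded-By deny all
request_header_access Client-IP deny all
request_header_access X-Client-IP deny all
request_header_access X-Origin-IP deny all

# Assumption: "dst ipv6" is Squid's special-case dst ACL matching IPv6
# destinations (check the acl section of squid.conf.documented).
acl to_ipv6 dst ipv6

# An IPv6 tcp_outgoing_address is only used for IPv6 servers. An IPv4
# destination ignores it and the kernel picks the host's default source
# address unless an IPv4 outgoing address is bound explicitly.
tcp_outgoing_address 2001:db8::10 to_ipv6
tcp_outgoing_address 192.0.2.10 !to_ipv6
```

Verify on the wire (for example with tcpdump on the server-facing interface) which source address Squid actually uses for an IPv6-only, an IPv4-only and a dual-stack destination, since tcp_outgoing_address also applies to cache_peer connections and must not break them.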