[squid-users] Prevent squid user to go out through

Amos Jeffries squid3 at treenet.co.nz
Fri Sep 30 07:31:26 UTC 2022


On 30/09/22 07:38, Marcelo wrote:
> ANSWERS BELOW.
> 
> On 27/09/22 17:27, Marcelo wrote:
>> Hi,
>>
>> Even after Squid fulfills ACLs and Cache Peer rules, the client
>> connection keeps going out through the squid server's IP.
>>
>> How can I prevent this from happening?
>>
>> For instance, some rule ends with an IPv6 address on
>> tcp_outgoing_address, but when a proxy client connects, he can see this
>> IPv6 address plus the squid server IPv4 address on ipleak.net and
>> other kinds of proxy-detection websites.
>>
> 
> You cannot trust external websites like these to show Squid behaviour.
> They employ a number of tricks to uncover IP details regardless of what
> Squid is doing.
> 
> ==> MARCELO'S ANSWER:
> I know it, but I use the same APIs to identify proxies that the social
> network I have to mimic.
> So the data I get is what I need.
> 

What I mean is that they can do things like use javascript to have the 
client Browser report its knowledge of the network and/or scan for 
information. So the source of the leak may be something outside of 
Squid's ability to prevent.

Squid can only control details in the HTTP message headers and tell the 
OS what TCP details it would *like* to use. The OS can decide otherwise, 
for example with outgoing NAT.


>> How can I create a rule in squid.conf that says going out through the
>> server's IP is forbidden?
>>
> 
> 
> What you need to look at is:
> 
>    a) what HTTP message headers the client is sending to Squid, and
> 
>      - specifically whether any hostname or IPs are being mentioned.
> 
>    b) what Squid is sending to the server based on those, and
> 
>      - specifically whether any hostname or IPs are being mentioned.
> 
>    c) what IP address is used on the TCP layer for Squid's server message.
> 
> ==> MARCELO'S ANSWER:
> Sure, that I already did, and the result is ok.
> 
>      - specifically whether your tcp_outgoing_address are being used by
> Squid.
> 

... the only way your two statements (above) and (below) can be true at 
the same time is when a NAT system is changing the correct IP (from 
tcp_outgoing_address) to the wrong one (what you call "'leaked' IPv4 
server IP").

> 
> The real problem is that Squid is "leaking" the IPv4 server IP. It is going
> out via the server IP.
> It's as if the squid server's IP was in a TCP_OUTGOING_ADDRESS, but it is not.
> 

... OR, you have ACLs limiting use of that tcp_outgoing_address to some 
traffic, leaving Squid's default machine IP to be used on the rest.

... OR, you have traffic interception that requires Squid to use 
identical dst-IP used by the client on its request connection (eg for 
TLS decryption).

Eliminating those possibilities is why I had you check TCP layer was 
acting as you want.

... OR, you have a NAT somewhere screwing things up.


> 
> That is why my original question is how to suppress the IPv4 server's IP in
> Squid.conf?

You are apparently doing everything that can be done in squid.conf. Time 
to look outside Squid at what the routing system is doing. NAT's on the 
IPv4 traffic being the prime suspect for causing this behaviour.


> Is there any kind of ACL (I have tested MYIP, SRC and DST ones) that I could
> use to deny the connections that go out via the server's IP?
> 
> Something like:
> ACL server_IP "typeN" 192.168.12.1
> HTTP_ACCESS deny server_IP
> 

If you cannot find what is doing the odd behaviour only for IPv4 (it is 
not normal AFAICT), then you can set up a rule like that in the Squid 
machine's firewall.

Squid does not have any control that can do what you ask.


HTH
Amos
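A check for the "ACL-restricted tcp_outgoing_address" case Amos lists above, added here as an illustration (not code from the thread or from the Squid project). It parses a constructed squid.conf fragment and reports which address family has no unconditional tcp_outgoing_address entry; because Squid adds an implicit IP version test to each line, an IPv6-only entry leaves IPv4 destinations on the machine's default IP, which matches the symptom described.

```python
import ipaddress

# Constructed squid.conf fragment reproducing the pitfall: every
# tcp_outgoing_address is restricted by an ACL, so a request matching none
# of them goes out via the machine's default IP.
LEAKY_CONF = """
acl v6_clients src 10.0.0.0/24
acl v4_clients src 10.0.1.0/24
tcp_outgoing_address 2001:db8::10 v6_clients   # only IPv6 destinations
tcp_outgoing_address 203.0.113.10 v4_clients
"""

# Same fragment with an unconditional last entry for each address family.
FIXED_CONF = LEAKY_CONF + """
tcp_outgoing_address 2001:db8::10
tcp_outgoing_address 203.0.113.10
"""


def outgoing_rules(conf):
    """Return (address, acl_names) for each tcp_outgoing_address directive,
    in file order (Squid stops at the first fully matching line)."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split()
        if line and line[0] == "tcp_outgoing_address":
            rules.append((ipaddress.ip_address(line[1]), line[2:]))
    return rules


def missing_catch_all(conf):
    """Address families (4 and/or 6) with no unconditional entry. Squid
    applies an implicit IP version test per line, so an IPv6-only catch-all
    still leaves IPv4 destinations on the default source IP."""
    covered = {addr.version for addr, acls in outgoing_rules(conf) if not acls}
    return sorted({4, 6} - covered)


def shadowed_rules(conf):
    """Conditional entries listed after a catch-all of the same family;
    first-match semantics mean Squid can never reach them."""
    seen_catch_all, shadowed = set(), []
    for addr, acls in outgoing_rules(conf):
        if not acls:
            seen_catch_all.add(addr.version)
        elif addr.version in seen_catch_all:
            shadowed.append(str(addr))
    return shadowed


if __name__ == "__main__":
    for name, conf in (("leaky", LEAKY_CONF), ("fixed", FIXED_CONF)):
        print(name, "families without catch-all:", missing_catch_all(conf),
              "shadowed:", shadowed_rules(conf))
```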

