Re : [squid-users] Running squid in both accel and forward mode on the same port

Thank your very much for this answer, Amos. 

I've tried the suggested settings but it did not solve my problem. 

The purpose of the config I'm looking for is not to have a reverse proxy allow 
CONNECT. It is rather to have the proxy server behave like a reverse proxy on 
GET and POST requests and as a forward proxy, forwarding to localhost or to 
localnet on CONNECT requests, while receiving these various requests on the same 
port. 


This works with Apache. Hence I thought I could find a way to have it work with 
Squid. Here is the simplified code I use in Apache: 

<VirtualHost ip-my-virtual-host:port-my-virtual-host>
BLABLABLA
<IfModule mod_proxy.c>
ProxyRequests On
<IfModule mod_proxy_connect.c>
AllowConnect 22
</IfModule>
<ProxyMatch mysshserver.domain.name:22>
Allow from authorized-ips
Deny from all
Order Deny,Allow
</ProxyMatch>
</IfModule>
ProxyPass / http://www.mysite.com

</VirtualHost>

I thought it might work with Squid if, instead of following the highlighted 
comment #1 in the example reverse config and placing my reverse proxy 
http_access directives, I placed the following block lower in the http_access 
block, hoping that my forward requests would hit a http_access rule before being 
accelerated. 
 
> ################################
> acl our_sites dstdomain www.mysite.com
> http_access allow our_sites
> cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
> cache_peer_access myAccel allow our_sites
> ################################

This did not work either. 

I guess I will not be able to obtain the config I'm looking for without:

(i) amending this line:

http_port X.X.X.X:80 accel defaultsite=www.mysite.com

with an allow-direct option; and

(ii) using:

(a) allow_direct rule; and
(b) a cache directive to avoid replies being cached (which should address some 
of your concerns). 

Thanks. 

C



----- Original message ----
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxx
Sent: Wed 18 May 2011, 4h 25min 26s
Subject: Re: Running squid in both accel and forward mode on the 
same port

On Wed, 18 May 2011 01:24:39 +0200, Cedric Lor wrote:
> Hi
> 
> I'm running squid Version 2.7.STABLE9 on a FreeBSD.
> 
> I have only one external IP. I'm trying to set up squid so that it
> would be running on a single port in accel mode and in forward proxy
> mode.

This is *highly* unsafe. It opens your network to poisoning attacks as outlined 
in CVE-2009-0801.

Use two http_port's. One for forward and one for reverse traffic.

> 
> The idea is to be able to access other services via the Connect
> method on the server, for instances ssh, in order to carry out
> maintenance work on the server as necessary while serving, on a
> backend server on the loopback. I use proxytunnel on a client machine
> to send Connect method and establish a tunnel through Squid to the
> local interface.
> 
> When I configure Squid in pure forward proxy, Squid connects to port
> 22 works seamlessly.
> 
> However, when I configure Squid to combine reverse and forward, my
> client gets the following answer upon connection with Squid: HTTP
> return code: 400 Bad Request

CONNECT is an illegal method in reverse-proxy traffic. The URL provided is 
incomplete and cannot be used by a reverse-proxy to reconstruct an HTTP request. 
This is particularly bad when the protocol inside CONNECT is not HTTP anyway.

> 
> I've done this in the past with an Apache server (ProxyRequest On
> together with a ProxyPass command) so I'm pretty sure Squid should let
> me do it. But I could not find any configuration example, whether on
> Squid's site or on the internet.

mod_proxy operates like a Squid URL re-writer. All the same behaviour and 
problems.
<snip>

> - Squid:
> ---------------------------------------------------------
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.1/32

Change:
  acl to_localhost dst 127.0.0.1/32 0.0.0.0/0

> acl to_all dst all
> 
> acl SSL_ports port 80 22
> 
> acl Safe_ports port 80          # http
> acl Safe_ports port 22          # ssh
> 
> acl CONNECT method CONNECT
> ---------------------------------------------------------
> http_access allow manager localhost
> http_access deny manager
> 
> http_access deny !Safe_ports
> 
> http_access deny CONNECT !SSL_ports
> 
> http_access allow to_localhost Safe_ports

to_localhost is customized to prevent malicious DNS entries allowing attacks to 
bypass security.
The intended use is:
http_access deny to_localhost

Since you seem not to want that, remove it completely.

> 
> http_access allow localhost

Change that:
  http_access allow localhost CONNECT

> 
> ################################

NOTE: highlighted comment #1 in the documentation is...
  * This configuration MUST appear at the top of squid.conf above any other 
forward-proxy configuration ...

Do that.

> acl our_sites dstdomain www.mysite.com
> http_access allow our_sites
> cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
> cache_peer_access myAccel allow our_sites
> ################################
> 
> http_access deny all !to_localhost

Change:
http_access deny all

> ---------------------------------------------------------
> icp_access allow localnet
> icp_access deny all
> 
> ---------------------------------------------------------
> http_port X.X.X.X:80 accel defaultsite=www.mysite.com

Amos
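Amos' two-listener recommendation written out as a squid.conf fragment, added here as an example and not taken from either post in the thread: it assumes Squid 2.7 syntax (so `all`, `manager` and `localhost` are declared explicitly), and X.X.X.X, the 192.0.2.0/24 admin network and the port numbers are placeholders.

```conf
# Added example: reverse-proxy and forward/CONNECT traffic on SEPARATE ports,
# so a CONNECT request can never be handled by the accelerator listener
# (the mix that CVE-2009-0801-style poisoning relies on).

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32

# --- listener 1: reverse proxy (accelerator) for the public site -------------
http_port X.X.X.X:80 accel defaultsite=www.mysite.com
acl accel_port myport 80
acl our_sites dstdomain www.mysite.com
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all

# --- listener 2: forward proxy used only for the admin SSH tunnel ------------
http_port X.X.X.X:3128
acl fwd_port myport 3128
acl admin_src src 192.0.2.0/24          # placeholder for "authorized-ips"
acl CONNECT method CONNECT
acl SSH_port port 22
acl to_loopback dst 127.0.0.1/32

http_access allow manager localhost
http_access deny manager

# accelerator port: plain requests for our site only, never CONNECT
http_access deny accel_port CONNECT
http_access allow accel_port our_sites
http_access deny accel_port

# forward port: admins only, and only CONNECT to sshd on the loopback
http_access allow fwd_port admin_src CONNECT to_loopback SSH_port
http_access deny all

# tunnelled traffic is never cached; keep the accelerator's cache for the site
cache deny fwd_port
```

With this split the "400 Bad Request" disappears because CONNECT no longer arrives on an accel port, and the forward listener cannot be used to reach anything except 127.0.0.1:22 from the admin network.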



