On 13/09/11 20:15, David Touzeau wrote:
Dear bests
I have this network configuration
OpenVPN client -> Squid Proxy in transparent mode -> Internet -> APACHE
Proxy 80 -> OpenVPN 127.0.0.1:1194
When the OpenVPN client try to send a CONNECT 127.0.0.1:1194 to the
Apache Proxy the Squid Proxy in the LAN (in Transparent mode) trap the
command and kill the connection.
Which kind of acl i can set in order to force squid allowing this
connection ?
You can add a relatively complex workaround (reverse-proxy for CONNECT
to dstdomain 127.0.0.1 to that Apache as the peer) which will work for
this one particular Squid. Or you can fix the Apache setup so it works
across all transparent proxies.
CONNECT - is a request for the receiving proxy (*any* proxy) to open a
TCP connection to the specified IP:port. Squid is obeying that command.
127.0.0.1 is an IP address referring to the machine on which the
application using it is operating (aka client machine sees it as itself,
Squid sees it as itself, apache sees it as itself, routers and firewalls
between see it as themselves...). It is not safe to be sent over the
Internet. Due to exactly this type of problem. Deep packet inspectors
will cause other problems as well.
There is a giant security vulnerability of allowing requests to
127.0.0.1 through the Apache front gateway. I hope you have at least
placed strict access controls to ensure that traffic accepted by Apache
is not going to other localhost ports.
The secondary problem which is making this visible is that Apache is
operating a proxy on the native/non-proxy HTTP port 80. You will
therefore have this exact same problem whenever the VPN link crosses
anybody elses intercepting proxy. So a Squid workaround is not
realistically going to be a full fix.
To properly fix this the Apache end needs to be setup as a proper
reverse-proxy. The setup concept is the same as what we do in Squid, but
different config syntax. ie Clients use a public domain name which
points them to the Apache at some port. Only Apache itself needs to know
its relaying to 127.0.0.1. Sharing the 1194 port on the public domain is
useful for simplicity and ease of administration.
<snip>
Squid.conf
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.1/32
NP: to_localhost should be defined as "127.0.0.1/8 0.0.0.0/32" (maybe
::1 as well) to catch all the potential attacks it is meant to.
<snip>
# --------- RULES DEFINITIONS
url_rewrite_access deny localhost
url_rewrite_access deny whitelisted_mac_computers
url_rewrite_access allow all
http_access allow whitelisted_mac_computers
http_access allow AIM_methods AIM_ports AIM_nets
http_access allow AIM_methods AIM_ports AIM_hosts
http_access allow IRC_methods IRC_ports IRC_hosts
http_access allow IRC_methods IRC_ports IRC_domains
http_access allow YIM_methods YIM_ports YIM_hosts
http_access allow YIM_methods YIM_ports YIM_domains
http_access allow GTALK_ports GTALK_hosts GTALK_methods
http_access allow GTALK_methods GTALK_ports GTALK_domains
http_access allow MSN_ports MSN_domains MSN_methods
NP: all of those special application ports are included in Safe_ports
1024-65535 range. You could bump "deny !Safe_ports" up the top for a bit
faster processing on unsafe port attacks.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow manager localhost
http_access allow purge localhost
http_access deny purge
http_access deny blockedsites
http_access allow office_network
http_access deny to_localhost
Deny to_localhost is only useful when its up above some allow rules.
Usually up near the very top with Safe_ports and CONNECT is recommended.
In this case it is probably best at the very top with Safe_ports.
It's purpose is to short-circuit and quickly reject broken requests such
as these CONNECT 127.0.0.1:1194 ones you are dealing with. So they do
not lag or consume too much CPU resources doing more complex ACL tests.
http_access deny all
# --------- ICAP Services.(1 service(s))
<snip>
refresh_pattern . 0 100% 43200 reload-into-ims override-lastmod
refresh_pattern . 0 20% 4320
refresh_pattern -i (/cg-bin/|\?) 0 0% 0
This cgi rule should be up one higher, above the "." rule.
The "." rule itself captures every possible URL. So there is no point in
having anything after the first "." pattern. They will never be used.
HTH
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.15
Beta testers wanted for 3.2.0.11