
Re: ACL and outgoing IP


 



On 2016-12-28 05:03, qdmetro wrote:
Hello,
I have an issue with acl and outgoing ip address.

I have a squid connected behind a firewall. On the firewall, only the Ip of
the squid (192.168.1.1) is allowed to go on Internet.

Usually, when a user authenticates on the proxy, all the requests use the outgoing IP of the squid (192.168.1.1), so they can access the website.
I want to allow some websites to be reachable without authentication
(especially for the activation of windows licences). I've tried this :

acl Microsoft dstdomain .microsoft.com
http_access allow Microsoft

With this configuration, the requests don't use the outgoing Ip of the proxy anymore, so they come to my firewall with the source IP of the client (which
is not allowed to go on the Internet).
I've tried this to force the outgoing IP for this acl :

tcp_outgoing_address 192.168.1.1 Microsoft

but the requests still don't use the IP of the proxy.

Maybe this kind of configuration isn't possible, or I'm missing something...
Any idea to help me?


Something other than Squid is causing that. Connections outgoing from Squid have their IPs selected by the OS. Usually there is one main/primary IP on the machine and that gets selected. But things like routing rules or NAT can alter that.

Setting tcp_outgoing_address in Squid tells the OS it should select that IP unless there is a specific admin config forcing something else (like a NAT on outgoing traffic).


I've added some comments about changes to improve your config below, but nothing that will fix the address issue.


On 2016-12-28 21:22, qdmetro wrote:
Here the squid.conf :

auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s GSS_C_NO_NAME HTTP/hostname.domain.com
auth_param negotiate children 200
auth_param negotiate keep_alive on
auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "ou=users,dc=ref,dc=local" -u uid ref.domain.com
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 80
acl SSL_ports port 443 4443
acl SSL_ports port 563 4431
acl SSL_ports port 873
acl SSL_ports port 7071
acl SSL_ports port 33333 33334
acl SSL_ports port 83
acl Safe_ports port 21
acl Safe_ports port 22
acl Safe_ports port 80 81
acl Safe_ports port 443
acl CONNECT method CONNECT
acl domain_auth proxy_auth REQUIRED
acl localhost src 127.0.0.1/32
acl password proxy_auth REQUIRED

Since the "password" and "domain_auth" ACLs are defined identically and neither is tied to anything fancy like deny_info, you can pick one of them and remove it.

visible_hostname name
snmp_port 3401
acl acl_snmp snmp_community com_name
snmp_access allow acl_snmp
acl localnet src 10.0.0.0/8
acl Microsoft dstdomain .microsoft.com
delay_pools 2
delay_class 2 2
delay_access 2 allow localnet
delay_parameters 2 12233386/12233386 12233386/12233386
forwarded_for on
follow_x_forwarded_for allow localnet

That tells Squid that all clients within the localnet (LAN) are allowed to forge XFF headers.

Proper use of this directive is to "allow" only the client proxies you are confident will not send your proxy fake values in that header. Usually you are managing the downstream proxy yourself, or at least have contact with its admin if not.

NP: The follow_* directive has nothing to do with your Squid producing or updating the XFF headers. "forwarded_for on" does that.

The forwarded_for directive is set to its default. So unless there is any reason you need follow_* to be set for some clients, you should just remove those XFF-related lines and let Squid do the default action.


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

I advise placing this rule here:
  http_access deny !localnet

After that you can then remove the 'localnet' ACL from the below lines.

http_access allow Microsoft
tcp_outgoing_address 192.168.1.1 Microsoft
http_access allow localnet password
http_access allow localnet domain_auth
http_access deny all
http_reply_access allow localnet

After the http_access change above, you can also remove this http_reply_access line.

icp_access deny all
htcp_access deny all

Since you are just denying ICP and HTCP usage, it would be better to remove all icp_* and htcp_* lines from your config. The default in current Squid versions is to not even open those ports.

http_port 3128
icp_port 3130
dns_v4_first on


Amos
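As an added example (not from the thread or from the Squid project), a small Python linter that applies the review points above to a constructed excerpt of the posted squid.conf: identical ACL definitions, follow_x_forwarded_for trusting a whole LAN, an http_access allow reachable from any source before a "deny !localnet" guard, and redundant icp/htcp deny lines. The function name lint_squid_conf and the "wider than a /24" threshold are assumptions of this example.

```python
from ipaddress import ip_network

# Constructed excerpt of the squid.conf posted in the thread (only the lines
# these checks look at, not the full file).
SQUID_CONF = """\
acl domain_auth proxy_auth REQUIRED
acl password proxy_auth REQUIRED
acl localnet src 10.0.0.0/8
acl Microsoft dstdomain .microsoft.com
follow_x_forwarded_for allow localnet
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow Microsoft
tcp_outgoing_address 192.168.1.1 Microsoft
http_access allow localnet password
http_access allow localnet domain_auth
http_access deny all
icp_access deny all
htcp_access deny all
"""

def lint_squid_conf(text):
    """Return a list of finding strings for the config points raised in the thread."""
    rows = [ln.split("#", 1)[0].split() for ln in text.splitlines()]
    rows = [r for r in rows if r]
    acls = {}                                   # name -> (type, args)
    for r in rows:
        if r[0] == "acl" and len(r) >= 3:
            acls.setdefault(r[1], (r[2], tuple(r[3:])))
    findings, seen = [], {}
    # 1. Two ACLs with the same type and arguments (password vs domain_auth).
    for name, defn in acls.items():
        if defn in seen:
            findings.append(f"duplicate ACL: {name} is identical to {seen[defn]}")
        seen.setdefault(defn, name)
    def is_src(name):                           # "!name" counts as well
        return acls.get(name.lstrip("!"), ("",))[0] == "src"
    def is_broad(name):                         # src ACL wider than a /24 (assumed threshold)
        typ, args = acls.get(name, ("", ()))
        return typ == "src" and any(ip_network(a, strict=False).num_addresses > 256 for a in args)
    guarded = False                             # seen "http_access deny !<src acl>" yet?
    for r in rows:
        # 2. Trusting X-Forwarded-For from every host on a large LAN.
        if r[:2] == ["follow_x_forwarded_for", "allow"] and any(map(is_broad, r[2:])):
            findings.append(f"follow_x_forwarded_for trusts XFF from broad src ACL {' '.join(r[2:])}")
        # 3. An allow rule with no src ACL, reachable before a "deny !localnet" style guard.
        if r[0] == "http_access":
            if r[1] == "deny" and any(t.startswith("!") and is_src(t) for t in r[2:]):
                guarded = True
            if r[1] == "allow" and not guarded and not any(map(is_src, r[2:])):
                findings.append(f"http_access allow {' '.join(r[2:])} is open to any client source")
        # 4. icp/htcp deny-all lines are redundant when those ports are not opened anyway.
        if r[0] in ("icp_access", "htcp_access") and r[1:] == ["deny", "all"]:
            findings.append(f"{r[0]} deny all is redundant; drop the icp_*/htcp_* lines")
    return findings
```

This is a reading aid for the policy points, not a config parser; `squid -k parse` checks syntax but says nothing about these.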

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



