
Re: Squid IPv4:port to IPv6

On 19/08/17 18:15, Walter H. wrote:
On 19.08.2017 04:03, davidjesse091 wrote:
I'm trying to connect to Squid with one IPv4 IP and based on the port I'm connecting with, I want Squid to use a different IPv6 IP for the connection.

NP: you are making two wrong assumptions here.

1) that Squid only uses outbound IPv6.

Ideally it would, but not all servers are IPv6-enabled, nor is the connection to any that are guaranteed to be working. As a proxy, part of Squid's job is to detect failures and seamlessly work around them "at line-speed".


2) that the inbound connection has any relationship to the outbound one.

HTTP is stateless and multiplexed. That means any client request can go out any outbound connection, or none, or *multiple* servers. Likewise for server responses being delivered to any client, or none, or multiple clients.

HTTP and Squid permit what you are doing, but neither implies anything about whether it is a good idea or not. Be aware that by forcing specific traffic flows you are artificially inhibiting what Squid can do and potentially causing breakage in normal HTTP behaviour.



Below is my config file

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
#http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# Allow all machines to all sites
http_access allow all

Really *anybody* on the entire Internet is allowed to use this anonymizing proxy to perform any abuse they want to? Including bypassing hardware-level protection on your 'lo' NIC hardware to attack the proxy machine from the inside?
 uh.

There are definitely far better ways to configure client access. But we need to know what your intended use of the proxy really is to make good suggestions.



#Privacy Things
via off
forwarded_for off
follow_x_forwarded_for deny all

Question is "privacy for whom?" - these settings are hiding the proxy. Increasing the *proxy* privacy. While leaving the client details exposed to servers.

If you are seeking to increase client and end-user privacy, you want to be telling the server that there is a proxy in the way so it cannot trust any of the 'user' values it sees to be user-unique.



## designate acl based on inbound connection name
acl user1 myportname 3128
acl user2 myportname 3129
acl user3 myportname 3130
acl user4 myportname 3131
acl user5 myportname 3132
## define outgoing IPv6 per user
tcp_outgoing_address 2000:3c03:e000:25f::1:0 user1
tcp_outgoing_address 2000:3c03:e000:25f::1:1 user2
tcp_outgoing_address 2000:3c03:e000:25f::1:2 user3
tcp_outgoing_address 2000:3c03:e000:25f::1:3 user4
tcp_outgoing_address 2000:3c03:e000:25f::1:4 user5


Here you are mixing up the concepts of authentication, IP address, and port numbers in a way which is horribly confusing.

The entity which connects to a port is a *client* not a user.


A) Why don't you let Squid just perform HTTP the way it is supposed to work?
HTTP is stateless, with proxying as a designed part of the protocol. The more people go out of their way to hide a proxy's existence from server scripts, the more the server-side script developers write broken code assuming proxies don't exist. Reality is that almost all web traffic goes through at least a handful of proxies. Bad scripts need to be eradicated, and the only way that is going to happen is if it is made very clear to the naive authors how broken they are.

B) If you really have to break the stateless behaviour of HTTP, why not use the client's IP (or Squid's receiving IP) instead of the Squid receiving port?




The issue I'm facing is that I can only use the proxy with port 3128, and it does proxy it to "2000:3c03:e000:25f::1:0" as it should. But if I use port 3129 then I can not connect to the proxy.
because you only have
http_port 3128
you also need
http_port 3129
http_port 3130
http_port 3131
http_port 3132
and in case there is a firewall, these ports must be open, too ...

By the way, this setting only makes sense when there is a restriction that only a specific IP can use port 3128,
a specific IP can use port 3129, ....
It need not be IPv4; it can also be IPv6 ...

Walter


As Walter said, that is your current problem. But when you get over that you will hit the ones I've mentioned above - though they may not be easily noticed.


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
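The following squid.conf is an added example, not part of the thread and not the original poster's configuration. It pulls together the points raised above: one `http_port` per listening port (Walter), each port restricted to a specific client address rather than open to the whole Internet (Amos on `http_access allow all`), an IPv6 source address pinned only for IPv6 destinations so that IPv4-only origins still work (Amos's point 1), and privacy settings that announce the proxy rather than hide it (Amos on `via`/`forwarded_for`). All addresses, networks and port names are placeholders taken from the documentation ranges (192.0.2.0/24, 203.0.113.0/24, 2001:db8::/32); substitute your own.

```conf
# Added example, not from the original thread. Addresses and names are
# assumed placeholders (documentation ranges), not the poster's values.

# Port safety ACLs, as in the posted config
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 280 488 591 777 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# One listening port per client. name= gives each port an explicit label
# for the myportname ACL instead of relying on the bare port number.
http_port 3128 name=port1
http_port 3129 name=port2
http_port 3130 name=port3

acl port1 myportname port1
acl port2 myportname port2
acl port3 myportname port3

# Which client may use which port (Walter's restriction). Assumed addresses;
# the client side may itself be IPv4 or IPv6.
acl client1 src 192.0.2.10
acl client2 src 192.0.2.11
acl client3 src 2001:db8:1::30

http_access allow client1 port1
http_access allow client2 port2
http_access allow client3 port3
http_access allow localhost
# Never "allow all" on an Internet-reachable proxy: this is the open-proxy
# problem called out above.
http_access deny all

# Outgoing address selection. Not every origin is reachable over IPv6, so
# pin an IPv6 source only when the destination is IPv6 and give IPv4
# destinations an IPv4 source. Squid uses the first matching line.
acl to_ipv6 dst ipv6
tcp_outgoing_address 2001:db8::1:0 port1 to_ipv6
tcp_outgoing_address 2001:db8::1:1 port2 to_ipv6
tcp_outgoing_address 2001:db8::1:2 port3 to_ipv6
tcp_outgoing_address 203.0.113.5 !to_ipv6

# Privacy for the *client*: tell origins a proxy is present (Via) but do
# not leak the client address. "delete" strips X-Forwarded-For entirely;
# "off" would send "unknown", "transparent" would pass it through.
via on
forwarded_for delete
follow_x_forwarded_for deny all

coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
```

Validate the file with `squid -k parse` before reloading, and check the chosen source address from the client side by requesting an address-echo service through each port; also confirm every listed IPv6 address is actually bound on the proxy host, since `tcp_outgoing_address` does not add addresses to the interface, it only selects among existing ones.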
