Re: deny_info and squid's own IP address?

[Amish <anon.amish@xxxxxxxxx>]

On Tuesday 01 May 2018 02:41 PM, Amos Jeffries wrote:
> On 01/05/18 19:44, Amish wrote:
> > Hello,
> >
> > First of thanks a lot for taking your time out for replying to my query.
> >
> > My replies are inline.
> >
> > On Tuesday 01 May 2018 09:10 AM, Amos Jeffries wrote:
> > > On 01/05/18 00:54, Amish wrote:
> > > > Hello
> > > >
> > > > I have 2 LAN interface on squid box, say department A (192.168.1.1/24)
> > > > and department B (192.168.2.1/24)
> > > >
> > > > I have few banned sites. Say Facebook.
> > > >
> > > > I have HTTP server (running on same server as squid) which shows custom
> > > > pages with custom logo based on IP address.
> > > >
> > > > When request comes for a banned site I would like client to be
> > > > redirected based on squid's own IP.
> > > Firstly, is there any particular reason you are requiring it to be a
> > > redirect?
> > >   from what you have said it appears you can achieve the same outcome
> > > without the extra web server by using a custom error page.
> > No I cant use custom error page as Javascript will leak the IP range of
> > department A to department B.
> > (I had simplified my example, its actually two companies and not two
> > departments infact I have 4-5 companies/subnets)
> >
> > > Thirdly, on the issue of %h - the Squid hostname is *required* to
> > > resolve in DNS explicitly so clients can access things like these URLs.
> > > If your network and DNS is configured correctly each client subnet
> > > should resolve that hostname to the relevant IP which you are trying to
> > > "pass" to the web server in your redirect URL. So they will naturally
> > > (and only) connect to the web server (or Squid itself) using the right
> > > IP anyway - the web server should be able to detect what it needs from
> > > its own inbound TCP/IP connection instead of using raw-IPs in the traffic.
> > Some company uses OpenDNS, other Cloudflare, other Google etc.
> >
> > So DNS will not resolve the hostname to same as %MYADDR.
> I suspect something is going screwy there. How are these clients getting
> to the proxy if they resolve its name to a different IP than they
> connect to?

They connect by putting IP address in Proxy setting.

> > > There are three options available to work around broken DNS:
> > >
> > >
> > > Option 1) to do exactly (and only) what you asked for.
> > >
> > > Currently this can be done with an external helper:
> > >
> > >   external_acl_type getIp concurrency=100 %MYADDR /path/to/script
> > >   deny_info 302:http://%et/banned.html getIp
> > >
> > > where the script just echos back to Squid the IP it was given like so:
> > >      [channel-id] OK message="<input-IP>"\n
> > Based on documentation of FORMAT for deny_info, I think you mean %o and
> > not %et
> Ah, yes. Sorry. Getting my legacy formats mixed up.
>
> > Also will this "message" be available if I change by http_access line to:
> > deny_info 302:http://%o/banned.html blockedsites
> > http_access deny blockedsites getIp
> >
> > will "message" of getIp be available to deny_info of blockedsites?
> The message will persist as an annotation in the transaction, but only
> from the point the external ACL is tested. So the deny_info has to be
> attached to the external ACL or something following it.
>
> Also, deny_info only works if it is attached to the *last* ACL named on
> a line.
>
> So:
>
>   deny_info 302:http://%o/banned.html getIp
>   http_access deny blockedsites getIp
>
> or,
>
>   deny_info 302:http://%o/banned.html blockedsites
>   http_access deny getIp blockedsites
>
> or,
>   deny_info 302:http://%o/banned.html blockedsites
>   http_access deny getIp !all
>   ...
>   http_access deny blockedsites
>
>
> should work, but other orderings do not.

Tried this and it works as I expect it to.
> > _*Feature request:*_
> > Can we have the following switch-case in file errorpage.cc?
> >
> > Source:
> > https://github.com/squid-cache/squid/blob/master/src/errorpage.cc#L857
> >
> > Currently case 'I' (capital i) for building_deny_info_url returns string
> > "[unknown]"
> >
> > Can it be modified to return "interface" address? i.e. same as MYADDR
> >
> > I believe it would be just few (may be one) line change in code.
> >
> > I can create a PR if required but can you or someone guide me on how to
> > fetch MYADDR?
> A PR is welcome, but re-using a %macro which already has a different
> definition will add problems in the long-term plan of conversion to
> logformat %macro codes. So picking a letter that has not yet been used
> for anything would be best.
>
> The Squid IP:port on client requests should be available to that code as
> request->masterXaction->tcpClient->local , the request and tcpClient
> pointers may be nil since not all transactions have a client or the
> error may be about the lack of an HTTP request on the TCP connection.

I chose I (capital i) as it is not used for deny_info (and not 
documented either) and also properly reflects that it means interface 
address.

Document source: http://www.squid-cache.org/Doc/config/deny_info/

%i (small i) is used for client IP address
%I (capital i) may be used for interface (own) IP address

Let me know if its ok and I would attempt to create a PR.

Thank you again.

Amish

> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users