Attempting to use follow_x_forwarded_for in ACL

Greetings all,

 

squid.conf references the ability to use the x-forwarded-for header in ACLs by using follow_x_forwarded_for in an ACL, referenced here: http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/ and here: http://www.squid-cache.org/Doc/config/acl_uses_indirect_client/

 

There appear to be three pre-reqs, which I’ve met:

- squid.conf: acl_uses_indirect_client on
- squid built with --enable-follow-x-forwarded-for (confirmed)
- the appropriate ACL entries (see below)

 

In my scenario, I have a pair of squid hosts (squid version 3.5.6) sitting behind a pair of haproxy/keepalived hosts which provide balancing and redundancy/availability. Haproxy is configured to add an x-forwarded-for header (if one doesn’t already exist), and I can see the x-forwarded-for header in the request if I run a packet capture on the squid hosts.

 

For this scenario, I have a box sitting on the 192.168.4.0/24 network, which has access to three IPs on the 192.168.2.0/24 network (2.30, 2.31, and 2.32, which are haproxy1, haproxy2, and the keepalived vIP respectively). Hosts wanting internet access must use the haproxy-vip as their proxy IP; requests are then forwarded to the real squid backends. To sum up:

haproxy1 – 192.168.2.30
haproxy2 – 192.168.2.31
haproxy-vip – 192.168.2.32
squid1 – 192.168.2.128
squid2 – 192.168.2.129
zone1 – 192.168.3.0/24 with hosts having a proxy configured as 192.168.2.32:3128
client1 – 192.168.4.31 with a proxy configured as 192.168.2.32:3128

 

Squid will see the real IP of the client connection as the haproxy-vip endpoint and not the real client IP. If I understand the documentation correctly, I should be able to perform something like the following in an ACL:

# create acl source references
acl zone1 src 192.168.3.0/24
acl client1 src 192.168.4.31/32

# acl to test x-forwarded-for matching header
acl testing_proxy_dst dstdomain .google.com
follow_x_forwarded_for allow zone1 testing_proxy_dst
follow_x_forwarded_for allow client1 testing_proxy_dst

 

When I attempt to perform a wget (testing) to www.google.com from my client1, I’m getting a permission denied:

# wget www.google.com
--2019-06-06 08:20:30--  http://www.google.com/
Connecting to 192.168.2.32:3128... connected.
Proxy request sent, awaiting response... 403 Forbidden
2019-06-06 08:20:30 ERROR 403: Forbidden.

If I change the proxy (and the corresponding http_access ACL) so that the client goes direct to the squid host, the client is allowed.

 

Any help would be greatly appreciated.


Joey
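The behaviour asked about above comes down to how Squid walks the X-Forwarded-For header. follow_x_forwarded_for is not a client ACL: Squid tests it against the address that actually connected (here one of the haproxy hosts), and only if that hop is allowed does it take the right-most X-Forwarded-For entry as the client, test that address in turn, and so on from right to left until a line denies. The last accepted address is the "indirect client", and with acl_uses_indirect_client on it is what src ACLs in http_access see. So the client networks belong in http_access, and follow_x_forwarded_for should name only the proxies that insert the header and end with deny all; otherwise anything that can reach Squid directly can forge the header and borrow another client's ACLs. The following is an added example, not Squid's code or the poster's: a small model of that documented logic over a subset of squid.conf, run against the posted ACLs and against a corrected set. The http_access lines in POSTED_CONF are an assumption (the post does not show them), and the haproxy ACL lists all three 192.168.2.30-32 addresses because which one Squid sees as the TCP peer depends on haproxy's source-address configuration (also an assumption). The request addresses are constructed from the post.

```python
"""Model of Squid's X-Forwarded-For trust walk (added example; not Squid's or
the poster's code; follows the documented follow_x_forwarded_for semantics)."""
import ipaddress


def parse_conf(text):
    """Parse the squid.conf subset used here: acl src/dstdomain, follow_x_forwarded_for,
    http_access and acl_uses_indirect_client."""
    conf = {"acls": {}, "follow": [], "access": [], "indirect": False}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()          # '#' starts a comment, as in squid.conf
        if not parts:
            continue
        key, args = parts[0], parts[1:]
        if key == "acl":                               # repeated 'acl NAME type ...' lines accumulate
            conf["acls"].setdefault(args[0], (args[1], []))[1].extend(args[2:])
        elif key == "follow_x_forwarded_for":
            conf["follow"].append((args[0] == "allow", args[1:]))
        elif key == "http_access":
            conf["access"].append((args[0] == "allow", args[1:]))
        elif key == "acl_uses_indirect_client":
            conf["indirect"] = args[0] == "on"
        else:
            raise ValueError("directive not modelled: " + key)
    return conf


def acl_matches(conf, name, src, host):
    """Test one ACL name (optionally '!negated') against a source address and a destination host."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name == "all":                                  # Squid's built-in 'all' ACL
        return not negate
    kind, values = conf["acls"][name]
    if kind == "src":
        ip = ipaddress.ip_address(src)
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    elif kind == "dstdomain":                          # '.example.com' matches the domain and subdomains
        hit = any(host == v or (v[0] == "." and (host == v[1:] or host.endswith(v))) for v in values)
    else:
        raise ValueError("acl type not modelled: " + kind)
    return hit != negate


def decide(conf, rules, src, host):
    """First allow/deny line whose ACLs all match wins; no match -> opposite of the last line."""
    for allow, names in rules:
        if all(acl_matches(conf, n, src, host) for n in names):
            return allow
    return (not rules[-1][0]) if rules else False


def indirect_client(conf, peer, xff, host):
    """Walk X-Forwarded-For right to left while follow_x_forwarded_for allows the current hop."""
    client = peer
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    while hops and decide(conf, conf["follow"], client, host):
        nxt = hops.pop()                               # right-most entry = hop nearest to Squid
        try:
            ipaddress.ip_address(nxt)
        except ValueError:                             # 'unknown' or garbage: stop walking
            break
        client = nxt
    return client


def handle_request(conf, peer, xff, host):
    """Return (status, address the src ACLs saw) for one request arriving from `peer`."""
    client = indirect_client(conf, peer, xff, host)
    src_for_acls = client if conf["indirect"] else peer
    allowed = decide(conf, conf["access"], src_for_acls, host)
    return ("200 OK" if allowed else "403 Forbidden"), src_for_acls


# The ACLs from the post; the http_access lines are an assumption (the post does not show them).
POSTED_CONF = """
acl_uses_indirect_client on
acl zone1 src 192.168.3.0/24
acl client1 src 192.168.4.31/32
acl testing_proxy_dst dstdomain .google.com
follow_x_forwarded_for allow zone1 testing_proxy_dst
follow_x_forwarded_for allow client1 testing_proxy_dst
http_access allow zone1 testing_proxy_dst
http_access allow client1 testing_proxy_dst
http_access deny all
"""

# follow_x_forwarded_for trusts only the header-inserting proxies and ends with 'deny all';
# client src ACLs move to http_access.  Listing all three haproxy addresses is an assumption.
FIXED_CONF = """
acl_uses_indirect_client on
acl haproxy src 192.168.2.30/32 192.168.2.31/32 192.168.2.32/32
acl zone1 src 192.168.3.0/24
acl client1 src 192.168.4.31/32
acl testing_proxy_dst dstdomain .google.com
follow_x_forwarded_for allow haproxy
follow_x_forwarded_for deny all
http_access allow zone1 testing_proxy_dst
http_access allow client1 testing_proxy_dst
http_access deny all
"""

if __name__ == "__main__":   # constructed request: client1 via the VIP, header added by haproxy
    for label, conf in (("posted", parse_conf(POSTED_CONF)), ("fixed", parse_conf(FIXED_CONF))):
        print(label, handle_request(conf, "192.168.2.32", "192.168.4.31", "www.google.com"))
```

With the posted lines the peer address 192.168.2.32 matches neither zone1 nor client1, so follow_x_forwarded_for never allows the walk, the indirect client stays the haproxy address, and http_access falls through to deny all, which is the 403 seen in the wget output. With the corrected lines the same request resolves to 192.168.4.31 and is allowed, while a host that bypasses haproxy and forges X-Forwarded-For: 192.168.4.31 is still denied, because its own address is not a trusted hop.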
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users