Re: Prevent squid user to go out through server's IP

On 27/09/22 17:27, Marcelo wrote:
> Hi,
>
> Even after Squid fulfills ACLs and Cache Peer rules, the client connection keeps going out through the squid server's IP.
>
> How can I prevent it from happening?
>
> For instance, some rule ends with an IPv6 address on tcp_outgoing_address, but when a proxy client connects, he can see this IPv6 address plus the squid server IPv4 address on ipleak.net and other kinds of proxy-detection websites.

You cannot trust external websites like these to show Squid behaviour. They employ a number of tricks to uncover IP details regardless of what Squid is doing.

> How can I create a rule to say in squid.conf that it is forbidden to go out through the server's IP?



What you need to look at is:

 a) what HTTP message headers the client is sending to Squid, and
    - specifically whether any hostnames or IPs are being mentioned.

 b) what Squid is sending to the server based on those, and
    - specifically whether any hostnames or IPs are being mentioned.

 c) what IP address is used on the TCP layer for Squid's server message.
    - specifically whether your tcp_outgoing_address is being used by Squid.

Check the above for connections to an IPv6-only server and to an IPv4-only server, and also to a dual-stack server.


Be aware that tcp_outgoing_address with an IPv6 can only be used on connections to IPv6 servers. It cannot be used for IPv4 connections.


Be aware that the HTTP Via header allows the client and Squid to both inform origin servers about network topology using hostnames. These can be used by the origin to identify Squid's public IP(s) even if those IPs are not used for the traffic.
Disable with "via off" in squid.conf.


Be aware that the HTTP Forwarded (and X-Forwarded-For, X-Forwarded-By, Client-IP, X-Client-IP, X-Origin-IP + maybe others) headers allow the client and Squid to both inform origin servers about network topology using IP addresses. These can be used to identify client and/or Squid internal IPs used for the actual traffic regardless of the publicly available name info.
Disable X-Forwarded-For and Forwarded with "forwarded_for delete" in squid.conf.
Disable others with request_header_access directives as needed.


HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
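A small origin-side checker for steps (b) and (c) of the reply above, added here as an example and not part of the thread or of Squid itself: a stand-alone Python script that records the TCP peer address of each request and any of the topology-revealing headers Amos lists, so you can point a proxied client at it and compare the result with your tcp_outgoing_address and header settings. The host names, addresses and port in it are constructed, not real.

```python
import json
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers named in the reply above that can carry proxy or client hostnames/IPs.
TOPOLOGY_HEADERS = ("Via", "Forwarded", "X-Forwarded-For", "X-Forwarded-By",
                    "Client-IP", "X-Client-IP", "X-Origin-IP")


def topology_disclosures(headers):
    """Return {canonical-name: value} for every topology-revealing header present.

    `headers` is an iterable of (name, value) pairs; matching is case-insensitive,
    so a header emitted as 'via' or 'x-forwarded-for' is still caught.
    """
    wanted = {h.lower(): h for h in TOPOLOGY_HEADERS}
    return {wanted[n.lower()]: v for n, v in headers if n.lower() in wanted}


def report(peer_ip, headers):
    """One record per request: the TCP-layer peer address (step c) plus any
    header-level disclosures (step b). 'clean' is True only when none arrived."""
    found = topology_disclosures(headers)
    return {"tcp_peer": peer_ip, "disclosures": found, "clean": not found}


class EchoHandler(BaseHTTPRequestHandler):
    """Answers every GET with the report as JSON so the tester sees it in the client."""

    def do_GET(self):
        body = json.dumps(report(self.client_address[0], self.headers.items()), indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet; the JSON body is the record
        pass


# Constructed sample request, as a Squid with 'via on' and 'forwarded_for on' might send it.
SAMPLE_HEADERS = [("Host", "origin.example.test"),
                  ("Via", "1.1 proxy.example.test (squid)"),
                  ("X-Forwarded-For", "192.0.2.10")]

if __name__ == "__main__":
    print(json.dumps(report("2001:db8::2", SAMPLE_HEADERS), indent=2))
    # Listen on the IPv6 wildcard; on a dual-stack host IPv4 peers appear as ::ffff:a.b.c.d,
    # so one listener shows which address family and source address Squid actually used.
    HTTPServer.address_family = socket.AF_INET6
    HTTPServer(("::", 8080), EchoHandler).serve_forever()
```

Run it on the test origin, fetch it through Squid from a client, and the returned tcp_peer should match the configured tcp_outgoing_address while disclosures should be empty once "via off" and "forwarded_for delete" are in place.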