
Re: Prevent squid user to go out through


On 30/09/22 07:38, Marcelo wrote:
ANSWERS BELOW.

On 27/09/22 17:27, Marcelo wrote:
Hi,

Even after Squid fulfills the ACLs and Cache Peer rules, the client
connection keeps going out through the squid server's IP.

How can I prevent it to happen?

For instance, some rule ends with an IPv6 address on
tcp_outgoing_address, but when a proxy client connects, he can see this
IPv6 address plus the squid server IPv4 address on ipleak.net and
other kinds of proxy detection websites.


You cannot trust external websites like these to show Squid behaviour.
They employ a number of tricks to uncover IP details regardless of what
Squid is doing.

==> MARCELO'S ANSWER:
I know it, but I use the same APIs to identify proxies that the social
network I have to mimic.
So the data I get is what I need.


What I mean is that they can do things like use javascript to have the client Browser report its knowledge of the network and/or scan for information. So the source of the leak may be something outside of Squid's ability to prevent.

Squid can only control details in the HTTP message headers and tell the OS what TCP details it would *like* to use. The OS can decide otherwise, for example with outgoing NAT.


How can I create a rule to say in squid.conf that it is forbidden to go
out through the server's IP?



What you need to look at is:

   a) what HTTP message headers the client is sending to Squid, and

     - specifically whether any hostname or IPs are being mentioned.

   b) what Squid is sending to the server based on those, and

     - specifically whether any hostname or IPs are being mentioned.

   c) what IP address is used on the TCP layer for Squid's server message.

==> MARCELO'S ANSWER:
Sure, that I already did, and the result is ok.

     - specifically whether your tcp_outgoing_address are being used by
Squid.


... the only way your two statements (above) and (below) can be true at the same time is when a NAT system is changing the correct IP (from tcp_outgoing_address) to the wrong one (what you call "'leaked' IPv4 server IP").


The real problem is that Squid is "leaking" the IPv4 server IP. It is going
out via the server IP.
It's as if the squid server's IP was in a TCP_OUTGOING_ADDRESS, but it is not.


... OR, you have ACLs limiting use of that tcp_outgoing_address to some traffic, leaving Squid's default machine IP to be used on the rest.

... OR, you have traffic interception that requires Squid to use identical dst-IP used by the client on its request connection (eg for TLS decryption).

Eliminating those possibilities is why I had you check TCP layer was acting as you want.

... OR, you have a NAT somewhere screwing things up.



That is why my original question is how to suppress the IPv4 server's IP in
squid.conf.

You are apparently doing everything that can be done in squid.conf. Time to look outside Squid at what the routing system is doing. NATs on the IPv4 traffic are the prime suspect for causing this behaviour.


Is there any kind of ACL (I have tested MYIP, SRC and DST ones) that I could
use to deny the connections that go out via the server's IP?

Something like:
ACL server_IP "typeN" 192.168.12.1
HTTP_ACCESS deny server_IP


If you cannot find what is doing the odd behaviour only for IPv4 (it is not normal AFAICT), then you can set up a rule like that in the Squid machine's firewall.

Squid does not have any control that can do what you ask.


HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
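As an added illustration (not part of the thread, and not Marcelo's real configuration) of the "ACLs limiting use of that tcp_outgoing_address" case Amos lists: Squid adds an implicit IP-version test to every tcp_outgoing_address line, so a rule that names only an IPv6 address never matches IPv4 destinations, and those connections fall back to the OS default source address. All addresses and the ACL name are assumed placeholders.

```conf
# Constructed squid.conf fragment; addresses and ACL names are placeholders.
acl vip_net src 10.0.2.0/24

# Before: the only outgoing line names an IPv6 address.
#   tcp_outgoing_address 2001:db8::c001 vip_net
# Squid tests the IP version of the destination on each line, so this line
# matches IPv6 destinations only. IPv4 destinations fall through to the OS,
# which picks the machine's default IPv4 address (the "leaked" server IP).

# After: pair every IPv6 line with an IPv4 line, and end with catch-all lines
# so no request is left to the OS default. Processing stops at the first
# fully matching line, so order matters.
tcp_outgoing_address 2001:db8::c001 vip_net
tcp_outgoing_address 192.0.2.10     vip_net   # dedicated IPv4 alias
tcp_outgoing_address 2001:db8::1              # defaults for all other traffic
tcp_outgoing_address 192.0.2.11

# Client-dependent ACLs on tcp_outgoing_address do not mix with reusing
# server-side persistent connections across clients.
server_persistent_connections off

# Items (a) and (b) of Amos's checklist: stop Squid from naming itself or
# the client in the request headers it forwards to the origin server.
via off
forwarded_for delete
```

If the TCP layer still shows the default IPv4 source after this, the rewrite is happening outside Squid (NAT or routing), which is the case Amos points to.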


