Re: [squid-users] Don't understand the usage of acl_uses_indirect_client

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 04 Apr 2013 18:04:54 +1300

On 4/04/2013 1:16 p.m., jesses408 wrote:
> I have an environment setup like this-
>
> Client - HAProxy - SquidProxy - WebServer
>
> Client is using HAProxy as the forward proxy server, and trying to access a
> website on WebServer. Since SquidProxy is seeing the client IP address of
> HAProxy (and not Client), I've configured HAProxy to insert the
> X-Forwarded-For header where the value of X-Forwarded-For = Client's IP
> address.
>
> In squid.conf, I have an ACL that allows Client's IP address, and also have
> acl_uses_indirect_client enabled (which is the default). However when Client
> tries to get the website on WebServer, squid denies it with access denied.
>
> I enabled debugging and I see no reference to Client's IP, only HAProxy's
> IP. From reading the documentation, the expectation is that if Squid sees
> X-Forwarded-For, it should replace the client IP with the IP seen in
> X-Forwarded-For, but the debug log says this is not the case.
>
> Am I misreading the purpose of acl_uses_indirect_client or is this a bug in
> squid that it doesn't correctly handle X-Forwarded-For in ACL?

Your understanding of acl_uses_indirect_client appears to be correct.
But your understanding of indirect client is innacurate.

Problem: The client software is fully able to send anything it likes in
the XFF header it delivered to HAProxy, so we can't just believe the
header. Nor is it wise to delete/remove/erase it in HAproxy because the
existing content might be real if your client is using another proxy
too. You won't be wanting to use that information in your Squid ACLs,
but something else further down the chain (like web server security
measures) may find it useful.

Squid provides the follow_x_forwarded_for access control list to tell
Squid how far back down the chain of XFF entries it is safe to believe.
Any entry which that access list says ALLOW for will be ignored, and the
first which gets a DENY will be used as the indirect client IP.

What you are missing is follow_x_forwarded_for rules telling Squid it
can trust the X-Forwarded-For header delivered by your HAProxy.

Like this:
   acl haproxy src <HAPROXY IP>
   follow_x_forwarded_for allow haproxy
   follow_x_forwarded_for deny all

This tells Squid the HAProxy service can be trusted and to ignore its IP
address when following the XFF header chain to find the client IP.
Without that it will determine that the HAProxy is the first non-trusted
sender and treat it as the indirect client.

IMPORTANT: only put the HAProxy machine IP(s) in that follow_*
directive. Do not list your client IPs there, unless you are certain
they are using a trustworthy proxy.

NP: when you have a chain of proxies like this it is friendlier to other
admin to use the new Squid "forwarded_for transparent" setting in your
backend proxies. So they only see your backend gateway and the original
client IP address which arrived in your frontend. Then they only need to
know about and trust your backend(s) to trust your entire system.

Amos
Received on Thu Apr 04 2013 - 05:05:08 MDT

This archive was generated by hypermail 2.2.0 : Thu Apr 04 2013 - 12:00:04 MDT