Greetings all,

squid.conf references the ability to use the x-forwarded-for header in ACLs by 
using follow_x_forwarded_for with an ACL, referenced here: 
http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/ and here 
http://www.squid-cache.org/Doc/config/acl_uses_indirect_client/

There appear to be three pre-reqs, which I've met:

squid.conf: acl_uses_indirect_client on
squid built with --enable-follow-x-forwarded-for (confirmed)
and the appropriate ACL entries (see below)

In my scenario, I have a pair of squid hosts (squid ver 3.5.6) sitting behind a 
pair of haproxy/keepalived hosts which provide balancing and 
redundancy/availability.  Haproxy is configured to add an x-forwarded-for 
header (if one doesn't already exist) and I can see the x-forwarded-for header 
in the request if I run packet capture on the squid hosts.

For this scenario, I have a box sitting on the 192.168.4.0/24 network, which 
has access to three IPs on the 192.168.2.0/24 network (2.30, 2.31, and 2.32, which 
are haproxy1, haproxy2, and the keepalived vIP respectively).  Hosts wanting 
internet access must use the haproxy-vip as their proxy IP, which is then 
forwarded to the real squid backends.  To sum up:

haproxy1 - 192.168.2.30
haproxy2 - 192.168.2.31
haproxy-vip - 192.168.2.32
squid1 - 192.168.2.128
squid2 - 192.168.2.129
zone1 - 192.168.3.0/24 with hosts having a proxy configured as 192.168.2.32:3128
client1 - 192.168.4.31 with a proxy configured as 192.168.2.32:3128

Squid will see the real-ip of the client connection as the haproxy-vip endpoint 
and not the real-client IP.  If I understand the documentation correctly, I 
should be able to perform something like the following in an ACL:

# create acl source references
acl zone1 src 192.168.3.0/24
acl client1 src 192.168.4.31/32

# acl to test x-forwarded-for matching header
acl testing_proxy_dst dstdomain .google.com
follow_x_forwarded_for allow zone1 testing_proxy_dst
follow_x_forwarded_for allow client1 testing_proxy_dst

When I attempt to perform a wget (testing) to www.google.com from my client1, 
I'm getting a permission denied:

# wget www.google.com
--2019-06-06 08:20:30--  http://www.google.com/
Connecting to 192.168.2.32:3128... connected.
Proxy request sent, awaiting response... 403 Forbidden
2019-06-06 08:20:30 ERROR 403: Forbidden.

If I change the proxy (and the corresponding http_access ACL) so that the 
client goes direct to the squid host, the client is allowed.

Any help would be greatly appreciated.

Joey


_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
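The follow_x_forwarded_for walk that the squid.conf documentation linked above describes, as an added example that is not part of the original post and not Squid's own code. It models the address plan from the post and compares three follow_x_forwarded_for policies: the client ACLs used in the post, the two haproxy nodes only, and "allow all". Per the documentation, the ACL named in follow_x_forwarded_for is first matched against the connecting peer (here a haproxy node); only when that peer is allowed does Squid take the rightmost X-Forwarded-For entry as the indirect client, repeating the check on each hop, and with acl_uses_indirect_client on it is that indirect address which http_access src ACLs see. The squid.conf fragment in the docstring is an assumed configuration, not quoted from the post, and the addresses 192.168.5.7 and 192.168.3.5 used for the spoofing scenarios are constructed.

```python
"""Model of Squid's follow_x_forwarded_for / acl_uses_indirect_client logic.

Added example, not Squid code. It mirrors the behaviour documented in
squid.conf for a configuration like this one (assumed, not from the post):

    acl haproxy src 192.168.2.30/32 192.168.2.31/32
    acl zone1   src 192.168.3.0/24
    acl client1 src 192.168.4.31/32
    acl_uses_indirect_client on
    follow_x_forwarded_for allow haproxy
    follow_x_forwarded_for deny all
    http_access allow zone1
    http_access allow client1
    http_access deny all
"""
import ipaddress

# Constructed sample address plan, taken from the post's layout.
HAPROXY_NODES = [ipaddress.ip_network("192.168.2.30/32"),
                 ipaddress.ip_network("192.168.2.31/32")]
ZONE1 = ipaddress.ip_network("192.168.3.0/24")
CLIENT1 = ipaddress.ip_network("192.168.4.31/32")
HTTP_ACCESS_ALLOW = [ZONE1, CLIENT1]          # the http_access src ACLs

# Three follow_x_forwarded_for policies to compare.
TRUST_CLIENTS = [ZONE1, CLIENT1]              # the ACLs the post names
TRUST_PROXIES = HAPROXY_NODES                 # only the load balancers
TRUST_ALL = [ipaddress.ip_network("0.0.0.0/0")]   # "allow all"


def _parse(text):
    """Parse an address, returning None for things like 'unknown'."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _in(ip_text, nets):
    """True if ip_text is a valid address inside any of the networks."""
    ip = _parse(ip_text)
    return ip is not None and any(ip in n for n in nets)


def indirect_client(direct_ip, xff_header, trusted):
    """Walk X-Forwarded-For the way squid.conf documents it.

    Start at the connecting peer. While that address is allowed by the
    follow_x_forwarded_for ACL and entries remain, take the rightmost
    remaining entry (the most recent hop) as the new client. An
    unparseable entry stops the walk (a simplification assumed here).
    Returns (indirect client address, number of hops followed).
    """
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    client, followed = direct_ip, 0
    while hops and _in(client, trusted):
        candidate = hops.pop()
        if _parse(candidate) is None:
            break
        client, followed = candidate, followed + 1
    return client, followed


def http_access(direct_ip, xff_header, trusted):
    """http_access with acl_uses_indirect_client on: the src ACLs match the
    indirect client, and a request matching no allow rule is denied."""
    client, _ = indirect_client(direct_ip, xff_header, trusted)
    return "allow" if _in(client, HTTP_ACCESS_ALLOW) else "deny"


def scenarios():
    """(label, decision) for the post's request and for forged headers.
    Direct peer is haproxy1 unless the label says otherwise."""
    return [
        ("client1 via haproxy, trust client ACLs", http_access("192.168.2.30", "192.168.4.31", TRUST_CLIENTS)),
        ("client1 via haproxy, trust proxies", http_access("192.168.2.30", "192.168.4.31", TRUST_PROXIES)),
        ("forged zone1 entry appended by haproxy, trust proxies", http_access("192.168.2.30", "192.168.3.5, 192.168.5.7", TRUST_PROXIES)),
        ("forged zone1 entry appended by haproxy, trust all", http_access("192.168.2.30", "192.168.3.5, 192.168.5.7", TRUST_ALL)),
        ("forged header passed through unchanged, trust proxies", http_access("192.168.2.30", "192.168.3.5", TRUST_PROXIES)),
        ("192.168.5.7 direct to squid with forged header, trust proxies", http_access("192.168.5.7", "192.168.3.5", TRUST_PROXIES)),
    ]


if __name__ == "__main__":
    for label, decision in scenarios():
        print(f"{decision:5s}  {label}")
```

The first scenario reproduces the 403 from the post: the connecting peer is haproxy1, which matches neither zone1 nor client1, so the header is never followed and http_access sees 192.168.2.30. Trusting only the haproxy nodes yields the allow the post expected. The last scenarios are the caveat to keep in mind when tightening this: the post says haproxy adds the header only if one is absent, so a client that supplies its own X-Forwarded-For hands it to Squid unchanged from a trusted peer, and the forged entry becomes the indirect client. Having the balancer always append (so the real client address is the rightmost entry) and never listing client networks or "all" in follow_x_forwarded_for is what keeps the indirect address trustworthy; with "allow all", even an appended header is walked straight through to the forged entry.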
