Re: [squid-users] Conflicts with squid in transparent to Apache proxy and OpenVPN

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 13 Sep 2011 21:09:54 +1200

On 13/09/11 20:15, David Touzeau wrote:
> Dear bests
>
> I have this network configuration
>
> OpenVPN client -> Squid Proxy in transparent mode -> Internet -> APACHE
> Proxy 80 -> OpenVPN 127.0.0.1:1194
>
> When the OpenVPN client try to send a CONNECT 127.0.0.1:1194 to the
> Apache Proxy the Squid Proxy in the LAN (in Transparent mode) trap the
> command and kill the connection.
>
> Which kind of acl i can set in order to force squid allowing this
> connection ?

You can add a relatively complex workaround (reverse-proxy for CONNECT
to dstdomain 127.0.0.1 to that Apache as the peer) which will work for
this one particular Squid. Or you can fix the Apache setup so it works
across all transparent proxies.

CONNECT - is a request for the receiving proxy (*any* proxy) to open a
TCP connection to the specified IP:port. Squid is obeying that command.

127.0.0.1 is an IP address referring to the machine on which the
application using it is operating (aka client machine sees it as itself,
Squid sees it as itself, apache sees it as itself, routers and firewalls
between see it as themselves...). It is not safe to be sent over the
Internet. Due to exactly this type of problem. Deep packet inspectors
will cause other problems as well.

There is a giant security vulnerability of allowing requests to
127.0.0.1 through the Apache front gateway. I hope you have at least
placed strict access controls to ensure that traffic accepted by Apache
is not going to other localhost ports.

The secondary problem which is making this visible is that Apache is
operating a proxy on the native/non-proxy HTTP port 80. You will
therefore have this exact same problem whenever the VPN link crosses
anybody elses intercepting proxy. So a Squid workaround is not
realistically going to be a full fix.

To properly fix this the Apache end needs to be setup as a proper
reverse-proxy. The setup concept is the same as what we do in Squid, but
different config syntax. ie Clients use a public domain name which
points them to the Apache at some port. Only Apache itself needs to know
its relaying to 127.0.0.1. Sharing the 1194 port on the public domain is
useful for simplicity and ease of administration.

<snip>
>
> Squid.conf
>
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.1/32

NP: to_localhost should be defined as "127.0.0.1/8 0.0.0.0/32" (maybe
::1 as well) to catch all the potential attacks it is meant to.
<snip>
>
> # --------- RULES DEFINITIONS
> url_rewrite_access deny localhost
> url_rewrite_access deny whitelisted_mac_computers
> url_rewrite_access allow all
> http_access allow whitelisted_mac_computers
> http_access allow AIM_methods AIM_ports AIM_nets
> http_access allow AIM_methods AIM_ports AIM_hosts
> http_access allow IRC_methods IRC_ports IRC_hosts
> http_access allow IRC_methods IRC_ports IRC_domains
> http_access allow YIM_methods YIM_ports YIM_hosts
> http_access allow YIM_methods YIM_ports YIM_domains
> http_access allow GTALK_ports GTALK_hosts GTALK_methods
>
> http_access allow GTALK_methods GTALK_ports GTALK_domains
> http_access allow MSN_ports MSN_domains MSN_methods
>

NP: all of those special application ports are included in Safe_ports
1024-65535 range. You could bump "deny !Safe_ports" up the top for a bit
faster processing on unsafe port attacks.

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow manager localhost
> http_access allow purge localhost
> http_access deny purge
> http_access deny blockedsites
> http_access allow office_network
> http_access deny to_localhost

Deny to_localhost is only useful when its up above some allow rules.
Usually up near the very top with Safe_ports and CONNECT is recommended.
In this case it is probably best at the very top with Safe_ports.

It's purpose is to short-circuit and quickly reject broken requests such
as these CONNECT 127.0.0.1:1194 ones you are dealing with. So they do
not lag or consume too much CPU resources doing more complex ACL tests.

> http_access deny all
> # --------- ICAP Services.(1 service(s))
>
<snip>
> refresh_pattern . 0 100% 43200 reload-into-ims override-lastmod
> refresh_pattern . 0 20% 4320
> refresh_pattern -i (/cg-bin/|\?) 0 0% 0

This cgi rule should be up one higher, above the "." rule.

The "." rule itself captures every possible URL. So there is no point in
having anything after the first "." pattern. They will never be used.

HTH

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.15
   Beta testers wanted for 3.2.0.11
Received on Tue Sep 13 2011 - 09:10:14 MDT

This archive was generated by hypermail 2.2.0 : Tue Sep 13 2011 - 12:00:02 MDT