Parent proxy chaining

Parent proxy chaining

Phillip McCollum
Hi folks,

First off, I'll make the requisite disclaimer that I'm a squid newbie. I've been banging my head against this problem for nearly a week--trial and error, google searches, FAQ reviews, etc. Like Obi-Wan Kenobi, you guys are my last resort! :)

I have a deployment in AWS where a VPC has a transparent proxy deployed, which forwards 80/443 requests to a parent proxy in another VPC, which I then need to forward to another parent proxy (SaaS provider).

Essentially:
[[Client PC]] --> [[Squid Proxy (10.52.0.20)]] --> [[Parent Squid Proxy (10.52.0.168)]] --> [[Parent SaaS Proxy]]

This is being done to centralize proxy functions and limit the number of public IPs that the parent SaaS needs to whitelist.

I'm getting "Access Denied" messages and a review of Squid Parent proxy access.log shows the following common errors:

HTTP:
2018/11/27 16:22:54 kid1| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Cookie: B=8nra62ldvb83a&b=3&s=ik
Via: 1.1 squid (squid/3.5.27)
X-Forwarded-For: 10.184.0.26
Cache-Control: max-age=259200
Connection: keep-alive

HTTPS:
2018/11/27 16:21:51 kid1| SECURITY ALERT: Host header forgery detected on local=10.52.0.168:8443 remote=10.52.0.20:45520 FD 15 flags=33 (intercepted port does not match 443)
2018/11/27 16:21:51 kid1| SECURITY ALERT: on URL: 13.82.28.61:443

Here are the various squid.conf files and iptables configurations:

[[Transparent Proxy]]:
visible_hostname squid
http_port 3129 intercept
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl HTTP_PORT port 80
acl HTTPS_PORT port 443
http_access allow all
ssl_bump splice
dns_v4_first on
#cache_peer proxy.threatpulse.net parent 8080 0 name=symantec_http no-query proxy-only default
cache_peer 10.52.0.168 parent 8443 0 name=symantec_http no-query proxy-only default
cache_peer_access symantec_http allow HTTP_PORT
cache_peer_access symantec_http allow HTTPS_PORT
never_direct allow all

Chain PREROUTING (policy ACCEPT 32 packets, 1704 bytes)
 pkts bytes target     prot opt in     out     source               destination
   30  1560 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3129
   89  4628 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3130

Chain INPUT (policy ACCEPT 131 packets, 6852 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 660 packets, 58073 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 680 packets, 59113 bytes)
 pkts bytes target     prot opt in     out     source               destination

[[Squid Parent Proxy]]:
visible_hostname squid
http_port 3129 intercept
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
http_port 3031 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl HTTP_PORT port 80
acl HTTPS_PORT port 443
acl FORWARD_PORT port 8443
http_access allow all
ssl_bump splice
cache_peer proxy.threatpulse.net parent 8080 0 name=symantec_http no-query proxy-only default
cache_peer_access symantec_http allow HTTP_PORT
cache_peer_access symantec_http allow HTTPS_PORT
cache_peer_access symantec_http allow FORWARD_PORT
never_direct allow all

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3129
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3130
   35  2100 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 redir ports 3031

Chain INPUT (policy ACCEPT 35 packets, 2100 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2 packets, 121 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2 packets, 121 bytes)
 pkts bytes target     prot opt in     out     source               destination

---

Any thoughts or suggestions are greatly appreciated. Thanks for your time!

-Phillip

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Parent proxy chaining

Matus UHLAR - fantomas
On 27.11.18 08:33, Phillip McCollum wrote:

>I have a deployment in AWS in where a VPC has a transparent proxy deployed,
>which forwards 80/443 requests to a parent proxy in another VPC, which I
>then need to forward to another parent proxy (SaaS provider).
>
>Essentially:
>[[Client PC]] --> [[Squid Proxy (10.52.0.20)]] --> [[Parent Squid Proxy
>(10.52.0.168)]] --> [[Parent SaaS Proxy]]
>
>This is being done to centralize proxy functions and limit the number of
>public IPs that the parent SaaS needs to whitelist.
>
>I'm getting "Access Denied" messages and a review of Squid Parent proxy
>access.log shows the following common errors:
>
>HTTP:
>2018/11/27 16:22:54 kid1| WARNING: Forwarding loop detected for:
>GET / HTTP/1.1
>Accept: text/html, application/xhtml+xml, image/jxr, */*
>Accept-Language: en-US
>User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like
>Gecko
>Accept-Encoding: gzip, deflate
>Cookie: B=8nra62ldvb83a&b=3&s=ik
>Via: 1.1 squid (squid/3.5.27)

What are the names of your proxies?
You must set different visible_name or at least unique_name so the proxy knows
it's not contacting itself.

>Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target     prot opt in     out     source
> destination
>    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0
>0.0.0.0/0            tcp dpt:80 redir ports 3129
>    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0
>0.0.0.0/0            tcp dpt:443 redir ports 3130
>   35  2100 REDIRECT   tcp  --  *      *       0.0.0.0/0
>0.0.0.0/0            tcp dpt:8443 redir ports 3031

The intercepting (often called transparent) proxy must have direct access to
the world or a parent proxy. Redirecting it back will create a loop.


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
BSE = Mad Cow Disease ... BSA = Mad Software Producers Disease

Re: Parent proxy chaining

Alex Rousskov
In reply to this post by Phillip McCollum
On 11/27/18 9:33 AM, Phillip McCollum wrote:

> 2018/11/27 16:22:54 kid1| WARNING: Forwarding loop detected for:
> Via: 1.1 squid (squid/3.5.27)

> [[Transparent Proxy]]:
> visible_hostname squid

> [[Squid Parent Proxy]]:
> visible_hostname squid

> Any thoughts or suggestions are greatly appreciated.

Squid uses Via headers to detect loops. Squid sends unique_hostname in
its Via header. unique_hostname defaults to visible_hostname. On each
Squid in your hierarchy, either use unique visible_hostname values or
use unique unique_hostname values, as appropriate in your environment.

Both directives are documented. For an expanded still-being-polished but
soon-to-become-official visible_hostname documentation, see
https://github.com/squid-cache/squid/pull/302/

Alex.
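The loop check Alex describes above, as an added Python illustration that is not part of the thread and not Squid's own code: it models how the name a Squid stamps into Via (unique_hostname, falling back to visible_hostname) is derived from a config, and why two proxies both named "squid" trip "Forwarding loop detected". The config fragments and the "squid-parent" name are constructed for the example.

```python
import re

# Constructed squid.conf fragments modelled on the thread: both proxies
# say "visible_hostname squid" and neither sets unique_hostname.
CHILD_CONF = """
visible_hostname squid
http_port 3129 intercept
cache_peer 10.52.0.168 parent 8443 0 name=symantec_http no-query proxy-only default
"""
PARENT_CONF = """
visible_hostname squid
http_port 3031 cert=/etc/squid/ssl/squid.pem ssl-bump
cache_peer proxy.threatpulse.net parent 8080 0 name=symantec_http no-query proxy-only default
"""
# Fixed variant (assumed example name): the parent gets its own unique_hostname.
PARENT_CONF_FIXED = PARENT_CONF.replace(
    "visible_hostname squid", "visible_hostname squid\nunique_hostname squid-parent")


def effective_unique_hostname(conf: str) -> str:
    """Name Squid puts in Via: unique_hostname if set, otherwise visible_hostname."""
    names = {}
    for m in re.finditer(r"^\s*(visible_hostname|unique_hostname)\s+(\S+)", conf, re.M):
        names[m.group(1)] = m.group(2)
    return names.get("unique_hostname") or names.get("visible_hostname", "")


def via_hops(via: str) -> list:
    """Return the pseudonym of each hop in a Via header value.
    Each comma-separated entry looks like "1.1 <pseudonym> (<comment>)"."""
    hops = []
    for entry in via.split(","):
        entry = re.sub(r"\(.*?\)", "", entry).strip()  # drop the "(squid/3.5.27)" comment
        parts = entry.split()
        if len(parts) >= 2:
            hops.append(parts[1])
    return hops


def forwarding_loop(via: str, my_name: str) -> bool:
    """Model of the check behind 'WARNING: Forwarding loop detected':
    the request's Via already carries this proxy's own pseudonym."""
    return my_name in via_hops(via)


def chain_is_loop_free(*confs: str) -> bool:
    """True when every proxy in the chain stamps a distinct name into Via."""
    names = [effective_unique_hostname(c) for c in confs]
    return len(names) == len(set(names))
```

With the thread's original configs, chain_is_loop_free(CHILD_CONF, PARENT_CONF) is False: the parent sees "1.1 squid (...)" in Via, which is its own name, and refuses the request.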

Re: Parent proxy chaining

Phillip McCollum
In reply to this post by Phillip McCollum
Thank you both, Matus and Alex! Changing the name got my HTTP access working perfectly. I was stuck on HTTPS soon after, but as soon as I removed "intercept" from the Squid Parent proxy "http_port" line, I got that working.

You guys rock. Thanks again for that little nudge I needed to figure this out.

-Phillip