Squid proxy incoming and outcoming connections?


Squid proxy incoming and outcoming connections?

Patrícia Sousa

I'm using the Squid proxy and I'm trying to block some connections (incoming and outcoming traffic) from a certain IP address. However, if I deny all the connections (http_access deny all), it only blocks the connections that I make to websites, for example; but if I use another PC and try to ssh or wget the PC that owns the Squid proxy, it is allowed. How can I block the traffic from and to a specific IP or DNS name? Is it possible to do this with Squid?

If not, what is the best way to do this?

Thank you.


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid proxy incoming and outcoming connections?

Felipe Arturo Polanco
Hi, 

For this, you need to use IPtables to block at the network level.

SSH uses port 22/tcp, but wget uses HTTP, so it should have been blocked by Squid.
Enable debug_options in Squid to see why it was allowed.




Re: Squid proxy incoming and outcoming connections?

dweimer
In reply to this post by Patrícia Sousa

 
You need two ACL lines:
acl BadIPSource src 1.1.1.1/32
acl BadIPDst dst 1.1.1.1/32
 
You can use srcdomain & dstdomain instead of src & dst to use domain instead of IP.
 
Rules are processed in order; if you specifically want to block this domain/IP, put it first. Then your allow lines, and finally the deny all line to block anything you haven't specifically allowed.
 
http_access deny BadIPSource
http_access deny BadIPDst
[...Your Allow Lines Here...]
http_access deny all
 
 
 
 
--
Thanks,
   Dean E. Weimer
   http://www.dweimer.net/

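To make the ordering point concrete, here is a small first-match evaluator for http_access lines. It is an added example, not code from this thread or from Squid itself: the squid.conf fragments and the request values are constructed, and only the src, dst, srcdomain and dstdomain ACL types plus the built-in "all" are modelled. It reproduces two Squid behaviours worth knowing: the first http_access line whose ACLs all match wins, and if no line matches, the decision is the opposite of the last line's action.

```python
import ipaddress

# Constructed squid.conf fragment in the shape recommended above:
# specific denies first, then allows, then the catch-all deny.
SAMPLE_CONF = """\
acl BadIPSource src 1.1.1.1/32
acl BadIPDst dst 1.1.1.1/32
acl BadDomain dstdomain .example.invalid
acl localnet src 192.168.1.0/24
http_access deny BadIPSource
http_access deny BadIPDst
http_access deny BadDomain
http_access allow localnet
http_access deny all
"""

# Same ACLs, but the allow line placed before the denies (the common mistake).
MISORDERED_CONF = """\
acl BadIPSource src 1.1.1.1/32
acl BadIPDst dst 1.1.1.1/32
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny BadIPSource
http_access deny BadIPDst
http_access deny all
"""


def parse_conf(text):
    """Collect acl definitions and http_access lines, keeping file order."""
    acls = {"all": ("all", [])}  # Squid's built-in match-everything ACL
    rules = []                   # (action, [acl terms]) in file order
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            if name in acls:     # repeated acl lines extend the same list
                acls[name][1].extend(values)
            else:
                acls[name] = (kind, list(values))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(kind, values, req):
    if kind == "all":
        return True
    if kind in ("src", "dst"):
        # a dst ACL needs the resolved destination address; the request dict
        # carries it directly here instead of doing a DNS lookup
        ip = ipaddress.ip_address(req["client_ip"] if kind == "src" else req["dst_ip"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind in ("srcdomain", "dstdomain"):
        host = req.get("client_domain" if kind == "srcdomain" else "dst_domain", "").lower()
        for v in (v.lower() for v in values):
            if v.startswith("."):  # leading dot: the domain and all its subdomains
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:        # no leading dot: exact host name only
                return True
        return False
    raise ValueError(f"acl type {kind!r} not modelled here")


def evaluate(acls, rules, req):
    """Return (action, rule index) of the first line whose ACLs all match."""
    for i, (action, terms) in enumerate(rules):
        for term in terms:
            negate = term.startswith("!")
            kind, values = acls[term.lstrip("!")]
            if acl_matches(kind, values, req) == negate:
                break              # this term fails, try the next http_access line
        else:
            return action, i
    # nothing matched: Squid applies the opposite of the last line's action
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), None


def decide(conf_text, req):
    acls, rules = parse_conf(conf_text)
    return evaluate(acls, rules, req)


if __name__ == "__main__":
    lan = {"client_ip": "192.168.1.10", "dst_ip": "1.1.1.1", "dst_domain": "1.1.1.1"}
    print("ordered:   ", decide(SAMPLE_CONF, lan))      # ('deny', 1)
    print("misordered:", decide(MISORDERED_CONF, lan))  # ('allow', 0)
```

Running it with a LAN client talking to 1.1.1.1 shows the difference: with the denies first the request is stopped at the BadIPDst line, while with the allow line first the same request passes and the deny lines are never reached.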

Re: Squid proxy incoming and outcoming connections?

Patrícia Sousa
In reply to this post by Felipe Arturo Polanco
Hi,

Thanks for the tip,

Enabling debug_options, I can see that the wget from the other computer to the Squid machine does not go through the proxy. Any idea why?


Re: Squid proxy incoming and outcoming connections?

Felipe Arturo Polanco
Did you configure Squid to accept both HTTP and HTTPS ports?

Please share your squid.conf file.

Thanks,


Re: Squid proxy incoming and outcoming connections?

Patrícia Sousa
I think so.

Here is the conf file: https://pastebin.com/DKMbwNV6


Re: Squid proxy incoming and outcoming connections?

Felipe Arturo Polanco
You only have one port open for Squid
http_port 3128 
You need two ports, one for HTTP and another for HTTPS.
Also, if you are going to block HTTPS based on the domain name, you need to do sslBump to get the SNI of the destination website and then terminate the SSL connection. 


Re: Squid proxy incoming and outcoming connections?

Matus UHLAR - fantomas
In reply to this post by Patrícia Sousa
On 13.02.20 16:18, Patrícia Sousa wrote:
>Enabling debug_options I can see that the wget from the machine computer to
>the Squid machine does not goes through the proxy. Any idea why?

Because you apparently haven't configured anything to use the proxy.

Squid is a proxy, not a firewall, and it does not block connections to your
machine.

Also, SQUID can only support HTTP and HTTPS connections, not SSH.

SSH and other TCP connections can be tunnelled through proxy, but the
clients need to be configured to use HTTP proxy, if they support it.




--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !

Re: Squid proxy incoming and outcoming connections?

Matus UHLAR - fantomas
In reply to this post by Felipe Arturo Polanco
On 13.02.20 12:29, Felipe Arturo Polanco wrote:
>You only have one port open for Squid
>http_port 3128
>You need two ports, one for HTTP and another for HTTPS.
>Also, if you are going to block HTTPS based on the domain name, you need to
>do sslBump to get the SNI of the destination website and then terminate the
>SSL connection.

No, he does not.

Both HTTP and HTTPS can be proxied through the same port; the difference is
that HTTPS uses CONNECT requests.

He would need a different port for an intercepting proxy and another for an
intercepting HTTPS proxy, but interception is not configured yet.


>On Thu, Feb 13, 2020 at 12:26 PM Patrícia Sousa <[hidden email]> wrote:
>> Here is the conf file: https://pastebin.com/DKMbwNV6

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Emacs is a complicated operating system without good text editor.
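The two request forms Matus is referring to, as an added example that is not part of the thread or of Squid's code: a parser for the request line a client sends to a forward-proxy port, with constructed sample requests. A plain HTTP request carries an absolute URI, so the proxy sees host, port and path; an HTTPS request is a CONNECT with only host:port, after which the client's TLS bytes are relayed opaquely. Both arrive on the same http_port, and a dstdomain ACL can act on either, but matching on the URL path is only possible for the plain HTTP case (inspecting inside the tunnel is what ssl_bump is for). The origin-form request at the end is what a browser sends to the origin server itself; a forward-proxy port has nowhere to route it, which is the case an intercept-mode port exists for.

```python
from urllib.parse import urlsplit

# Constructed samples of what a client sends to a forward proxy.
HTTP_REQ = b"GET http://example.com/index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
HTTPS_REQ = (b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
             b"\x16\x03\x01\x00\x05hello")   # start of the client's TLS handshake
ORIGIN_FORM_REQ = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"


def parse_proxy_request(raw: bytes) -> dict:
    """Extract what a proxy-side ACL could act on from a client request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii")
    method, target, _version = request_line.split(" ", 2)

    if method == "CONNECT":
        # authority-form target: host:port. The proxy relays whatever follows the
        # headers (here: TLS) without looking inside it.
        host, sep, port = target.rpartition(":")
        if not sep:
            raise ValueError("CONNECT target must be host:port")
        if host.startswith("[") and host.endswith("]"):
            host = host[1:-1]          # bracketed IPv6 literal
        return {"method": method, "scheme": "https", "host": host.lower(),
                "port": int(port), "path": None, "tunnel": True,
                "opaque_bytes": len(body)}

    parts = urlsplit(target)
    if not parts.scheme or not parts.hostname:
        # origin-form ("GET /path"): only meaningful on an intercept-mode port,
        # where the destination comes from the redirected connection, not the URL
        raise ValueError("absolute URI required on a forward proxy port")
    return {"method": method, "scheme": parts.scheme, "host": parts.hostname,
            "port": parts.port or (443 if parts.scheme == "https" else 80),
            "path": parts.path or "/", "tunnel": False, "opaque_bytes": 0}


def acl_visibility(parsed: dict) -> dict:
    """Which ACL inputs each request form exposes to the proxy."""
    return {
        "dstdomain": parsed["host"],                        # both forms
        "port": parsed["port"],                             # both forms
        "url_path": None if parsed["tunnel"] else parsed["path"],  # plain HTTP only
    }


if __name__ == "__main__":
    for req in (HTTP_REQ, HTTPS_REQ):
        p = parse_proxy_request(req)
        print(p["method"], p["host"], p["port"], acl_visibility(p))
```

The point for the original question: blocking a destination host by name works for both forms through one port, which is why the single http_port 3128 was never the reason wget bypassed the proxy.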

Re: Squid proxy incoming and outcoming connections?

Patrícia Sousa
In reply to this post by Matus UHLAR - fantomas
I only configured the machine that has the Squid proxy to use it. If I make a wget from this machine to the other, it denies the request, as desired. Only the reverse is not taken.

So, it's not possible to configure the http "incoming" connections to my machine to go through the proxy? 


Re: Squid proxy incoming and outcoming connections?

Amos Jeffries
Administrator
On 14/02/20 11:05 pm, Patrícia Sousa wrote:
> I only configured the machine that has the squid proxy to use it.

How did you configure an entire machine to use an HTTP-only proxy?

I think you mean something else. Details matter, so what *exactly* did
you configure?
 And no, squid.conf does not count at the level you need to be looking.
It only controls traffic already arriving at the proxy.


> If I
> made a wget from this machine to the another, it denies the request, as
> desired. Only the reverse is not taken. 
>

 "it" being Squid proxy, the machine firewall, the machine routing, the
destination machine firewall, or another firewall along the path between
them?
 Details matter.


> So, it's not possible to configure the http "incoming" connections to my
> machine to go through the proxy? 
>

It is. Your words say you already did that. But the test results say
you did not. Without details of the machine setup it's all just guesswork
rather than help.

Amos

Re: Squid proxy incoming and outcoming connections?

Patrícia Sousa
Update:

It works now. There was a wrong iptables rule to redirect incoming traffic to the proxy.


Re: Squid proxy incoming and outcoming connections?

Matus UHLAR - fantomas
On 14.02.20 17:40, Patrícia Sousa wrote:
>It works now. There was a wrong iptables rule to redirect incoming traffic
>to the proxy.

incoming traffic? Do people from the world connect to your proxy?


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."

Re: Squid proxy incoming and outcoming connections?

Patrícia Sousa
I mean, for example, all the traffic that comes to the port 80. Obviously, ssh, for example, I can't. 


Re: Squid proxy incoming and outcoming connections?

Matus UHLAR - fantomas
>> On 14.02.20 17:40, Patrícia Sousa wrote:
>> >It works now. There was a wrong iptables rule to redirect incoming traffic
>> >to the proxy.

>Matus UHLAR - fantomas <[hidden email]> escreveu no dia sexta,
>14/02/2020 à(s) 18:02:
>> incoming traffic? Do people from the world connect to your proxy?

On 16.02.20 14:27, Patrícia Sousa wrote:
>I mean, for example, all the traffic that comes to the port 80. Obviously,
>ssh, for example, I can't.

By "incoming traffic" I (and I guess most of people) understand traffic that
comes to your machine, not traffic thatgoes to port 80 somewhere in the
world.

by "outgoing traffic" I (see above) understand traffic that goes out to the
world.

If you call packets coming to your machine (router) with destiny in the
outside world an incoming traffic, then you should learn about stateful
firewalling, that will help you to configure firewalls properly and
avoid confusion and problems you have described.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization.
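The distinction Matus draws, as an added example that is not from the thread: a toy stateful firewall for a single host, with a constructed packet trace. Direction is decided by which side opened the connection, not by which way an individual packet travels: the server's reply to a connection the host opened arrives inbound on the wire but belongs to an established outbound flow, whereas a fresh SYN to port 22 from outside is a new inbound connection and is dropped under the policy modelled here (new inbound allowed only to port 80, the case the thread discusses). Local addresses, the allowed port set and the packets are all assumptions for the illustration.

```python
from dataclasses import dataclass

LOCAL_IPS = {"192.168.1.20"}   # addresses of "my machine" (constructed)
ALLOWED_INBOUND_PORTS = {80}    # new inbound connections this host accepts


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True on the first packet of a TCP connection


def flow_key(p: Packet):
    """Direction-independent key so both halves of a connection share one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class StatefulFirewall:
    def __init__(self):
        self.flows = {}   # flow_key -> "outbound" | "inbound": who opened it

    def decide(self, p: Packet):
        key = flow_key(p)
        if key in self.flows:
            # ESTABLISHED: the packet belongs to a connection already accepted,
            # whichever direction this particular packet travels
            return "ACCEPT", f"established ({self.flows[key]} flow)"
        if not p.syn:
            # not a connection attempt and not in the table: INVALID
            return "DROP", "not in state table"
        if p.src in LOCAL_IPS:
            self.flows[key] = "outbound"
            return "ACCEPT", "new outbound"
        if p.dst in LOCAL_IPS and p.dport in ALLOWED_INBOUND_PORTS:
            self.flows[key] = "inbound"
            return "ACCEPT", "new inbound"
        return "DROP", "new inbound (port not allowed)"


def run(packets):
    fw = StatefulFirewall()
    return [fw.decide(p) for p in packets]


# Constructed trace: one outbound HTTPS connection, one inbound HTTP connection,
# one inbound SSH attempt, one stray packet.
SAMPLE_TRACE = [
    Packet("192.168.1.20", 51000, "203.0.113.10", 443, syn=True),  # we open HTTPS
    Packet("203.0.113.10", 443, "192.168.1.20", 51000),            # server replies
    Packet("198.51.100.7", 40000, "192.168.1.20", 80, syn=True),   # world opens HTTP to us
    Packet("192.168.1.20", 80, "198.51.100.7", 40000),             # our reply, outbound on the wire
    Packet("198.51.100.7", 40001, "192.168.1.20", 22, syn=True),   # world tries SSH
    Packet("198.51.100.7", 40002, "192.168.1.20", 22),             # stray non-SYN packet
]

if __name__ == "__main__":
    for p, (action, why) in zip(SAMPLE_TRACE, run(SAMPLE_TRACE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  {action:6} {why}")
```

The second packet is the one the thread's terminology fight is about: by wire direction it is "incoming", by connection state it is part of the host's own outbound flow, and a stateful rule set accepts it for that reason alone.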