deny_info and squid's own IP address?


deny_info and squid's own IP address?

Amish
Hello

I have 2 LAN interface on squid box, say department A (192.168.1.1/24)
and department B (192.168.2.1/24)

I have few banned sites. Say Facebook.

I have HTTP server (running on same server as squid) which shows custom
pages with custom logo based on IP address.

When request comes for a banned site I would like client to be
redirected based on squid's own IP.

Something like this:

acl blockedsites url_regex facebook
http_access deny blockedsites
deny_info http://SQUID-IP/banned.html blockedsites

I need SQUID-IP to be replaced by 192.168.1.1 or 192.168.2.1 depending
on the IP on which connection came to.

For department A it would become http://192.168.1.1/banned.html and
For department B it would become http://192.168.2.1/banned.html.

I checked deny_info documentation page:
http://www.squid-cache.org/Doc/config/deny_info/

But there is no such option. %h gives host name and not the IP.

So how do I do that? Did I miss any thing.

Thanks in advance for any help,

Amish.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: deny_info and squid's own IP address?

Amos Jeffries
Administrator
On 01/05/18 00:54, Amish wrote:

> Hello
>
> I have 2 LAN interface on squid box, say department A (192.168.1.1/24)
> and department B (192.168.2.1/24)
>
> I have few banned sites. Say Facebook.
>
> I have HTTP server (running on same server as squid) which shows custom
> pages with custom logo based on IP address.
>
> When request comes for a banned site I would like client to be
> redirected based on squid's own IP.

Firstly, is there any particular reason you are requiring it to be a
redirect?
From what you have said it appears you can achieve the same outcome
without the extra web server by using a custom error page.

>
> Something like this:
>
> acl blockedsites url_regex facebook
> http_access deny blockedsites
> deny_info http://SQUID-IP/banned.html blockedsites
>
> I need SQUID-IP to be replaced by 192.168.1.1 or 192.168.2.1 depending
> on the IP on which connection came to.
>

Secondly, I think you are probably looking at this from the wrong
direction. With the topology you have described each of these "Squid
IPs" is actually just the IP facing a certain client subnet. So the
client subnet is what you want to be detecting, not the specific Squid IP.


Thirdly, on the issue of %h - the Squid hostname is *required* to
resolve in DNS explicitly so clients can access things like these URLs.
If your network and DNS are configured correctly each client subnet
should resolve that hostname to the relevant IP which you are trying to
"pass" to the web server in your redirect URL. So they will naturally
(and only) connect to the web server (or Squid itself) using the right
IP anyway - the web server should be able to detect what it needs from
its own inbound TCP/IP connection instead of using raw-IPs in the traffic.


There are three options available to work around broken DNS:


Option 1) to do exactly (and only) what you asked for.

Currently this can be done with an external helper:

 external_acl_type getIp concurrency=100 %MYADDR /path/to/script
 deny_info 302:http://%et/banned.html getIp

where the script just echoes back to Squid the IP it was given like so:
    [channel-id] OK message="<input-IP>"\n


Option 2) to use the client IP and have your web server respond based on
those subnets instead of Squid IP.

 acl clients1 src 192.168.1.0/24
 deny_info 302:http://%h/banned.html?%i clients1
 http_access deny blockedsites clients1

 acl clients2 src 192.168.2.0/24
 deny_info 302:http://%h/banned.html?%i clients2
 http_access deny blockedsites clients2


** If you really *have* to use Squid-IP, this can work with localip ACL
type instead of src. But then you have to bake each Squid-IP variation
into the deny_info URL instead of using %i.



Option 3) to use a custom error page instead of a redirect.

Place your banned.html page into /etc/squid/banned.html and either a)
write it with javascripts that pull in the right images/branding based
on client IPs.

  deny_info 403:/etc/squid/banned.html blockedsites

** Like (2) above this can use Squid-IP (via localip ACL type) if you
really have to. But with the same limitation of using different files
for branding instead of javascript for dynamic sub-resource/image fetching.


Amos

Re: deny_info and squid's own IP address?

Amos Jeffries
Administrator


On 01/05/18 15:40, Amos Jeffries wrote:

> On 01/05/18 00:54, Amish wrote:
>> Hello
>>
>> I have 2 LAN interface on squid box, say department A (192.168.1.1/24)
>> and department B (192.168.2.1/24)
>>
>> I have few banned sites. Say Facebook.
>>
>> I have HTTP server (running on same server as squid) which shows custom
>> pages with custom logo based on IP address.
>>
>> When request comes for a banned site I would like client to be
>> redirected based on squid's own IP.
>
> Firstly, is there any particular reason you are requiring it to be a
> redirect?
>  from what you have said it appears you can achieve the same outcome
> without the extra web server by using a custom error page.
>
>>
>> Something like this:
>>
>> acl blockedsites url_regex facebook
>> http_access deny blockedsites
>> deny_info http://SQUID-IP/banned.html blockedsites
>>
>> I need SQUID-IP to be replaced by 192.168.1.1 or 192.168.2.1 depending
>> on the IP on which connection came to.
>>
>
> Secondly, I think you are probably looking at this from the wrong
> direction. With the topology you have described each of these "Squid
> IPs" is actually just the IP facing a certain client subnet. So the
> client subnet is what you want to be detecting, not the specific Squid IP.
>
>
> Thirdly, on the issue of %h - the Squid hostname is *required* to
> resolve in DNS explicitly so clients can access things like these URLs.
> If your network and DNS is configured correctly each client subnet
> should resolve that hostname to the relevant IP which you are trying to
> "pass" to the web server in your redirect URL. So they will naturally
> (and only) connect to the web server (or Squid itself) using the right
> IP anyway - the web server should be able to detect what it needs from
> its own inbound TCP/IP connection instead of using raw-IPs in the traffic.
>
>
> There are three options available to work around broken DNS:
>
>
> Option 1) to do exactly (and only) what you asked for.
>
> Currently this can be done with an external helper:
>
>  external_acl_type getIp concurrency=100 %MYADDR /path/to/script
>  deny_info 302:http://%et/banned.html getIp
>
> where the script just echoes back to Squid the IP it was given like so:
>     [channel-id] OK message="<input-IP>"\n
>
>
> Option 2) to use the client IP and have your web server respond based on
> those subnets instead of Squid IP.
>
>  acl clients1 src 192.168.1.0/24
>  deny_info 302:http://%h/banned.html?%i clients1
>  http_access deny blockedsites clients1
>
>  acl clients2 src 192.168.2.0/24
>  deny_info 302:http://%h/banned.html?%i clients2
>  http_access deny blockedsites clients2
>
>
> ** If you really *have* to use Squid-IP, this can work with localip ACL
> type instead of src. But then you have to bake each Squid-IP variation
> into the deny_info URL instead of using %i.
>
>
>
> Option 3) to use a custom error page instead of a redirect.
>
> Place your banned.html page into /etc/squid/banned.html and either a)
> write it with javascripts that pull in the right images/branding based
> on client IPs.

or b) use multiple pages with different branding.

>
>   deny_info 403:/etc/squid/banned.html blockedsites
>
> ** Like (2) above this can use Squid-IP (via localip ACL type) if you
> really have to. But with the same limitation of using different files
> for branding instead of javascript for dynamic sub-resource/image fetching.
>


Amos

Re: deny_info and squid's own IP address?

Amish
In reply to this post by Amos Jeffries
Hello,

First of thanks a lot for taking your time out for replying to my query.

My replies are inline.

On Tuesday 01 May 2018 09:10 AM, Amos Jeffries wrote:
> On 01/05/18 00:54, Amish wrote:
>> Hello
>>
>> I have 2 LAN interface on squid box, say department A (192.168.1.1/24)
>> and department B (192.168.2.1/24)
>>
>> I have few banned sites. Say Facebook.
>>
>> I have HTTP server (running on same server as squid) which shows custom
>> pages with custom logo based on IP address.
>>
>> When request comes for a banned site I would like client to be
>> redirected based on squid's own IP.
> Firstly, is there any particular reason you are requiring it to be a
> redirect?
> From what you have said it appears you can achieve the same outcome
> without the extra web server by using a custom error page.

No, I can't use a custom error page as JavaScript will leak the IP range of department A to department B.
(I had simplified my example; it's actually two companies and not two departments. In fact I have 4-5 companies/subnets.)

> Thirdly, on the issue of %h - the Squid hostname is *required* to
> resolve in DNS explicitly so clients can access things like these URLs.
> If your network and DNS is configured correctly each client subnet
> should resolve that hostname to the relevant IP which you are trying to
> "pass" to the web server in your redirect URL. So they will naturally
> (and only) connect to the web server (or Squid itself) using the right
> IP anyway - the web server should be able to detect what it needs from
> its own inbound TCP/IP connection instead of using raw-IPs in the traffic.

Some companies use OpenDNS, others Cloudflare, others Google, etc.

So DNS will not resolve the hostname to the same address as %MYADDR.

> There are three options available to work around broken DNS:
>
>
> Option 1) to do exactly (and only) what you asked for.
>
> Currently this can be done with an external helper:
>
>  external_acl_type getIp concurrency=100 %MYADDR /path/to/script
>  deny_info 302:http://%et/banned.html getIp
>
> where the script just echoes back to Squid the IP it was given like so:
>     [channel-id] OK message="<input-IP>"\n


Based on documentation of FORMAT for deny_info, I think you mean %o and not %et

Also, will this "message" be available if I change my http_access line to:
deny_info 302:http://%o/banned.html blockedsites
http_access deny blockedsites getIp

will "message" of getIp be available to deny_info of blockedsites?

I will give this a try, however please see the end of the e-mail for a feature request.

> Option 2) to use the client IP and have your web server respond based on
> those subnets instead of Squid IP.
>
>  acl clients1 src 192.168.1.0/24
>  deny_info 302:http://%h/banned.html?%i clients1
>  http_access deny blockedsites clients1
>
>  acl clients2 src 192.168.2.0/24
>  deny_info 302:http://%h/banned.html?%i clients2
>  http_access deny blockedsites clients2
>
>
> ** If you really *have* to use Squid-IP, this can work with localip ACL
> type instead of src. But then you have to bake each Squid-IP variation
> into the deny_info URL instead of using %i.


I will have to do this for each company. But I would like to keep squid.conf simple and minimal.


> Option 3) to use a custom error page instead of a redirect.
>
> Place your banned.html page into /etc/squid/banned.html and either a)
> write it with javascripts that pull in the right images/branding based
> on client IPs.
>
>   deny_info 403:/etc/squid/banned.html blockedsites
>
> ** Like (2) above this can use Squid-IP (via localip ACL type) if you
> really have to. But with the same limitation of using different files
> for branding instead of javascript for dynamic sub-resource/image fetching.

As stated earlier, this would leak IP range information.


Feature request:
Can we have the following switch-case in file errorpage.cc?

Source: https://github.com/squid-cache/squid/blob/master/src/errorpage.cc#L857

Currently case 'I' (capital i) for building_deny_info_url returns the string "[unknown]"

Can it be modified to return the "interface" address? i.e. the same as MYADDR

I believe it would be just a few (maybe one) line change in code.

I can create a PR if required, but can you or someone guide me on how to fetch MYADDR?

After this feature, all I would need to do is:

deny_info http://%I/banned.html blockedsites

Thank you again for your help.

Amish






Re: deny_info and squid's own IP address?

Amos Jeffries
Administrator
On 01/05/18 19:44, Amish wrote:

> Hello,
>
> First of thanks a lot for taking your time out for replying to my query.
>
> My replies are inline.
>
> On Tuesday 01 May 2018 09:10 AM, Amos Jeffries wrote:
>> On 01/05/18 00:54, Amish wrote:
>>> Hello
>>>
>>> I have 2 LAN interface on squid box, say department A (192.168.1.1/24)
>>> and department B (192.168.2.1/24)
>>>
>>> I have few banned sites. Say Facebook.
>>>
>>> I have HTTP server (running on same server as squid) which shows custom
>>> pages with custom logo based on IP address.
>>>
>>> When request comes for a banned site I would like client to be
>>> redirected based on squid's own IP.
>> Firstly, is there any particular reason you are requiring it to be a
>> redirect?
>>  from what you have said it appears you can achieve the same outcome
>> without the extra web server by using a custom error page.
>
> No I cant use custom error page as Javascript will leak the IP range of
> department A to department B.
> (I had simplified my example, its actually two companies and not two
> departments infact I have 4-5 companies/subnets)
>
>> Thirdly, on the issue of %h - the Squid hostname is *required* to
>> resolve in DNS explicitly so clients can access things like these URLs.
>> If your network and DNS is configured correctly each client subnet
>> should resolve that hostname to the relevant IP which you are trying to
>> "pass" to the web server in your redirect URL. So they will naturally
>> (and only) connect to the web server (or Squid itself) using the right
>> IP anyway - the web server should be able to detect what it needs from
>> its own inbound TCP/IP connection instead of using raw-IPs in the traffic.
>>
> Some company uses OpenDNS, other Cloudflare, other Google etc.
>
> So DNS will not resolve the hostname to same as %MYADDR.

I suspect something is going screwy there. How are these clients getting
to the proxy if they resolve its name to a different IP than they
connect to?


>
>> There are three options available to work around broken DNS:
>>
>>
>> Option 1) to do exactly (and only) what you asked for.
>>
>> Currently this can be done with an external helper:
>>
>>  external_acl_type getIp concurrency=100 %MYADDR /path/to/script
>>  deny_info 302:http://%et/banned.html getIp
>>
>> where the script just echoes back to Squid the IP it was given like so:
>>     [channel-id] OK message="<input-IP>"\n
>>
>
> Based on documentation of FORMAT for deny_info, I think you mean %o and
> not %et

Ah, yes. Sorry. Getting my legacy formats mixed up.

>
> Also, will this "message" be available if I change my http_access line to:
> deny_info 302:http://%o/banned.html blockedsites
> http_access deny blockedsites getIp
>
> will "message" of getIp be available to deny_info of blockedsites?

The message will persist as an annotation in the transaction, but only
from the point the external ACL is tested. So the deny_info has to be
attached to the external ACL or something following it.

Also, deny_info only works if it is attached to the *last* ACL named on
a line.

So:

 deny_info 302:http://%o/banned.html getIp
 http_access deny blockedsites getIp

or,

 deny_info 302:http://%o/banned.html blockedsites
 http_access deny getIp blockedsites

or,
 deny_info 302:http://%o/banned.html blockedsites
 http_access deny getIp !all
 ...
 http_access deny blockedsites


should work, but other orderings do not.


>
> I will give this a try, however please see the end of the e-mail for
> a feature request.
>
>> Option 2) to use the client IP and have your web server respond based on
>> those subnets instead of Squid IP.
>>
>>  acl clients1 src 192.168.1.0/24
>>  deny_info 302:http://%h/banned.html?%i clients1
>>  http_access deny blockedsites clients1
>>
>>  acl clients2 src 192.168.2.0/24
>>  deny_info 302:http://%h/banned.html?%i clients2
>>  http_access deny blockedsites clients2
>>
>>
>> ** If you really *have* to use Squid-IP, this can work with localip ACL
>> type instead of src. But then you have to bake each Squid-IP variation
>> into the deny_info URL instead of using %i.
>>
>
> I will have to do this for each company. But I would like to keep
> squid.conf simple and minimal.
>
>>
>> Option 3) to use a custom error page instead of a redirect.
>>
>> Place your banned.html page into /etc/squid/banned.html and either a)
>> write it with javascripts that pull in the right images/branding based
>> on client IPs.
>>
>>   deny_info 403:/etc/squid/banned.html blockedsites
>>
>> ** Like (2) above this can use Squid-IP (via localip ACL type) if you
>> really have to. But with the same limitation of using different files
>> for branding instead of javascript for dynamic sub-resource/image fetching.
>
> As stated earlier, this would leak IP range information.
>
>
> Feature request:
> Can we have the following switch-case in file errorpage.cc?
>
> Source:
> https://github.com/squid-cache/squid/blob/master/src/errorpage.cc#L857
>
> Currently case 'I' (capital i) for building_deny_info_url returns string
> "[unknown]"
>
> Can it be modified to return "interface" address? i.e. same as MYADDR
>
> I believe it would be just few (may be one) line change in code.
>
> I can create a PR if required but can you or someone guide me on how to
> fetch MYADDR?

A PR is welcome, but re-using a %macro which already has a different
definition will add problems in the long-term plan of conversion to
logformat %macro codes. So picking a letter that has not yet been used
for anything would be best.

The Squid IP:port on client requests should be available to that code as
request->masterXaction->tcpClient->local , the request and tcpClient
pointers may be nil since not all transactions have a client or the
error may be about the lack of an HTTP request on the TCP connection.


Amos
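The external ACL helper that Option 1 in Amos's first message leaves as a one-line sketch, written out here as an added example; it is not code from the thread or from the Squid project. It pairs with the corrected `%o` form and the ACL ordering given in the reply above, and assumes the script is started with `external_acl_type getIp concurrency=100 %MYADDR /path/to/script` (the helper name `getIp` and the path are the thread's placeholders), so each line Squid writes to it is `<channel-id> <local-ip>`:

```python
#!/usr/bin/env python3
"""External ACL helper that hands Squid's own listening address back to it.

Matching squid.conf (from the thread; /path/to/script is a placeholder):

    external_acl_type getIp concurrency=100 %MYADDR /path/to/script
    acl blockedsites url_regex facebook
    deny_info 302:http://%o/banned.html getIp
    http_access deny blockedsites getIp

With concurrency=N Squid writes one request per line as
"<channel-id> <local-ip>" and expects "<channel-id> <result> [key=value ...]"
back; the message= value is what deny_info expands for %o.
"""
import ipaddress
import sys

# Constructed sample of helper input lines (channel id, then %MYADDR).
SAMPLE_INPUT = [
    "0 192.168.1.1",        # request arrived on the company A listener
    "1 192.168.2.1",        # request arrived on the company B listener
    "2 not-an-address",     # must never be echoed into a Location URL
    "garbage",              # no channel id at all
]


def handle_line(line: str) -> str:
    """Build the reply for one request line from Squid.

    A well-formed address is echoed as OK message="<ip>"; anything else is
    answered with BH (helper failure) so the redirect URL is only ever
    built from a value that parsed as an IP address.
    """
    parts = line.split()
    if len(parts) != 2 or not parts[0].isdigit():
        # Squid matches replies by channel id; keep it when we have one.
        channel = parts[0] + " " if parts and parts[0].isdigit() else ""
        return f'{channel}BH message="malformed helper input"'
    channel, addr = parts
    try:
        ipaddress.ip_address(addr)  # raises ValueError on anything else
    except ValueError:
        return f'{channel} BH message="unparsable local address"'
    # The thread exercised IPv4 listeners; the address is echoed verbatim.
    return f'{channel} OK message="{addr}"'


def main() -> None:
    # Squid keeps the helper running; answer each line as it arrives and
    # flush, otherwise the reply sits in the stdout buffer and Squid waits.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    if "--selftest" in sys.argv:
        for raw in SAMPLE_INPUT:
            print(f"{raw!r:>20} -> {handle_line(raw)}")
    else:
        main()
```

Run it with `--selftest` to see the replies for the constructed input lines; under Squid it is launched automatically and must keep answering on stdout with the channel id Squid sent. The address is validated before it is echoed because the `message=` value goes straight into the Location header that deny_info builds; a line that does not parse as an address is answered with `BH` rather than passed through.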

Re: deny_info and squid's own IP address?

Amish
On Tuesday 01 May 2018 02:41 PM, Amos Jeffries wrote:

> On 01/05/18 19:44, Amish wrote:
>> Hello,
>>
>> First of thanks a lot for taking your time out for replying to my query.
>>
>> My replies are inline.
>>
>> On Tuesday 01 May 2018 09:10 AM, Amos Jeffries wrote:
>>> On 01/05/18 00:54, Amish wrote:
>>>> Hello
>>>>
>>>> I have 2 LAN interface on squid box, say department A (192.168.1.1/24)
>>>> and department B (192.168.2.1/24)
>>>>
>>>> I have few banned sites. Say Facebook.
>>>>
>>>> I have HTTP server (running on same server as squid) which shows custom
>>>> pages with custom logo based on IP address.
>>>>
>>>> When request comes for a banned site I would like client to be
>>>> redirected based on squid's own IP.
>>> Firstly, is there any particular reason you are requiring it to be a
>>> redirect?
>>>   from what you have said it appears you can achieve the same outcome
>>> without the extra web server by using a custom error page.
>> No I cant use custom error page as Javascript will leak the IP range of
>> department A to department B.
>> (I had simplified my example, its actually two companies and not two
>> departments infact I have 4-5 companies/subnets)
>>
>>> Thirdly, on the issue of %h - the Squid hostname is *required* to
>>> resolve in DNS explicitly so clients can access things like these URLs.
>>> If your network and DNS is configured correctly each client subnet
>>> should resolve that hostname to the relevant IP which you are trying to
>>> "pass" to the web server in your redirect URL. So they will naturally
>>> (and only) connect to the web server (or Squid itself) using the right
>>> IP anyway - the web server should be able to detect what it needs from
>>> its own inbound TCP/IP connection instead of using raw-IPs in the traffic.
>>>
>> Some company uses OpenDNS, other Cloudflare, other Google etc.
>>
>> So DNS will not resolve the hostname to same as %MYADDR.
> I suspect something is going screwy there. How are these clients getting
> to the proxy if they resolve its name to a different IP than they
> connect to?

They connect by putting IP address in Proxy setting.

>
>>> There are three options available to work around broken DNS:
>>>
>>>
>>> Option 1) to do exactly (and only) what you asked for.
>>>
>>> Currently this can be done with an external helper:
>>>
>>>   external_acl_type getIp concurrency=100 %MYADDR /path/to/script
>>>   deny_info 302:http://%et/banned.html getIp
>>>
>>> where the script just echoes back to Squid the IP it was given like so:
>>>      [channel-id] OK message="<input-IP>"\n
>>>
>> Based on documentation of FORMAT for deny_info, I think you mean %o and
>> not %et
> Ah, yes. Sorry. Getting my legacy formats mixed up.
>
>> Also, will this "message" be available if I change my http_access line to:
>> deny_info 302:http://%o/banned.html blockedsites
>> http_access deny blockedsites getIp
>>
>> will "message" of getIp be available to deny_info of blockedsites?
> The message will persist as an annotation in the transaction, but only
> from the point the external ACL is tested. So the deny_info has to be
> attached to the external ACL or something following it.
>
> Also, deny_info only works if it is attached to the *last* ACL named on
> a line.
>
> So:
>
>   deny_info 302:http://%o/banned.html getIp
>   http_access deny blockedsites getIp
>
> or,
>
>   deny_info 302:http://%o/banned.html blockedsites
>   http_access deny getIp blockedsites
>
> or,
>   deny_info 302:http://%o/banned.html blockedsites
>   http_access deny getIp !all
>   ...
>   http_access deny blockedsites
>
>
> should work, but other orderings do not.
>

Tried this and it works as I expect it to.

>> Feature request:
>> Can we have the following switch-case in file errorpage.cc?
>>
>> Source:
>> https://github.com/squid-cache/squid/blob/master/src/errorpage.cc#L857
>>
>> Currently case 'I' (capital i) for building_deny_info_url returns string
>> "[unknown]"
>>
>> Can it be modified to return "interface" address? i.e. same as MYADDR
>>
>> I believe it would be just few (may be one) line change in code.
>>
>> I can create a PR if required but can you or someone guide me on how to
>> fetch MYADDR?
> A PR is welcome, but re-using a %macro which already has a different
> definition will add problems in the long-term plan of conversion to
> logformat %macro codes. So picking a letter that has not yet been used
> for anything would be best.
>
> The Squid IP:port on client requests should be available to that code as
> request->masterXaction->tcpClient->local , the request and tcpClient
> pointers may be nil since not all transactions have a client or the
> error may be about the lack of an HTTP request on the TCP connection.

I chose I (capital i) as it is not used for deny_info (and not
documented either) and also properly reflects that it means interface
address.

Document source: http://www.squid-cache.org/Doc/config/deny_info/

%i (small i) is used for client IP address
%I (capital i) may be used for interface (own) IP address

Let me know if it's OK and I would attempt to create a PR.

Thank you again.

Amish

> Amos


Re: deny_info and squid's own IP address?

Amos Jeffries
Administrator
On 01/05/18 23:10, Amish wrote:

> On Tuesday 01 May 2018 02:41 PM, Amos Jeffries wrote:
>> On 01/05/18 19:44, Amish wrote:
>>> Hello,
>>>
>>> First of thanks a lot for taking your time out for replying to my query.
>>>
>>> My replies are inline.
>>>
>>> On Tuesday 01 May 2018 09:10 AM, Amos Jeffries wrote:
>>>> On 01/05/18 00:54, Amish wrote:
>>>>> Hello
>>>>>
>>>>> I have 2 LAN interface on squid box, say department A (192.168.1.1/24)
>>>>> and department B (192.168.2.1/24)
>>>>>
>>>>> I have few banned sites. Say Facebook.
>>>>>
>>>>> I have HTTP server (running on same server as squid) which shows
>>>>> custom
>>>>> pages with custom logo based on IP address.
>>>>>
>>>>> When request comes for a banned site I would like client to be
>>>>> redirected based on squid's own IP.
>>>> Firstly, is there any particular reason you are requiring it to be a
>>>> redirect?
>>>>   from what you have said it appears you can achieve the same outcome
>>>> without the extra web server by using a custom error page.
>>> No I cant use custom error page as Javascript will leak the IP range of
>>> department A to department B.
>>> (I had simplified my example, its actually two companies and not two
>>> departments infact I have 4-5 companies/subnets)
>>>
>>>> Thirdly, on the issue of %h - the Squid hostname is *required* to
>>>> resolve in DNS explicitly so clients can access things like these URLs.
>>>> If your network and DNS is configured correctly each client subnet
>>>> should resolve that hostname to the relevant IP which you are trying to
>>>> "pass" to the web server in your redirect URL. So they will naturally
>>>> (and only) connect to the web server (or Squid itself) using the right
>>>> IP anyway - the web server should be able to detect what it needs from
>>>> its own inbound TCP/IP connection instead of using raw-IPs in the
>>>> traffic.
>>>>
>>> Some company uses OpenDNS, other Cloudflare, other Google etc.
>>>
>>> So DNS will not resolve the hostname to same as %MYADDR.
>> I suspect something is going screwy there. How are these clients getting
>> to the proxy if they resolve its name to a different IP than they
>> connect to?
>
> They connect by putting IP address in Proxy setting.

Then all their traffic goes through the proxy, which does the DNS
portion on their behalf - including the fetch for the redirection URL.

That means you can have the proxy do whatever you want with it on the
second fetch.
For example;

 http_port 3128

 acl toSquid dstdomain squid-domain.example.com
 acl banUrl urlpath_regex ^/banned.html$
 deny_info 302:http://%h/banned.html blockedsites
 http_access deny blockedsites

... the simplest way is just to pass a Forwarded header for the server
to use:

 request_header_add Forwarded "for=%>a;by=%la" toSquid banUrl

 OR, you can setup explicit hostname replacement with cache_peer
forcedomain= for each client "interface":

 acl clients1 localip 192.168.1.1
 cache_peer localhost 80 0 name=server1 originserver \
  forcedomain=192.168.1.1
 cache_peer_access server1 allow clients1 toSquid banUrl

 acl clients2 localip 192.168.2.1
 cache_peer localhost 80 0 name=server2 originserver \
  forcedomain=192.168.2.1
 cache_peer_access server2 allow clients2 toSquid banUrl



>>> _*Feature request:*_
>>> Can we have the following switch-case in file errorpage.cc?
>>>
>>> Source:
>>> https://github.com/squid-cache/squid/blob/master/src/errorpage.cc#L857
>>>
>>> Currently case 'I' (capital i) for building_deny_info_url returns string
>>> "[unknown]"
>>>
>>> Can it be modified to return "interface" address? i.e. same as MYADDR
>>>
>>> I believe it would be just few (may be one) line change in code.
>>>
>>> I can create a PR if required but can you or someone guide me on how to
>>> fetch MYADDR?
>> A PR is welcome, but re-using a %macro which already has a different
>> definition will add problems in the long-term plan of conversion to
>> logformat %macro codes. So picking a letter that has not yet been used
>> for anything would be best.
>>
>> The Squid IP:port on client requests should be available to that code as
>> request->masterXaction->tcpClient->local , the request and tcpClient
>> pointers may be nil since not all transactions have a client or the
>> error may be about the lack of an HTTP request on the TCP connection.
>
> I chose I (capital i) as it is not used for deny_info (and not
> documented either) and also properly reflects that it means interface
> address.

The issue is that deny_info is a subset of ERR_* %macros and "%I"
already means server-IP to the Convert() function. So when the Convert()
function is replaced with the generic logformat macros we will have to
add extra code complexity to determine the use instead of adding it as
an alias for the logformat "%<a" (your data is actually %la in logformat
terms).

Since we already know that conversion is going to happen it is a bad
idea to knowingly make it harder to do. Which means picking a completely
unused letter - "AbCGjJkKnNOqQrvVXyYZ" are available, or numbers.


>
> Document source: http://www.squid-cache.org/Doc/config/deny_info/
>
> %i (small i) is used for client IP address
> %I (capital i) may be used for interface (own) IP address

Squid has no knowledge of "interfaces"; all it has is a TCP connection,
so that definition is not consistent with what Squid has available. L
for 'local address/IP' would be better but is also already taken by
another definition.

There is not really any meaningful mapping for these one-letter codes
and has not been for years. Which is part of why the logformat
conversion is planned.


Amos
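The server side of the `request_header_add Forwarded "for=%>a;by=%la" toSquid banUrl` suggestion above, as an added example that is not part of the thread or of Squid: a parser for the RFC 7239 Forwarded header and a branding lookup keyed on the proxy's `by=` address. It assumes the banned-page server runs on the Squid box and is reached over loopback via `cache_peer localhost 80`, so it honours the header only from a loopback peer, and it assumes the proxy's element comes after any element a client supplied, as RFC 7239 requires of an appending proxy. The `company-*` labels, the `2001:db8::1` listener and the sample headers are constructed:

```python
"""Server-side companion to the 'request_header_add Forwarded' suggestion.

Squid (request_header_add Forwarded "for=%>a;by=%la" toSquid banUrl) tells
the banned-page server which of its own addresses the client used, so the
server can pick a logo without the page ever disclosing another company's
subnet. This added example parses that header and selects branding.
"""
import ipaddress

# Constructed: proxy-side address -> branding to serve. The served page
# reveals only the branding, never this map or the other subnets.
BRANDING_BY_PROXY_ADDR = {
    "192.168.1.1": "company-a",
    "192.168.2.1": "company-b",
    "2001:db8::1": "company-c",   # assumed IPv6 listener, not from the thread
}
DEFAULT_BRANDING = "default"


def parse_forwarded(value: str) -> list:
    """Split an RFC 7239 Forwarded value into one dict of pairs per hop."""
    hops = []
    for element in value.split(","):
        pairs = {}
        for pair in element.split(";"):
            if "=" in pair:
                key, val = pair.split("=", 1)
                pairs[key.strip().lower()] = val.strip()
        if pairs:
            hops.append(pairs)
    return hops


def node_to_ip(node: str):
    """Turn a Forwarded node ('10.0.0.1', '"[2001:db8::1]:3128"') into an
    ip_address, or None for obfuscated/unknown identifiers."""
    node = node.strip().strip('"')
    if node.startswith("["):                 # bracketed IPv6, maybe with port
        host = node[1:node.index("]")] if "]" in node else ""
    elif node.count(":") == 1:               # IPv4 with port
        host = node.rsplit(":", 1)[0]
    else:
        host = node
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def branding_for(forwarded_header, peer_ip: str) -> str:
    """Choose the branding for one request.

    peer_ip is the TCP peer that delivered the request. Assumption made
    here: the web server sits behind cache_peer localhost on the Squid box,
    so only a loopback peer may assert a by= value; a client that reached
    the server directly gets the neutral default page. The last hop is used
    because the proxy appends its element after any the client sent, so a
    forged header cannot override the real proxy's entry.
    """
    if forwarded_header is None or not ipaddress.ip_address(peer_ip).is_loopback:
        return DEFAULT_BRANDING
    hops = parse_forwarded(forwarded_header)
    by_ip = node_to_ip(hops[-1].get("by", "")) if hops else None
    if by_ip is None:
        return DEFAULT_BRANDING
    return BRANDING_BY_PROXY_ADDR.get(str(by_ip), DEFAULT_BRANDING)


# Constructed sample requests: (Forwarded header as received, TCP peer).
SAMPLE_REQUESTS = [
    ("for=192.168.1.57;by=192.168.1.1", "127.0.0.1"),
    ("for=1.2.3.4;by=192.168.1.1, for=192.168.2.3;by=192.168.2.1", "127.0.0.1"),
    ('for="[2001:db8::57]";by="[2001:db8::1]:3128"', "::1"),
    ("for=192.168.1.57;by=192.168.1.1", "192.168.1.57"),   # bypassed the proxy
    ("for=10.9.9.9;by=203.0.113.9", "127.0.0.1"),          # unknown proxy address
    (None, "127.0.0.1"),
]


def run_samples() -> list:
    """Branding chosen for each constructed request, in order."""
    return [branding_for(header, peer) for header, peer in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (header, peer), result in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{peer:>14}  {header!s:<60} -> {result}")
```

A request that reaches the web server directly, bypassing the proxy, is served the neutral default page, so the mapping never tells one company anything about another's subnet, which is the leak Amish wanted to avoid with the JavaScript variant.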

Re: deny_info and squid's own IP address?

Amish


On Tuesday 01 May 2018 07:47 PM, Amos Jeffries wrote:

> On 01/05/18 23:10, Amish wrote:
>> On Tuesday 01 May 2018 02:41 PM, Amos Jeffries wrote:
>>> On 01/05/18 19:44, Amish wrote:
>>>> Hello,
>>>>
>>>> First of thanks a lot for taking your time out for replying to my query.
>>>>
>>>> My replies are inline.
>>>>
>>>> On Tuesday 01 May 2018 09:10 AM, Amos Jeffries wrote:
>>>>> On 01/05/18 00:54, Amish wrote:
>>>>>> Hello
>>>>>>
>>>>>> I have 2 LAN interface on squid box, say department A (192.168.1.1/24)
>>>>>> and department B (192.168.2.1/24)
>>>>>>
>>>>>> I have few banned sites. Say Facebook.
>>>>>>
>>>>>> I have HTTP server (running on same server as squid) which shows
>>>>>> custom
>>>>>> pages with custom logo based on IP address.
>>>>>>
>>>>>> When request comes for a banned site I would like client to be
>>>>>> redirected based on squid's own IP.
>>>>> Firstly, is there any particular reason you are requiring it to be a
>>>>> redirect?
>>>>>    from what you have said it appears you can achieve the same outcome
>>>>> without the extra web server by using a custom error page.
>>>> No, I can't use a custom error page as Javascript will leak the IP range of
>>>> department A to department B.
>>>> (I had simplified my example, it's actually two companies and not two
>>>> departments; in fact I have 4-5 companies/subnets)
>>>>
>>>>> Thirdly, on the issue of %h - the Squid hostname is *required* to
>>>>> resolve in DNS explicitly so clients can access things like these URLs.
>>>>> If your network and DNS is configured correctly each client subnet
>>>>> should resolve that hostname to the relevant IP which you are trying to
>>>>> "pass" to the web server in your redirect URL. So they will naturally
>>>>> (and only) connect to the web server (or Squid itself) using the right
>>>>> IP anyway - the web server should be able to detect what it needs from
>>>>> its own inbound TCP/IP connection instead of using raw-IPs in the
>>>>> traffic.
>>>>>
>>>> Some companies use OpenDNS, others Cloudflare, others Google etc.
>>>>
>>>> So DNS will not resolve the hostname to same as %MYADDR.
>>> I suspect something is going screwy there. How are these clients getting
>>> to the proxy if they resolve its name to a different IP than they
>>> connect to?
>> They connect by putting IP address in Proxy setting.
> Then all their traffic goes through the proxy, which does the DNS
> portion on their behalf - including the fetch for the redirection URL.
>
> That means you can have the proxy do whatever you want with it on the
> second fetch.
> For example;
>
>   http_port 3128
>
>   acl toSquid dstdomain squid-domain.example.com
>   acl banUrl urlpath_regex ^/banned.html$
>   deny_info 302:http://%h/banned.html blockedsites
>   http_access deny blockedsites
>
> ... the simplest way is just to pass a Forwarded header for the server
> to use:
>
>   request_header_add Forwarded "for=%>a;by=%la" toSquid banUrl
>
>   OR, you can setup explicit hostname replacement with cache_peer
> forcedomain= for each client "interface":
>
>   acl clients1 localip 192.168.1.1
>   cache_peer localhost 80 0 name=server1 originserver \
>    forcedomain=192.168.1.1
>   cache_peer_access server1 allow clients1 toSquid banUrl
>
>   acl clients2 localip 192.168.2.1
>   cache_peer localhost 80 0 name=server2 originserver \
>    forcedomain=192.168.2.1
>   cache_peer_access server2 allow clients2 toSquid banUrl
>
That all makes it complicated and I prefer simpler solution. (which I
now know)

Some clients are intercepted too. (so they may not have proxy configured
in browser)

>>>> _*Feature request:*_
>>>> Can we have the following switch-case in file errorpage.cc?
>>>>
>>>> Source:
>>>> https://github.com/squid-cache/squid/blob/master/src/errorpage.cc#L857
>>>>
>>>> Currently case 'I' (capital i) for building_deny_info_url returns string
>>>> "[unknown]"
>>>>
>>>> Can it be modified to return "interface" address? i.e. same as MYADDR
>>>>
>>>> I believe it would be just few (may be one) line change in code.
>>>>
>>>> I can create a PR if required but can you or someone guide me on how to
>>>> fetch MYADDR?
>>> A PR is welcome, but re-using a %macro which already has a different
>>> definition will add problems in the long-term plan of conversion to
>>> logformat %macro codes. So picking a letter that has not yet been used
>>> for anything would be best.
>>>
>>> The Squid IP:port on client requests should be available to that code as
>>> request->masterXaction->tcpClient->local , the request and tcpClient
>>> pointers may be nil since not all transactions have a client or the
>>> error may be about the lack of an HTTP request on the TCP connection.
>> I chose I (capital i) as it is not used for deny_info (and not
>> documented either) and also properly reflects that it means interface
>> address.
Does request->masterXaction->tcpClient->local hold Squid IP in case of
intercepted traffic too?

> The issue is that deny_info is a subset of ERR_* %macros and "%I"
> already means server-IP to the Convert() function. So when the Convert()
> function is replaced with the generic logformat macros we will have to
> add extra code complexity to determine the use instead of adding it as
> an alias for the logformat "%<a" (your data is actually %la in logformat
> terms).
>
> Since we already know that conversion is going to happen it is a bad
> idea to knowingly make it harder to do. Which means picking a completely
> unused letter - "AbCGjJkKnNOqQrvVXyYZ" are available, or numbers.
>
>
>> Document source: http://www.squid-cache.org/Doc/config/deny_info/
>>
>> %i (small i) is used for client IP address
>> %I (capital i) may be used for interface (own) IP address
> Squid has no knowledge of "interfaces" all it has is a TCP connection,
> so that definition is not consistent with what Squid has available. L
> for 'local address/IP' would be better but is also already taken by
> another definition.
>
> There is not really any meaningful mapping for these one-letter codes
> and has not been for years. Which is part of why the logformat
> conversion is planned.
Yes, by interface I meant the IP on which the packet landed / was redirected
to (which in most cases is also the interface IP).
>
> Amos

Thanks,

Amish.

Re: deny_info and squid's own IP address?

Amos Jeffries
Administrator
On 02/05/18 16:20, Amish wrote:
>
> Does request->masterXaction->tcpClient->local hold Squid IP in case of
> intercepted traffic too?

The listening address (if any) will be in
request->masterXaction->squidPort->listenConn->local instead. It has no
relation to the client TCP connection and may be :: or 0.0.0.0.
 In this chain case request, squidPort, and listenConn may be nil.

Amos

Re: deny_info and squid's own IP address?

Amish
On Wednesday 02 May 2018 10:05 AM, Amos Jeffries wrote:
> On 02/05/18 16:20, Amish wrote:
>> Does request->masterXaction->tcpClient->local hold Squid IP in case of
>> intercepted traffic too?
> The listening address (if any) will be in
> request->masterXaction->squidPort->listenConn->local instead. It has no
> relation to the client TCP connection and may be :: or 0.0.0.0.
> In this chain case request, squidPort, and listenConn may be nil.
>
> Amos

I am getting confused actually.

Squid 3.5
http://www.squid-cache.org/Versions/v3/3.5/cfgman/external_acl_type.html

Above says %MYADDR = Squid interface address

Squid 4 (external_acl_type uses logformat FORMATs)
And http://www.squid-cache.org/Doc/config/logformat/

This says %la = Local listening IP address the client connection was connected to

So description of %MYADDR and %la is different, but from source code (src/format/Token.cc) both appear to be same thing i.e. LFT_LOCAL_LISTENING_IP

But the code in Format.cc looks more complicated than a simple one-liner:

        case LFT_LOCAL_LISTENING_IP: {
            // avoid logging a dash if we have reliable info
            const bool interceptedAtKnownPort = al->request ?
                                                (al->request->flags.interceptTproxy ||
                                                 al->request->flags.intercepted) && al->cache.port != NULL :
                                                false;
            if (interceptedAtKnownPort) {
                const bool portAddressConfigured = !al->cache.port->s.isAnyAddr();
                if (portAddressConfigured)
                    out = al->cache.port->s.toStr(tmp, sizeof(tmp));
            } else if (al->tcpClient != NULL)
                out = al->tcpClient->local.toStr(tmp, sizeof(tmp));
        }

So which is the right way? The above code, which considers interception too?

OR one of the lines below?

request->masterXaction->tcpClient->local
request->masterXaction->squidPort->listenConn->local

i.e. something like (in errorpage.cc)
case 'A':
    if (request && request->masterXaction->squidPort && request->masterXaction->squidPort->listenConn)
        mb.appendf("%s", request->masterXaction->squidPort->listenConn->local.toStr(ntoabuf,MAX_IPSTRLEN));
    else
        mb.appendf("%s", getMyHostname());


Note: Here %A would be same as %h if required information is not available.

Amish.

PS: Off for a few days' vacation, so I may not be able to reply.


Re: deny_info and squid's own IP address?

Amos Jeffries
Administrator
On 03/05/18 03:01, Amish wrote:

> On Wednesday 02 May 2018 10:05 AM, Amos Jeffries wrote:
>> On 02/05/18 16:20, Amish wrote:
>>> Does request->masterXaction->tcpClient->local hold Squid IP in case of
>>> intercepted traffic too?
>> The listening address (if any) will be in
>> request->masterXaction->squidPort->listenConn->local instead. It has no
>> relation to the client TCP connection and may be :: or 0.0.0.0.
>>  In this chain case request, squidPort, and listenConn may be nil.
>>
>> Amos
>
> I am getting confused actually.
>
> Squid 3.5
> http://www.squid-cache.org/Versions/v3/3.5/cfgman/external_acl_type.html
>
> Above says %MYADDR = Squid interface address
>
> Squid 4 (external_acl_type uses logformat FORMATs)
> And http://www.squid-cache.org/Doc/config/logformat/
>
> This says %la = Local listening IP address the client connection was
> connected to
>
> So description of %MYADDR and %la is different, but from source code
> (src/format/Token.cc) both appear to be same thing i.e.
> LFT_LOCAL_LISTENING_IP
>

Yes.

> But the code in Format.cc looks more complicated than a simple one-liner:
>
>         case LFT_LOCAL_LISTENING_IP: {
>             // avoid logging a dash if we have reliable info
>             const bool interceptedAtKnownPort = al->request ?
>                                                 (al->request->flags.interceptTproxy ||
>                                                  al->request->flags.intercepted) && al->cache.port != NULL :
>                                                 false;
>             if (interceptedAtKnownPort) {
>                 const bool portAddressConfigured = !al->cache.port->s.isAnyAddr();
>                 if (portAddressConfigured)
>                     out = al->cache.port->s.toStr(tmp, sizeof(tmp));
>             } else if (al->tcpClient != NULL)
>                 out = al->tcpClient->local.toStr(tmp, sizeof(tmp));
>         }
>
> So which is the right way? The above code, which considers interception too?

The above is the right logic to work with both types of traffic. Except
that code is working from an 'ALE' object "al". The error page code you
are working with does not currently have access to that.

NP: The TCP connection data is more reliable (never being :: or
0.0.0.0). But when interception is happening the TCP details are only
about client and server, not Squid - so the port config has to be used.

The Convert() equivalent of "al->request" is just "request".

The Convert() equivalent of "al->tcpClient" is
"request->masterXaction->tcpClient".

The Convert() equivalent of "al->cache.port" is
"request->masterXaction->squidPort".

>
> OR one of the lines below?
>
> request->masterXaction->tcpClient->local
> request->masterXaction->squidPort->listenConn->local
>

These are the variables where you find the data. You still have to use
the logic from (or similar to) "case LFT_LOCAL_LISTENING_IP" to produce
the right value from them for both intercepted and non-intercepted traffic.


> i.e. something like (in errorpage.cc)
> case 'A':
>     if (request && request->masterXaction->squidPort &&
> request->masterXaction->squidPort->listenConn)
>         mb.appendf("%s",
> request->masterXaction->squidPort->listenConn->local.toStr(ntoabuf,MAX_IPSTRLEN));
>     else
>         mb.appendf("%s", getMyHostname());
>
>
> Note: Here %A would be same as %h if required information is not available.
>
> Amish.
>
> PS: Off for a few days' vacation, so I may not be able to reply.
>

Amos
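Amos's reply above names the Convert()-side pointers and says the LFT_LOCAL_LISTENING_IP decision must still be applied to them. The following is an added example, not Squid's code and not the PR's: it models that decision over constructed stand-in structs (IpAddr, Connection, PortCfg, MasterXaction, Request and the resolve() scenario builder are assumptions, not Squid's real classes), with the %h-style hostname fallback Amish proposed when the address cannot be known.

```cpp
#include <string>

// Constructed stand-ins for the Squid objects named in the thread
// (Ip::Address, Comm::Connection, AnyP::PortCfg, MasterXaction,
// HttpRequest); these are not Squid's real classes.
struct IpAddr {
    std::string text;
    bool isAnyAddr() const { return text == "0.0.0.0" || text == "::"; }
};
struct Connection { IpAddr local; };
struct PortCfg { IpAddr s; };
struct Flags { bool intercepted = false; bool interceptTproxy = false; };
struct MasterXaction {
    const Connection *tcpClient = nullptr;
    const PortCfg *squidPort = nullptr;
};
struct Request { Flags flags; const MasterXaction *masterXaction = nullptr; };

// Same decision as LFT_LOCAL_LISTENING_IP in Format.cc, but reading the
// request->masterXaction pointers instead of an ALE. Returns "" when the
// address cannot be known (every pointer may be nil).
std::string localListeningIp(const Request *request) {
    const MasterXaction *mx = request ? request->masterXaction : nullptr;
    const bool interceptedAtKnownPort = request && mx && mx->squidPort &&
        (request->flags.interceptTproxy || request->flags.intercepted);
    if (interceptedAtKnownPort) {
        // Intercepted: the TCP endpoints are client and origin server, not
        // Squid, so only an explicitly configured listener address is usable.
        if (!mx->squidPort->s.isAnyAddr())
            return mx->squidPort->s.text;
        return "";  // wildcard listener (:: or 0.0.0.0): unknown
    }
    if (mx && mx->tcpClient)
        return mx->tcpClient->local.text;  // forward proxy: TCP local side is Squid
    return "";
}

// %A as proposed in the thread: fall back to the hostname (what %h gives)
// whenever the IP is not available.
std::string denyInfoLocalAddr(const Request *request, const std::string &hostname) {
    const std::string ip = localListeningIp(request);
    return ip.empty() ? hostname : ip;
}

// Scenario builder over constructed data; nullptr means the object is absent.
std::string resolve(bool intercepted, const char *portAddr, const char *tcpLocal,
                    const std::string &hostname) {
    Connection conn; PortCfg port; MasterXaction mx; Request req;
    if (tcpLocal) { conn.local.text = tcpLocal; mx.tcpClient = &conn; }
    if (portAddr) { port.s.text = portAddr; mx.squidPort = &port; }
    req.flags.intercepted = intercepted;
    req.masterXaction = &mx;
    return denyInfoLocalAddr(&req, hostname);
}
```

For intercepted traffic the TCP local address is the origin server's, which is why the constructed 203.0.113.5 endpoint is never returned in that case.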

Re: deny_info and squid's own IP address?

Amish


On Wednesday 02 May 2018 09:11 PM, Amos Jeffries wrote:

> On 03/05/18 03:01, Amish wrote:
>> But the code in Format.cc looks more complicated than a simple one-liner:
>>
>>          case LFT_LOCAL_LISTENING_IP: {
>>              // avoid logging a dash if we have reliable info
>>              const bool interceptedAtKnownPort = al->request ?
>>                                                  (al->request->flags.interceptTproxy ||
>>                                                   al->request->flags.intercepted) && al->cache.port != NULL :
>>                                                  false;
>>              if (interceptedAtKnownPort) {
>>                  const bool portAddressConfigured = !al->cache.port->s.isAnyAddr();
>>                  if (portAddressConfigured)
>>                      out = al->cache.port->s.toStr(tmp, sizeof(tmp));
>>              } else if (al->tcpClient != NULL)
>>                  out = al->tcpClient->local.toStr(tmp, sizeof(tmp));
>>          }
>>
>> So which is the right way? The above code, which considers interception too?
> The above is the right logic to work with both types of traffic. Except
> that code is working from an 'ALE' object "al". The error page code you
> are working with does not currently have access to that.
>
> NP: The TCP connection data is more reliable (never being :: or
> 0.0.0.0). But when interception is happening the TCP details are only
> about client and server, not Squid - so the port config has to be used.
>
> The Convert() equivalent of "al->request" is just "request".
>
> The Convert() equivalent of "al->tcpClient" is
> "request->masterXaction->tcpClient".
>
> The Convert() equivalent of "al->cache.port" is
> "request->masterXaction->squidPort".
>
>> OR one of the lines below?
>>
>> request->masterXaction->tcpClient->local
>> request->masterXaction->squidPort->listenConn->local
>>
> These are the variables where you find the data. You still have to use
> the logic from (or similar to) "case LFT_LOCAL_LISTENING_IP" to produce
> the right value from them for both intercepted and non-intercepted traffic.
>

Created PR:
https://github.com/squid-cache/squid/pull/198

Maybe any further discussion can now continue there.

Thank you

Amish

>
> Amos
