/* modes first */
if (strcmp(token, "accel") == 0) {
- if (s->flags.isIntercepted() || s->flags.proxySurrogate) {
+ if (s->flags.isIntercepted()) {
debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: Accelerator mode requires its own port. It cannot be shared with other modes.");
self_destruct();
}
s->flags.accelSurrogate = true;
s->vhost = true;
} else if (strcmp(token, "transparent") == 0 || strcmp(token, "intercept") == 0) {
- if (s->flags.accelSurrogate || s->flags.tproxyIntercept || s->flags.proxySurrogate) {
+ if (s->flags.accelSurrogate || s->flags.tproxyIntercept) {
debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: Intercept mode requires its own interception port. It cannot be shared with other modes.");
self_destruct();
}
debugs(3, DBG_IMPORTANT, "Starting Authentication on port " << s->s);
debugs(3, DBG_IMPORTANT, "Disabling Authentication on port " << s->s << " (interception enabled)");
} else if (strcmp(token, "tproxy") == 0) {
- if (s->flags.natIntercept || s->flags.accelSurrogate || s->flags.proxySurrogate) {
+ if (s->flags.natIntercept || s->flags.accelSurrogate) {
debugs(3,DBG_CRITICAL, "FATAL: http(s)_port: TPROXY option requires its own interception port. It cannot be shared with other modes.");
self_destruct();
}
/* Log information regarding the port modes under transparency. */
debugs(3, DBG_IMPORTANT, "Disabling Authentication on port " << s->s << " (TPROXY enabled)");
+ if (s->flags.proxySurrogate) {
+ debugs(3, DBG_IMPORTANT, "Disabling TPROXY Spoofing on port " << s->s << " (proxy-surrogate enabled)");
+ }
+
if (!Ip::Interceptor.ProbeForTproxy(s->s)) {
debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: TPROXY support in the system does not work.");
self_destruct();
}
} else if (strcmp(token, "proxy-surrogate") == 0) {
- if (s->flags.natIntercept || s->flags.accelSurrogate || s->flags.tproxyIntercept) {
- debugs(3,DBG_CRITICAL, "FATAL: http(s)_port: proxy-surrogate option requires its own port. It cannot be shared with other modes.");
- self_destruct();
- }
s->flags.proxySurrogate = true;
+ debugs(3, DBG_IMPORTANT, "Disabling TPROXY Spoofing on port " << s->s << " (proxy-surrogate enabled)");
} else if (strncmp(token, "defaultsite=", 12) == 0) {
if (!s->flags.accelSurrogate) {
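Review bot: The "Disabling TPROXY Spoofing" message is emitted twice when `proxy-surrogate` precedes `tproxy` on the same port line, and once misleadingly when no tproxy mode is configured at all: the proxy-surrogate branch logs it unconditionally on the line after `s->flags.proxySurrogate = true;`, while the tproxy branch repeats it whenever the flag is already set. Guarding the proxy-surrogate branch with `if (s->flags.tproxyIntercept)` before that `debugs(...)` keeps one message per port regardless of option order. Since dropping `proxySurrogate` from the three mode-exclusion checks is what lets a PROXY-protocol port also run intercept or tproxy, the client address on such ports now comes from the upstream header, and the log line is the operator's cue that the sending proxy (gated by proxy_forwarded_access, per the cf.data.pre hunk) has become the trust boundary. parse_port_option continues outside the hunk on both sides.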
parse_port_option(s, token);
}
-#if USE_OPENSSL
if (s->transport.protocol == AnyP::PROTO_HTTPS) {
+#if USE_OPENSSL
/* ssl-bump on https_port configuration requires either tproxy or intercept, and vice versa */
const bool hijacked = s->flags.isIntercepted();
if (s->flags.tunnelSslBumping && !hijacked) {
debugs(3, DBG_CRITICAL, "FATAL: tproxy/intercept on https_port requires ssl-bump which is missing.");
self_destruct();
}
- }
#endif
+ if (s->transport.protocol == AnyP::PROTO_HTTPS) {
+ debugs(3,DBG_CRITICAL, "FATAL: https_port: proxy-surrogate option cannot be used on HTTPS ports.");
+ self_destruct();
+ }
+ }
if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK && s->s.isAnyAddr()) {
// clone the port options from *s to *(s->next)
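Review bot: The new check `if (s->transport.protocol == AnyP::PROTO_HTTPS) {` placed after `#endif` repeats the condition of the enclosing `if` at the top of the hunk, so as shown it is always true there and every https_port would hit the proxy-surrogate FATAL whether or not the option was given. The message describes a test of the flag, so the line should read `if (s->flags.proxySurrogate) {`. The rendering of this page appears to drop some context lines, so confirm the nesting against the real commit, but the two identical conditions are both visible here. The enclosing function continues outside the hunk.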
accel Accelerator / reverse proxy mode
- proxy-surrogate
- Support for PROXY protocol version 1 or 2 connections.
- The proxy_forwarded_access is required to whitelist
- downstream proxies which can be trusted.
-
ssl-bump For each CONNECT request allowed by ssl_bump ACLs,
establish secure connection with the client and with
the server, decrypt HTTPS messages as they pass through
probing the connection, interval how often to probe, and
timeout the time before giving up.
+ proxy-surrogate
+ Require PROXY protocol version 1 or 2 connections.
+ The proxy_forwarded_access is required to whitelist
+ downstream proxies which can be trusted.
+
If you run Squid on a dual-homed machine with an internal
and an external interface we recommend you to specify the
internal address:port in http_port. This way Squid will only be
* - accelerator mode (reverse proxy)
* - internal URL
* - mixed combos of the above with internal URL
+ * - remote interception with PROXY protocol
+ * - remote reverse-proxy with PROXY protocol
*/
if (csd->transparent()) {
/* intercept or transparent mode, properly working with no failures */
debugs(33, 5, "PROXY/1.0 protocol on connection " << clientConnection);
clientConnection->local = originalDest;
clientConnection->remote = originalClient;
+ clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
debugs(33, 5, "PROXY/1.0 upgrade: " << clientConnection);
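Review bot: `clientConnection->flags ^= COMM_TRANSPARENT;` toggles the bit rather than clearing it, so on a connection whose flags do not already carry COMM_TRANSPARENT (an intercept port, or a proxy-surrogate port without tproxy, which the cache_cf.cc hunks now permit) it switches the flag on and enables spoofing of the PROXY-supplied address instead of preventing it. Clear the bit explicitly, `clientConnection->flags &= ~COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.`, and apply the same change to the two identical lines in the IPv4 and IPv6 cases of the 2.0 parser below. The parser's body continues outside the hunk.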
// repeat fetch ensuring the new client FQDN can be logged
clientConnection->local.port(ntohs(ipu->ipv4_addr.dst_port));
clientConnection->remote = ipu->ipv4_addr.src_addr;
clientConnection->remote.port(ntohs(ipu->ipv4_addr.src_port));
+ clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
break;
case 0x2: // IPv6
clientConnection->local = ipu->ipv6_addr.dst_addr;
clientConnection->local.port(ntohs(ipu->ipv6_addr.dst_port));
clientConnection->remote = ipu->ipv6_addr.src_addr;
clientConnection->remote.port(ntohs(ipu->ipv6_addr.src_port));
+ clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
break;
default: // do nothing
break;