<tag>logfile_daemon</tag>
<p>Ported from 2.7
+ <tag>tproxy_uses_indirect_client</tag>
+ <p>Controls whether the indirect client address found in the X-Forwarded-For
+ header is used for spoofing instead of the directly connected client address.
+ Requires both --enable-follow-x-forwarded-for and --enable-linux-netfilter
+
</descrip>
<sect1>Changes to existing tags<label id="modifiedtags">
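Review bot: the new release-notes entry for tproxy_uses_indirect_client should state its default, since the directive defaults to on and therefore changes behaviour for existing setups that already combine TPROXY spoofing with follow_x_forwarded_for: after upgrade the spoofed source becomes the X-Forwarded-For derived address rather than the connected client. Also end the "Requires both --enable-follow-x-forwarded-for and --enable-linux-netfilter" line with a full stop to match the surrounding entries.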
refer to as the indirect client address. This address may
be treated as the client address for access control, ICAP, delay
pools and logging, depending on the acl_uses_indirect_client,
- icap_uses_indirect_client, delay_pool_uses_indirect_client and
- log_uses_indirect_client options.
+ icap_uses_indirect_client, delay_pool_uses_indirect_client,
+ log_uses_indirect_client and tproxy_uses_indirect_client options.
This clause only supports fast acl types.
See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
direct client address in the access log.
DOC_END
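Review bot: the sentence "This address may be treated as the client address for access control, ICAP, delay pools and logging" now lists tproxy_uses_indirect_client among its options but does not name the corresponding use; add TPROXY client-address spoofing to that list (e.g. "for access control, ICAP, delay pools, logging and TPROXY spoofing") so the enumeration of options matches the enumeration of effects.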
+NAME: tproxy_uses_indirect_client
+COMMENT: on|off
+TYPE: onoff
+IFDEF: FOLLOW_X_FORWARDED_FOR&&LINUX_NETFILTER
+DEFAULT: on
+LOC: Config.onoff.tproxy_uses_indirect_client
+DOC_START
+ Controls whether the indirect client address
+ (see follow_x_forwarded_for) is used instead of the
+ direct client address when spoofing the outgoing client.
+DOC_END
+
NAME: http_access
TYPE: acl_access
LOC: Config.accessList.http
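Review bot: the DOC_START text should spell out the trust implication of this directive, because with it on the address Squid spoofs as its outgoing source is taken from the X-Forwarded-For chain accepted under follow_x_forwarded_for; operators should be told to keep the follow_x_forwarded_for ACL restricted to trusted upstream proxies, otherwise a downstream client can influence the source address of the spoofed connection. Given that, reconsider whether DEFAULT: on is the right choice, or at least document the default change for existing TPROXY deployments. The IFDEF "FOLLOW_X_FORWARDED_FOR&&LINUX_NETFILTER" matches the new define added in cf_gen_defines and the LOC matches the new Config.onoff field, so that part is consistent.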
define["FOLLOW_X_FORWARDED_FOR"]="--enable-follow-x-forwarded-for"
define["FOLLOW_X_FORWARDED_FOR&&DELAY_POOLS"]="--enable-follow-x-forwarded-for and --enable-delay-pools"
define["FOLLOW_X_FORWARDED_FOR&&ICAP_CLIENT"]="--enable-follow-x-forwarded-for and --enable-icap-client"
+ define["FOLLOW_X_FORWARDED_FOR&&LINUX_NETFILTER"]="--enable-follow-x-forwarded-for and --enable-linux-netfilter"
define["HTTP_VIOLATIONS"]="--enable-http-violations"
define["ICAP_CLIENT"]="--enable-icap-client"
define["SQUID_SNMP"]="--enable-snmp"
getOutgoingAddr(HttpRequest * request, struct peer *dst_peer)
{
if (request && request->flags.spoof_client_ip) {
- if (!dst_peer || !dst_peer->options.no_tproxy)
- return request->client_addr;
+ if (!dst_peer || !dst_peer->options.no_tproxy) {
+#if FOLLOW_X_FORWARDED_FOR && LINUX_NETFILTER
+ if (Config.onoff.tproxy_uses_indirect_client)
+ return request->indirect_client_addr;
+ else
+#endif
+ return request->client_addr;
+ }
// else no tproxy today ...
}
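Review bot: the preprocessor layout in getOutgoingAddr is fragile: the "else" at the end of the #if block pairs with a "return request->client_addr;" that sits outside the #if/#endif, so the statement's structure changes depending on the build flags and a future edit can easily break one configuration. Prefer keeping the whole conditional inside the guard, for example "#if FOLLOW_X_FORWARDED_FOR && LINUX_NETFILTER / if (Config.onoff.tproxy_uses_indirect_client) return request->indirect_client_addr; / #endif" followed by the unconditional "return request->client_addr;". Please also confirm that request->indirect_client_addr is always initialised (falling back to client_addr when no trusted X-Forwarded-For hop applies) before this path is reached, since the visible lines do not show that guarantee.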
int acl_uses_indirect_client;
int delay_pool_uses_indirect_client;
int log_uses_indirect_client;
+#if LINUX_NETFILTER
+ int tproxy_uses_indirect_client;
+#endif
#endif /* FOLLOW_X_FORWARDED_FOR */
int WIN32_IpAddrChangeMonitor;