traffic syntax being delivered by the client proxy.
<p>Squid can be configured by adding an <em>http_port</em>
- with the <em>proxy-surrogate</em> mode flag. The <em>proxy_forwarded_access</em>
+ with the <em>require-proxy-header</em> mode flag. The <em>proxy_protocol_access</em>
must also be configured with <em>src</em> ACLs to whitelist proxies which are
trusted to send correct client details.
<p>Forward-proxy traffic from a client proxy:
<verbatim>
- http_port 3128 proxy-surrogate
- proxy_forwarded_access allow localhost
+ http_port 3128 require-proxy-header
+ proxy_protocol_access allow localhost
</verbatim>
<p>Intercepted traffic from a client proxy or tunnel:
<verbatim>
- http_port 3128 intercept proxy-surrogate
- proxy_forwarded_access allow localhost
+ http_port 3128 intercept require-proxy-header
+ proxy_protocol_access allow localhost
</verbatim>
<p><em>Known Issue:</em>
- Use of <em>proxy-surrogate</em> on <em>https_port</em> is not supported.
+ Use of <em>require-proxy-header</em> on <em>https_port</em> is not supported.
<sect>Changes to squid.conf since Squid-3.4
<p>Ported from Squid-2 with no configuration or visible behaviour changes.
Collapsing of requests is performed across SMP workers.
- <tag>proxy_forwarded_access</tag>
- <p>Renamed from <em>follow_x_forwarded_for</em> and extended to control more
- ways for locating the indirect (original) client IP details.
+ <tag>proxy_protocol_access</tag>
+ <p>New directive to control which clients are permitted to open PROXY
+ protocol connections on a port flagged with <em>require-proxy-header</em>.
<tag>send_hit</tag>
<p>New configuration directive to enable/disable sending cached content
<tag>http_port</tag>
<p><em>protocol=</em> option altered to accept protocol version details.
Currently supported values are: HTTP, HTTP/1.1, HTTPS, HTTPS/1.1
- <p><em>New option <em>proxy-surrogate</em> to mark ports receiving PROXY
+ <p><em>New option <em>require-proxy-header</em> to mark ports receiving PROXY
protocol version 1 or 2 traffic.
<tag>https_port</tag>
<tag>dns_children</tag>
<p>DNS external helper interface has been removed.
-
- <tag>follow_x_forwarded_for</tag>
- <p>Renamed <em>proxy_forwarded_access</em> and extended.
-
</descrip>
acl_access *followXFF;
#endif /* FOLLOW_X_FORWARDED_FOR */
+ /// acceptible PROXY protocol clients
+ acl_access *proxyProtocol;
+
/// spoof_client_ip squid.conf acl.
/// nil unless configured
acl_access* spoof_client_ip;
debugs(3, DBG_IMPORTANT, "Disabling Authentication on port " << s->s << " (TPROXY enabled)");
if (s->flags.proxySurrogate) {
- debugs(3, DBG_IMPORTANT, "Disabling TPROXY Spoofing on port " << s->s << " (proxy-surrogate enabled)");
+ debugs(3, DBG_IMPORTANT, "Disabling TPROXY Spoofing on port " << s->s << " (require-proxy-header enabled)");
}
if (!Ip::Interceptor.ProbeForTproxy(s->s)) {
self_destruct();
}
- } else if (strcmp(token, "proxy-surrogate") == 0) {
+ } else if (strcmp(token, "require-proxy-header") == 0) {
s->flags.proxySurrogate = true;
- debugs(3, DBG_IMPORTANT, "Disabling TPROXY Spoofing on port " << s->s << " (proxy-surrogate enabled)");
+ debugs(3, DBG_IMPORTANT, "Disabling TPROXY Spoofing on port " << s->s << " (require-proxy-header enabled)");
} else if (strncmp(token, "defaultsite=", 12) == 0) {
if (!s->flags.accelSurrogate) {
}
#endif
if (s->transport.protocol == AnyP::PROTO_HTTPS) {
- debugs(3,DBG_CRITICAL, "FATAL: https_port: proxy-surrogate option is not supported on HTTPS ports.");
+ debugs(3,DBG_CRITICAL, "FATAL: https_port: require-proxy-header option is not supported on HTTPS ports.");
self_destruct();
}
}
storeAppendPrintf(e, " tproxy");
else if (s->flags.proxySurrogate)
- storeAppendPrintf(e, " proxy-surrogate");
+ storeAppendPrintf(e, " require-proxy-header");
else if (s->flags.accelSurrogate) {
storeAppendPrintf(e, " accel");
NOCOMMENT_END
DOC_END
-NAME: proxy_forwarded_access follow_x_forwarded_for
+NAME: proxy_protocol_access
TYPE: acl_access
+LOC: Config.accessList.proxyProtocol
+DEFAULT: none
+DEFAULT_DOC: all TCP connections will be denied
+DOC_START
+ Determine which client proxies can be trusted to provide correct
+ information regarding real client IP address using PROXY protocol.
+
+ Requests may pass through a chain of several other proxies
+ before reaching us. The original source details may by sent in:
+ * HTTP message Forwarded header, or
+ * HTTP message X-Forwarded-For header, or
+ * PROXY protocol connection header.
+
+ This directive is solely for validating new PROXY protocol
+ connections received from a port flagged with require-proxy-header.
+ It is checked only once after TCP connection setup.
+
+ A deny match results in TCP connection closure.
+
+ An allow match is required for Squid to permit the corresponding
+ TCP connection, before Squid even looks for HTTP request headers.
+ If there is an allow match, Squid starts using PROXY header information
+ to determine the source address of the connection for all future ACL
+ checks, logging, etc.
+
+ SECURITY CONSIDERATIONS:
+
+ Any host for which we accept client IP details can place
+ incorrect information in the relevant header, and Squid
+ will use the incorrect information as if it were the
+ source address of the request. This may enable remote
+ hosts to bypass any access control restrictions that are
+ based on the client's source addresses.
+
+ This clause only supports fast acl types.
+ See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
+DOC_END
+
+NAME: follow_x_forwarded_for
+TYPE: acl_access
+IFDEF: FOLLOW_X_FORWARDED_FOR
LOC: Config.accessList.followXFF
DEFAULT_IF_NONE: deny all
DEFAULT_DOC: indirect client IP will not be accepted.
* HTTP message X-Forwarded-For header, or
* PROXY protocol connection header.
+ PROXY protocol connections are controlled by the proxy_protocol_access
+ directive which is checked before this.
+
If a request reaches us from a source that is allowed by this
directive, then we trust the information it provides regarding
the IP of the client it received from (if any).
For the purpose of ACLs used in this directive the src ACL type always
matches the address we are testing and srcdomain matches its rDNS.
- For proxy-surrogate ports an allow match is required for Squid to
- permit the corresponding TCP connection, before Squid even looks for
- HTTP request headers. If there is an allow match, Squid starts using
- PROXY header information to determine the source address of the
- connection for all future ACL checks. A deny match results in TCP
- connection closure. Evaluation described in this paragraph does not
- happen on non proxy-surrogate ports.
-
On each HTTP request Squid checks for X-Forwarded-For header fields.
If found the header values are iterated in reverse order and an allow
match is required for Squid to continue on to the next value.
probing the connection, interval how often to probe, and
timeout the time before giving up.
- proxy-surrogate
+ require-proxy-header
Require PROXY protocol version 1 or 2 connections.
- The proxy_forwarded_access is required to whitelist
+ The proxy_protocol_access is required to whitelist
downstream proxies which can be trusted.
If you run Squid on a dual-homed machine with an internal
}
/**
- * Perform forwarded_access ACL tests on the client which
+ * Perform proxy_protocol_access ACL tests on the client which
* connected to PROXY protocol port to see if we trust the
* sender enough to accept their PROXY header claim.
*/
bool
ConnStateData::proxyProtocolValidateClient()
{
- ACLFilledChecklist ch(Config.accessList.followXFF, NULL, clientConnection->rfc931);
+ if (!Config.accessList.proxyProtocol)
+ return proxyProtocolError("PROXY client not permitted by default ACL");
+
+ ACLFilledChecklist ch(Config.accessList.proxyProtocol, NULL, clientConnection->rfc931);
ch.src_addr = clientConnection->remote;
ch.my_addr = clientConnection->local;
ch.conn(this);