From: Amos Jeffries
Date: Tue, 5 Aug 2014 14:39:35 +0000 (-0700)
Subject: Updated configuration options
X-Git-Tag: SQUID_3_5_0_1~75^2~14
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d3d92daafd6ebda0b0969b0f715af49e6b399d92;p=thirdparty%2Fsquid.git

Updated configuration options

* Replace proxy-surrogate flag with require-proxy-header
* Revert follow_x_forwarded_for linkage with PROXY protocol. Add proxy_protocol_access directive for PROXY ACLs instead.
* set fast default for proxy_protocol_access when none configured.
---
diff --git a/doc/release-notes/release-3.5.sgml b/doc/release-notes/release-3.5.sgml index 0f70a92160..e60000cf09 100644 --- a/doc/release-notes/release-3.5.sgml +++ b/doc/release-notes/release-3.5.sgml @@ -180,24 +180,24 @@ Most user-facing changes are reflected in squid.conf (see below). traffic syntax being delivered by the client proxy.

Squid can be configured by adding an http_port - with the proxy-surrogate mode flag. The proxy_forwarded_access + with the require-proxy-header mode flag. The proxy_protocol_access must also be configured with src ACLs to whitelist proxies which are trusted to send correct client details.

Forward-proxy traffic from a client proxy: - http_port 3128 proxy-surrogate - proxy_forwarded_access allow localhost + http_port 3128 require-proxy-header + proxy_protocol_access allow localhost

Intercepted traffic from a client proxy or tunnel: - http_port 3128 intercept proxy-surrogate - proxy_forwarded_access allow localhost + http_port 3128 intercept require-proxy-header + proxy_protocol_access allow localhost

Known Issue: - Use of proxy-surrogate on https_port is not supported. + Use of require-proxy-header on https_port is not supported. Changes to squid.conf since Squid-3.4 @@ -231,9 +231,9 @@ This section gives a thorough account of those changes in three categories:

Ported from Squid-2 with no configuration or visible behaviour changes. Collapsing of requests is performed across SMP workers. - proxy_forwarded_access -

Renamed from follow_x_forwarded_for and extended to control more - ways for locating the indirect (original) client IP details. + proxy_protocol_access +

New directive to control which clients are permitted to open PROXY + protocol connections on a port flagged with require-proxy-header. send_hit

New configuration directive to enable/disable sending cached content @@ -317,7 +317,7 @@ This section gives a thorough account of those changes in three categories: http_port

protocol= option altered to accept protocol version details. Currently supported values are: HTTP, HTTP/1.1, HTTPS, HTTPS/1.1 -

New option proxy-surrogate to mark ports receiving PROXY +

New option require-proxy-header to mark ports receiving PROXY protocol version 1 or 2 traffic. https_port @@ -353,10 +353,6 @@ This section gives a thorough account of those changes in three categories: dns_children

DNS external helper interface has been removed. - - follow_x_forwarded_for -

Renamed proxy_forwarded_access and extended. - diff --git a/src/SquidConfig.h b/src/SquidConfig.h index 8cae4ee27e..0b787ee96a 100644 --- a/src/SquidConfig.h +++ b/src/SquidConfig.h @@ -389,6 +389,9 @@ public: acl_access *followXFF; #endif /* FOLLOW_X_FORWARDED_FOR */ + /// acceptible PROXY protocol clients + acl_access *proxyProtocol; + /// spoof_client_ip squid.conf acl. /// nil unless configured acl_access* spoof_client_ip; diff --git a/src/cache_cf.cc b/src/cache_cf.cc index e04d0256d0..7af208c5b7 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc @@ -3599,7 +3599,7 @@ parse_port_option(AnyP::PortCfgPointer &s, char *token) debugs(3, DBG_IMPORTANT, "Disabling Authentication on port " << s->s << " (TPROXY enabled)"); if (s->flags.proxySurrogate) { - debugs(3, DBG_IMPORTANT, "Disabling TPROXY Spoofing on port " << s->s << " (proxy-surrogate enabled)"); + debugs(3, DBG_IMPORTANT, "Disabling TPROXY Spoofing on port " << s->s << " (require-proxy-header enabled)"); } if (!Ip::Interceptor.ProbeForTproxy(s->s)) { @@ -3607,9 +3607,9 @@ parse_port_option(AnyP::PortCfgPointer &s, char *token) self_destruct(); } - } else if (strcmp(token, "proxy-surrogate") == 0) { + } else if (strcmp(token, "require-proxy-header") == 0) { s->flags.proxySurrogate = true; - debugs(3, DBG_IMPORTANT, "Disabling TPROXY Spoofing on port " << s->s << " (proxy-surrogate enabled)"); + debugs(3, DBG_IMPORTANT, "Disabling TPROXY Spoofing on port " << s->s << " (require-proxy-header enabled)"); } else if (strncmp(token, "defaultsite=", 12) == 0) { if (!s->flags.accelSurrogate) { @@ -3822,7 +3822,7 @@ parsePortCfg(AnyP::PortCfgPointer *head, const char *optionName) } #endif if (s->transport.protocol == AnyP::PROTO_HTTPS) { - debugs(3,DBG_CRITICAL, "FATAL: https_port: proxy-surrogate option is not supported on HTTPS ports."); + debugs(3,DBG_CRITICAL, "FATAL: https_port: require-proxy-header option is not supported on HTTPS ports."); self_destruct(); } } 
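Review bot: In the parse_port_option and parsePortCfg hunks the user-visible option is renamed to require-proxy-header but the backing field keeps its old name, `s->flags.proxySurrogate`, which now sits next to `s->flags.accelSurrogate` with nothing in the name saying it means PROXY protocol; renaming the field in the same change (for example to a hypothetical `flags.proxyProtocol`) would keep code and option in step. The DBG_IMPORTANT line "Disabling TPROXY Spoofing on port ... (require-proxy-header enabled)" is also emitted from two places: conditionally in the tproxy branch and unconditionally in the require-proxy-header branch, so a port that never enables tproxy still reports spoofing being disabled, and a port listing require-proxy-header before tproxy reports it twice; emitting it once, after all options are parsed and only when both flags are set, would be cleaner. Separately, the new comment in the SquidConfig.h hunk reads "acceptible PROXY protocol clients"; "acceptable" is meant.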
@@ -3857,7 +3857,7 @@ dump_generic_port(StoreEntry * e, const char *n, const AnyP::PortCfgPointer &s) storeAppendPrintf(e, " tproxy"); else if (s->flags.proxySurrogate) - storeAppendPrintf(e, " proxy-surrogate"); + storeAppendPrintf(e, " require-proxy-header"); else if (s->flags.accelSurrogate) { storeAppendPrintf(e, " accel"); diff --git a/src/cf.data.pre b/src/cf.data.pre index 037e8666ef..677d780548 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre 
@@ -1094,8 +1094,49 @@ acl CONNECT method CONNECT NOCOMMENT_END DOC_END -NAME: proxy_forwarded_access follow_x_forwarded_for +NAME: proxy_protocol_access TYPE: acl_access +LOC: Config.accessList.proxyProtocol +DEFAULT: none +DEFAULT_DOC: all TCP connections will be denied +DOC_START + Determine which client proxies can be trusted to provide correct + information regarding real client IP address using PROXY protocol. + + Requests may pass through a chain of several other proxies + before reaching us. The original source details may by sent in: + * HTTP message Forwarded header, or + * HTTP message X-Forwarded-For header, or + * PROXY protocol connection header. + + This directive is solely for validating new PROXY protocol + connections received from a port flagged with require-proxy-header. + It is checked only once after TCP connection setup. + + A deny match results in TCP connection closure. + + An allow match is required for Squid to permit the corresponding + TCP connection, before Squid even looks for HTTP request headers. + If there is an allow match, Squid starts using PROXY header information + to determine the source address of the connection for all future ACL + checks, logging, etc. + + SECURITY CONSIDERATIONS: + + Any host for which we accept client IP details can place + incorrect information in the relevant header, and Squid + will use the incorrect information as if it were the + source address of the request. This may enable remote + hosts to bypass any access control restrictions that are + based on the client's source addresses. + + This clause only supports fast acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +DOC_END + +NAME: follow_x_forwarded_for +TYPE: acl_access +IFDEF: FOLLOW_X_FORWARDED_FOR LOC: Config.accessList.followXFF DEFAULT_IF_NONE: deny all DEFAULT_DOC: indirect client IP will not be accepted. 
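Review bot: The fail-closed default is expressed here as `DEFAULT: none` plus prose (`DEFAULT_DOC: all TCP connections will be denied`) and then enforced by a separate nil-pointer check in client_side.cc, whereas the adjacent follow_x_forwarded_for block gets the same effect declaratively with `DEFAULT_IF_NONE: deny all`; using `DEFAULT_IF_NONE: deny all` for proxy_protocol_access too would keep the default in one place and let the ordinary ACL path handle it without a special case. The second paragraph ("Requests may pass through a chain of several other proxies ... * PROXY protocol connection header.") is carried over from follow_x_forwarded_for and lists the Forwarded and X-Forwarded-For headers even though the following paragraph says this directive is solely for PROXY protocol connections; trimming it to the PROXY case avoids suggesting the ACL governs those headers. Also, "The original source details may by sent in" should read "may be sent in".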
@@ -1109,6 +1150,9 @@ DOC_START * HTTP message X-Forwarded-For header, or * PROXY protocol connection header. + PROXY protocol connections are controlled by the proxy_protocol_access + directive which is checked before this. + If a request reaches us from a source that is allowed by this directive, then we trust the information it provides regarding the IP of the client it received from (if any). @@ -1116,14 +1160,6 @@ DOC_START For the purpose of ACLs used in this directive the src ACL type always matches the address we are testing and srcdomain matches its rDNS. - For proxy-surrogate ports an allow match is required for Squid to - permit the corresponding TCP connection, before Squid even looks for - HTTP request headers. If there is an allow match, Squid starts using - PROXY header information to determine the source address of the - connection for all future ACL checks. A deny match results in TCP - connection closure. Evaluation described in this paragraph does not - happen on non proxy-surrogate ports. - On each HTTP request Squid checks for X-Forwarded-For header fields. If found the header values are iterated in reverse order and an allow match is required for Squid to continue on to the next value. @@ -1733,9 +1769,9 @@ DOC_START probing the connection, interval how often to probe, and timeout the time before giving up. - proxy-surrogate + require-proxy-header Require PROXY protocol version 1 or 2 connections. - The proxy_forwarded_access is required to whitelist + The proxy_protocol_access is required to whitelist downstream proxies which can be trusted. If you run Squid on a dual-homed machine with an internal diff --git a/src/client_side.cc b/src/client_side.cc index aa854d6875..75312e4377 100644 --- a/src/client_side.cc +++ b/src/client_side.cc 
@@ -2905,14 +2905,17 @@ ConnStateData::concurrentRequestQueueFilled() const } /** - * Perform forwarded_access ACL tests on the client which + * Perform proxy_protocol_access ACL tests on the client which * connected to PROXY protocol port to see if we trust the * sender enough to accept their PROXY header claim. */ bool ConnStateData::proxyProtocolValidateClient() { - ACLFilledChecklist ch(Config.accessList.followXFF, NULL, clientConnection->rfc931); + if (!Config.accessList.proxyProtocol) + return proxyProtocolError("PROXY client not permitted by default ACL"); + + ACLFilledChecklist ch(Config.accessList.proxyProtocol, NULL, clientConnection->rfc931); ch.src_addr = clientConnection->remote; ch.my_addr = clientConnection->local; ch.conn(this);
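Review bot: The early return when `Config.accessList.proxyProtocol` is nil gives the fail-closed default the DOC promises, but the message "PROXY client not permitted by default ACL" does not tell the administrator which directive to set; naming it, e.g. "proxy_protocol_access not configured, PROXY protocol client denied", would make the log line actionable. The visible lines only set up `ACLFilledChecklist ch(Config.accessList.proxyProtocol, NULL, clientConnection->rfc931)` with the peer addresses; the check call itself is outside the hunk, so it is worth confirming it is the non-blocking fast check, since the DOC states this clause supports fast ACL types only and the check runs before any request is read.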