I've set up a simple Squid proxy to connect PCs from the internal network to the internet with a 3G modem.
I can only find settings for showing the internal client IP or not showing the IP at all.
How can I configure Squid to show the external IP of the 3G modem?
The squid.conf is no more than:
acl test src 192.168.1.3
tcp_outgoing_address 10.43.19.239 test
http_access allow all
http_port 3128
Try or adjust with this:
# anonymizer options
request_header_access From deny all
request_header_access Server deny all
request_header_access Link deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
I'm sometimes on a very restrictive network which only allows HTTP/HTTPS on port 80/443. I have an OpenVPN server set up and ready and some services behind Nginx Proxy Manager. I now want to set up a Squid HTTP proxy for OpenVPN behind Nginx. I can't use sslh because HTTP is only allowed on port 80 and HTTPS on 443. If I make a default config for Nginx:
set $forward_scheme http;
set $server "http_proxy";
set $port 3128;
listen 80;
listen [::]:80;
server_name squid.domain.tld;
access_log /data/logs/proxy-host-41_access.log proxy;
error_log /data/logs/proxy-host-41_error.log warn;
location / {
include conf.d/include/proxy.conf;
}
include /data/nginx/custom/server_proxy[.]conf;
}
For Squid I have:
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_port 3128 accel allow-direct
http_access allow all
The proxy functions as standalone.
Made from Nginx to Squid:
If I try the official OpenVPN Android client I get HTTP code 400 and no log.
I can't think of anything anymore why it won't function.
It would have worked if I had compiled nginx with HTTP CONNECT protocol support.
I am trying to set up squid in order to route outgoing traffic randomly through different proxies. These are proxies I purchased from a provider, not part of my network. I need to specify a specific port for each IP address in order to connect but can't figure out the correct way to do this. I am on CentOS 8.
I've tried adding them in these ways:
tcp_outgoing_address 1.0.0.01:<port>
tcp_outgoing_address 1.0.0.01/<port>
tcp_outgoing_address 1.0.0.01 <port>
tcp_outgoing_address 1.0.0.01 ::<port>
Obviously, none of these work, and they actually prevent squid from starting. I can't seem to find any resources similar to my question online.
The only way I can get squid to start is by omitting the port entirely, like so:
tcp_outgoing_address 1.0.0.01
However, when I do this, and attempt to access any URL I receive the following squid error in the browser:
The following error was encountered while trying to retrieve the URL: http://xxxx.com/
Connection to XXX.XXX.XXX.XXX failed.
The system returned: [No Error]
Likely this is because I am not actually specifying the port that squid needs to connect to each proxy. To clarify, each proxy has a different open port, i.e. 1.0.0.01:8080, 1.0.0.02:5000 ...
ACL Random bit:
acl random1 random 1/10
acl random2 random 1/9
acl random3 random 1/8
acl random4 random 1/7
acl random5 random 1/6
acl random6 random 1/5
acl random7 random 1/4
acl random8 random 1/3
acl random9 random 1/2
tcp_outgoing_address xxx.xxx.xxx.xxx random1
tcp_outgoing_address xx.xx.xx.xxx random2
tcp_outgoing_address xx.xx.xx.xx random3
tcp_outgoing_address xx.xx.xx.xx random4
tcp_outgoing_address xx.xx.xx.xx random5
tcp_outgoing_address xx.xx.xx.xx random6
tcp_outgoing_address xx.xx.xx.xx random7
tcp_outgoing_address xx.xx.xx.xx random8
tcp_outgoing_address xx.xx.xx.xx random9
tcp_outgoing_address xx.xx.xx.xx
My config file is as follows:
# Recommended minimum configuration:
#
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src xx.xx.xx.xxx # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl client src xx.xx.xx.xxx # Home IP
http_access allow client
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
acl random1 random 1/10
acl random2 random 1/9
acl random3 random 1/8
acl random4 random 1/7
acl random5 random 1/6
acl random6 random 1/5
acl random7 random 1/4
acl random8 random 1/3
acl random9 random 1/2
tcp_outgoing_address xxx.xxx.xxx.xxx random1
tcp_outgoing_address xx.xx.xx.xxx random2
tcp_outgoing_address xx.xx.xx.xx random3
tcp_outgoing_address xx.xx.xx.xx random4
tcp_outgoing_address xx.xx.xx.xx random5
tcp_outgoing_address xx.xx.xx.xx random6
tcp_outgoing_address xx.xx.xx.xx random7
tcp_outgoing_address xx.xx.xx.xx random8
tcp_outgoing_address xx.xx.xx.xx random9
tcp_outgoing_address xx.xx.xx.xx
via off
forwarded_for off
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Essentially, my question is how do I specify the port each proxy needs to connect through, or perhaps is this somehow not necessary? If it is not, is there a reason anyone could identify why I am not able to connect to any websites with the port omitted?
You can make it like this:
http_port 10000
acl port10000 localport 10000
tcp_outgoing_address xx.xx.xx.xx port10000
I am using the Squid proxy for my outbound connection. My whitelist rule and deny rule don't work the moment I add the authentication layer. When I try to hit a URL which is not defined in my configuration file, the proxy returns 200. Is it something with the rule priority list? It filters only at the authentication; if that is correct, it directly bypasses all filters.
# Proxy Authentication
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
# Local network access to proxy
# Safe ports that can be used
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 3128
acl CONNECT method CONNECT
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Destination domains that can be accessed
acl whitelist dstdomain .bing.com
acl whitelist dstdomain .google.com
http_access allow whitelist
# Destination domains that cannot be accessed
http_access deny all
The issue is described in the "Common Mistakes" section of the wiki:
https://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes
Specifically:
All elements of an acl entry are OR'ed together.
All elements of an access entry are AND'ed together (e.g. http_access and icp_access)
So when you write two different lines for http_access, e.g.:
http_access allow authenticated
http_access allow whitelist
they are interpreted as "OR" and therefore either one will "hit".
If you want to force the proxy to only allow authenticated users to use the whitelist acl, they have to be on the same line.
So in your case:
http_access allow authenticated whitelist
and that means: (only) allow authenticated AND whitelist.
Followed by http_access deny all, this should block all other traffic as well.
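A small Python model of the rule the answer cites, added here as an illustration and not part of the original thread or of Squid itself: it evaluates http_access lines the way the FAQ describes (all elements on one line must match, lines are tried in order, first match decides) over constructed requests, comparing the question's ordering with the corrected one. The ACL evaluators and the sample requests are assumptions built from the question's config.

```python
from dataclasses import dataclass

@dataclass
class Request:
    authenticated: bool
    dstdomain: str
    port: int
    method: str = "GET"

# Evaluators for the ACL types in the question's config (constructed, not Squid code).
WHITELIST = (".bing.com", ".google.com")
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777, 3128}

def domain_matches(host, pattern):
    # dstdomain: a leading dot matches the domain itself and every subdomain
    return host == pattern.lstrip(".") or (pattern.startswith(".") and host.endswith(pattern))

ACLS = {
    "authenticated": lambda r: r.authenticated,
    "whitelist": lambda r: any(domain_matches(r.dstdomain, p) for p in WHITELIST),
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "SSL_ports": lambda r: r.port == 443,
    "CONNECT": lambda r: r.method == "CONNECT",
    "all": lambda r: True,
}

def evaluate(rules, req):
    """First http_access line whose elements ALL match (AND) decides; lines are
    tried in order (OR). With no match Squid uses the opposite of the last action."""
    for action, elements in rules:
        if all(ACLS[e.lstrip("!")](req) != e.startswith("!") for e in elements):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Order from the question: authenticated users match line 1 before whitelist is seen.
ORIGINAL = [("allow", ["authenticated"]),
            ("deny", ["!Safe_ports"]),
            ("deny", ["CONNECT", "!SSL_ports"]),
            ("allow", ["whitelist"]),
            ("deny", ["all"])]
# The fix from the answer: both ACLs on one line, so a request must satisfy both.
# The port checks are kept ahead of it so they apply to every client.
FIXED = [("deny", ["!Safe_ports"]),
         ("deny", ["CONNECT", "!SSL_ports"]),
         ("allow", ["authenticated", "whitelist"]),
         ("deny", ["all"])]

if __name__ == "__main__":
    probe = Request(authenticated=True, dstdomain="example.org", port=80)
    print("original:", evaluate(ORIGINAL, probe), " fixed:", evaluate(FIXED, probe))
```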
I want to fully block the youtube.com website from being accessed via Squid. After blocking YouTube I want to allow a few hundred URLs of YouTube to be accessed via Squid, so that only educational videos will be allowed. My Squid installation is working fine, but I got stuck at the url_regex part. I can't allow a few URLs of YouTube: either YouTube is blocked or YouTube is fully open. Here is my squid configuration file.
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl allowed_videos dstdomain "/etc/squid/allowed_videos"
acl blocked_sites dstdomain "/etc/squid/blocked_sites"
http_access allow allowed_videos
http_access deny blocked_sites !allowed_videos
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 512 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Content of the allowed videos file is given below
.youtube.com/watch\?v=6tO_isJQfCY
Content of the blocked websites file is given below
.youtube.com
Please help so I can partially allow YouTube videos for accessing via Squid.
You cannot use Squid proxy as a firewall for content filtering.
SquidGuard is good too for whoever wants to filter lots of URLs and sites with DB files.
url_regex is not good for you because YouTube channels contain unknown characters.
So you should use some app or develop code with Python to check the entire content of sites to allow or deny it for your clients.
But in this case I suggest you manually allow the URL (like a whitelist).
This is sample code that you want:
First save the URLs in the file "/etc/squid/mywhitelist.txt".
Then you should allow just this file for your clients like this:
acl youtube_access src "/etc/squid/mywhitelist.txt"
http_access allow youtube_access
http_access deny all
Can traefik be configured to accept connections only from a particular subnet / ip address?
For example, in nginx I can define:
location / {
# block one workstation
deny 192.168.1.1;
# allow anyone in 192.168.1.0/24
allow 192.168.1.0/24;
# drop rest of the world
deny all;
}
I searched all traefik documentation but couldn't find anything about this.
Can this be done in traefik?
Just to update, I posted this question on the traefik slack (https://traefik.slack.com/messages/support/) and this is the reply I got from Emile (traefik maintainer): "this is not possible in traefik for now sorry".