The attached patch adds a "spoof" access list (fast ACL types only) to control whether TPROXY requests have their source IP address spoofed by Squid. The directive defaults to "allow all" (i.e. the current normal behaviour); a request for which the access list does not produce an allow result has spoofing disabled, so that request is forwarded without the client's address being spoofed.

Example config (disables spoofing for all requests):
        spoof deny all

The patch also does a bit of code-cleanup:

1. The flags.spoofClientIp flag was a general "this is a TPROXY request" flag, which was a bit confusing given the name of the flag. So the flags.spoofClientIp flag now only indicates whether we want to spoof the source IP or not.

2. The logic for requests handled by a "tproxy" port and those handled by an "intercept" port is pretty much identical, so the flags.intercepted flag is now used to generically indicate that the request has been intercepted either by "intercept" or "tproxy".

--

 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messager: xmpp:[email protected]
   Email:            [email protected]
   Phone:            sip:[email protected]

Sales / enquiries contacts:
   Email:            [email protected]
   Phone:            +44-844-9791439 / sip:[email protected]

Support contacts:
   Email:            [email protected]
   Phone:            +44-844-4844916 / sip:[email protected]
Index: /thirdparty/squid/branches/3.3/source/src/cf.data.pre
===================================================================
--- /thirdparty/squid/branches/3.3/source/src/cf.data.pre	(revision 148)
+++ /thirdparty/squid/branches/3.3/source/src/cf.data.pre	(revision 169)
@@ -1034,4 +1034,20 @@
 	of follow_x_forewarded_for with a limited set of trusted
 	sources is required to prevent abuse of your proxy.
+DOC_END
+
+NAME: spoof
+TYPE: acl_access
+LOC: Config.accessList.spoof
+DEFAULT_IF_NONE: allow all
+DOC_START
+	Allow client address spoofing based on defined access lists
+
+	spoof allow|deny [!]aclname ...
+
+	If there are no "spoof" lines present, the default is to "allow"
+	spoofing of any suitable request.
+
+	This clause supports fast acl types.
+	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
 DOC_END
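Review bot: The DOC_START text on the new `spoof` directive should spell out what a non-allow result means, since the client_side.cc hunks set `spoofClientIp` only on an exact `ACCESS_ALLOWED` result: a deny, or any indeterminate result from this fast check (which is what a slow ACL type in the list would presumably produce), turns spoofing off for that request rather than falling back to the default. I would add a sentence after the "default is to allow" paragraph: `A "deny" result, or any result other than "allow" (for example when a slow acl type is used in this fast check), disables spoofing for that request.` It is also worth stating here that the check runs per request, not per connection, if that is the intended behaviour.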
 
Index: /thirdparty/squid/branches/3.3/source/src/client_side.cc
===================================================================
--- /thirdparty/squid/branches/3.3/source/src/client_side.cc	(revision 146)
+++ /thirdparty/squid/branches/3.3/source/src/client_side.cc	(revision 169)
@@ -2671,5 +2671,9 @@
     if (http->clientConnection != NULL) {
         request->flags.intercepted = ((http->clientConnection->flags & COMM_INTERCEPTION) != 0);
-        request->flags.spoofClientIp = ((http->clientConnection->flags & COMM_TRANSPARENT) != 0 ) ;
+	if (http->clientConnection->flags & COMM_TRANSPARENT) {
+	    ACLFilledChecklist *checklist = clientAclChecklistCreate(Config.accessList.spoof, http);
+	    request->flags.spoofClientIp = checklist->fastCheck() == ACCESS_ALLOWED;
+	    delete checklist;
+    	} else request->flags.spoofClientIp = 0;
     }
 
@@ -3580,5 +3584,10 @@
 #endif
         fakeRequest->my_addr = connState->clientConnection->local;
-        fakeRequest->flags.spoofClientIp = ((connState->clientConnection->flags & COMM_TRANSPARENT) != 0 ) ;
+	fakeRequest->myportname = connState->port->name;
+	if (connState->clientConnection->flags & COMM_TRANSPARENT) {
+            ACLFilledChecklist *checklist = new ACLFilledChecklist(Config.accessList.spoof, fakeRequest, NULL);
+	    fakeRequest->flags.spoofClientIp = checklist->fastCheck() == ACCESS_ALLOWED;
+	    delete checklist;
+    	} else fakeRequest->flags.spoofClientIp = 0;
         fakeRequest->flags.intercepted = ((connState->clientConnection->flags & COMM_INTERCEPTION) != 0);
         debugs(33, 4, HERE << details << " try to generate a Dynamic SSL CTX");
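Review bot: The `spoof` list is evaluated here against a synthetic request that, within this hunk, carries only `my_addr` and the newly added `myportname`; the client address is presumably copied onto `fakeRequest` above the hunk, but the request has no URL at this point, so a `spoof` rule written against url/urlpath-type ACLs will evaluate differently on this SSL-bump path than on the normal request path at line 2671, and an operator may get spoofing they expected to have denied. Either restrict the documentation to connection-level ACLs or add a comment here such as `// Synthetic request: only connection-level ACLs (src, myportname, dst port) are meaningful for this spoof check.` The same tab/space indentation mix and unbraced `} else fakeRequest->flags.spoofClientIp = 0;` as in the earlier hunk apply, and `false` rather than `0` would match the flag's type. The enclosing function starts before and ends after this hunk.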
Index: /thirdparty/squid/branches/3.3/source/src/SquidConfig.h
===================================================================
--- /thirdparty/squid/branches/3.3/source/src/SquidConfig.h	(revision 146)
+++ /thirdparty/squid/branches/3.3/source/src/SquidConfig.h	(revision 169)
@@ -399,4 +399,5 @@
         acl_access* icap;
 #endif
+	acl_access* spoof;
     } accessList;
     AclDenyInfoList *denyInfoList;
