Squid deny acl does not work as documented - proxy

I have the following Squid config on my server:
http_access deny CONNECT !SSL_ports
If I connect to facebook using my server as a proxy,
curl -L 'https://facebook.com' -x 'myserver'
the request is denied; the error message is TCP_DENIED/403. But if I change the setting to
http_access allow CONNECT SSL_ports
it works.
As the Squid documentation says,
http_access deny CONNECT !SSL_ports
allows CONNECT only through the SSL_ports. Why does this setting deny my request?

The ACL CONNECT will identify all requests with the HTTP method CONNECT.
Now, let's see Squid's default configuration for the CONNECT method:
acl SSL_ports port 443
http_access deny CONNECT !SSL_ports
By default, Squid will allow the CONNECT HTTP method only for SSL port 443, which is the standard port for HTTPS communication. Again, we should go with the default configuration and add more ports to the SSL_ports ACL as the need arises.

Related

What env var to send requests to a HAProxy instance?

I have a HAProxy configured that works as expected when sending requests directly to the proxy host and port that the proxy is listening on. The proxy is running in TCP mode.
frontend tcp-in-mssql
bind :5650
mode tcp
use_backend mssql
backend mssql
mode tcp
server mssql01.mydomain.com mssql01.mydomain.com:5650 check
When I try to send requests to the proxy by using the SOCKS_PROXY or ALL_PROXY env vars, the proxy isn't used and the connection is made directly.
example:
SOCKS_PROXY=socks://localhost:5650 my_command --target=mssql01.mydomain.com:5650
ALL_PROXY=socks://localhost:5650 my_command --target=mssql01.mydomain.com:5650
The proxy is bypassed and a TCP connection is made directly to the target host. Though if I do something like my_command --target=localhost:5650, the TCP connection goes through the proxy and is made successfully to the backend target server.
How can I route traffic to the proxy?
SOCKS is a specific protocol spoken by client and proxy (https://en.wikipedia.org/wiki/SOCKS). SOCKS allows the client to specify which server to connect to on which port. To do so, the client establishes a connection to the SOCKS proxy; the SOCKS proxy then establishes a connection to the server and forwards the traffic from client to server and vice versa.
Example:
client -> socks proxy (port: 1080) -> server1 (port: client's choice)
                                   -> server2 (port: client's choice)
                                   -> serverN (port: client's choice)
(the server and the port are the client's choice)
Your HAProxy configuration makes haproxy serve as a reverse proxy for TCP connections on port 5650. TCP traffic received on port 5650 is then forwarded to one of the destination servers configured in the backend section.
Example:
client -> reverse proxy (port 5650) -> backend (server and port as defined in the haproxy config)
So you already have a working solution for proxying the connection to the mssql backend. Just configure the mssql client to connect to the haproxy on port 5650.
If you need a SOCKS proxy to suit your use case, you have to replace the haproxy with a dedicated, SOCKS-capable proxy solution.
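The handshake the answer above describes, as an added example (not code from the post, from HAProxy or from any SOCKS implementation): both sides of a SOCKS5 CONNECT exchange per RFC 1928, the client's greeting and request and the proxy's method selection, request decoding and reply. It shows why pointing SOCKS_PROXY at a plain TCP listener cannot work: a SOCKS client sends these bytes before any MSSQL traffic, and an HAProxy frontend in mode tcp would forward them unchanged to the backend instead of interpreting them. The target name mssql01.mydomain.com and port 5650 are taken from the post; the 10.0.0.5:1433 target in the demo is constructed.

```python
"""SOCKS5 CONNECT handshake, both sides, as specified in RFC 1928 (added example)."""
import socket
import struct

VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
REP_SUCCEEDED = 0x00


def client_greeting():
    """Client -> proxy: VER, NMETHODS, METHODS (here only 'no authentication')."""
    return bytes([VER, 1, NO_AUTH])


def server_select_method(greeting):
    """Proxy -> client: VER, METHOD; 0xFF means none of the offered methods is acceptable."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("not a SOCKS5 greeting")
    return bytes([VER, NO_AUTH if NO_AUTH in greeting[2:] else NO_ACCEPTABLE])


def client_connect_request(host, port):
    """Client -> proxy: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT.

    A hostname goes out as ATYP 0x03 (length-prefixed), so name resolution
    happens on the proxy, not on the client.
    """
    try:
        atyp, dst = ATYP_IPV4, socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            atyp, dst = ATYP_IPV6, socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            raw = host.encode("idna")
            if len(raw) > 255:
                raise ValueError("hostname too long for SOCKS5")
            atyp, dst = ATYP_DOMAIN, bytes([len(raw)]) + raw
    return bytes([VER, CMD_CONNECT, 0x00, atyp]) + dst + struct.pack("!H", port)


def server_parse_request(data):
    """Proxy side: decode the CONNECT request and return the (host, port) it must dial."""
    if len(data) < 4 or data[0] != VER or data[1] != CMD_CONNECT or data[2] != 0x00:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("truncated or trailing bytes in request")
    return host, struct.unpack("!H", rest)[0]


def server_reply(rep=REP_SUCCEEDED):
    """Proxy -> client: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT (bind address left as 0.0.0.0:0)."""
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + bytes(4) + bytes(2)


if __name__ == "__main__":
    g = client_greeting()
    print("C->P greeting :", g.hex(), "  P->C:", server_select_method(g).hex())
    r = client_connect_request("mssql01.mydomain.com", 5650)
    print("C->P request  :", r.hex())
    print("proxy dials   :", server_parse_request(r))
    print("P->C reply    :", server_reply().hex())
    print("IPv4 target   :", server_parse_request(client_connect_request("10.0.0.5", 1433)))
```

Only after the reply arrives does the client start speaking TDS to the proxy; a listener that never answers the greeting leaves a SOCKS client stuck, and a listener that blindly forwards it hands the backend a 3-byte garbage prelude.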

Squid whitelist only for one auth user

To be honest, I'm not sure if this is easy to do (or possible for that matter), as I've combed over the squid docs and didn't find what I needed.
I am using a squid4 proxy with basic ncsa authentication. Here's what I would like to accomplish: I have two users on my proxy with ncsa authentication. I would like one user to be able to access anything on the proxy (standard http_access allow), and the other user to be limited to a whitelist of one url that they can access.
Here is the authentication portion of my squid.conf:
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
acl squid_users proxy_auth REQUIRED
http_access deny !squid_users
http_access allow squid_users
http_access deny all
Is there a way to http_access allow/deny for only one user with authentication, or am I missing something?
I don't really know what to do for this one factor so any help would be appreciated, thanks!
You can't expect Squid to treat the users differently if you don't separate them in your config.
Take a look at the "a more complex example" section at: https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass
Specifically, after defining the auth_param section, you should use something like:
acl UsersGroupA proxy_auth "/etc/squid/groupa.txt"
acl SitesGroupA dstdomain "/etc/squid/sites.a.txt"
acl UsersGroupB proxy_auth "/etc/squid/groupb.txt"
acl authenticated_users proxy_auth REQUIRED
# rules allowing authenticated users
http_access allow SitesGroupA UsersGroupA # this will force both whitelisted urls AND users of group "A" (the limited group)
http_access allow UsersGroupB # this will only force users of group B (the unlimited group)
# catch-all rule
http_access deny all
Additionally, if you need to specify ports, you should do that on the same line:
acl port_80 port 80
acl port_443 port 443
acl CONNECT method CONNECT   # already present in the stock squid.conf
acl http proto HTTP          # not in the stock squid.conf; must be defined for the line below
http_access allow http port_80 SitesGroupA UsersGroupA
http_access allow CONNECT port_443 SitesGroupA UsersGroupA
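The following is an added example, not code from either post and not Squid's own code. It models Squid's documented http_access evaluation: lines are tried in order, every ACL on a line must match (a leading ! negates that one ACL), the first matching line decides, and if no line matches the default is the opposite of the last line. It covers two passages on this page. For the CONNECT question at the top, it shows that `http_access deny CONNECT !SSL_ports` grants nothing on its own: a CONNECT to port 443 simply does not match it and falls through to whatever follows, which in the stock configuration is `allow localnet` / `allow localhost` / `deny all`, so a client outside localnet gets TCP_DENIED/403, and the `allow CONNECT SSL_ports` workaround "fixes" that by turning the proxy into a CONNECT relay for any host that can reach it. For the whitelist answer just above, it shows the per-group lines deciding by user and destination. The client addresses (203.0.113.10 outside the local network, 10.1.2.3 inside it), the user names alice and bob, and the domain intranet.example.com are constructed; the proxy_auth handling is simplified to "which user did the client present".

```python
"""Model of Squid's http_access evaluation (added illustration, not Squid's code)."""
import ipaddress

# ACL table standing in for the 'acl' lines of squid.conf.  User lists and the
# dstdomain file contents are constructed for this example.
ACLS = {
    "SSL_ports":   ("port", {443}),
    "Safe_ports":  ("port", {80, 443, 21}),
    "CONNECT":     ("method", {"CONNECT"}),
    "localnet":    ("src", ["10.0.0.0/8"]),
    "localhost":   ("src", ["127.0.0.1/32"]),
    "squid_users": ("proxy_auth", "REQUIRED"),
    "UsersGroupA": ("proxy_auth", {"alice"}),             # the limited group
    "UsersGroupB": ("proxy_auth", {"bob"}),               # the unlimited group
    "SitesGroupA": ("dstdomain", {"intranet.example.com"}),
    "all":         ("all", None),
}


def acl_matches(name, req):
    """Evaluate one ACL reference such as 'SSL_ports' or '!SSL_ports'."""
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    if kind == "all":
        hit = True
    elif kind == "port":
        hit = req["port"] in values
    elif kind == "method":
        hit = req["method"] in values
    elif kind == "src":
        ip = ipaddress.ip_address(req["src"])
        hit = any(ip in ipaddress.ip_network(net) for net in values)
    elif kind == "proxy_auth":
        # REQUIRED matches any authenticated user; a list matches only the listed ones
        user = req["user"]
        hit = user is not None and (values == "REQUIRED" or user in values)
    elif kind == "dstdomain":
        host = req["host"].lower()
        hit = any(host == d or host.endswith("." + d) for d in values)
    else:
        raise ValueError(f"unsupported ACL type {kind}")
    return hit != negate


def parse_rules(conf):
    """Extract (action, [acl names]) from the http_access lines of a config text."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def http_access(conf, req):
    """Return 'allow' or 'deny': first matching line wins, else the opposite of the last line."""
    rules = parse_rules(conf)
    for action, names in rules:
        if all(acl_matches(n, req) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def req(method, host, port, src="10.1.2.3", user=None):
    return {"method": method, "host": host, "port": port, "src": src, "user": user}


# Stock layout the first post relies on: the deny line only restricts, the
# later allow lines grant, and a client outside localnet reaches 'deny all'.
STOCK = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
"""

# The first post's workaround: anyone who can reach the proxy may CONNECT to 443.
OPEN_RELAY = """
http_access allow CONNECT SSL_ports
http_access allow localhost
http_access deny all
"""

# The per-user rules from the whitelist answer, with the stock port checks kept.
PER_USER = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow SitesGroupA UsersGroupA
http_access allow UsersGroupB
http_access deny all
"""

if __name__ == "__main__":
    outsider = req("CONNECT", "facebook.com", 443, src="203.0.113.10")
    print("stock, outsider   :", http_access(STOCK, outsider))                                      # deny
    print("stock, localnet   :", http_access(STOCK, req("CONNECT", "facebook.com", 443)))           # allow
    print("stock, CONNECT 25 :", http_access(STOCK, req("CONNECT", "facebook.com", 25)))            # deny
    print("open relay, anyone:", http_access(OPEN_RELAY, outsider))                                 # allow
    print("alice -> intranet :", http_access(PER_USER, req("CONNECT", "intranet.example.com", 443, user="alice")))  # allow
    print("alice -> facebook :", http_access(PER_USER, req("CONNECT", "facebook.com", 443, user="alice")))          # deny
    print("bob   -> facebook :", http_access(PER_USER, req("GET", "facebook.com", 80, user="bob")))                  # allow
```

The practical reading for the first post: keep `deny CONNECT !SSL_ports` where it is and add an allow line for the trusted source networks or authenticated users after it; an unconditional `allow CONNECT SSL_ports` lets any reachable host tunnel TLS (or anything else) through port 443 on your behalf. Real Squid also answers a denied proxy_auth check with a 407 challenge rather than a flat deny; the model ignores that detail.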

How can I create multiple IPs in squid.conf?

How can I make multiple outgoing IP addresses on a single Squid proxy server?
I have configured multiple IPs as below in the squid.conf file, but when I try to send a request using the proxy, it's sent from the primary IP of the server. I want to send requests from the virtual IP.
http_port 182.xx.xx.5:3131
http_port 182.xx.xx.6:3132
acl proxy1 src 182.xx.xx.5
acl proxy2 src 182.xx.xx.6
http_access allow proxy1
http_access allow proxy2
tcp_outgoing_address 182.xx.xx.5 proxy1
tcp_outgoing_address 182.xx.xx.5 proxy2
Please suggest where I am wrong.
I have taken 2 Elastic IPs in AWS EC2 and configured them to point to the instance where I installed the squid proxy. Now I need to install multiple proxy servers on the same instance with different outgoing IPs.

HaProxy as HttpProxy with list of underlying proxies

Is it possible to configure haproxy as a real HTTP proxy which can forward requests to other proxies?
What I want to do: I have a list of working proxies. I want to configure haproxy to proxy via these proxies.
I thought about such a case:
frontend proxy
bind *:80
default_backend proxyBackend
option http_proxy
backend proxyBackend
option http_proxy
server server1 35.199.76.79:80
server server2 198.1.122.29:80
balance roundrobin
Example:
curl --proxy localhost:80 http://check-host.net/ip
I thought that the request would go through proxy server1 or server2. But it fails.
Is it possible? Or can anyone recommend a good solution?
I found a solution:
global
daemon
maxconn 256
defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
listen stats
bind *:9999
stats enable
stats hide-version
stats uri /stats
frontend proxy
bind *:80
default_backend proxyBackend
option http_proxy
option http-use-proxy-header
backend proxyBackend
server serverName1 35.199.76.79:80
server serverName2 198.1.122.29:80
server serverName3 129.213.76.9:3128
balance roundrobin
With this configuration we have proxy list rotation using haproxy. So great.

Tinyproxy Reverse Proxy "Access denied"

I'm using tinyproxy as a reverse proxy. I have three subdomains pointed to the same server, and we need them to point to specific ports internally. That is, port 80 on any particular subdomain mapped to a particular internal port. See the config example below.
The config looks like this:
Port 80
#Allow 127.0.0.1
#ReverseOnly yes
upstream 127.0.0.1:8115 "website.example.com"
upstream 127.0.0.1:3000 "api.example.com"
upstream 127.0.0.1:9000 "socket.example.com"
When I pull up any subdomain, all I get is:
Access denied
The administrator of this proxy has not configured it to service requests from your host.
Generated by tinyproxy version 1.8.3.
I cannot find adequate documentation anywhere. I'm thinking of contacting the maintainers. Please help.
I hope you already got the answer, but if not, here is the setting that allows clients to connect to your proxy:
#
# Allow: Customization of authorization controls. If there are any
# access control keywords then the default action is to DENY. Otherwise,
# the default action is ALLOW.
#
# The order of the controls are important. All incoming connections are
# tested against the controls based on order.
#
Allow 127.0.0.1
#Allow 192.168.0.0/16
#Allow 172.16.0.0/12
#Allow 10.0.0.0/8
Allow 0.0.0.0/0
In my example here, I allow 0.0.0.0/0 because I'm configuring a reverse proxy from the Internet to my other VPS.
Also, your configuration above is for a forward proxy, not a reverse proxy.
To enable the reverse proxy function, you need at least the following:
ConnectPort 80
ConnectPort 443
ReversePath "/" "http://<your server IP>:8080/"
ReverseOnly Yes
ReverseMagic Yes
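A check for the two mistakes discussed in this thread, as an added example (not tinyproxy's code and not from either post): a small audit of a tinyproxy.conf that applies the rules stated in the quoted Allow comment (no Allow/Deny at all means every client is accepted; any Allow/Deny means unlisted clients are denied), the answer's point that `upstream` lines make a forward proxy rather than a reverse proxy, and the consequence of exposing `Allow 0.0.0.0/0` without `ReverseOnly Yes`, which is an open forward proxy reachable from the whole Internet. The ConnectPort rule is taken from the comment in tinyproxy's sample configuration file, which states that with no ConnectPort line CONNECT is permitted to every port; treat that as an assumption about your version. The three configs at the bottom are constructed; 198.51.100.7 stands in for the answer's `<your server IP>`.

```python
"""Audit a tinyproxy.conf for exposure mistakes (added example, not tinyproxy's code)."""
import ipaddress


def parse_conf(text):
    """Return (directive, value) pairs, lower-casing directive names and dropping comments."""
    directives = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            directives.append((key.lower(), val.strip()))
    return directives


def audit_tinyproxy(text):
    """Return a list of human-readable findings, empty when nothing looks wrong."""
    d = parse_conf(text)
    allows = [v for k, v in d if k == "allow"]
    denies = [v for k, v in d if k == "deny"]
    reverse_only = any(k == "reverseonly" and v.lower() in ("yes", "on") for k, v in d)
    reverse_paths = [v for k, v in d if k == "reversepath"]
    connect_ports = [v for k, v in d if k == "connectport"]
    upstreams = [v for k, v in d if k == "upstream"]

    findings = []
    # Access control: with no Allow/Deny keyword the default action is ALLOW.
    if not allows and not denies:
        findings.append("no Allow/Deny line: every client is accepted")
    for a in allows:
        try:
            net = ipaddress.ip_network(a, strict=False)
        except ValueError:
            continue                      # hostname entries are not checked here
        if net.prefixlen == 0:
            findings.append(f"Allow {a}: accepts every address on the Internet")
    # Reverse proxying: ReversePath alone still leaves forward proxying enabled.
    if reverse_paths and not reverse_only:
        findings.append("ReversePath without ReverseOnly Yes: forward requests are still served (open proxy)")
    # CONNECT restriction: assumption from tinyproxy's sample config comment.
    if not connect_ports:
        findings.append("no ConnectPort line: CONNECT is permitted to every port")
    # The original poster's mistake: upstream chains to another forward proxy.
    if upstreams and not reverse_paths:
        findings.append("upstream lines chain to another forward proxy; use ReversePath for a reverse proxy")
    return findings


# Constructed configs: the questioner's layout, the answer's layout, and a half-done one.
OP_CONF = """
Port 80
#Allow 127.0.0.1
#ReverseOnly yes
upstream 127.0.0.1:8115 "website.example.com"
upstream 127.0.0.1:3000 "api.example.com"
"""

ANSWER_CONF = """
Port 80
Allow 127.0.0.1
Allow 0.0.0.0/0
ConnectPort 80
ConnectPort 443
ReversePath "/" "http://198.51.100.7:8080/"
ReverseOnly Yes
ReverseMagic Yes
"""

EXPOSED_CONF = """
Port 80
Allow 0.0.0.0/0
ReversePath "/" "http://198.51.100.7:8080/"
"""

if __name__ == "__main__":
    for name, conf in ("questioner", OP_CONF), ("answer", ANSWER_CONF), ("exposed", EXPOSED_CONF):
        print(name)
        for f in audit_tinyproxy(conf) or ["no findings"]:
            print("  -", f)
```

The answer's configuration still reports `Allow 0.0.0.0/0`; that is intentional for a reverse proxy fronting a public site, and `ReverseOnly Yes` is what keeps it from doubling as a forward proxy for the same audience.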
