Yann Girardin
2018-09-25 10:39:19 UTC
Hello !
We have encountered what we think is a strange behavior of Squid when in interception. We know that it's not a bug but made on purpose, but we question ourself on the why of this choice.
We have a firewall that we have configured to redirect all TCP packets with the destination port set to 80 to the squid box. This redirection is made by changing the destination IP to the address of the Squid box and destination port to 8080. On the box, we set up Squid to listen to port 9090 in interception mode. Moreover, we use some DNAT rules to redirect the traffic from port 8080 to port 9090. Yes, we know that we shouldn't do that, but "we" includes some third parties.
This does not work because Squid takes the destination IP address and try to connect to it. In our case, it tries to connect to itself port 8080 to join the destination HTTP host, where nothing is listening, rejecting the connection and aborting the transaction. There is no process listening on port 8080 on the Squid box.
In detail :
- the box receives the TCP packets and translates traffic from port 8080 to port 9090 in either directions (it works well).
- Squid receives an HTTP request
- Squid does a DNS request on the domain included in the HTTP request (the destination HTTP host)
- Squid tries to connect to the destination IP address of the first packet, in our case the address of the box, instead of the IP got from the DNS request (this is the unexpected behavior)
- The kernel rejects the connection (as expected)
- Squid answers back a connection failure.
My questions are :
- why Squid uses the destination IP instead of the IP of the requested domain included in the HTTP request ?
- why Squid performs a DNS request if it doesn't plan to use its result ?
- Is there a way to configure Squid to use the IP of the domain included in the request instead of the original IP address (in interception mode) ?
- Is there a way to enable a Squid port to react as in interception mode, but without looking for the original IP address ?
- Does translating addresses and ports are inherently a bad practice to avoid when doing interception, or is it just a limitation of Squid ?
Thanks for all your answers :-)
We have encountered what we think is a strange behavior of Squid when in interception. We know that it's not a bug but made on purpose, but we question ourself on the why of this choice.
We have a firewall that we have configured to redirect all TCP packets with the destination port set to 80 to the squid box. This redirection is made by changing the destination IP to the address of the Squid box and destination port to 8080. On the box, we set up Squid to listen to port 9090 in interception mode. Moreover, we use some DNAT rules to redirect the traffic from port 8080 to port 9090. Yes, we know that we shouldn't do that, but "we" includes some third parties.
This does not work because Squid takes the destination IP address and try to connect to it. In our case, it tries to connect to itself port 8080 to join the destination HTTP host, where nothing is listening, rejecting the connection and aborting the transaction. There is no process listening on port 8080 on the Squid box.
In detail :
- the box receives the TCP packets and translates traffic from port 8080 to port 9090 in either directions (it works well).
- Squid receives an HTTP request
- Squid does a DNS request on the domain included in the HTTP request (the destination HTTP host)
- Squid tries to connect to the destination IP address of the first packet, in our case the address of the box, instead of the IP got from the DNS request (this is the unexpected behavior)
- The kernel rejects the connection (as expected)
- Squid answers back a connection failure.
My questions are :
- why Squid uses the destination IP instead of the IP of the requested domain included in the HTTP request ?
- why Squid performs a DNS request if it doesn't plan to use its result ?
- Is there a way to configure Squid to use the IP of the domain included in the request instead of the original IP address (in interception mode) ?
- Is there a way to enable a Squid port to react as in interception mode, but without looking for the original IP address ?
- Does translating addresses and ports are inherently a bad practice to avoid when doing interception, or is it just a limitation of Squid ?
Thanks for all your answers :-)