Project

General

Profile

Actions
Copy link

Bug #10440

closed

Squid proxy ignoring allowed_subnets after package upgrade 0.4.44_9 ==> 0.4.44_19

Added by Tobias Meyer about 4 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Renato Botelho
Category:
Squid
Target version:
-
Start date:
04/07/2020
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
2.4.4-p3
Affected Plus Version:
Affected Architecture:
amd64

Description

We allow an additional subnet (OpenVPN Roadwarriors) on our squid proxy server additionally to the LAN interface.

The setting we used for this is "Allowed Subnets" on the ACL tab of the squid configuration.

Previous to the package update this worked, now it does not.

I hacked /usr/local/pkg/squid.inc to add our openvpn net (xx.yy.zz.0/24) to the "acl localnet" line, but clearly this is not a long-term solution ;-)

$conf .= "acl localnet src $src XX.YY.ZZ.0/24\n";

Actions
Copy link
 #1

Updated by Viktor Gurov about 4 years ago

There is only one change in https://github.com/pfsense/FreeBSD-ports/pull/830
- fixes IPv6 duplicate addresses in localnet ACL
- allows to use IPv6 addresses in ACL

after quick test with "Allowed subnets" I see correct allowed_subnets and localnet entries in /usr/local/etc/squid/squid.conf:

acl allowed_subnets src 192.168.7.0/24 192.168.8.0/24
acl localnet src  192.168.3.0/24 fc00:55::/64
...
http_access allow allowed_subnets
http_access allow localnet

can you check it in your squid.conf?
Need more information

Actions
Copy link
 #2

Updated by Tobias Meyer about 4 years ago

Viktor Gurov wrote:

can you check it in your squid.conf?
Need more information

I can see the subnet on the URI /pkg_edit.php?xml=squid_nac.xml&id=0

Yet, I just checked and it does not show in /usr/local/etc/squid/squid.conf (excpet for the hacked location)

The allowd_subnets setting also does not show in /cf/conf/config.xml. The only references to our roadwarrior subnet are an alias definition and the OpenVPN config.

Could this be related to changes in 4.5.0? I could not install that yet.

Actions
Copy link
 #3

Updated by Viktor Gurov about 4 years ago

ACLs are blank on pre-2.4.5 pfSense,
caused by the absence of idn_to_ascii()

Fix:
https://github.com/pfsense/FreeBSD-ports/pull/834

Actions
Copy link
 #4

Updated by Jim Pingle about 4 years ago

  • Status changed from New to Pull Request Review
Actions
Copy link
 #5

Updated by Tobias Meyer about 4 years ago

Thanks for your quick update :)

I patched the file and it works as before.

Actions
Copy link
 #6

Updated by Renato Botelho about 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions
Copy link
 #7

Updated by Viktor Gurov about 4 years ago

  • Status changed from Feedback to Resolved

squid pkg 0.4.44_21 - OK

Actions
Copy link

Also available in: Atom PDF