Score:0

Squid proxy service configuration issue

I have installed squid proxy to filter outbound traffic from docker. Specifically, I created a jupyterhub environment with docker in order to isolate each user and give them their virtual environment.

Now I would like to go and filter outbound traffic so that they can only access certain domains and the service installed locally with jupyterhub's docker.

Calling the proxy with cURL works fine. It only allows the domains entered and lets us access the local jupyterhub service. When opening it from the web interface, however, this error occurs:

[screenshot of the error; image not included]

I have enabled the service at IP 172.17.0.1 and port 8081, and the cURL test is working.

How can I fix it?

Some configs:

config.json (~/.config.json):

{
  "proxies": {
    "default": {
      "httpProxy": "http://127.0.0.1:3128",
      "httpsProxy": "http://127.0.0.1:3128",
      "noProxy": "127.0.0.0/8"
    }
  }
}

squid.conf (/etc/squid/squid.conf):

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl localnet src 172.17.0.1/32

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT

#### 23/06/2021 #############
acl jupyterhub_port port 8081
acl jupyterhub_addr dst 172.17.0.1
http_access allow jupyterhub_port jupyterhub_addr

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

###### 18/06/2021

acl whitelist dstdomain .python.org .pypi.org .pythonhosted.org .pypa.io .yahoo.com
http_access allow whitelist

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

curl through proxy:

curl http://172.17.0.1:8081/hub/api --proxy 127.0.0.1:3128
{"version": "1.4.1"}

Comment by djdomi:
try to add the IP to the whitelist acl?

Score:0

In the end, my config file was right ;) I just made the mistake of specifying localhost in config.json (~/.config.json) instead of the LAN IP address (docker is an external environment):

{
  "proxies": {
    "default": {
      "httpProxy": "http://172.31.31.111:3128",
      "httpsProxy": "http://172.31.31.111:3128",
      "noProxy": "172.31.33.81/8"
    }
  }
}
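
An added example, not part of the original answer: Docker passes the `proxies` block to each container as proxy environment variables, so this check flags a loopback proxy address (the mistake described above) and `noProxy` CIDR entries with host bits set. The function name `audit_proxies` and the finding codes are hypothetical, and containers are assumed to use bridge networking rather than `--network host`.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# The two "proxies" blocks quoted on this page (question first, then answer).
QUESTION_CFG = ('{"proxies": {"default": {"httpProxy": "http://127.0.0.1:3128", '
                '"httpsProxy": "http://127.0.0.1:3128", "noProxy": "127.0.0.0/8"}}}')
ANSWER_CFG = ('{"proxies": {"default": {"httpProxy": "http://172.31.31.111:3128", '
              '"httpsProxy": "http://172.31.31.111:3128", "noProxy": "172.31.33.81/8"}}}')


def _is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames are not resolved in this example


def audit_proxies(config_text):
    """Return (field, code, detail) findings for the "default" proxies block."""
    default = json.loads(config_text).get("proxies", {}).get("default", {})
    findings = []
    for field in ("httpProxy", "httpsProxy"):
        host = urlsplit(default.get(field, "")).hostname
        if host and _is_loopback(host):
            # Inside a container, loopback is the container's own interface,
            # so a proxy listening on the Docker host is not reachable there.
            findings.append((field, "loopback-proxy", host))
    for entry in default.get("noProxy", "").split(","):
        entry = entry.strip()
        if "/" not in entry:
            continue  # plain host or domain suffix: nothing to check here
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError:
            continue  # not an address/prefix pair
        if iface.ip != iface.network.network_address:
            # Host bits are set: read as a CIDR, the entry covers this network.
            findings.append(("noProxy", "cidr-host-bits", str(iface.network)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CFG), ("answer", ANSWER_CFG)):
        print(name, audit_proxies(cfg))
```

How a CIDR in `noProxy` is honored varies by client, so the second finding reports the widest reading: `172.0.0.0/8` contains both 172.17.0.1 and the proxy address 172.31.31.111, and requests to any address in that range would skip the Squid allowlist in a client that applies it.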