bytedance/g3

Determine auth based upon source IP in g3proxy

Closed this issue · 3 comments

Hey! I have been using Squid for a long time, and I came across your project and was super excited. Thanks for all the time and effort you and the team have put into this!

I was hoping you could point me in the right direction. Today in Squid, I can use the code block, and allow all traffic from localhost, without authentication like so:

# Allow localhost access without auth
acl localnet src 127.0.0.1/8
http_access allow localnet

# Allow any user that is not 127.0.0.1/8, to access with auth.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
acl authenticated proxy_auth ${squid_username}
http_access allow authenticated

Problem: I have some applications that do not support using authentication when defining the http proxy, only host and port. For this use-case, I create a tunnel using proxytunnel, to bind a port locally, and then forward through that, without auth, to localhost on the Squid host, which allows me to solve the problem.

/usr/bin/proxytunnel -v -E --passfile=~/.proxytunnel_credentials--proxy=${PROXY_HOST}:${PROXY_PORT} --dest=localhost:8080  --standalone=${LOCAL_BIND_PORT}

This double tunneling is obviously not great for certain scenarios, but it does allow me to do what I need to do.

My understanding of g3proxy right now is that as soon as you apply a user group to the server block, it requires all users to authenticate using any user group allowed in that block, regardless of source IP.

Is there a way to do the same in g3proxy, to require authentication from everywhere, except from localhost?

My understanding of g3proxy right now is that as soon as you apply a user group to the server block, it requires all users to authenticate using any user group allowed in that block, regardless of source IP.

You can enable the anonymous_user in user_group config and set it to only allow ingress network 127.0.0.0/8. But it won't work for Java http clients as the response for unauthorized requests from other networks will be 403 instead of 407.

Is there a way to do the same in g3proxy, to require authentication from everywhere, except from localhost?

You can add another unauthorized server along with the previous authorized one, by listening to different socket address (127.0.0.1:3128 and 0.0.0.0:3128). Ingress network ACL can be set at server level.

While brainstorming (before you responded) I tried the additional server block and that worked, however, the anonymous user is cleaner and works exactly as intended.

Thanks again for being incredibly responsive in this repo. I owe you a beer!

with c52c373 now g3proxy will return 407 when denied by anonymous user's ingress network ACL