
Webproxy is prohibited from listening on all IP addresses
Needs testing, Requires assessment | Public | BUG

Description

Currently, an explicit locally configured listen-address is required in the webproxy configuration. But there might be situations when an IP address is assigned dynamically or can change during operation. For such cases, the http_port option in squid.conf should contain the IP address 0.0.0.0 or only the port value.
Of course, this is an insecure config, but it can be protected by a firewall rule.

We need to allow 0.0.0.0 in listen-address or make it non-mandatory to fix this.

Details

Difficulty level
Easy (less than an hour)
Version
1.4-rolling-202102060218, 1.3
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible

Event Timeline

PR https://github.com/vyos/vyos-1x/pull/728

set service webproxy default-port '3128'
set service webproxy listen-address 0.0.0.0 disable-transparent
set service webproxy url-filtering squidguard default-action 'block'
set service webproxy url-filtering squidguard local-ok 'vyos.io'
set service webproxy url-filtering squidguard local-ok 'forum.vyos.io'
commit

check connections

vyos@r2-roll:~$ show system connections | match 3128
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
Viacheslav changed the task status from Open to Needs testing. Mon, Feb 22, 10:46 AM
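
Added example (not part of the task or of the VyOS code base): a small Python check that reads squid.conf text and reports every http_port directive that binds all addresses (0.0.0.0, [::] or a bare port), which is the case this task allows and says should be covered by a firewall rule. The sample configuration and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample squid.conf fragment (not taken from a real system).
SAMPLE_CONF = """\
# listeners
http_port 192.0.2.1:3128 intercept
http_port 0.0.0.0:3128
http_port 3129
http_port [::]:3130
http_port [2001:db8::1]:3131
acl localnet src 192.0.2.0/24
"""

def parse_http_port(line):
    """Return (host, port) for an http_port directive, else None.
    host is None when only a port is given (Squid then binds all addresses)."""
    fields = line.split('#', 1)[0].split()
    if len(fields) < 2 or fields[0] != 'http_port':
        return None
    spec = fields[1]
    if spec.startswith('['):          # bracketed IPv6: [addr]:port
        host, _, port = spec[1:].partition(']:')
    elif ':' in spec:                 # IPv4 or hostname: host:port
        host, _, port = spec.rpartition(':')
    else:                             # bare port
        host, port = None, spec
    return host, int(port)

def is_wildcard(host):
    """True when the listener is reachable on every local address."""
    if host is None:
        return True
    try:
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False                  # a hostname; not a wildcard bind

def wildcard_listeners(conf_text):
    """Ports of all http_port directives that bind every address."""
    found = []
    for line in conf_text.splitlines():
        parsed = parse_http_port(line)
        if parsed and is_wildcard(parsed[0]):
            found.append(parsed[1])
    return found

if __name__ == '__main__':
    for port in wildcard_listeners(SAMPLE_CONF):
        print(f"http_port {port} listens on every address; restrict it with a firewall rule")
```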