Page MenuHomeVyOS Platform
Create Task
Maniphest T3299

Allow the web proxy service to listen on all IP addresses
Closed, ResolvedPublicBUG
Actions

Description

Currently, an explicit locally configured listen-address is required in the webproxy configuration. But there might be situations when an IP address assigning dynamically or can change during work. For such cases, the http_port option in the squid.conf should contain IP address 0.0.0.0 or only port value.
Of course, this is an insecure config, but it can be protected by a firewall rule.

We need to allow 0.0.0.0 in listen-address or make it non-mandatory to fix this.

Details

Difficulty level
Easy (less than an hour)
Version
1.4-rolling-202102060218, 1.3
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Improvement (missing useful functionality)

Related Objects

Mentioned In
1.3.3
1.3.1

Event Timeline

zsdc created this task.Feb 10 2021, 5:38 PM
Viacheslav added a project: VyOS 1.4 Sagitta.Feb 10 2021, 9:02 PM
Viacheslav added a subscriber: Viacheslav.Feb 10 2021, 9:12 PM

PR https://github.com/vyos/vyos-1x/pull/728

set service webproxy default-port '3128'
set service webproxy listen-address 0.0.0.0 disable-transparent
set service webproxy url-filtering squidguard default-action 'block'
set service webproxy url-filtering squidguard local-ok 'vyos.io'
set service webproxy url-filtering squidguard local-ok 'forum.vyos.io'
commit

check connections

vyos@r2-roll:~$ show system connections | match 3128
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
Viacheslav claimed this task.Feb 10 2021, 9:12 PM
Viacheslav removed Viacheslav as the assignee of this task.Feb 15 2021, 6:01 PM
Viacheslav changed the task status from Open to Needs testing.Feb 22 2021, 10:46 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Nov 6 2021, 11:24 AM
Viacheslav closed this task as Resolved.Dec 27 2021, 6:45 PM
Viacheslav reopened this task as Backport candidate.
Viacheslav claimed this task.
Viacheslav moved this task from Need Triage to Backport Candidates on the VyOS 1.4 Sagitta board.
Viacheslav added a comment.Jan 9 2022, 2:56 PM

Cherry-pick PR https://github.com/vyos/vyos-1x/pull/1146

Viacheslav edited projects, added VyOS 1.3 Equuleus ( 1.3.1); removed VyOS 1.3 Equuleus (1.3.0).Jan 9 2022, 2:56 PM
Viacheslav closed this task as Resolved.Jan 10 2022, 9:32 AM
Viacheslav moved this task from Backport Candidates to Finished on the VyOS 1.4 Sagitta board.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
dmbaturin renamed this task from Webproxy is prohibited from listening on all IP addresses to Allow the web proxy service to listen on all IP addresses.Mar 21 2022, 8:06 AM
dmbaturin set Issue type to Improvement (missing useful functionality).
dmbaturin mentioned this in 1.3.1.Jun 11 2022, 8:40 AM
dmbaturin mentioned this in 1.3.3.Sep 22 2022, 10:56 AM