Proxy chaining with Squid - possible?

What happened?

I tried to configure the server running Pomerium to use Squid for internet access

What did you expect to happen?

Expected that Pomerium would use Squid as a next-hop proxy for routes going to the internet

How’d it happen?

  1. Installed Pomerium on a standalone virtual server and configured Squid with environment vars (http_proxy|https_proxy) in both /etc/profile and /etc/systemd/system/pomerium.service.d/override.conf
  2. Tried accessing the configured route
  3. Saw that proxied traffic was still going directly to internet instead of to Squid

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version): 0.20.0-1668445494+9413123c
  • Server Operating System/Architecture/Cloud: RHEL 8.7

What’s your config.yaml?

# Required settings below.  See complete documentation at https://www.pomerium.com/reference/

# To run on :443 set AmbientCapabilities=CAP_NET_BIND_SERVICE
# in a systemd override
address: 0.0.0.0:443

# this is the domain the identity provider will callback after a user authenticates
authenticate_service_url: https://auth.my_internal_service.com

# certificate settings:  https://www.pomerium.com/docs/reference/certificates.html
autocert: false
certificates:
  - cert: /etc/pki/http/my_configured_cert.crt
    key: /etc/pki/http/my_configured_cert.key

shared_secret: <generated secret>
cookie_secret: <another generated secret>
idp_provider: oidc
idp_provider_url: https://sso.my_internal_service.com/auth/realms/pomerium
idp_client_id: pomerium-client-001
idp_client_secret: <sso client secret>

routes:
- from: https://test.my_internal_service.com
  to: https://internal_test.my_internal_service.com
  tls_skip_verify: true
  policy:
  - allow:
      or:
      - domain:
          is: my_internal_domain.com

What did you see in the logs?

Nothing out of the ordinary

Additional context

Is it possible to get Pomerium to send internet bound traffic to a second proxy?
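An added example for step 3 of the report (not from the original post; the route targets, the Pomerium host address and the Squid access.log lines are constructed): it parses Squid's native access.log and reports, per Pomerium route target, whether the upstream was tunnelled through Squid, refused by a Squid ACL, or never seen from the Pomerium host, which is what direct-to-internet traffic looks like from the proxy's side.

```python
import re
from urllib.parse import urlsplit
# Constructed Pomerium route targets (the `to:` side of each route); hypothetical hosts.
ROUTE_TARGETS = [
    "https://internal_test.my_internal_service.com",  # tunnelled through Squid
    "https://blocked.example.org",                     # rejected by a Squid ACL
    "https://api.example.net:8443",                    # never seen from the Pomerium host
]
PROXY_CLIENT = "10.0.0.5"  # address Squid sees for the Pomerium host (constructed)
# Constructed lines in Squid's default native access.log format:
# time elapsed client action/status bytes method url ident hierarchy/peer type
SQUID_ACCESS_LOG = """\
1668445494.101    245 10.0.0.5 TCP_TUNNEL/200 4521 CONNECT internal_test.my_internal_service.com:443 - HIER_DIRECT/203.0.113.10 -
1668445495.330     12 10.0.0.5 TCP_DENIED/403 3921 CONNECT blocked.example.org:443 - HIER_NONE/- text/html
1668445496.002    180 10.0.0.7 TCP_MISS/200 812 GET http://api.example.net:8443/v1/ping - HIER_DIRECT/198.51.100.2 text/plain
"""

LINE_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+(?P<action>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def host_port(method, url):
    """Normalise a log URL (CONNECT host:port, or a full URL) to (host, port)."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port)
    u = urlsplit(url)
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)

def parse_squid_log(text):
    """Parse native-format access.log lines; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def audit_routes(targets, entries, client):
    """Report, per route target, what Squid saw from `client`: 'proxied' (allowed),
    'denied' (blocked by a Squid ACL) or 'absent' (went direct, or the route was never hit)."""
    seen = {}
    for e in entries:
        if e["client"] != client:
            continue  # traffic from other hosts must not mask a bypass on this one
        key = host_port(e["method"], e["url"])
        allowed = "DENIED" not in e["action"] and int(e["status"]) < 400
        seen[key] = "proxied" if allowed or seen.get(key) == "proxied" else "denied"
    return {t: seen.get(host_port("GET", t), "absent") for t in targets}

if __name__ == "__main__":
    for target, verdict in audit_routes(ROUTE_TARGETS, parse_squid_log(SQUID_ACCESS_LOG), PROXY_CLIENT).items():
        print(f"{verdict:8} {target}")
```

Run against the real /var/log/squid/access.log with the Pomerium host's address as the client filter; an 'absent' verdict for a route that was just exercised means the upstream connection did not go through Squid.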

Pomerium does not currently support this. I have added an issue to track this feature request: Proxy support for outbound connections · Issue #3875 · pomerium/pomerium · GitHub.

@torch – thanks for the feature request. Could you provide a bit more context about why this is important in your environment? Would be very helpful thank you.

Hi, and thanks for looking into this.

In our environment company policy dictates that internet-bound traffic should be explicitly whitelisted and predominantly routed through a forward proxy, for security reasons and for optimization/caching.

In addition, since we’re whitelisting outbound traffic on Squid, server admins and application owners can configure access lists without involving the firewall team.

Hope that’s helpful