Squid authentication problem


Squid authentication problem

Sonya Roy
Hi,

I am running squid on a server with multiple public IPs and I want some users to be able to access the proxy through some of the IPs and other users through other IPs.

At the moment I have acl rules of the form:-
acl abcd myip x.x.x.x

and for these acl rules I have these tcp_outgoing_address:-
tcp_outgoing_address x.x.x.x abcd

And earlier I had proxy_auth acl rules separately, but that allowed any authenticated users to be able to access the proxy through any of those IPs. Since I wanted some users to be able to use the server through some IPs and others through different IPs, I tried this in those acl rules:-

acl abcd myip x.x.x.x proxy_auth user1

and so on. But this doesn't seem to work and I realized that the proxy_auth acl rules need to be separate from these. Is there any workaround for this?

With regards,
Sonya Roy

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid authentication problem

Amos Jeffries
Administrator

On 18/06/17 17:50, Sonya Roy wrote:
> Hi,
>
> I am running squid on a server with multiple public IPs and I want
> some users to be able to access the proxy through some of the IPs and
> other users through other IPs.
>
> At the moment I have acl rules of the form:-
> acl abcd myip x.x.x.x
>

What you need is an ACL that compares the username to the IP.

<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_file_userip_acl.html>
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_edirectory_userip_acl.html>
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_sql_session_acl.html>

or the new 'extras' feature for authenticators in Squid-3.5 that lets
them use the IP as part of the auth approval. Though with this the thing
to be aware of is that the IP becomes like a scope for the user login -
the wrong IP being used to login from results in re-auth challenge just
as would be seen if the password was wrong. So use carefully.
  <http://www.squid-cache.org/Doc/config/auth_param/>
  <http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html#ss2.2>

> and for these acl rules I have these tcp_outgoing_address:-
> tcp_outgoing_address x.x.x.x abcd
>

Why limit the outgoing? In HTTP that is independent of the incoming
connection and restricting it will lower performance.

> And earlier I had proxy_auth acl rules separately, but that allowed
> any authenticated users to be able to access the proxy through any of
> those IPs. Since I wanted some users to be able to use the server
> through some IPs and others through different IPs, I tried this in
> those acl rules:-
>
> acl abcd myip x.x.x.x proxy_auth user1

FTR: that will match the IP address x.x.x.x and the IP address(es) of
the servers with hostnames "proxy_auth" and "user1" in your local DNS.

Also, the myip ACL is deprecated because it matched different things
based on the traffic type. myportname or localip ACLs are better if you
need to do this at all. Your "squid -k parse" config checks should warn
you about that.

Amos
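
Added example, not part of the original thread and not configuration posted by either participant: a squid.conf fragment that keeps the address ACLs and the proxy_auth ACLs separate and combines them on the http_access lines, using localip in place of the deprecated myip. The addresses (RFC 5737 documentation ranges), ACL names and user names are constructed placeholders, and an auth_param scheme is assumed to be configured already.

```conf
# Constructed example: addresses, ACL names and user names are placeholders.
# Assumes an "auth_param ..." authentication scheme is already configured.

# Local (listening) addresses of the proxy. Each acl line has exactly one
# type; every value after the type is parsed as a value of that type.
acl via_ip_a localip 192.0.2.10
acl via_ip_b localip 192.0.2.20

# User lists, declared as their own proxy_auth ACLs.
acl users_a proxy_auth user1 user2
acl users_b proxy_auth user3

# ACLs named on one http_access line are ANDed: the request must arrive
# on the listed local address AND carry credentials for a listed user.
http_access allow via_ip_a users_a
http_access allow via_ip_b users_b

# Anything else, including a valid user on the wrong address, is refused.
http_access deny all
```

Run "squid -k parse" after editing to confirm the file loads without deprecation warnings.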