external ACL based on requested port?

external ACL based on requested port?

Kevin Kretz
Hi,

I'm using an external ACL script to allow/limit access based on some factors including (authenticated) username, client IP, the domain of the requested URL.

I'd also like to base the access on the port of the destination.  Most would just be 80 or 443, but I'd like to limit/allow access to particular ports with the external script based on the other factors (a rule that would allow a connection to domain.com on port 80 from user 'user' coming from his IP address, for example), so a simple "acl allow_port port 80" would be too broad.

It looks, though, like the <lp format code doesn't have a value until after the connection is made (or attempted) so I can't use it for this purpose.

Is there a way to provide the desired port to the external ACL along with the other information?


thanks

Kevin


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: external ACL based on requested port?

Alex Rousskov
On 11/29/18 3:53 PM, Kevin Kretz wrote:

> I'd also like to base the access on the port of the destination.

> Is there a way to provide the desired port to the external ACL along
> with the other information?

How about using one of the following %codes?

 [http::]>ru     Request URL from client
 [http::]>rP     Request URL port from client

You may need to handle default ports on your own, and you may need to be
careful about requests on pinned connections (e.g., bumped HTTPS traffic
and connection-based authentication), but I think it should work in
principle.

Alex.
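
An added example, not part of the original thread and not Squid's own code: a minimal external ACL helper that takes the port from the `>rP` field and falls back to the request URL when that field is empty, which is the default-port handling the reply mentions. The four-field input order (user, client IP, `>ru`, `>rP`), the policy table and the function names are assumptions.

```python
import sys
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

# Constructed sample policy: (user, client IP, domain) -> allowed ports.
POLICY = {
    ("user", "192.0.2.10", "domain.com"): {80},
    ("user", "192.0.2.10", "example.org"): {443, 8443},
}

def _split(url):
    # CONNECT requests carry "host:port" with no scheme; make that parseable.
    return urlsplit(url if "://" in url else "//" + url)

def effective_port(url, port_field):
    """Return the destination port as an int, or None if it is unknown."""
    if port_field.isdecimal() and 0 < int(port_field) < 65536:
        return int(port_field)
    # Port field was empty or "-": use the URL's explicit port, else the
    # scheme default. An unknown scheme yields None, which is denied later.
    parts = _split(url)
    try:
        port = parts.port
    except ValueError:  # malformed or out-of-range port in the URL
        return None
    return port if port is not None else DEFAULT_PORTS.get(parts.scheme.lower())

def decide(line):
    """Map one helper input line to "OK" (allow) or "ERR" (deny)."""
    # Split first, then decode, so an escaped space stays inside its field.
    fields = [unquote(f) for f in line.split()]
    if len(fields) != 4:
        return "ERR"  # fail closed on unexpected input
    user, client_ip, url, port_field = fields
    host = (_split(url).hostname or "").lower()
    port = effective_port(url, port_field)
    return "OK" if port in POLICY.get((user, client_ip, host), set()) else "ERR"

if __name__ == "__main__":
    # Helper loop: one request line in, one verdict line out, flushed each time.
    for request in sys.stdin:
        sys.stdout.write(decide(request) + "\n")
        sys.stdout.flush()
```
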