Big Thanks Amos!!

I think setting different http_ports for the customers will work best for me.
Don't know why I haven't thought about that. Easy & simple

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Monday, 22 November 2010 02:38
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: tcp_outgoing_address problem/miss configuration

On Sun, 21 Nov 2010 17:14:01 +0100, abuhle <abuhle132@xxxxxxxxxxxxxx> wrote:
> Does nobody have a tip for me ?!
> I have tried different combinations of the http_access rules over the
> weekend with no success.

The config you showed below should be working if we assume you have a
regular forward-proxy http_port settings and network topology.

"myip"/"myport" as the documentation says does not work reliably, NAT and
TPROXY modes screw them up completely.

You could try http_port listening on each specific IP. Or also named
http_port with myportname ACL.

Amos

>
> All users that have access with their SRC-address are able to use
> every tcp_outgoing_address but they should be only allowed to use
> their specific configured ones.
> Thanks.
>
> 2010/11/18 abuhle <abuhle132@xxxxxxxxxxxxxx>:
>> Hello Squid-Community,
>>
>> I have a Squid 2.7 installed and would like to achieve that a user is
>> only allowed to go out over their specified tcp_outgoing_address.
>> The configuration is working almost perfect, but it seems I have a
>> small failure in it.
>>
>> Problem: As long as a customer has access to the proxy (defined with
>> SRC-ACL) he can set ANY defined tcp_outgoing_address besides the
>> specified ones.
>> The tcp_outgoing_address used by the proxy (in the case a user sets an
>> other tcp_outgoing_address than he has assigned) is always the last
>> configured tcp_outgoing_address in the conf file.
>>
>> Solution: A user should not be able to (guess and) use other
>> tcp_outgoing_addresses than the ones configured for him.
>>
>> Example: In the config below the user SMTM has the addresses
>> 109.123.109.8, 109.123.109.9 and 109.123.109.10 assigned BUT he has
>> also access when he uses 109.123.109.11.
>> In that case the tcp_outgoing_address used by the proxy is always the
>> last created tcp_outgoing_address entry (in that example
>> 109.123.93.201)
>>
>> Here is the config part:
>> -----------------------------------------------------------
>> acl dk src 3.3.3.3
>> acl smtm src 3.3.3.4
>>
>> acl dkip1 myip 109.123.109.11
>> acl dkip2 myip 109.123.109.12
>> acl dkip3 myip 109.123.93.201
>>
>> acl smtmip1 myip 109.123.109.8
>> acl smtmip2 myip 109.123.109.9
>> acl smtmip3 myip 109.123.109.10
>>
>> acl dkmax maxconn 1
>> acl smtmmax maxconn 2
>>
>> http_access deny purge
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow admin-allow
>> http_access deny admin-deny
>> http_access allow dk
>> http_access deny dkmax dk
>> http_access deny dk
>>
>> http_access allow smtm
>> http_access deny smtmmax smtm
>> http_access deny smtm
>>
>> http_access deny all
>>
>> tcp_outgoing_address 109.123.109.8 smtmip1 smtm
>> tcp_outgoing_address 109.123.109.9 smtmip2 smtm
>> tcp_outgoing_address 109.123.109.10 smtmip3 smtm
>>
>> tcp_outgoing_address 109.123.109.11 dkip1 dk
>> tcp_outgoing_address 109.123.109.12 dkip2 dk
>> tcp_outgoing_address 109.123.93.201 dkip3 dk
>> -----------------------------------------------------------------------------------
>>
>> Can anyone tell me what the Problem is ?!
>> Any suggestions ?
>>
>> Thanks&Regards,
>> Daniel
>>
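
A sketch of the named-http_port approach suggested in this thread, as an added example that is not taken from any poster's configuration: each address gets its own named listener, and http_access requires the client's source address and the listener name to belong to the same customer, so a request arriving on another customer's listener is denied before an outgoing address is chosen. The port number 3128, the listener names and the combined ACL names are assumptions; the addresses and maxconn limits are the ones quoted above.

```squidconf
# Constructed example. Port 3128 and the listener names are assumptions.
# One named listener per customer-facing address.
http_port 109.123.109.8:3128  name=smtm1
http_port 109.123.109.9:3128  name=smtm2
http_port 109.123.109.10:3128 name=smtm3
http_port 109.123.109.11:3128 name=dk1
http_port 109.123.109.12:3128 name=dk2
http_port 109.123.93.201:3128 name=dk3

acl dk   src 3.3.3.3
acl smtm src 3.3.3.4

# myportname matches the listener the request arrived on, replacing myip.
acl smtmport1 myportname smtm1
acl smtmport2 myportname smtm2
acl smtmport3 myportname smtm3
acl smtmports myportname smtm1 smtm2 smtm3

acl dkport1 myportname dk1
acl dkport2 myportname dk2
acl dkport3 myportname dk3
acl dkports myportname dk1 dk2 dk3

acl dkmax   maxconn 1
acl smtmmax maxconn 2

# The purge / Safe_ports / CONNECT / admin rules from the quoted config
# stay above this point. http_access is first-match, so the connection
# limits are placed before the allow rules.
http_access deny  dk   dkmax
http_access deny  smtm smtmmax
http_access allow dk   dkports
http_access allow smtm smtmports
http_access deny  all

# Outgoing address follows the listener, still pinned to the customer.
tcp_outgoing_address 109.123.109.8  smtm smtmport1
tcp_outgoing_address 109.123.109.9  smtm smtmport2
tcp_outgoing_address 109.123.109.10 smtm smtmport3

tcp_outgoing_address 109.123.109.11 dk dkport1
tcp_outgoing_address 109.123.109.12 dk dkport2
tcp_outgoing_address 109.123.93.201 dk dkport3
```

After a reconfigure, a request from 3.3.3.4 sent to 109.123.109.11:3128 should show up in access.log as TCP_DENIED.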