AW: tcp_outgoing_address problem/miss configuration

Big Thanks Amos!!

I think setting different http_ports for the customers will work best for me. 
Don't know why I haven't thought about that. Easy & simple

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Monday, 22 November 2010 02:38
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re:  tcp_outgoing_address problem/miss configuration

On Sun, 21 Nov 2010 17:14:01 +0100, abuhle <abuhle132@xxxxxxxxxxxxxx>
wrote:
> Does nobody have a tip for me ?!
> I have tried different combinations of the http_access rules over the 
> weekend with no success.

The config you showed below should be working if we assume you have regular forward-proxy http_port settings and network topology.
"myip"/"myport" as the documentation says does not work reliably, NAT and TPROXY modes screw them up completely.

You could try http_port listening on each specific IP.

Or also named http_port with myportname ACL.

Amos

> 
> All users that have access with their SRC-address are able to use 
> every tcp_outgoing_address but they should be only allowed to use 
> their specific configured ones.
> Thanks.
> 
> 2010/11/18 abuhle <abuhle132@xxxxxxxxxxxxxx>:
>> Hello Squid-Community,
>>
>> I have a Squid 2.7 installed and would like to achieve that a user is 
>> only allowed to go out over their specified tcp_outgoing_address.
>> The configuration is working almost perfectly, but it seems I have a 
>> small failure in it.
>>
>> Problem: As long as a customer has access to the proxy (defined with
>> SRC-ACL) he can set ANY defined tcp_outgoing_address besides the 
>> specified ones.
>> The tcp_outgoing_address used by the proxy (in case a user sets 
>> another tcp_outgoing_address than the one he has assigned) is always the last 
>> configured tcp_outgoing_address in the conf file.
>>
>> Solution: A user should not be able to (guess and) use other 
>> tcp_outgoing_addresses than the ones configured for him.
>>
>> Example: In the config below the user SMTM has the addresses 
>> 109.123.109.8, 109.123.109.9 and 109.123.109.10 assigned BUT he has 
>> also access when he uses 109.123.109.11.
>> In that case the tcp_outgoing_address used by the proxy is always the 
>> last created tcp_outgoing_address entry (in that example
>> 109.123.93.201)
>>
>> Here is the config part:
>> -----------------------------------------------------------
>> acl dk src 3.3.3.3
>> acl smtm src 3.3.3.4
>>
>> acl dkip1 myip 109.123.109.11
>> acl dkip2 myip 109.123.109.12
>> acl dkip3 myip 109.123.93.201
>>
>> acl smtmip1 myip 109.123.109.8
>> acl smtmip2 myip 109.123.109.9
>> acl smtmip3 myip 109.123.109.10
>>
>> acl dkmax maxconn 1
>> acl smtmmax maxconn 2
>>
>> http_access deny purge
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow admin-allow
>> http_access deny admin-deny
>> http_access allow dk
>> http_access deny dkmax dk
>> http_access deny dk
>>
>> http_access allow smtm
>> http_access deny smtmmax smtm
>> http_access deny smtm
>>
>> http_access deny all
>>
>> tcp_outgoing_address 109.123.109.8 smtmip1 smtm
>> tcp_outgoing_address 109.123.109.9 smtmip2 smtm
>> tcp_outgoing_address 109.123.109.10 smtmip3 smtm
>>
>> tcp_outgoing_address 109.123.109.11 dkip1 dk
>> tcp_outgoing_address 109.123.109.12 dkip2 dk
>> tcp_outgoing_address 109.123.93.201 dkip3 dk
>>
>> -----------------------------------------------------------
>>
>> Can anyone tell me what the Problem is ?!
>> Any suggestions ?
>>
>> Thanks&Regards,
>> Daniel
>>
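
The approach suggested in the reply (one http_port per listening IP, named, and matched with a myportname ACL instead of myip), written out as an added example that is not part of the original thread or of anyone's actual configuration. Port 3128 and the listener and ACL names are assumptions; the addresses are the ones quoted above, and the thread's other http_access lines (purge, Safe_ports, admin rules) are left out for brevity.

```conf
# Added example (constructed). Port 3128 and all listener/ACL names are
# assumptions; source and outgoing addresses are taken from the thread.

# One named listener per address a customer connects to.
http_port 109.123.109.8:3128   name=smtm_a
http_port 109.123.109.9:3128   name=smtm_b
http_port 109.123.109.10:3128  name=smtm_c
http_port 109.123.109.11:3128  name=dk_a
http_port 109.123.109.12:3128  name=dk_b
http_port 109.123.93.201:3128  name=dk_c

# Customers, identified by source address as in the original config.
acl dk   src 3.3.3.3
acl smtm src 3.3.3.4

# Match on the listener the request arrived on rather than on myip.
acl on_smtm_a myportname smtm_a
acl on_smtm_b myportname smtm_b
acl on_smtm_c myportname smtm_c
acl on_dk_a   myportname dk_a
acl on_dk_b   myportname dk_b
acl on_dk_c   myportname dk_c

# Grouped per customer for the access rules.
acl on_smtm_any myportname smtm_a smtm_b smtm_c
acl on_dk_any   myportname dk_a dk_b dk_c

# A customer is admitted only on its own listeners. A request from
# 3.3.3.4 arriving on a dk listener (or the reverse) matches neither
# allow line and is rejected by the final deny.
http_access allow smtm on_smtm_any
http_access allow dk   on_dk_any
http_access deny all

# Outgoing address follows the listener, and only for the owning customer.
tcp_outgoing_address 109.123.109.8   smtm on_smtm_a
tcp_outgoing_address 109.123.109.9   smtm on_smtm_b
tcp_outgoing_address 109.123.109.10  smtm on_smtm_c
tcp_outgoing_address 109.123.109.11  dk   on_dk_a
tcp_outgoing_address 109.123.109.12  dk   on_dk_b
tcp_outgoing_address 109.123.93.201  dk   on_dk_c
```

The difference from the quoted config is that the source ACL and the listener ACL are combined in http_access itself, so a mismatched pair is refused before any tcp_outgoing_address line is consulted.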



