On 11/07/2014 2:34 p.m., freefall12 wrote: > some http proxy service providers here just assigned an unique proxy address > and port to a user, and the user just need to enter the necessary proxy > address and port to get access.I think this method is superior to username > and password authentication, and also,this makes it possible to proxy a lot > of mobile apps on ios devices and android which don't support traditional > proxy authentication. i found they are using squid for caching and proxying. > can squid alone achieve this? Thank you > The myportname type ACL is used to match the Squid listening http_port. * be aware that there is zero security verification that the client accessing the port is the one you believe it to be. It is far inferior to authentication, and this type of proxy protection can leave your Squid as an "open proxy" / "open relay". For matching remote client IP:port details it is not possible because the source port is randomised by TCP on every connection. Beyond that killer problem all modern clients have between 2 and 8 IP addresses, and the IPv6 so-called "privacy address" changes its value randomly every few minutes. On the subject of superiority, allowing an unverified access is inferior to allowing a verified access. Authentication is simply the name for *the* process of verifing some details are from the source they claim to be (whether that detail be an IP:port or a user:password). So by definition authorizing access to an IP:port without authenticating the IP:port values first is inferior security. Yes allowing based on IP:port (or just IP as usually done) allows a lot of applications that are not compliant with HTTP through the proxy. It also allows a lot of attack types to happen far more easily. Your choice. Amos
