On 3/09/2015 11:45 a.m., Jason Enzer wrote:
> is this possible?
>
> I have src acl working fine. I can control the outgoing address/port
> and incoming address with no issues.
>
> when I introduce ncsa auth it breaks everything.
>

Order is important. Read the http_access rules carefully top-to-bottom
and you should see what's going wrong. I've annotated your rules with
steps 1-8 in order of what Squid is instructed to perform.

> acl ncsa_users proxy_auth REQUIRED
> http_access allow ncsa_users

1) REQUIRED == require authentication.
   - don't care what it is, just 401/407 if nothing is present.
   - Oops.

2) allow if authentication passed.
   - oops?

>
> acl src3171 src 23.240
> acl port3171 myportname 3171
> tcp_outgoing_address 172.4 src3171
> http_access allow src3171 port3171

3) allow if IP X arrived through http_port Y

> http_access deny src3171 port3171

4) deny if IP X arrived through http_port Y.
   - already allowed those in (3). does nothing

> http_access deny ncsa_users

5) deny if authentication was successful.
   a) Oops. see (1)
   b) already allowed those in (2). does nothing

>
>
> acl src3172 src 23.240

Typo? That is the same definition as src3171.

> acl port3172 myportname 3172
> tcp_outgoing_address 172.5 port3172
> http_access allow src3172 port3172

6) allow if IP W arrived through http_port V

> http_access deny src3172 port3172

7) deny if IP W arrived through http_port V.
   - already allowed those in (6). does nothing

8) default action: allow all other traffic

>
> so if I connect to 172.5:3172 it asks for password once authed (which
> I don't want to auth) then shows outgoing address of 172.4. I realize
> it's acl related and the acl logic isn't correct. Can someone point me
> in the right direction?

* myportname matches the exact string / text you wrote in squid.conf on
the http_port lines name= parameter, or the full-text host:port field if
that is absent. It does not match _numbers_.
So if your http_port lines actually contain IP:port or host:port then
those ACLs won't match, and a default IP is assigned by the TCP stack.

* The tcp_outgoing_address is only a hint/request from Squid to the OS
TCP stack. If you have any kind of outgoing-IP NAT / MASQUERADE rules
configured on the outgoing connection handling they can override Squid's
request to use that IP.

* If you are using TPROXY spoofing you cannot determine the outgoing-IP.
That is set by the client. Though you can disable spoofing to make
TPROXY act like a NAT.

There may be other less common things I'm overlooking. But that should
get you going a lot further.

HTH
Amos
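A squid.conf that applies the ordering Amos describes, as an added example: it is not Jason's or Amos's configuration and not from the Squid project. It assumes the two listening ports are given name= labels so that myportname has a string to match, that port 3172 should work without authentication while port 3171 requires NCSA authentication, and it uses RFC 5737 documentation addresses in place of the truncated IPs in the thread. The auth helper path is the Debian/Ubuntu default and may differ on other systems.

```conf
# Added example, not the configuration from the thread. All addresses,
# port names and the helper path are assumptions.

# NCSA basic auth helper (path varies by distribution).
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Name the listening ports: myportname compares against the name= text,
# not against the port number, so "myportname 3171" would never match.
http_port 3171 name=port3171
http_port 3172 name=port3172

acl port3171 myportname port3171
acl port3172 myportname port3172

# Clients permitted on each port (assumed ranges).
acl src3171 src 192.0.2.0/24
acl src3172 src 203.0.113.0/24

acl ncsa_users proxy_auth REQUIRED

# Choose the outgoing address by the port the request arrived on. This is
# first-match too, so keying on the port keeps a client that sits in both
# source ranges from always getting the first address.
tcp_outgoing_address 198.51.100.4 port3171
tcp_outgoing_address 198.51.100.5 port3172

# http_access is evaluated top-down; the first line whose ACLs all match wins.
# 1) The unauthenticated port goes first, so its clients never reach the
#    auth rule and never see a 407 challenge.
http_access allow port3172 src3172
# 2) The authenticated port: all three ACLs must match. ncsa_users is last
#    on the line, so Squid only challenges clients that already passed the
#    port and source checks.
http_access allow port3171 src3171 ncsa_users
# 3) Explicit final deny, so the default action (opposite of the last rule)
#    is never relied on.
http_access deny all
```

With the thread's original rules, tcp_outgoing_address was keyed on src3171 and src3172 was defined identically, so a client on port 3172 matched the src3171 line first and was given the first address; selecting by myportname avoids that. As Amos notes, the address Squid asks for can still be rewritten by outgoing NAT or MASQUERADE rules, and under TPROXY spoofing it is the client's address that is used.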