On 14/01/2016 3:29 a.m., Billy.Zheng (zw963) wrote: > > It seem like i missing so many reply, Sorry for all. > > I try to reproduce everything about what I did in this reply. > > Currently, I use newer compile version Squid (3.5.12), see wiki, it > should support arp acl originally, following is copy from WIKI. > >> The arp ACL requires the special configure option --enable-arp-acl in >> Squid-3.1 and older, for newer Squid versions EUI-48 (aka MAC address) >> support is enabled by default. Furthermore, the ARP / EUI-48 code is >> not portable to all operating systems. It works on Linux, Solaris, >> and some *BSD variants. > > So, I think squid arp acl support is not the key. If you mean that you think it will not work, you are correct. > > following is my whole config worked for CentOS 7, my need is connection > to Squid server with my own laptop(with MAC address), no password is need. Why that requirement? > > following is my network info, hope can help. > > my laptop is connection to internet through a old WIFI router. > when I run traceroute in my laptop with WIFI conn, can not found any useful info. > > traceroute to MY_VPS_IP (MY_VPS_IP), 30 hops max, 60 byte packets > 1 localhost (192.168.1.1) 2.017 ms 3.294 ms 3.549 mspp > 2 MY_VPS_IP (MY_VPS_IP) 101.182 ms !X 101.965 ms !X 104.812 ms !p > > unless I connection my laptop directly to router with wired conn, > can output meaningful route infomation. > > ------------------------- config begin ------------------------------ > > debug_options 11,2 > > auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid.passwd > auth_param basic children 5 > auth_param basic realm Squid proxy-caching web server > auth_param basic credentialsttl 2 hours > auth_param basic casesensitive on > > acl localnet src 10.0.0.0/8 # RFC1918 possible internal network > acl localnet src 172.16.0.0/12 # RFC1918 possible internal network > acl localnet src 192.168.0.0/16 # RFC1918 possible internal network > acl localnet src fc00::/7 # RFC 4193 local private network range > acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines > > acl SSL_ports port 443 > acl Safe_ports port 80 # http > acl Safe_ports port 21 # ftp > acl Safe_ports port 443 # https > acl Safe_ports port 70 # gopher > acl Safe_ports port 210 # wais > acl Safe_ports port 1025-65535 # unregistered ports > acl Safe_ports port 280 # http-mgmt > acl Safe_ports port 488 # gss-http > acl Safe_ports port 591 # filemaker > acl Safe_ports port 777 # multiling http > acl CONNECT method CONNECT > acl proxy_ports localport 8087 # http proxy port > > http_access deny !Safe_ports > http_access deny CONNECT !SSL_ports > > http_access allow localhost manager > http_access deny manager > > acl advance_users arp MY_LAPTOP_MAC_ADDRESS > http_access allow advance_users proxy_ports > > acl superuser proxy_auth zw963 > http_access allow superuser proxy_ports > > acl authorized_users proxy_auth REQUIRED > acl over_conn_limit maxconn 3 > > http_access deny over_conn_limit authorized_users > http_access allow authorized_users proxy_ports > > http_access allow localnet > http_access allow localhost > http_access deny all > > https_port 8087 cert=/etc/squid/cert.pem key=/etc/squid/key.pem This port receives TLS (HTTPS) connections. You need special browser configuration to connect to a proxy using TLS. The only browser that supports this is Chrome when configured with a PAC file or when run manually with special command line options. > ------------------ config end --------------------- > > When I use w3m connection to google, w3m tell me user/password is need. > > following is squid log: > > ==================================== log begin ===================================== > > ==> /var/log/squid/cache.log <== > 2016/01/13 14:19:07.952 kid1| 11,2| client_side.cc(2345) parseHttpRequest: HTTP Client local=*** remote=*** FD 14 flags=1 Your rules are al IP and port based. You elided the IP:port information with "***" > > ==> /var/log/squid/access.log <== > 1452694747.953 1 60.221.132.137 TCP_DENIED/407 4130 GET http://www.google.com/ - HIER_NONE/- text/html > ****** - - [13/Jan/2016:14:19:07 +0000] "GET http://www.google.com/ > HTTP/1.0" 407 4130 "-" "w3m/0.5.3+debian-15" TCP_DENIED:HIER_NONE ?? you have both Squid format and Apache format log records being put into the same log? > > ======================================= log end ================================ > > I have no idea why squid Auth is need when I connection from my laptop. > this situation is same as when no following acl is used. > >>> acl advance_users arp MY_LAPTOP_MAC_ADDRESS >>> http_access allow advance_users proxy_ports > The access.log says the request came from a remote Internet IP address outside your LAN. That is why ARP is not working. ARP / MAC address in IPv4 only works within a single flat subnet where all devices are directly connected. As soon as packets go through a router the MAC/ARP address is changed. IPv6 this is somewhat better, since SLAAC configuration sends the EUI-64 address as part of the client IPv6 address. When that happens the MAC is visible through router hops. But when DHCP or "Privacy" addressing is used the EUI/MAC is not available at all even in the same subnet. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
