> Why that requirement?

I hope to connect to the Squid server with only my own laptop; no password is needed.

> This port receives TLS (HTTPS) connections. You need special browser
> configuration to connect to a proxy using TLS. The only browser that
> supports this is Chrome when configured with a PAC file or when run
> manually with special command line options.

I use stunnel for this; it works well. For my browser, I only need the proxy 127.0.0.1:8087.

> ?? you have both Squid format and Apache format log records being put
> into the same log?

I specify the access.log format; I didn't upload that config for this discussion.

> The access.log says the request came from a remote Internet IP address
> outside your LAN. That is why ARP is not working.

Thanks, this is what I need.

It seems like there is no way to auto-verify a specific computer.

Could you please tell me, does Squid have some verification method like SSH public key/private key based auto-login?

Amos Jeffries writes:

> On 14/01/2016 3:29 a.m., Billy.Zheng (zw963) wrote:
>>
>> It seems like I missed so many replies, sorry for all.
>>
>> I try to reproduce everything about what I did in this reply.
>>
>> Currently, I use a newer compiled version of Squid (3.5.12); see the wiki, it
>> should support the arp ACL originally. The following is copied from the WIKI.
>>
>>> The arp ACL requires the special configure option --enable-arp-acl in
>>> Squid-3.1 and older, for newer Squid versions EUI-48 (aka MAC address)
>>> support is enabled by default. Furthermore, the ARP / EUI-48 code is
>>> not portable to all operating systems. It works on Linux, Solaris,
>>> and some *BSD variants.
>>
>> So, I think Squid arp ACL support is not the key.
>
> If you mean that you think it will not work, you are correct.
>
>>
>> The following is my whole config, which worked on CentOS 7. My need is to connect
>> to the Squid server with my own laptop (with its MAC address); no password is needed.
>
> Why that requirement?
>
>>
>> The following is my network info; I hope it can help.
>>
>> My laptop is connected to the internet through an old WIFI router.
>> When I run traceroute on my laptop with the WIFI connection, I cannot find any useful info.
>>
>> traceroute to MY_VPS_IP (MY_VPS_IP), 30 hops max, 60 byte packets
>>  1 localhost (192.168.1.1) 2.017 ms 3.294 ms 3.549 mspp
>>  2 MY_VPS_IP (MY_VPS_IP) 101.182 ms !X 101.965 ms !X 104.812 ms !p
>>
>> Unless I connect my laptop directly to the router with a wired connection,
>> it cannot output meaningful route information.
>>
>> ------------------------- config begin ------------------------------
>>
>> debug_options 11,2
>>
>> auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid.passwd
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive on
>>
>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> acl localnet src fc00::/7 # RFC 4193 local private network range
>> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> acl proxy_ports localport 8087 # http proxy port
>>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>>
>> http_access allow localhost manager
>> http_access deny manager
>>
>> acl advance_users arp MY_LAPTOP_MAC_ADDRESS
>> http_access allow advance_users proxy_ports
>>
>> acl superuser proxy_auth zw963
>> http_access allow superuser proxy_ports
>>
>> acl authorized_users proxy_auth REQUIRED
>> acl over_conn_limit maxconn 3
>>
>> http_access deny over_conn_limit authorized_users
>> http_access allow authorized_users proxy_ports
>>
>> http_access allow localnet
>> http_access allow localhost
>> http_access deny all
>>
>> https_port 8087 cert=/etc/squid/cert.pem key=/etc/squid/key.pem
>
> This port receives TLS (HTTPS) connections. You need special browser
> configuration to connect to a proxy using TLS. The only browser that
> supports this is Chrome when configured with a PAC file or when run
> manually with special command line options.
>
>
>> ------------------ config end ---------------------
>>
>> When I use w3m to connect to Google, w3m tells me a user/password is needed.
>>
>> The following is the Squid log:
>>
>> ==================================== log begin =====================================
>>
>> ==> /var/log/squid/cache.log <==
>> 2016/01/13 14:19:07.952 kid1| 11,2| client_side.cc(2345) parseHttpRequest: HTTP Client local=*** remote=*** FD 14 flags=1
>
> Your rules are all IP and port based. You elided the IP:port information
> with "***"
>>
>> ==> /var/log/squid/access.log <==
>> 1452694747.953 1 60.221.132.137 TCP_DENIED/407 4130 GET http://www.google.com/ - HIER_NONE/- text/html
>> ****** - - [13/Jan/2016:14:19:07 +0000] "GET http://www.google.com/
>> HTTP/1.0" 407 4130 "-" "w3m/0.5.3+debian-15" TCP_DENIED:HIER_NONE
>
> ?? you have both Squid format and Apache format log records being put
> into the same log?
>
>
>>
>> ======================================= log end ================================
>>
>> I have no idea why Squid auth is needed when I connect from my laptop.
>> This situation is the same as when the following ACL is not used.
>>
>>>> acl advance_users arp MY_LAPTOP_MAC_ADDRESS
>>>> http_access allow advance_users proxy_ports
>>
>
> The access.log says the request came from a remote Internet IP address
> outside your LAN. That is why ARP is not working.
>
> ARP / MAC address in IPv4 only works within a single flat subnet where
> all devices are directly connected. As soon as packets go through a
> router the MAC/ARP address is changed.
>
> In IPv6 this is somewhat better, since SLAAC configuration sends the EUI-64
> address as part of the client IPv6 address. When that happens the MAC is
> visible through router hops. But when DHCP or "Privacy" addressing is
> used the EUI/MAC is not available at all even in the same subnet.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

--
Geek, Rubyist, Emacser
Homepage: http://zw963.github.io
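As an added diagnostic example (not code from this thread or from the Squid project), the script below applies the two rules Amos gives to native-format access.log records: an IPv4 client's MAC is only visible when that client sits on one of the proxy's directly attached subnets, and an IPv6 client's MAC is only recoverable when its address carries a SLAAC EUI-64 interface identifier. The proxy subnets and the extra log lines are constructed assumptions; the first log line is the one from the thread.

```python
"""Can a Squid ``arp`` (EUI-48) ACL possibly match a logged client?

Added example, not from the thread or from Squid. It reads the client
address (field 3) of a native access.log record and applies Amos's rules.
"""
import ipaddress

# Assumption: the networks directly attached to the Squid host (constructed).
PROXY_SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("2001:db8:1::/64")]

# Constructed sample records in Squid native log format (first is from the thread).
SAMPLE_LOG = """\
1452694747.953 1 60.221.132.137 TCP_DENIED/407 4130 GET http://www.google.com/ - HIER_NONE/- text/html
1452694748.100 3 192.168.1.23 TCP_MISS/200 1532 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1452694749.200 2 2001:db8:1::2a1b:ccff:fe11:2233 TCP_MISS/200 900 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1452694750.300 2 2001:db8:1::a1b2:c3d4:e5f6:1234 TCP_MISS/200 900 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

def client_ip(record):
    """Field 3 of a native access.log record is the client address."""
    return ipaddress.ip_address(record.split()[2])

def eui64_mac(addr):
    """Return the MAC embedded in a SLAAC EUI-64 interface ID, else None."""
    iid = addr.packed[8:]                 # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":           # no ff:fe marker -> not EUI-64 (DHCP/privacy)
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]   # flip the U/L bit back
    return ":".join(f"{b:02x}" for b in octets)

def arp_acl_can_match(record):
    """Classify a record: 'on-link', 'eui64:<mac>' or 'unreachable'.

    IPv4: the MAC is only seen by the proxy on a directly attached subnet.
    IPv6: per Amos, the MAC is available only if the address embeds EUI-64.
    """
    ip = client_ip(record)
    if ip.version == 4:
        return "on-link" if any(ip in net for net in PROXY_SUBNETS) else "unreachable"
    mac = eui64_mac(ip)
    return f"eui64:{mac}" if mac else "unreachable"

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(client_ip(line), "->", arp_acl_can_match(line))
```

Running it shows the thread's own record (60.221.132.137) classified as unreachable, which is exactly why the `arp` ACL never matched.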