On 24/09/2016 6:13 p.m., --Ahmad-- wrote:
> hi folks .
>
> i have many ips on same server .
> also i have basic_ncsa auth type on squid .
>
> say i have 3 ips and i created 3 users .
>
> the issue i have now is any user can use any outgoing address .
>
> let me explain below :
>
>
> auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user
> acl ncsa_users proxy_auth REQUIRED
> auth_param basic children 100
> http_access allow ncsa_users
>
> ###############
> http_port 100.160.238.0:17648
> http_port 100.160.238.1:48049
> http_port 100.160.238.2:26394
>
> #############
> acl ip1myip 100.160.238.0
> acl ip2 myip 100.160.238.1
> acl ip3 myip 100.160.238.2
> #############
>
> tcp_outgoing_address 100.160.238.0 ip1
> tcp_outgoing_address 100.160.238.1 ip2
> tcp_outgoing_address 100.160.238.2 ip3
>

'myip' matches the Squid IP address.

tcp_outgoing_address is what sets the Squid IP address.

See any problem with using the Squid IP address current value to set the
Squid IP address?

Use the myportname ACL instead. In your above config it will match the
IP:port string on the http_port line.

For example:

  acl ip0 myportname 100.160.238.0:17648
  tcp_outgoing_address 100.160.238.0 ip0

Or you can add a name= parameter to each port to set a custom name for
it that the myportname ACL looks for.

> ########################
>
> i created 3 users :
>
> htpasswd -cdb /etc/squid/squid_user user1 user1
> htpasswd -cdb /etc/squid/squid_user user2 user2
> htpasswd -cdb /etc/squid/squid_user user3 user3
>
> #################
>
>
>
> now if user1 connected to 100.160.238.0:17648 it will be able to use it
> also if connected to 100.160.238.1:48049 also will be able .
>
> and so for 100.160.238.2:26394.
>
>
> the question is
> how can i let user1 only use 100.160.238.0:17648 and user2 only use 100.160.238.1:48049 and user3 only use 100.160.238.2:26394 ???
>

Use the ext_file_userip_acl helper.
The format for entries in the helper config file is listed in the man page:
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_file_userip_acl.html>

Replace the line "http_access allow ncsa_users" with the following:

  external_acl_type userIp %SRC %LOGIN /usr/bin/ext_file_userip_acl -f /etc/squid/userIP.conf
  acl userIp external userIp
  http_access deny !ncsa_users
  http_access allow userIp

NP: that is all. Do not add userIp check to tcp_outgoing_address lines.

After all the above changes your squid.conf should look something like this:

  ## ... the default http_access rules at the top ...

  ##
  ## Your local custom rules go here:

  auth_param basic program /lib/squid/basic_ncsa_auth \
     /etc/squid/squid_user
  auth_param basic children 100

  external_acl_type userIp %SRC %LOGIN /lib/squid/ext_file_userip_acl \
     -f /etc/squid/userIP.conf

  acl ncsa_users proxy_auth REQUIRED
  acl userIp external userIp

  http_access deny !ncsa_users
  http_access allow userIp
  http_access deny all

  ##

  http_port 100.160.238.0:17648 name=0
  acl ip0 myportname 0
  tcp_outgoing_address 100.160.238.0 ip0

  http_port 100.160.238.1:48049 name=1
  acl ip1 myportname 1
  tcp_outgoing_address 100.160.238.1 ip1

  http_port 100.160.238.2:26394 name=2
  acl ip2 myportname 2
  tcp_outgoing_address 100.160.238.2 ip2

Amos
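
Added example, not part of the original message or of Squid: a small Python check that cross-references http_port, acl and tcp_outgoing_address lines and flags the two problems visible in this thread (an undefined ACL name, and a 'myip' ACL used to choose the outgoing address). The function name audit_outgoing and the trimmed BEFORE/AFTER samples are assumptions made for the example.

```python
def audit_outgoing(conf_text):
    """Check tcp_outgoing_address rules against http_port and acl lines."""
    ports, acls, outgoing = {}, {}, []
    for raw in conf_text.replace("\\\n", " ").splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        if tok[0] == "http_port":
            # Default port name is the listening spec itself; name= overrides it.
            name = next((t[5:] for t in tok[2:] if t.startswith("name=")), tok[1])
            ports[name] = tok[1].rsplit(":", 1)[0] if ":" in tok[1] else None
        elif tok[0] == "acl" and len(tok) >= 3:
            acls[tok[1]] = (tok[2], tok[3:])
        elif tok[0] == "tcp_outgoing_address":
            outgoing.append((tok[1], [t.lstrip("!") for t in tok[2:]]))
    findings = []
    for addr, names in outgoing:
        for n in names:
            kind, values = acls.get(n, (None, []))
            if kind is None:
                findings.append(f"{addr}: acl '{n}' is not defined")
            elif kind == "myip":
                findings.append(f"{addr}: acl '{n}' is type myip; use myportname")
            elif kind == "myportname":
                for v in values:
                    # None means the port listens on every address.
                    listen = ports.get(v, "no such http_port")
                    if listen not in (addr, None):
                        findings.append(f"{addr}: acl '{n}' port '{v}' is on {listen}")
    return findings

# Constructed inputs: the two configurations from the thread, trimmed.
BEFORE = """\
http_port 100.160.238.0:17648
http_port 100.160.238.1:48049
acl ip1myip 100.160.238.0
acl ip2 myip 100.160.238.1
tcp_outgoing_address 100.160.238.0 ip1
tcp_outgoing_address 100.160.238.1 ip2
"""
AFTER = """\
http_port 100.160.238.0:17648 name=0
acl ip0 myportname 0
tcp_outgoing_address 100.160.238.0 ip0
http_port 100.160.238.1:48049 name=1
acl ip1 myportname 1
tcp_outgoing_address 100.160.238.1 ip1
"""
if __name__ == "__main__":
    print(audit_outgoing(BEFORE), audit_outgoing(AFTER))
```

The check only covers the port-to-outgoing-address mapping; which user may connect is still decided by the http_access rules and the ext_file_userip_acl helper.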