On 2016-11-11 22:28, Antony Stone wrote:
On Friday 11 November 2016 at 17:51:04, jarrett+squid-users@xxxxxxxxxxxxxxxxx wrote:
I'm trying to use ACLs to direct incoming traffic on assigned ports to
assigned outgoing addresses. But, squid uses the first IP address
assigned to the interface not listed in the config instead.
See http://lists.squid-cache.org/pipermail/squid-users/2016-October/013270.html
Specifically "IP addressing on the outgoing connections is an operating system choice. Squid does not have any direct control over outgoing connections besides their destination IP:port."
Hi,
The following configuration works for me on Linux.
1. I set a second /32 IP address on the Internet-facing interface.
# ip addr show wlp3s0 | fgrep 'inet '
inet 192.168.2.102/24 brd 192.168.2.255 scope global dynamic wlp3s0
inet 192.168.2.108/32 scope global wlp3s0
2. I added a second http_port, an ACL for the second http_port, and a rule to use the second IP address if the connection arrived on the second http_port.
# diff -u etc/squid.conf.default etc/squid.conf
--- etc/squid.conf.default 2016-10-28 15:54:53.851704360 +0500
+++ etc/squid.conf 2016-11-11 23:18:48.654385840 +0500
@@ -23,6 +23,7 @@
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
+acl port3129 localport 3129
#
# Recommended minimum Access Permission configuration:
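Review bot: the new `acl port3129 localport 3129` line sits among the Safe_ports and CONNECT definitions with nothing saying what it is for, and its only consumer in this patch is the `tcp_outgoing_address` rule in the last hunk; add a comment above it such as `# clients accepted on 3129 get their own outgoing address` so the pairing survives when one of the two lines is edited without the other.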
@@ -57,6 +58,7 @@
# Squid normally listens to port 3128
http_port 3128
+http_port 3129
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid35/var/cache/squid 100 16 256
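Review bot: `http_port 3129` listens on all local addresses exactly as `http_port 3128` does, and the patch adds no `http_access` rule specific to it, so whatever client rules apply to 3128 apply to 3129 as well; if the second port only exists for the outgoing-address mapping and local clients (the test step connects via `curl -x http://127.0.0.1:3129`), bind it explicitly as `http_port 127.0.0.1:3129` and note its purpose in a comment next to it.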
@@ -71,3 +73,4 @@
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
+tcp_outgoing_address 192.168.2.108 port3129
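Review bot: there is no fallback rule after `tcp_outgoing_address 192.168.2.108 port3129`, so connections accepted on 3128 are left to the operating system's source-address selection (the tcpdump step shows it picking 192.168.2.102); if that is intended, say so in a comment, otherwise add an unconditional `tcp_outgoing_address 192.168.2.102` as the last rule so the behaviour does not silently change when the interface's address set changes.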
3. I initiated two requests on different http ports:
$ curl -x http://127.0.0.1:3128 -H 'Cache-Control: no-cache' http://mirror.comnet.uz/centos/2/readme.txt > /dev/null
$ curl -x http://127.0.0.1:3129 -H 'Cache-Control: no-cache' http://mirror.comnet.uz/centos/2/readme.txt > /dev/null
4. Using tcpdump I confirmed that the rule is working.
# tcpdump -i wlp3s0 dst host mirror.comnet.uz
...
23:42:02.230713 IP 192.168.2.102.40506 > mirror.comnet.uz.http: Flags [P.], seq 0:218, ack 1, win 229, options [nop,nop,TS val 845937144 ecr 1281004287], length 218: HTTP: GET /centos/2/readme.txt HTTP/1.1
...
23:42:15.166311 IP 192.168.2.108.48575 > mirror.comnet.uz.http: Flags [P.], seq 0:218, ack 1, win 229, options [nop,nop,TS val 845950080 ecr 1281016928], length 218: HTTP: GET /centos/2/readme.txt HTTP/1.1
...
Thanks for your attention!
Garri
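As an added example (not part of the thread), a small Python checker for the localport ACL plus tcp_outgoing_address pairing Garri describes: it parses those directives from a squid.conf, reports which source address each http_port will use, and flags ports that fall through to the OS default and outgoing addresses not present on the host. The sample configuration and host address set are constructed from the diff and the `ip addr show` output quoted above; only localport ACLs are modelled, other ACL types are treated as not matching.

```python
def parse_squid_conf(text):
    """Collect http_port numbers, localport ACLs and tcp_outgoing_address rules."""
    ports, localport_acls, outgoing = [], {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "http_port":
            # http_port may be "3129" or "127.0.0.1:3129"; keep only the port number
            ports.append(int(words[1].rsplit(":", 1)[-1]))
        elif words[0] == "acl" and len(words) >= 4 and words[2] == "localport":
            localport_acls.setdefault(words[1], set()).update(int(p) for p in words[3:])
        elif words[0] == "tcp_outgoing_address":
            outgoing.append((words[1], words[2:]))  # (address, ACL names; empty = always)
    return ports, localport_acls, outgoing

def source_address_for(port, localport_acls, outgoing):
    """First rule whose ACLs all match wins; None means the OS picks the source.
    Only localport ACLs are modelled; any other ACL name is treated as not matching."""
    for addr, acls in outgoing:
        if all(port in localport_acls.get(name, set()) for name in acls):
            return addr
    return None

def report(conf_text, host_addresses):
    """Map each listening port to its source address and flag the two failure modes."""
    ports, acls, outgoing = parse_squid_conf(conf_text)
    result = {}
    for port in ports:
        addr = source_address_for(port, acls, outgoing)
        if addr is None:
            result[port] = "OS default"  # no rule matched: the OS chooses, as the thread warns
        elif addr not in host_addresses:
            result[port] = addr + " (not configured on host)"  # Squid could not bind to it
        else:
            result[port] = addr
    return result

# Constructed from the diff and the `ip addr show` output quoted in this message.
SAMPLE_CONF = """\
acl port3129 localport 3129
http_port 3128
http_port 3129
tcp_outgoing_address 192.168.2.108 port3129
"""
HOST_ADDRESSES = {"192.168.2.102", "192.168.2.108"}
if __name__ == "__main__":
    for port, addr in sorted(report(SAMPLE_CONF, HOST_ADDRESSES).items()):
        print(f"http_port {port}: source {addr}")
```

Running it against the sample configuration shows 3129 pinned to 192.168.2.108 and 3128 left to the OS default, which is exactly what the tcpdump capture above records.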
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users