
Re: Squid authentication problem

On 18/06/17 17:50, Sonya Roy wrote:
> Hi,
>
> I am running squid on a server with multiple public IPs and I want some users to be able to access the proxy through some of the IPs and other users through other IPs.
>
> At the moment I have acl rules of the form:-
> acl abcd myip x.x.x.x


What you need is an ACL that compares the username to the IP.

<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_file_userip_acl.html>
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_edirectory_userip_acl.html>
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_sql_session_acl.html>

or the new 'extras' feature for authenticators in Squid-3.5 that lets them use the IP as part of the auth approval. Though with this the thing to be aware of is that the IP becomes like a scope for the user login - the wrong IP being used to log in from results in a re-auth challenge just as would be seen if the password was wrong. So use carefully.
<http://www.squid-cache.org/Doc/config/auth_param/>
<http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html#ss2.2>

> and for these acl rules I have these tcp_outgoing_address:-
> tcp_outgoing_address x.x.x.x abcd


Why limit the outgoing? In HTTP that is independent of the incoming connection, and restricting it will lower performance.

> And earlier I had proxy_auth acl rules separately, but that allowed any authenticated users to be able to access the proxy through any of those IPs. Since I wanted some users to be able to use the server through some IPs and others through different IPs, I tried this in those acl rules:-
>
> acl abcd myip x.x.x.x proxy_auth user1

FTR: that will match the IP address x.x.x.x and the IP address(es) of the servers with hostnames "proxy_auth" and "user1" in your local DNS.

Also, the myip ACL is deprecated because it matched different things based on the traffic type. myportname or localip ACLs are better if you need to do this at all. Your "squid -k parse" config checks should warn you about that.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
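
An added example, not part of the original thread and not code from the Squid project: a minimal external ACL helper that compares the authenticated username to the proxy's local IP, as the reply suggests. The helper path, the ACL names, the policy table and its addresses are assumptions, and it assumes the Squid-3.5 `%LOGIN` and `%MYADDR` format codes with helper concurrency left at 0.

```python
#!/usr/bin/env python3
"""Constructed example of a Squid external ACL helper: user -> allowed local IP.

Assumed squid.conf wiring (helper path and ACL names are hypothetical):
  external_acl_type user_localip %LOGIN %MYADDR /usr/local/bin/user_localip.py
  acl user_on_ip external user_localip
  http_access allow user_on_ip
  http_access deny all
"""
import sys
from ipaddress import ip_address
from urllib.parse import unquote

# Constructed sample policy using documentation addresses (RFC 5737).
ALLOWED = {
    "user1": {"192.0.2.10"},
    "user2": {"192.0.2.20", "192.0.2.21"},
}


def check(line, policy=ALLOWED):
    """Return 'OK' if the user on this line may use this local IP, else 'ERR'."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"  # malformed request: fail closed
    user, addr = (unquote(f) for f in fields)  # Squid URL-escapes each token
    try:
        local_ip = ip_address(addr)
    except ValueError:
        return "ERR"  # e.g. "-" when the address is unavailable
    allowed = {ip_address(a) for a in policy.get(user, ())}
    return "OK" if local_ip in allowed else "ERR"


def main():
    # One request per line; answer each one immediately and flush,
    # because Squid waits for the reply before continuing.
    for line in sys.stdin:
        sys.stdout.write(check(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Unknown users and unparseable addresses both return `ERR`, so a gap in the policy table denies access rather than opening every listening IP to any authenticated user.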