
Re: Deny ports to users


 




On 17/11/17 08:42, Yuri wrote:
You chose an inappropriate tool for your task.

Squid is a proxy, not a firewall.


Indeed.



On 17.11.2017 1:40, Jonathan thomas Cho wrote:
Hello, I was curious how to restrict users from accessing ports.

I have 4 workers and need them to have their own ports and not be able to use the other 3.

I currently use:

http_port 3128 name=ip2
http_port 3129 name=ip3
http_port 3130 name=ip4

The above are directives for the *listening* ports receiving client<->Squid connections.

You have here configured this Squid *process* (all workers of it) to use port 3128 on all IP addresses the machine has been assigned. Same for port 3129 and 3130.

Squid cannot control which port a client decides to connect to. It can only listen (or not).

I assume you mean you want each worker to use different listening ports. That can be done by using the ${process_number} config macro in the port number itself, e.g. http_port 313${process_number}. However, be aware that will lead to issues with the coordinator process not being able to manage SMP port functionality and worker automatic restart after crashes will have issues since the process number changes there too. And you thus cannot reliably use the port name/number for other things like you seem to be wanting.


acl ip2 myip x.x.x.2
acl ip3 myip x.x.x.3
acl ip4 myip x.x.x.4

"myip" is deprecated, it does not work at all well. Use "myportname" instead.

Your Squid should complain about this when you run '-k parse' to check your config validity. If your Squid does not support that new ACL type you definitely need to upgrade.


tcp_outgoing_address x.x.x.2 ip2
tcp_outgoing_address x.x.x.3 ip3
tcp_outgoing_address x.x.x.4 ip4


These are for Squid<->server connections. Has nothing to do with client<->Squid connections.

The OS selects which ports are used here. Not Squid.


However 3129 still works on all 4 ports.


3129 is a port number. Singular. It does not *listen* on other values.

The traffic arriving on connections *to* there is independent of the outgoing connection port numbers - which are not controllable as mentioned above. So it is not clear what you are trying to say by that.


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
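
Added example (not part of the thread or of anyone's reply above): a squid.conf sketch of the "myportname" approach recommended in the reply, with the deprecated "myip" form shown for comparison. It goes one step beyond the reply by adding http_access rules that tie each named port to one client; the client addresses (192.0.2.x) and the ACL names port_* and client_* are constructed assumptions, and x.x.x.N are the elided addresses from the original post.

```conf
# Listening ports (client<->Squid), each with a name that ACLs can match.
http_port 3128 name=ip2
http_port 3129 name=ip3
http_port 3130 name=ip4

# Deprecated form from the original post, kept for comparison:
#   acl ip2 myip x.x.x.2
# Replacement: match on the name of the port the request arrived on.
acl port_ip2 myportname ip2
acl port_ip3 myportname ip3
acl port_ip4 myportname ip4

# Constructed client addresses (assumption): one source per port.
acl client_a src 192.0.2.11
acl client_b src 192.0.2.12
acl client_c src 192.0.2.13

# Squid cannot stop a client from connecting to any listening port,
# but it can refuse the request unless source and port name match.
http_access allow port_ip2 client_a
http_access allow port_ip3 client_b
http_access allow port_ip4 client_c
http_access deny all

# Outgoing address (Squid<->server) selected by the arrival port name.
# The outgoing source port is still chosen by the OS.
tcp_outgoing_address x.x.x.2 port_ip2
tcp_outgoing_address x.x.x.3 port_ip3
tcp_outgoing_address x.x.x.4 port_ip4
```

Run '-k parse' against the edited file before reloading, as suggested in the reply, to confirm the ACL types are accepted by the installed Squid version.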



