Search squid archive

Re: Multi-clients VPS - Authentication been shared.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 11/16/21 11:53 AM, Graminsta wrote:
> Hello friends,
> 
>  
> 
> I'm using these user authentication lines in squid.conf based on user’s
> authentication list:
> 
>  
> 
> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/users
> 
> auth_param basic children 5
> 
> auth_param basic realm Squid proxy-caching web server
> 
> auth_param basic credentialsttl 2 hours
> 
> auth_param basic casesensitive off
> 
>  
> 
> http_access allow localhost
> 
> acl clientes proxy_auth REQUIRED
> 
> http_access allow clientes
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access deny all

Please note that you are allowing authenticated clients to send traffic
to unsafe ports. For example, they can CONNECT to non-SSL ports. You may
want to reorder the above rules if that is not what you want.


> #List of outgoings (all IPs are fake)
> 
> http_port 181.111.11.111:4000 name=3
> acl ip3 myportname 3
> tcp_outgoing_address 2804:1934:2E1::3D6 ip3
> 
>  
> 
> http_port 181.111.11.112:4001 name=4
> acl ip4 myportname 4
> tcp_outgoing_address 2804:1934:3a8::3D7 ip4
> 
>  
> 
> The problem is that everyone whom is in the users file are allow to use
> all tcp_outgoing_address.
> 
> If a smarter client scans for open IPs and ports will be able to find
> these outgoings.
> 
>  
> 
> How can I restrict each user to their own tcp_outgoing_address output?

I suspect you are asking the wrong question. A better question is "How
do I restrict each user to their own http_port?". The answer is "Use
http_access to deny authenticated users connected to wrong ports."

However, you should also ask yourself another question: "Why am I using
multiple http_ports if all I care about is who uses which
tcp_outgoing_address?". The listening ports have virtually nothing to do
with tcp_outgoing_address...

I suspect you want something like this instead:

    http_port ...
    tcp_outgoing_address ...:3D01 user1
    tcp_outgoing_address ...:3D02 user2
    tcp_outgoing_address ...:3D03 user3
    ...

...where userN is an ACL that matches an authenticated user N.


HTH,

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux