[squid-users] doing user/pass auth and src acl on same instance
Amos Jeffries
squid3 at treenet.co.nz
Thu Sep 3 01:45:29 UTC 2015
On 3/09/2015 11:45 a.m., Jason Enzer wrote:
> Is this possible?
>
> I have the src ACL working fine. I can control the outgoing address/port
> and incoming address with no issues.
>
> When I introduce NCSA auth, it breaks everything.
>
Order is important. Read the http_access rules carefully top-to-bottom
and you should see what's going wrong.
I've annotated your rules with steps 1-8 in order of what Squid is
instructed to perform.
> acl ncsa_users proxy_auth REQUIRED
> http_access allow ncsa_users
1) REQUIRED == require authentication.
 - don't care what it is, just 401/407 if nothing is present.
- Oops.
2) allow if authentication passed.
- oops?
>
> acl src3171 src 23.240
> acl port3171 myportname 3171
> tcp_outgoing_address 172.4 src3171
> http_access allow src3171 port3171
3) allow if IP X arrived through http_port Y
> http_access deny src3171 port3171
4) deny if IP X arrived through http_port Y.
- already allowed those in (3). does nothing
> http_access deny ncsa_users
5) deny if authentication was successful.
a) Oops. see (1)
b) already allowed those in (2). does nothing
>
>
> acl src3172 src 23.240
Typo? That is the same definition as src3171.
> acl port3172 myportname 3172
> tcp_outgoing_address 172.5 port3172
> http_access allow src3172 port3172
6) allow if IP W arrived through http_port V
> http_access deny src3172 port3172
7) deny if IP W arrived through http_port V.
- already allowed those in (6). does nothing
8) default action: allow all other traffic
>
> So if I connect to 172.5:3172 it asks for a password; once authed (which
> I don't want to auth) it then shows an outgoing address of 172.4. I realize
> it's ACL related and the ACL logic isn't correct. Can someone point me
> in the right direction?
* myportname matches the exact string / text you wrote in squid.conf on
the http_port lines' name= parameter, or the full-text host:port field if
that is absent. It does not match _numbers_.
So if your http_port lines actually contain IP:port or host:port then
those ACLs won't match, and a default IP is assigned by the TCP stack.
* The tcp_outgoing_address is only a hint/request from Squid to the OS
TCP stack. If you have any kind of outgoing-IP NAT / MASQUERADE rules
configured on the outgoing connection handling they can override Squid's
request to use that IP.
* If you are using TPROXY spoofing you cannot determine the outgoing-IP.
That is set by the client. Though you can disable spoofing to make
TPROXY act like a NAT.
There may be other less common things I'm overlooking. But that should
get you going a lot further.
HTH
Amos
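The configuration below is an added example written for this archive page, not a fragment posted by Amos or Jason. It restructures the rules from the thread along the lines of the reply: the http_port lines carry a name= parameter so that the myportname ACLs have a string to match, the port-specific allow rules sit ahead of the proxy_auth rule so those clients are admitted before Squid can challenge them, and the trailing deny replaces the implicit allow-everything default. The addresses are the placeholders copied from the post; the listen addresses on the http_port lines and the choice to key both tcp_outgoing_address lines on the port ACL (rather than the source ACL used for the first one in the original) are assumptions.

```conf
# Added example, not the configuration from the original post.
# http_port lines carry name= so the myportname ACLs below have a
# string to match (myportname does not match bare port numbers).
# Listen addresses are assumed.
http_port 172.4:3171 name=3171
http_port 172.5:3172 name=3172

# Source and port ACLs. The src value is the placeholder from the post;
# both ports use the same source definition there, so that is kept.
acl src3171 src 23.240
acl port3171 myportname 3171
acl src3172 src 23.240
acl port3172 myportname 3172

# Authenticated users, for everything not covered by the port rules.
acl ncsa_users proxy_auth REQUIRED

# Outgoing address keyed on the listening port (assumption: the intent is
# "came in on 3171 -> leave from 172.4", "came in on 3172 -> leave from 172.5").
tcp_outgoing_address 172.4 port3171
tcp_outgoing_address 172.5 port3172

# Port-specific clients first: they are allowed here and never reach the
# proxy_auth rule, so they are never challenged for credentials.
http_access allow src3171 port3171
http_access allow src3172 port3172

# Everyone else must authenticate. Placing REQUIRED last on its own line
# is what triggers the 407 challenge when no credentials are present.
http_access allow ncsa_users

# Explicit default instead of relying on the implicit "allow everything"
# that followed the original rule set.
http_access deny all
```

Two checks after reloading: `squid -k parse` will reject a malformed http_port or ACL line, and a request to 172.5:3172 from the matching source should be logged without a 407 exchange while its outbound connection leaves from 172.5 (subject to the NAT/MASQUERADE and TPROXY caveats in the reply).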