[squid-users] Questions about tcp_outgoing_address

Amos Jeffries squid3 at treenet.co.nz
Sun Jan 10 04:56:29 UTC 2016


On 9/01/2016 4:54 p.m., Verónica Ovando wrote:
> Hi!
> 
> I have some specific questions about the directive
> /tcp_outgoing_address/. I need to know if it could work for my deployment:
> 
> My Squid 34.8 runs over Debian Jessie. I have a multiwan environment
> with dual internet connection.
> 
> There are some clients that visit web pages that only allow certain
> public IPs to access them. Only one of my two public IPs is allowed to
> access those services. I read some examples about /tcp_outgoing_address/
> from the Squid docs and other resources and they are all like this one:
>    
>     acl abc src 10.0.0.0/24
>     acl xyz src 10.0.2.0/24
>     tcp_outgoing_address 10.1.0.1 abc
>     tcp_outgoing_address 10.1.0.2 xyz
>     tcp_outgoing_address 10.1.0.3
> 
> I am not sure (this is the reason of my question) if I can use the
> directive in this way:
> 
>     acl pages url_regex -i "/path/to/restricted_access_pages"
>     tcp_outgoing_address my_gateway_ip pages
> 

You can. The directive ACLs have access to anything in the HTTP request
message, TCP client connection state, and the destination server IP but
no other server details than IP.

Just be aware that order is important: the first line to match for any
connection will be applied and the remainder ignored.


> Also, in multiwan environments frequent disconnect issues are common.
> Can Squid handle the problem with /tcp_outgoing_address/, for example
> when users need to access email, to avoid those disconnection
> problems? (I don't have load balancing, so the http requests use both
> ADSL connections) Example:
> 
>     acl email url_regex -i "/path/to/email_pages"
>     tcp_outgoing_address my_gateway_ip email
>  

No. All it does is select which IP to set on the TCP packets when
opening a new outbound TCP connection. That in turn hints to the OS
about which routing needs to be applied, but no more than that.

It is also restricted in that the rules will only affect traffic of the
same IP version as the address wanting to be set. A line with IPv4
address will have no effect on IPv6 outbound connections, and vice versa.

PS / FYI: there is no good reason for a multi-WAN environment to
encounter disconnection issues. If you are seeing such, then something
is broken in your network routing or traffic management software. That
is off topic here, but hopefully will head you in the right direction
for a useful fix.

Amos
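
Added example (not part of the original thread and not Squid's own code): a simplified Python model of the two selection rules described in the reply above, that the first matching line wins and that a line only applies to connections of its own IP version. All addresses, hostnames and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed stand-in for the patterns in "/path/to/restricted_access_pages".
RESTRICTED = [re.compile(p, re.I)
              for p in (r"partner\.example\.com", r"billing\.example\.net")]

def acl_pages(req):
    """Models: acl pages url_regex -i "/path/to/restricted_access_pages" """
    return any(p.search(req["url"]) for p in RESTRICTED)

def acl_all(req):
    """Models a tcp_outgoing_address line with no ACL (catch-all)."""
    return True

def pick_outgoing(rules, req):
    """Return the source address of the first applicable rule, or None."""
    dst_version = ipaddress.ip_address(req["dst_ip"]).version
    for addr, acl in rules:
        # A line with an IPv4 address has no effect on IPv6 connections,
        # and vice versa, so it is skipped rather than matched.
        if ipaddress.ip_address(addr).version != dst_version:
            continue
        if acl(req):
            return addr  # first match wins, later lines are ignored
    return None  # no line applied; the OS picks the source address

# 198.51.100.10 plays the public IP the remote service allows (assumption).
GOOD = [("198.51.100.10", acl_pages), ("203.0.113.20", acl_all)]
# Same lines, catch-all first: the specific line can never be reached.
BAD = [("203.0.113.20", acl_all), ("198.51.100.10", acl_pages)]

partner_v4 = {"url": "http://partner.example.com/login", "dst_ip": "192.0.2.80"}
other_v4 = {"url": "http://www.example.org/", "dst_ip": "192.0.2.99"}
partner_v6 = {"url": "http://partner.example.com/login", "dst_ip": "2001:db8::80"}

if __name__ == "__main__":
    for label, rules in (("GOOD", GOOD), ("BAD", BAD)):
        for name, req in (("partner_v4", partner_v4),
                          ("other_v4", other_v4),
                          ("partner_v6", partner_v6)):
            print(label, name, "->", pick_outgoing(rules, req))
```

With only IPv4 lines configured, the restricted site reached over IPv6 gets no outgoing address set at all, so an allowlisted deployment needs a matching IPv6 line or IPv4-only access to that site.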

