[squid-users] Squid MAC address ACL does not work, and how to get the MAC address Squid sees?
Amos Jeffries
squid3 at treenet.co.nz
Wed Jan 13 16:31:56 UTC 2016
On 14/01/2016 3:29 a.m., Billy.Zheng (zw963) wrote:
>
> It seems like I missed so many replies. Sorry to all.
>
> I try to reproduce everything about what I did in this reply.
>
> Currently I use a newer compiled version of Squid (3.5.12). According to the wiki, it
> should support the arp ACL natively; the following is copied from the wiki.
>
>> The arp ACL requires the special configure option --enable-arp-acl in
>> Squid-3.1 and older, for newer Squid versions EUI-48 (aka MAC address)
>> support is enabled by default. Furthermore, the ARP / EUI-48 code is
>> not portable to all operating systems. It works on Linux, Solaris,
>> and some *BSD variants.
>
> So I think Squid arp ACL support is not the key.
If you mean that you think it will not work, you are correct.
>
> The following is my whole config, which works on CentOS 7. My need is to connect
> to the Squid server from my own laptop (by MAC address), with no password needed.
Why that requirement?
>
> The following is my network info; I hope it can help.
>
> My laptop connects to the internet through an old WiFi router.
> When I run traceroute on my laptop over the WiFi connection, I cannot find any useful info.
>
> traceroute to MY_VPS_IP (MY_VPS_IP), 30 hops max, 60 byte packets
> 1 localhost (192.168.1.1) 2.017 ms 3.294 ms 3.549 ms
> 2 MY_VPS_IP (MY_VPS_IP) 101.182 ms !X 101.965 ms !X 104.812 ms !p
>
> Unless I connect my laptop directly to the router with a wired connection,
> it does not output meaningful route information.
>
> ------------------------- config begin ------------------------------
>
> debug_options 11,2
>
> auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid.passwd
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive on
>
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl proxy_ports localport 8087 # http proxy port
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow localhost manager
> http_access deny manager
>
> acl advance_users arp MY_LAPTOP_MAC_ADDRESS
> http_access allow advance_users proxy_ports
>
> acl superuser proxy_auth zw963
> http_access allow superuser proxy_ports
>
> acl authorized_users proxy_auth REQUIRED
> acl over_conn_limit maxconn 3
>
> http_access deny over_conn_limit authorized_users
> http_access allow authorized_users proxy_ports
>
> http_access allow localnet
> http_access allow localhost
> http_access deny all
>
> https_port 8087 cert=/etc/squid/cert.pem key=/etc/squid/key.pem
This port receives TLS (HTTPS) connections. You need special browser
configuration to connect to a proxy using TLS. The only browser that
supports this is Chrome when configured with a PAC file or when run
manually with special command line options.
> ------------------ config end ---------------------
>
> When I use w3m to connect to Google, w3m tells me a user/password is needed.
>
> The following is the Squid log:
>
> ==================================== log begin =====================================
>
> ==> /var/log/squid/cache.log <==
> 2016/01/13 14:19:07.952 kid1| 11,2| client_side.cc(2345) parseHttpRequest: HTTP Client local=*** remote=*** FD 14 flags=1
Your rules are all IP and port based. You elided the IP:port information
with "***"
>
> ==> /var/log/squid/access.log <==
> 1452694747.953 1 60.221.132.137 TCP_DENIED/407 4130 GET http://www.google.com/ - HIER_NONE/- text/html
> ****** - - [13/Jan/2016:14:19:07 +0000] "GET http://www.google.com/
> HTTP/1.0" 407 4130 "-" "w3m/0.5.3+debian-15" TCP_DENIED:HIER_NONE
?? you have both Squid format and Apache format log records being put
into the same log?
>
> ======================================= log end ================================
>
> I have no idea why Squid auth is needed when I connect from my laptop.
> This situation is the same as when the following ACLs are not used.
>
>>> acl advance_users arp MY_LAPTOP_MAC_ADDRESS
>>> http_access allow advance_users proxy_ports
>
The access.log says the request came from a remote Internet IP address
outside your LAN. That is why ARP is not working.
ARP / MAC address in IPv4 only works within a single flat subnet where
all devices are directly connected. As soon as packets go through a
router the MAC/ARP address is changed.
In IPv6 this is somewhat better, since SLAAC configuration sends the EUI-64
address as part of the client IPv6 address. When that happens the MAC is
visible through router hops. But when DHCP or "Privacy" addressing is
used the EUI/MAC is not available at all even in the same subnet.
Amos
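Added example, not part of Amos's reply or of Squid itself: a small Python script that applies the rule stated above to the client addresses Squid logs and reports whether an `acl ... arp` (EUI-48) rule can ever match that client. It assumes the proxy's directly attached subnets are 192.168.1.0/24 and 2001:db8:1::/64 (an assumption; edit `PROXY_LINK_SUBNETS` for a real host) and runs over constructed access.log lines in documentation address ranges. The EUI-64 recovery (the `ff:fe` marker and the flipped universal/local bit) follows RFC 4291 Appendix A, which is how SLAAC embeds the MAC Amos refers to.

```python
"""Can a Squid ``acl ... arp`` rule ever match this client?

Encodes the rule from the reply above: a MAC/ARP ACL only works for IPv4
clients on the same flat subnet as the proxy, and for IPv6 only when the
client address carries a SLAAC EUI-64 interface identifier (which survives
router hops); DHCPv6 and privacy addresses expose no MAC at all.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ASSUMPTION for this example: the subnets the proxy is directly attached to.
# On a real box take them from `ip -4 addr` / `ip -6 addr` on the Squid host.
PROXY_LINK_SUBNETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("2001:db8:1::/64"),
]

# Constructed Squid native-format access.log records (documentation-range
# addresses, not real traffic): an Internet client, a same-subnet IPv4 client,
# a same-link SLAAC (EUI-64) IPv6 client and a same-link privacy-address client.
SAMPLE_ACCESS_LOG = """\
1452694747.953      1 203.0.113.7 TCP_DENIED/407 4130 GET http://www.example.com/ - HIER_NONE/- text/html
1452694750.120     12 192.168.1.23 TCP_MISS/200 1234 GET http://www.example.com/ - HIER_DIRECT/198.51.100.10 text/html
1452694751.300      9 2001:db8:1::2a1f:84ff:fe23:9b7c TCP_MISS/200 1234 GET http://www.example.com/ - HIER_DIRECT/198.51.100.10 text/html
1452694752.400      9 2001:db8:1::8f3a:11c2:7d0e:4455 TCP_MISS/200 1234 GET http://www.example.com/ - HIER_DIRECT/198.51.100.10 text/html
"""


@dataclass
class ArpVerdict:
    client: str
    on_link: bool        # same subnet as the proxy, i.e. no router in the path
    mac: Optional[str]   # MAC recoverable from the address itself (IPv6 EUI-64 only)
    usable: bool         # can an arp (EUI-48) ACL ever match this client?
    reason: str


def client_ip_from_access_log(line: str) -> Optional[str]:
    """Return the first token that parses as an IP address: field 3 in Squid's
    native format, field 1 in Apache/common format (both appear in the thread)."""
    for token in line.split():
        try:
            return str(ipaddress.ip_address(token))
        except ValueError:
            continue
    return None


def eui64_to_mac(addr: str) -> Optional[str]:
    """Recover the EUI-48 MAC from an IPv6 address whose interface identifier
    is a modified EUI-64 (SLAAC without privacy extensions). Returns None for
    IPv4 and for IPv6 identifiers not in EUI-64 form (DHCPv6, RFC 4941, manual)."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None
    iid = ip.packed[8:]                      # low 64 bits: the interface identifier
    if iid[3] != 0xFF or iid[4] != 0xFE:     # EUI-64 splices ff:fe between OUI and NIC
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02                           # undo the universal/local bit flip (RFC 4291 App. A)
    return ":".join(f"{b:02x}" for b in mac)


def on_proxy_link(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROXY_LINK_SUBNETS)


def arp_acl_verdict(addr: str) -> ArpVerdict:
    ip = ipaddress.ip_address(addr)
    on_link = on_proxy_link(addr)
    mac = eui64_to_mac(addr)
    if mac is not None:
        return ArpVerdict(addr, on_link, mac, True,
                          "SLAAC EUI-64 address: MAC is embedded in the address and survives router hops")
    if ip.version == 6:
        return ArpVerdict(addr, on_link, None, False,
                          "IPv6 without EUI-64 (DHCPv6/privacy address): no MAC available, even on the same link")
    if on_link:
        return ArpVerdict(addr, True, None, True,
                          "same IPv4 subnet: Squid reads the MAC from the kernel ARP table")
    return ArpVerdict(addr, False, None, False,
                      "IPv4 client behind a router: the proxy only ever sees the router's MAC")


def audit_access_log(text: str) -> List[ArpVerdict]:
    verdicts = []
    for line in text.splitlines():
        client = client_ip_from_access_log(line)
        if client is not None:
            verdicts.append(arp_acl_verdict(client))
    return verdicts


if __name__ == "__main__":
    for v in audit_access_log(SAMPLE_ACCESS_LOG):
        flag = "OK" if v.usable else "NO"
        print(f"{flag} {v.client:<40} mac={v.mac or '-':<17} {v.reason}")
```

Run it against your own access.log before blaming the ACL: if the client shows up with a public address, as in the log quoted in this thread, no MAC-based ACL on the proxy can help, because the MAC Squid would see belongs to the last router, not the laptop.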