[squid-users] Squid authentication problem

Amos Jeffries squid3 at treenet.co.nz
Sun Jun 18 12:56:31 UTC 2017


On 18/06/17 17:50, Sonya Roy wrote:
> Hi,
>
> I am running squid on a server with multiple public IPs and I want 
> some users to be able to access the proxy through some of the IPs and 
> other users through other IPs.
>
> At the moment I have acl rules of the form:-
> acl abcd myip x.x.x.x
>

What you need is an ACL that compares the username to the IP.

<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_file_userip_acl.html>
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_edirectory_userip_acl.html>
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_sql_session_acl.html>

or the new 'extras' feature for authenticators in Squid-3.5 that lets 
them use the IP as part of the auth approval. Though with this the thing 
to be aware of is that the IP becomes like a scope for the user login - 
the wrong IP being used to log in from results in a re-auth challenge just 
as would be seen if the password was wrong. So use carefully.
  <http://www.squid-cache.org/Doc/config/auth_param/>
  <http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html#ss2.2>

> and for these acl rules I have these tcp_outgoing_address:-
> tcp_outgoing_address x.x.x.x abcd
>

Why limit the outgoing? In HTTP that is independent of the incoming 
connection and restricting it will lower performance.

> And earlier I had proxy_auth acl rules separately, but that allowed 
> any authenticated users to be able to access the proxy through any of 
> those IPs. Since I wanted some users to be able to use the server 
> through some IPs and others through different IPs, I tried this in 
> those acl rules:-
>
> acl abcd myip x.x.x.x proxy_auth user1

FTR: that will match the IP address x.x.x.x and the IP address(es) of 
the servers with hostnames "proxy_auth" and "user1" in your local DNS.

Also, the myip ACL is deprecated because it matched different things 
based on the traffic type. myportname or localip ACLs are better if you 
need to do this at all. Your "squid -k parse" config checks should warn 
you about that.

Amos
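
Added example (not part of the original message and not the Squid project's own configuration): a squid.conf fragment that puts the combined ACL line from the question beside one way to split it up, using the localip ACL type mentioned in the reply. The addresses 192.0.2.10 and 192.0.2.20, the user name user2 and all ACL names are constructed placeholders, and an auth_param scheme is assumed to be configured already.

```conf
# --- As posted: one acl line mixing two ACL types ---
# Everything after the type "myip" is read as a value for that type, so
# "proxy_auth" and "user1" are treated as hostnames to resolve, not as a
# login check.
# acl abcd myip x.x.x.x proxy_auth user1

# --- Split up: one acl line per type, combined on http_access ---
# Assumption: auth_param (basic, digest, ...) is configured above this point.

# Which local address the client connected to (placeholder addresses).
acl via_ip_a localip 192.0.2.10
acl via_ip_b localip 192.0.2.20

# Which authenticated user is asking (user2 is a placeholder name).
acl users_a proxy_auth user1
acl users_b proxy_auth user2

# ACL names on one http_access line are ANDed, tested left to right, and
# the lines are tried top to bottom. The localip test comes first, so the
# login lookup only runs for requests that arrived on the matching address.
http_access allow via_ip_a users_a
http_access allow via_ip_b users_b
http_access deny all
```

Running "squid -k parse" after the change checks the syntax before the configuration is reloaded.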

