[squid-users] Deny ports to users

Amos Jeffries squid3 at treenet.co.nz
Fri Nov 17 03:29:44 UTC 2017


On 17/11/17 08:42, Yuri wrote:
> You chose an inappropriate tool for your task.
> 
> Squid is a proxy, not a firewall.
> 

Indeed.


> 
> 17.11.2017 1:40, Jonathan thomas Cho writes:
>> Hello, I was curious how to restrict users from accessing ports.
>>
>> I have 4 workers and need them to have their own ports and not be able to 
>> use the other 3.
>>
>> I currently use :
>>
>> http_port 3128 name=ip2
>> http_port 3129 name=ip3
>> http_port 3130 name=ip4

The above are directives for the *listening* ports receiving 
client<->Squid connections.

You have here configured this Squid *process* (all workers of it) to use 
port 3128 on all IP addresses the machine has been assigned. Same for 
port 3129 and 3130.

Squid cannot control which port a client decides to connect to. It can 
only listen (or not).

I assume you mean you want each worker to use different listening ports. 
That can be done by using the ${process_number} config macro in the port 
number itself, e.g. http_port 313${process_number}.

However, be aware that will lead to issues with the coordinator 
process not being able to manage SMP port functionality, and worker 
automatic restart after crashes will have issues since the process 
number changes there too. And you thus cannot reliably use the port 
name/number for other things like you seem to be wanting.


>> acl ip2 myip x.x.x.2
>> acl ip3 myip x.x.x.3
>> acl ip4 myip x.x.x.4

"myip" is deprecated, it does not work at all well. Use "myportname" 
instead.

Your Squid should complain about this when you run '-k parse' to check 
your config validity. If your Squid does not support that new ACL type 
you definitely need to upgrade.


>> tcp_outgoing_address x.x.x.2 ip2
>> tcp_outgoing_address x.x.x.3 ip3
>> tcp_outgoing_address x.x.x.4 ip4
>>

These are for Squid<->server connections. Has nothing to do with 
client<->Squid connections.

The OS selects which ports are used here. Not Squid.


>> However 3129 still works on all 4 ports.
>>

3129 is a port number. Singular. It does not *listen* on other values.

The traffic arriving on connections *to* there is independent of the 
outgoing connection port numbers - which are not controllable as 
mentioned above. So it is not clear what you are trying to say by that.


Amos
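As an added example (not from this thread, and not the original poster's config), here is the configuration assembled the way Amos describes it: named listening ports, myportname ACLs in place of the deprecated myip, and tcp_outgoing_address keyed on those names. The x.x.x.N addresses are the original poster's placeholders; the client src ACLs, their 192.0.2.0/24 documentation-range values, and the http_access lines are assumptions added here to show how the port name can gate which clients may use which port.

```conf
# Listening ports (client<->Squid side). Each gets a distinct name so
# later rules can refer to the port a client actually arrived on.
http_port 3128 name=ip2
http_port 3129 name=ip3
http_port 3130 name=ip4

# Original (deprecated) form, which "squid -k parse" warns about:
#   acl ip2 myip x.x.x.2
# Replacement: match on the listening port's name instead.
acl ip2 myportname ip2
acl ip3 myportname ip3
acl ip4 myportname ip4

# Squid<->server side: pick the outgoing source address from the
# named port the client connection came in on. The OS still chooses
# the outgoing source *port*; only the address is fixed here.
tcp_outgoing_address x.x.x.2 ip2
tcp_outgoing_address x.x.x.3 ip3
tcp_outgoing_address x.x.x.4 ip4

# Assumed addition (not in the thread): keep each client group on its
# own listening port. The ranges are placeholders; replace them with
# the real client networks. These deny rules go before the existing
# http_access allow rules.
acl clients2 src 192.0.2.0/26
acl clients3 src 192.0.2.64/26
acl clients4 src 192.0.2.128/26
http_access deny ip2 !clients2
http_access deny ip3 !clients3
http_access deny ip4 !clients4
```

Run `squid -k parse` after editing; as the thread notes, it reports the deprecated ACL type and rejects references to ACL names that are not defined.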
