[squid-users] Explicitly use direct client IP in acl

Orion Poplawski orion at nwra.com
Thu Jul 9 21:54:24 UTC 2020

Hello -

   We're using a setup like this:

client -> e2guardian -> squid -> internet

e2guardian is providing filtering and SSL inspection.  Currently we only 
allow access to e2guardian from our internal network.  Currently we 
enforce access to squid come from localhost, except for some specific 
sites which do not work with SSL inspection.

Then we allow:

client -> squid -> internet

this is based on the (non-forwarded) client IP.

We would like to open up access to e2g from the internet but require 
authentication in that case.  This would require the use of forwarded 
IPs so the squid could distinguish between them (e2g does not do auth 
directly - it lets squid handle that).  But then this breaks our config 
above because we no longer can distinguish between connections from e2g 
and direct ones.

Is there any way in an acl to explicitly request the "direct" (i.e. 
non-indirect) IP address?  This would allow use to use one type for some 
acls and the other for other acls.  This doesn't seem possible from what 
I can see.

I'm guessing we'll need to implement a separate proxy configuration for 
external access, but I'd like to avoid it if possible.


Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3799 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20200709/d3ac1dd3/attachment-0001.bin>

More information about the squid-users mailing list