[squid-users] Explicitly use direct client IP in acl
Orion Poplawski
orion at nwra.com
Thu Jul 9 21:54:24 UTC 2020
Hello -
We're using a setup like this:
client -> e2guardian -> squid -> internet
e2guardian is providing filtering and SSL inspection. Currently we only
allow access to e2guardian from our internal network. Currently we
enforce that access to squid comes from localhost, except for some specific
sites which do not work with SSL inspection.
Then we allow:
client -> squid -> internet
this is based on the (non-forwarded) client IP.
We would like to open up access to e2g from the internet but require
authentication in that case. This would require the use of forwarded
IPs so the squid could distinguish between them (e2g does not do auth
directly - it lets squid handle that). But then this breaks our config
above because we no longer can distinguish between connections from e2g
and direct ones.
Is there any way in an acl to explicitly request the "direct" (i.e.
non-indirect) IP address? This would allow us to use one type for some
acls and the other for other acls. This doesn't seem possible from what
I can see.
I'm guessing we'll need to implement a separate proxy configuration for
external access, but I'd like to avoid it if possible.
Thanks,
Orion
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 https://www.nwra.com/