[squid-users] Explicitly use direct client IP in acl

Amos Jeffries squid3 at treenet.co.nz
Fri Jul 10 00:50:11 UTC 2020


On 10/07/20 9:54 am, Orion Poplawski wrote:
> Hello -
> 
>   We're using a setup like this:
> 
> client -> e2guardian -> squid -> internet
> 
> e2guardian is providing filtering and SSL inspection.  Currently we only
> allow access to e2guardian from our internal network.  Currently we
> enforce that access to squid comes from localhost, except for some specific
> sites which do not work with SSL inspection.
> 
> Then we allow:
> 
> client -> squid -> internet
> 
> this is based on the (non-forwarded) client IP.
> 
> We would like to open up access to e2g from the internet but require
> authentication in that case.

Okay.

>  This would require the use of forwarded
> IPs so the squid could distinguish between them (e2g does not do auth
> directly - it lets squid handle that).  But then this breaks our config
> above because we no longer can distinguish between connections from e2g
> and direct ones.


How do you come to that conclusion?

What is your Squid version?

What are your current squid.conf contents?


Amos

