[squid-users] Whitelist Src IP and Tie it to specific ip outgoing ip

Alex Rousskov rousskov at measurement-factory.com
Sat Apr 24 02:58:21 UTC 2021


On 4/23/21 9:28 PM, Andy Frad wrote:

> I would like to know if there is a way to whitelist a user's src address
> and tie it to a specific outgoing ip?

The two parts of the question are completely unrelated AFAICT. Since you
already know how to allow traffic, I will focus on the second part.


> I'd like to ... make it so a person's src ip can
> only get access to a specific ip bound to the server.


To tell Squid to use local source IP address X for Squid-server
transactions matching a specialTransaction ACL, consider using

  tcp_outgoing_address X specialTransaction

Your call how to define the specialTransaction ACL (e.g. it could be a
src ACL). IIRC, tcp_outgoing_address supports fast ACLs only.

Please note that if the transaction is going to an IPv6 address but your
X address is an IPv4 address, then Squid will _ignore_ the
"tcp_outgoing_address X" rule(s) for that transaction. Whether that is a
good thing depends on your (unstated) requirements. If needed, you can,
of course, have two rules for each specialTransaction, one for IPv6 and
one for IPv4 addresses.

You cannot block outgoing traffic using tcp_outgoing_address.

Please see tcp_outgoing_address documentation for caveats. Some of them
sound odd to me so I recommend testing before jumping to conclusions.


HTH,

Alex.
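
The advice above as a squid.conf fragment. This is an added example, not part of the original message; the ACL name office_client and all addresses are constructed, using documentation ranges.

```conf
# Constructed values: the client is 192.0.2.10; the local addresses
# 198.51.100.21 and 2001:db8::21 must already be configured on the
# Squid host.

# src is a fast ACL, so it can be used with tcp_outgoing_address.
acl office_client src 192.0.2.10

# Allowing or denying traffic stays in http_access;
# tcp_outgoing_address only selects the local source address.
http_access allow office_client
http_access deny all

# One rule per address family. With only the IPv4 rule, transactions
# going to IPv6 destinations would ignore it and leave from whatever
# address the operating system picks.
tcp_outgoing_address 198.51.100.21 office_client
tcp_outgoing_address 2001:db8::21 office_client
```

Check the syntax with `squid -k parse`, then confirm from the client which source address an IPv4-only and an IPv6-only destination each see.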

