[squid-users] Multi-clients VPS - Authentication been shared.

Alex Rousskov rousskov at measurement-factory.com
Tue Nov 16 18:23:00 UTC 2021


On 11/16/21 11:53 AM, Graminsta wrote:
> Hello friends,
> 
> I'm using these user authentication lines in squid.conf based on user's
> authentication list:
> 
> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/users
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> 
> http_access allow localhost
> acl clientes proxy_auth REQUIRED
> http_access allow clientes
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access deny all

Please note that you are allowing authenticated clients to send traffic
to unsafe ports. For example, they can CONNECT to non-SSL ports. You may
want to reorder the above rules if that is not what you want.


> #List of outgoings (all IPs are fake)
> 
> http_port 181.111.11.111:4000 name=3
> acl ip3 myportname 3
> tcp_outgoing_address 2804:1934:2E1::3D6 ip3
> 
> http_port 181.111.11.112:4001 name=4
> acl ip4 myportname 4
> tcp_outgoing_address 2804:1934:3a8::3D7 ip4
> 
> The problem is that everyone who is in the users file is allowed to use
> all tcp_outgoing_address entries.
> 
> If a smarter client scans for open IPs and ports, they will be able to
> find these outgoings.
> 
> How can I restrict each user to their own tcp_outgoing_address output?

I suspect you are asking the wrong question. A better question is "How
do I restrict each user to their own http_port?". The answer is "Use
http_access to deny authenticated users connected to wrong ports."

However, you should also ask yourself another question: "Why am I using
multiple http_ports if all I care about is who uses which
tcp_outgoing_address?". The listening ports have virtually nothing to do
with tcp_outgoing_address...

I suspect you want something like this instead:

    http_port ...
    tcp_outgoing_address ...:3D01 user1
    tcp_outgoing_address ...:3D02 user2
    tcp_outgoing_address ...:3D03 user3
    ...

...where userN is an ACL that matches an authenticated user N.


HTH,

Alex.
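As an added illustration (not part of Alex's reply or the Squid project's own documentation), the squid.conf fragment below puts both of his points together: the http_access rules are reordered so the "deny" rules for unsafe ports come before the "allow" for authenticated users, and one listening port is paired with per-user tcp_outgoing_address lines selected by proxy_auth ACLs. The user names alice and bob are assumed; the outgoing addresses are the placeholder ones from the original question.

```conf
# Added example squid.conf fragment; alice/bob are assumed user names
# taken from /etc/squid/users, and the addresses are placeholders.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/users
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# One ACL per authenticated user, plus one that matches any valid login.
acl clientes proxy_auth REQUIRED
acl user1 proxy_auth alice
acl user2 proxy_auth bob

# Port restrictions first, so that an authenticated client can no longer
# CONNECT to a non-SSL port or reach an unsafe port.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow clientes
http_access deny all

# A single listening port; the outgoing address is chosen per user,
# not per listening port.
http_port 181.111.11.111:4000

# Each user gets exactly one outgoing address; requests by users not
# listed here fall through to Squid's default outgoing address.
tcp_outgoing_address 2804:1934:2E1::3D6 user1
tcp_outgoing_address 2804:1934:3a8::3D7 user2

# Squid's documentation notes that client-dependent ACLs on
# tcp_outgoing_address do not mix well with server-side persistent
# connections, because a pooled server connection may have been opened
# for a different client; turning them off keeps the mapping strict.
server_persistent_connections off
```

The ordering matters: Squid evaluates http_access rules top to bottom and stops at the first match, so the deny rules only take effect for authenticated users if they appear before "http_access allow clientes". Check the result with "squid -k parse" before reloading.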

