[squid-users] How to allow users authenticated to access only their own ports.

Marcelo marcelorodrigo at graminsta.com.br
Thu Jul 7 23:13:41 UTC 2022


Hi everyone ;)

I have a slightly complex task at hand.

What I must do:

1- Allow a user to access squid only through a specific port. The same user
can access 1 port or several ports, depending on how many routes he has.

2- Authenticated users can access only their own ports.

3- Every access is via IP:Port that brings the user to a different
tcp_outgoing_address

Example

A user must have 2 routes:

192.168.0.2:3001 this route brings this user to tcp_outgoing_address
200.2.2.11

192.168.0.2:3002 this route brings this user to tcp_outgoing_address
200.2.2.12

Yes, every port has to route to a different tcp outgoing address.

The closest I could get to a solution was using this:

http_port 192.168.0.2:3001 name=5

acl ip5 myportname 5

tcp_outgoing_address 200.2.2.11 ip5

This way, a user that enters via 192.168.0.2:3001 goes out via 200.2.2.11.

And it's fine, but this way, every authenticated user can access all routes.

I have tried several ways to bind a username in this solution, but it is
not working.
Authentication was via basic_db_auth, but I "downgraded it" to
basic_ncsa_auth to simplify tests. Authentication is working fine.

My last try was using the setup below, but it made squid a little dizzy:

acl ip3 proxy_auth test myportname 3

http_access allow ip3

http_port 192.168.0.2:2000 name=3

tcp_outgoing_address 200.2.2.11 ip3

http_access deny ip3

 

acl ip4 proxy_auth test1 myportname 4

http_access allow ip4

http_port 192.168.0.2:2000 name=4

tcp_outgoing_address 200.2.2.12 ip4

http_access deny ip4

The problem is to bind specific incoming via ip:port to specific outgoing
ip:port using user authentication so users can't access each other's routes.

Thanks for the help.

Marcelo
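
Added example, not part of the original message and not code from the Squid project: one way to tie each named port to its owning user is to keep the port and user ACLs separate and combine them on the http_access lines. It assumes the auth_param setup the post describes is already in place; the port names, the third port 3003 and the address 200.2.2.13 are constructed for illustration.

```squidconf
# Added example. Assumes auth_param (basic_ncsa_auth) is already
# configured and working, as the post states.

# One named listening port per route. The third route is constructed.
http_port 192.168.0.2:3001 name=route3001
http_port 192.168.0.2:3002 name=route3002
http_port 192.168.0.2:3003 name=route3003

# Each acl line has exactly one type, so the port test (myportname)
# and the user test (proxy_auth) are declared as separate ACLs.
acl route3001 myportname route3001
acl route3002 myportname route3002
acl route3003 myportname route3003
acl user_test proxy_auth test
acl user_test1 proxy_auth test1

# ACL names on one http_access line are ANDed: the request must arrive
# on the named port AND be authenticated as that port's owner.
# User "test" owns two routes, user "test1" owns one.
http_access allow route3001 user_test
http_access allow route3002 user_test
http_access allow route3003 user_test1

# Any other user/port combination, and everything else, is refused.
http_access deny all

# The outgoing address is selected by port name only.
# tcp_outgoing_address supports fast ACL types only, and the user has
# already been checked by http_access above. 200.2.2.13 is constructed.
tcp_outgoing_address 200.2.2.11 route3001
tcp_outgoing_address 200.2.2.12 route3002
tcp_outgoing_address 200.2.2.13 route3003
```

Running "squid -k parse" after editing checks the file for syntax errors before a reload.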
