<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Meiryo;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"\@Meiryo";
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
        {mso-style-priority:99;
        mso-style-link:"Plain Text Char";
        margin:0in;
        font-size:11.0pt;
        font-family:"Meiryo",sans-serif;}
span.PlainTextChar
        {mso-style-name:"Plain Text Char";
        mso-style-priority:99;
        mso-style-link:"Plain Text";
        font-family:"Consolas",serif;}
span.EmailStyle23
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:99.25pt 85.05pt 85.05pt 85.05pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word;text-justify-trim:punctuation'><div class=WordSection1><p class=MsoNormal>Hey,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I can try to test/check this but I am missing the basic Kerberos auth with AD setup.<o:p></o:p></p><p class=MsoNormal>I have a working setup but the transparent authentication is not working for me.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Eliezer<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>----<o:p></o:p></p><p class=MsoNormal>Eliezer Croitoru<o:p></o:p></p><p class=MsoNormal>Tech Support<o:p></o:p></p><p class=MsoNormal>Mobile: +972-5-28704261<o:p></o:p></p><p class=MsoNormal>Email: <a href="mailto:ngtech1ltd@gmail.com"><span style='color:blue'>ngtech1ltd@gmail.com</span></a><o:p></o:p></p><p class=MsoNormal>Zoom: Coming soon<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> squid-users &lt;squid-users-bounces@lists.squid-cache.org&gt; <b>On Behalf Of </b>Hideyuki Kawai<br><b>Sent:</b> Friday, January 22, 2021 11:23 AM<br><b>To:</b> squid-users@lists.squid-cache.org<br><b>Subject:</b> [squid-users] effective acl for tcp_outgoing_address<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>Hi, this is Kawai.<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'> <o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>Now, I'm trying to set up Squid 4.x on CentOS, but I have one issue.<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>Please let me send an inquiry as follows.<o:p></o:p></span></p><p class=MsoPlainText><span 
style='mso-fareast-language:JA'> <o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>### Requirement ###<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>The squid is required as follows.<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>1. Kerberos auth with Active Directory : auth_param .....       &lt;- Success<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>2. "Security group" check which is gotten from AD : external_acl_type ...(using ext_kerberos_ldap_group_acl)   &lt;- success<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>3. Using different outgoing IP based on "Security group" : tcp_outgoing_address + external_acl  <span style='color:red;background:yellow;mso-highlight:yellow'>&lt;- fail</span><span style='color:red'> (can not work)</span><o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'> <o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>=== sample configuration which I tested. 
(but, it did not work</span><span style='font-family:"Courier New";mso-fareast-language:JA'>…</span><span style='mso-fareast-language:JA'>) ===<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>external_acl_type kerberos_ldap_group1 ttl=3600 negative_ttl=3600 %LOGIN /path/to/ext_kerberos_ldap_group_acl </span><span style='font-family:"Courier New";mso-fareast-language:JA'>-</span><span style='mso-fareast-language:JA'>g GROUP1<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>external_acl_type kerberos_ldap_group2 ttl=3600 negative_ttl=3600 %LOGIN /path/to/ext_kerberos_ldap_group_acl </span><span style='font-family:"Courier New";mso-fareast-language:JA'>-</span><span style='mso-fareast-language:JA'>g GROUP2<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>acl group1 external kerberos_ldap_group1<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>acl group2 external kerberos_ldap_group2<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>tcp_outgoing_address 10.1.0.1 group1<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>tcp_outgoing_address 10.1.0.2 group2<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'> <o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'> <o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>### Inquiry ###<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>Based on the web site, </span><span style='font-family:"Courier New";mso-fareast-language:JA'>“</span><span style='mso-fareast-language:JA'>tcp_outgoing_address</span><span style='font-family:"Courier New";mso-fareast-language:JA'>”</span><span style='mso-fareast-language:JA'> does NOT support "external_acl". 
Because the external_acl type is slow.<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>In this case, how should I configure squid.conf to satisfy my requirement?<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'> <o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>Please let me know your comments and knowledge.<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>Thanks in advance.<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'> <o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>-------------------------------------<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'><a href="mailto:h.kawai@ntt.com">h.kawai@ntt.com</a><o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'>-------------------------------------<o:p></o:p></span></p><p class=MsoPlainText><span style='mso-fareast-language:JA'> <o:p></o:p></span></p></div></body></html>