[squid-users] Squid MAC address ACL is not working, and how to get the MAC address Squid sees?
Billy.Zheng (zw963)
zw963 at 163.com
Wed Jan 13 14:29:14 UTC 2016
It seems I missed so many replies; sorry to all.
I will try to reproduce everything I did in this reply.
Currently I use a newer compiled version of Squid (3.5.12). See the wiki: it
should support the arp ACL out of the box. The following is copied from the wiki.
> The arp ACL requires the special configure option --enable-arp-acl in
> Squid-3.1 and older, for newer Squid versions EUI-48 (aka MAC address)
> support is enabled by default. Furthermore, the ARP / EUI-48 code is
> not portable to all operating systems. It works on Linux, Solaris,
> and some *BSD variants.
So, I think Squid arp ACL support is not the key.
The following is my whole config, which has worked on CentOS 7. My need is to connect
to the Squid server from my own laptop (with its MAC address), with no password needed.
The following is my network info; I hope it can help.
My laptop connects to the internet through an old WiFi router.
When I run traceroute on my laptop over the WiFi connection, I cannot find any useful info.
traceroute to MY_VPS_IP (MY_VPS_IP), 30 hops max, 60 byte packets
1 localhost (192.168.1.1) 2.017 ms 3.294 ms 3.549 mspp
2 MY_VPS_IP (MY_VPS_IP) 101.182 ms !X 101.965 ms !X 104.812 ms !p
Only when I connect my laptop directly to the router with a wired connection
does it output meaningful route information.
------------------------- config begin ------------------------------
debug_options 11,2
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid.passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl proxy_ports localport 8087 # http proxy port
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
acl advance_users arp MY_LAPTOP_MAC_ADDRESS
http_access allow advance_users proxy_ports
acl superuser proxy_auth zw963
http_access allow superuser proxy_ports
acl authorized_users proxy_auth REQUIRED
acl over_conn_limit maxconn 3
http_access deny over_conn_limit authorized_users
http_access allow authorized_users proxy_ports
http_access allow localnet
http_access allow localhost
http_access deny all
https_port 8087 cert=/etc/squid/cert.pem key=/etc/squid/key.pem
cache_effective_user squid
cache_effective_group squid
visible_hostname squid.proxy
cache_mgr MY_EMAIL_ADDRESS
cache_mem 64 MB
cache_dir ufs /var/spool/squid 256 16 256
coredump_dir /var/spool/squid
maximum_object_size 512 KB
maximum_object_size_in_memory 64 KB
cache_swap_high 95
cache_swap_low 80
cache_store_log none
cache_log /var/log/squid/cache.log
cache_access_log /var/log/squid/access.log
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
forwarded_for off
logfile_rotate 60
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
------------------ config end ---------------------
When I use w3m to connect to Google, w3m tells me a user/password is needed.
The following is the Squid log:
==================================== log begin =====================================
==> /var/log/squid/cache.log <==
2016/01/13 14:19:07.952 kid1| 11,2| client_side.cc(2345) parseHttpRequest: HTTP Client local=*** remote=*** FD 14 flags=1
2016/01/13 14:19:07.952 kid1| 11,2| client_side.cc(2346) parseHttpRequest: HTTP Client REQUEST:
---------
GET http://www.google.com/ HTTP/1.0
User-Agent: w3m/0.5.3+debian-15
Accept: text/html, text/*;q=0.5, image/*, application/*, video/*, audio/*, x-scheme-handler/*, x-content/*, misc/*, inode/*
Accept-Encoding: gzip, compress, bzip, bzip2, deflate
Accept-Language: en;q=1.0
Host: www.google.com
----------
2016/01/13 14:19:07.953 kid1| 11,2| client_side.cc(1391) sendStartOfMessage: HTTP Client local=***** remote=***** FD 14 flags=1
2016/01/13 14:19:07.953 kid1| 11,2| client_side.cc(1392) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 407 Proxy Authentication Required
Server: squid/3.5.12
Mime-Version: 1.0
Date: Wed, 13 Jan 2016 14:19:07 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3704
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: Basic realm="Squid proxy-caching web server"
X-Cache: MISS from squid.proxy
Via: 1.1 squid.proxy (squid/3.5.12)
Connection: close
==> /var/log/squid/access.log <==
1452694747.953 1 60.221.132.137 TCP_DENIED/407 4130 GET http://www.google.com/ - HIER_NONE/- text/html
****** - - [13/Jan/2016:14:19:07 +0000] "GET http://www.google.com/
HTTP/1.0" 407 4130 "-" "w3m/0.5.3+debian-15" TCP_DENIED:HIER_NONE
======================================= log end ================================
I have no idea why Squid auth is needed when I connect from my laptop.
This situation is the same as when the following ACLs are not used.
>> acl advance_users arp MY_LAPTOP_MAC_ADDRESS
>> http_access allow advance_users proxy_ports
Thanks.
Antony Stone writes:
> On Friday 01 January 2016 at 16:03:00, Billy.Zheng(zw963) wrote:
>
>> My config is a little longer, But it worked fine in recent months.
>
> Please:
>
> 1. Describe your network setup - specifically:
> - what is the client-facing IP address of your Squid server?
> - what network range are the clients in?
>
> 2. Post your squid.conf without comments or blank lines.
>
> Partial information will almost certainly result in partial assistance from
> the list (not deliberately, just because we don't know enough to help as much
> as we might).
>
>
> Thanks,
>
>
> Antony.
--
Geek, Rubyist, Emacser
Homepage: http://zw963.github.io
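An added illustration, not part of this thread and not Squid's own code: Squid learns a client's EUI-48 (MAC) from the proxy host's ARP cache, and the kernel only holds ARP entries for hosts on a directly attached link, so a client that arrives over the internet (the access.log above records the client as 60.221.132.137, a public address) can never match an `arp` ACL and falls through to the `proxy_auth` rules, hence the 407. The script below models that lookup over a constructed /proc/net/arp snapshot and a constructed interface table (both assumptions, not taken from the poster's server) and evaluates the `advance_users` rule from the config.

```python
"""Model of why an `arp` ACL cannot match an off-link client.

Illustrative code only: it mirrors the idea behind Squid's EUI-48 lookup
(consult the local ARP cache), not Squid's actual implementation.
"""
import ipaddress

# Constructed snapshot in the layout of Linux /proc/net/arp (not real data).
ARP_CACHE = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.23        0x1         0x2         aa:bb:cc:dd:ee:01     *        eth1
10.0.0.1         0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth1
"""

# Constructed: the proxy host's own interfaces as address/prefix per device.
LOCAL_LINKS = {"eth0": "203.0.113.10/24", "eth1": "10.0.0.2/24"}


def parse_arp_cache(text):
    """Return {ip: mac} for complete entries (flags 0x2 = ATF_COM)."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) >= 6 and fields[2] == "0x2":
            table[fields[0]] = fields[3].lower()
    return table


def eui48_for_client(client_ip, arp_text=ARP_CACHE, links=LOCAL_LINKS):
    """MAC the proxy could learn for client_ip, or None if it is off-link."""
    addr = ipaddress.ip_address(client_ip)
    on_link = any(addr in ipaddress.ip_network(cidr, strict=False)
                  for cidr in links.values())
    if not on_link:
        # Beyond a router only the router's MAC is ever visible to the proxy.
        return None
    return parse_arp_cache(arp_text).get(client_ip)


def arp_acl_matches(client_ip, laptop_mac):
    """True only when `acl advance_users arp <laptop_mac>` would match."""
    seen = eui48_for_client(client_ip)
    return seen is not None and seen == laptop_mac.lower()
```

For a laptop that reaches the proxy across the internet, the practical control is the authentication the config already has (or a VPN that places the client on the proxy's link), not a MAC ACL.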