[squid-users] Squid MAC address ACL is not worked, and how to get the MAC address Squid see?

Billy.Zheng (zw963) zw963 at 163.com
Thu Jan 21 08:37:52 UTC 2016 

> Why that requirement?

I hope connection to squid server with only my own laptop no
password is need.

> This port receives TLS (HTTPS) connections. You need special browser
> configuration to connect to a proxy using TLS. The only browser that
> supports this is Chrome when configured with a PAC file or when run
> manually with special command line options.
>

I use stunnel for this, it work well for this.
for my browser, I only need proxy 127.0.0.1:8087

> ?? you have both Squid format and Apache format log records being put
> into the same log?

I specify access.log format, I don't upload those config for this
discuss.

> The access.log says the request came from a remote Internet IP address
> outside your LAN. That is why ARP is not working.

Thanks, this is what I need. seem like, not exist a way to auto-verify
a special computer. could you please tell me, should squid exist some
verify method like ssh public key/private key based auto login?

Amos Jeffries writes:

> On 14/01/2016 3:29 a.m., Billy.Zheng (zw963) wrote:
>> 
>> It seem like i missing so many reply, Sorry for all.
>> 
>> I try to reproduce everything about what I did in this reply.
>> 
>> Currently, I use newer compile version Squid (3.5.12), see wiki, it
>> should support arp acl originally, following is copy from WIKI.
>> 
>>> The arp ACL requires the special configure option --enable-arp-acl in
>>> Squid-3.1 and older, for newer Squid versions EUI-48 (aka MAC address)
>>> support is enabled by default. Furthermore, the ARP / EUI-48 code is
>>> not portable to all operating systems. It works on Linux, Solaris,
>>> and some *BSD variants.
>> 
>> So, I think squid arp acl support is not the key.
>
> If you mean that you think it will not work, you are correct.
>
>> 
>> following is my whole config worked for CentOS 7, my need is connection
>> to Squid server with my own laptop(with MAC address), no password is need.
>
> Why that requirement?
>
>> 
>> following is my network info, hope can help.
>> 
>> my laptop is connection to internet through a old WIFI router.
>> when I run traceroute in my laptop with WIFI conn, can not found any useful info.
>> 
>> traceroute to MY_VPS_IP (MY_VPS_IP), 30 hops max, 60 byte packets
>>  1  localhost (192.168.1.1)  2.017 ms  3.294 ms  3.549 mspp
>>  2  MY_VPS_IP (MY_VPS_IP)  101.182 ms !X  101.965 ms !X  104.812 ms !p
>> 
>> unless I connection my laptop directly to router with wired conn,
>> can output meaningful route infomation.
>> 
>> ------------------------- config begin ------------------------------
>> 
>> debug_options 11,2
>> 
>> auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid.passwd
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive on
>> 
>> acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
>> acl localnet src fc00::/7       # RFC 4193 local private network range
>> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>> 
>> acl SSL_ports port 443
>> acl Safe_ports port 80		# http
>> acl Safe_ports port 21		# ftp
>> acl Safe_ports port 443		# https
>> acl Safe_ports port 70		# gopher
>> acl Safe_ports port 210		# wais
>> acl Safe_ports port 1025-65535	# unregistered ports
>> acl Safe_ports port 280		# http-mgmt
>> acl Safe_ports port 488		# gss-http
>> acl Safe_ports port 591		# filemaker
>> acl Safe_ports port 777		# multiling http
>> acl CONNECT method CONNECT
>> acl proxy_ports localport 8087       # http proxy port
>> 
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> 
>> http_access allow localhost manager
>> http_access deny manager
>> 
>> acl advance_users arp MY_LAPTOP_MAC_ADDRESS
>> http_access allow advance_users proxy_ports
>> 
>> acl superuser proxy_auth zw963
>> http_access allow superuser proxy_ports
>> 
>> acl authorized_users proxy_auth REQUIRED
>> acl over_conn_limit maxconn 3
>> 
>> http_access deny over_conn_limit authorized_users
>> http_access allow authorized_users proxy_ports
>> 
>> http_access allow localnet
>> http_access allow localhost
>> http_access deny all
>> 
>> https_port 8087 cert=/etc/squid/cert.pem key=/etc/squid/key.pem
>
> This port receives TLS (HTTPS) connections. You need special browser
> configuration to connect to a proxy using TLS. The only browser that
> supports this is Chrome when configured with a PAC file or when run
> manually with special command line options.
>
>
>> ------------------ config end ---------------------
>> 
>> When I use w3m connection to google, w3m tell me user/password is need.
>> 
>> following is squid log:
>> 
>> ==================================== log begin =====================================
>> 
>> ==> /var/log/squid/cache.log <==
>> 2016/01/13 14:19:07.952 kid1| 11,2| client_side.cc(2345) parseHttpRequest: HTTP Client local=*** remote=*** FD 14 flags=1
>
> Your rules are al IP and port based. You elided the IP:port information
> with "***"
>> 
>> ==> /var/log/squid/access.log <==
>> 1452694747.953      1 60.221.132.137 TCP_DENIED/407 4130 GET http://www.google.com/ - HIER_NONE/- text/html
>> ****** - - [13/Jan/2016:14:19:07 +0000] "GET http://www.google.com/
>> HTTP/1.0" 407 4130 "-" "w3m/0.5.3+debian-15" TCP_DENIED:HIER_NONE
>
> ?? you have both Squid format and Apache format log records being put
> into the same log?
>
>
>> 
>> ======================================= log end ================================
>> 
>> I have no idea why squid  Auth is need when I connection from my laptop.
>> this situation is same as when no following acl is used.
>> 
>>>> acl advance_users arp MY_LAPTOP_MAC_ADDRESS
>>>> http_access allow advance_users proxy_ports
>> 
>
> The access.log says the request came from a remote Internet IP address
> outside your LAN. That is why ARP is not working.
>
> ARP / MAC address in IPv4 only works within a single flat subnet where
> all devices are directly connected. As soon as packets go through a
> router the MAC/ARP address is changed.
>
> IPv6 this is somewhat better, since SLAAC configuration sends the EUI-64
> address as part of the client IPv6 address. When that happens the MAC is
> visible through router hops. But when DHCP or "Privacy" addressing is
> used the EUI/MAC is not available at all even in the same subnet.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-- 
Geek, Rubyist, Emacser
Homepage: http://zw963.github.io

More information about the squid-users mailing list