[squid-users] squid binding outgoing ip with a username auth

Amos Jeffries squid3 at treenet.co.nz
Sat Sep 24 21:58:05 UTC 2016 

On 24/09/2016 6:13 p.m., --Ahmad-- wrote:
> hi folks .
> 
> i have many ips on same server .
> also i  have  basic_ncsa auth type on squid .
> 
> say i have 3 ips  and i created 3 users .
> 
> the issue i have now is any user can use any outgoing address .
> 
> let me explain below :
> 
> 
> auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user
> acl ncsa_users proxy_auth REQUIRED
> auth_param basic children 100
> http_access allow ncsa_users
> 
> ###############
> http_port 100.160.238.0:17648
> http_port 100.160.238.1:48049
> http_port 100.160.238.2:26394
> 
> #############
> acl  ip1myip 100.160.238.0
> acl  ip2 myip 100.160.238.1
> acl  ip3 myip 100.160.238.2
> #############
> 
> tcp_outgoing_address 100.160.238.0 ip1
> tcp_outgoing_address 100.160.238.1 ip2
> tcp_outgoing_address 100.160.238.2 ip3
> 

'myip' matches the Squid IP address.
tcp_outgoing_address is what sets the Squid IP address.
See any problem with using the Squid IP address current value to set the
Squid IP address?

Use the myportname ACL instead. In your above config it will match the
IP:port string on the htp_port line. For example:

  acl ip0 myportname 100.160.238.0:17648
  tcp_outgoing_address 100.160.238.0 ip0

Or you can add a name= parameter to each port to set a custom name for
it that the myportname ACL looks for.


> ########################
> 
> i created 3 users :
> 
> htpasswd -cdb   /etc/squid/squid_user user1 user1
> htpasswd -cdb   /etc/squid/squid_user user2 user2
> htpasswd -cdb   /etc/squid/squid_user user3 user3
> 
> #################
> 
> 
> 
> now if user1 connected to 100.160.238.0:17648 it will be able to use it 
> also if connected to   100.160.238.1:48049 also will be able .
> 
>  and so for 100.160.238.2:26394.
> 
> 
> the question is
>  how can i let user1 only use  100.160.238.0:17648  and user2 only use  100.160.238.1:48049  and user3 only use  100.160.238.2:26394 ???
> 

Use the ext_file_userip_acl helper. The format for entries in the helper
config file is listed in the man page:
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_file_userip_acl.html>

Replace the line "http_access allow ncsa_users" with the following:

 external_acl_type userIp %SRC /usr/bin/ext_file_userip_acl -f
/etc/squid/userIP.conf
 acl userIp external userIp

 http_access deny !ncsa_users
 http_access allow userIp

NP: that is all. Do not add userIp check to tcp_outgoing_address lines.


After all the above changes your squid.conf should look something like this:

 ## ... the default http_access rules at the top ...
 ##
 ## Your local custom rules go here:

 auth_param basic program /lib/squid/basic_ncsa_auth \
    /etc/squid/squid_user
 auth_param basic children 100

 external_acl_type userIp %SRC %LOGIN /lib/squid/ext_file_userip_acl \
    -f /etc/squid/userIP.conf

 acl ncsa_users proxy_auth REQUIRED
 acl userIp external userIp

 http_access deny !ncsa_users
 http_access allow userIp
 http_access deny all

 ##
 http_port 100.160.238.0:17648 name=0
 acl ip0 myportname 0
 tcp_outgoing_address 100.160.238.0 ip0

 http_port 100.160.238.1:48049 name=1
 acl ip1 myportname 1
 tcp_outgoing_address 100.160.238.1 ip1

 http_port 100.160.238.2:26394 name=2
 acl ip2 myportname 2
 tcp_outgoing_address 100.160.238.2 ip2


Amos

More information about the squid-users mailing list