[squid-users] squid binding outgoing ip with a username auth
Amos Jeffries
squid3 at treenet.co.nz
Sat Sep 24 21:58:05 UTC 2016
On 24/09/2016 6:13 p.m., --Ahmad-- wrote:
> Hi folks.
>
> I have many IPs on the same server.
> I also have the basic_ncsa auth type on Squid.
>
> Say I have 3 IPs and I created 3 users.
>
> The issue I have now is that any user can use any outgoing address.
>
> Let me explain below:
>
>
> auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user
> acl ncsa_users proxy_auth REQUIRED
> auth_param basic children 100
> http_access allow ncsa_users
>
> ###############
> http_port 100.160.238.0:17648
> http_port 100.160.238.1:48049
> http_port 100.160.238.2:26394
>
> #############
> acl ip1 myip 100.160.238.0
> acl ip2 myip 100.160.238.1
> acl ip3 myip 100.160.238.2
> #############
>
> tcp_outgoing_address 100.160.238.0 ip1
> tcp_outgoing_address 100.160.238.1 ip2
> tcp_outgoing_address 100.160.238.2 ip3
>

'myip' matches the Squid IP address.
tcp_outgoing_address is what sets the Squid IP address.

See any problem with using the Squid IP address current value to set the
Squid IP address?

Use the myportname ACL instead. In your above config it will match the
IP:port string on the http_port line. For example:

  acl ip0 myportname 100.160.238.0:17648
  tcp_outgoing_address 100.160.238.0 ip0

Or you can add a name= parameter to each port to set a custom name for
it that the myportname ACL looks for.

> ########################
>
> I created 3 users:
>
> htpasswd -cdb /etc/squid/squid_user user1 user1
> htpasswd -cdb /etc/squid/squid_user user2 user2
> htpasswd -cdb /etc/squid/squid_user user3 user3
>
> #################
>
>
>
> Now if user1 connects to 100.160.238.0:17648 it will be able to use it,
> and if it connects to 100.160.238.1:48049 it will also be able to,
>
> and the same for 100.160.238.2:26394.
>
>
> The question is:
> How can I let user1 only use 100.160.238.0:17648 and user2 only use 100.160.238.1:48049 and user3 only use 100.160.238.2:26394?
>

Use the ext_file_userip_acl helper. The format for entries in the helper
config file is listed in the man page:
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_file_userip_acl.html>

Replace the line "http_access allow ncsa_users" with the following:

  external_acl_type userIp %SRC %LOGIN /usr/bin/ext_file_userip_acl \
      -f /etc/squid/userIP.conf
  acl userIp external userIp
  http_access deny !ncsa_users
  http_access allow userIp

NP: that is all. Do not add userIp check to tcp_outgoing_address lines.

After all the above changes your squid.conf should look something like this:

  ## ... the default http_access rules at the top ...
  ##
  ## Your local custom rules go here:
  auth_param basic program /lib/squid/basic_ncsa_auth \
      /etc/squid/squid_user
  auth_param basic children 100

  external_acl_type userIp %SRC %LOGIN /lib/squid/ext_file_userip_acl \
      -f /etc/squid/userIP.conf

  acl ncsa_users proxy_auth REQUIRED
  acl userIp external userIp

  http_access deny !ncsa_users
  http_access allow userIp
  http_access deny all
  ##

  http_port 100.160.238.0:17648 name=0
  acl ip0 myportname 0
  tcp_outgoing_address 100.160.238.0 ip0

  http_port 100.160.238.1:48049 name=1
  acl ip1 myportname 1
  tcp_outgoing_address 100.160.238.1 ip1

  http_port 100.160.238.2:26394 name=2
  acl ip2 myportname 2
  tcp_outgoing_address 100.160.238.2 ip2

Amos
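
Added example (not part of the original post and not Squid project code): a small Python check that reads squid.conf text and reports which outgoing address each http_port listener is pinned to through a myportname ACL, flagging tcp_outgoing_address rules that still depend on a myip ACL as discussed in the reply. The audit() function and SAMPLE_CONF are hypothetical names, the sample config is constructed from the addresses in this thread, and the check assumes one ACL per tcp_outgoing_address line as in the configs above.

```python
# Constructed sample: two listeners use the myportname form from the reply,
# the third still uses the poster's original myip ACL.
SAMPLE_CONF = """\
http_port 100.160.238.0:17648 name=0
http_port 100.160.238.1:48049
http_port 100.160.238.2:26394 name=2
acl ip0 myportname 0
acl ip1 myportname 100.160.238.1:48049
acl ip2 myip 100.160.238.2
tcp_outgoing_address 100.160.238.0 ip0
tcp_outgoing_address 100.160.238.1 ip1
tcp_outgoing_address 100.160.238.2 ip2
"""

def audit(conf_text):
    """Return ({listener: outgoing address}, [warnings]) for squid.conf text."""
    ports, acls, rules = {}, {}, []  # port name -> listener; acl -> (type, values)
    for raw in conf_text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "http_port" and len(tok) > 1:
            # Without name=, the port name is the IP:port string itself.
            name = next((t[5:] for t in tok[2:] if t.startswith("name=")), tok[1])
            ports[name] = tok[1]
        elif tok[0] == "acl" and len(tok) > 3:
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[0] == "tcp_outgoing_address" and len(tok) > 1:
            rules.append((tok[1], tok[2:]))
    mapping, warnings = {}, []
    for addr, names in rules:
        for acl in names:
            kind, values = acls.get(acl, (None, []))
            if kind == "myip":
                warnings.append(f"{acl}: myip ACL used to choose outgoing address {addr}")
            for v in values if kind == "myportname" else []:
                if v not in ports:
                    warnings.append(f"{acl}: no http_port named {v}")
                elif mapping.setdefault(ports[v], addr) != addr:  # first match wins
                    warnings.append(f"{ports[v]}: later rule for {addr} never applies")
    for listen in ports.values():
        if listen not in mapping:
            warnings.append(f"{listen}: no myportname rule pins its outgoing address")
    return mapping, warnings

if __name__ == "__main__":
    pinned, problems = audit(SAMPLE_CONF)
    print(pinned)
    print("\n".join(problems))
```
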