[squid-users] squid binding outgoing ip with a username auth
--Ahmad--
ahmed.zaeem at netstream.ps
Sun Sep 25 21:28:59 UTC 2016
Hi Amos, thanks for the reply.
But let me ask you another question for clarification.
In the section:
external_acl_type type-name %SRC %LOGIN /path/to/ext_file_userip_acl -f /path/to/config.file
Now I see it has the form:
ip_addr[/netmask] username|@group|ALL|NONE
Say I have 3 users:
user1
user2
and user3
======================
user1 --> 100.160.238.0:17648
user2 --> 100.160.238.1:48049
user3 --> 100.160.238.2:26394
=================
Will the file /path/to/config.file be like below?
100.160.238.0 user1
100.160.238.1 user2
100.160.238.2 user3
Kind regards
> On Sep 25, 2016, at 12:58 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
> On 24/09/2016 6:13 p.m., --Ahmad-- wrote:
>> Hi folks.
>>
>> I have many IPs on the same server.
>> Also I have the basic_ncsa auth type on Squid.
>>
>> Say I have 3 IPs and I created 3 users.
>>
>> The issue I have now is that any user can use any outgoing address.
>>
>> Let me explain below:
>>
>>
>> auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user
>> acl ncsa_users proxy_auth REQUIRED
>> auth_param basic children 100
>> http_access allow ncsa_users
>>
>> ###############
>> http_port 100.160.238.0:17648
>> http_port 100.160.238.1:48049
>> http_port 100.160.238.2:26394
>>
>> #############
>> acl ip1 myip 100.160.238.0
>> acl ip2 myip 100.160.238.1
>> acl ip3 myip 100.160.238.2
>> #############
>>
>> tcp_outgoing_address 100.160.238.0 ip1
>> tcp_outgoing_address 100.160.238.1 ip2
>> tcp_outgoing_address 100.160.238.2 ip3
>>
>
> 'myip' matches the Squid IP address.
> tcp_outgoing_address is what sets the Squid IP address.
> See any problem with using the Squid IP address current value to set the
> Squid IP address?
>
> Use the myportname ACL instead. In your above config it will match the
> IP:port string on the http_port line. For example:
>
> acl ip0 myportname 100.160.238.0:17648
> tcp_outgoing_address 100.160.238.0 ip0
>
> Or you can add a name= parameter to each port to set a custom name for
> it that the myportname ACL looks for.
>
>
>> ########################
>>
>> I created 3 users:
>>
>> htpasswd -cdb /etc/squid/squid_user user1 user1
>> htpasswd -cdb /etc/squid/squid_user user2 user2
>> htpasswd -cdb /etc/squid/squid_user user3 user3
>>
>> #################
>>
>>
>>
>> Now if user1 connects to 100.160.238.0:17648 it will be able to use it,
>> and if it connects to 100.160.238.1:48049 it will also be able to,
>>
>> and so on for 100.160.238.2:26394.
>>
>>
>> The question is:
>> how can I let user1 only use 100.160.238.0:17648 and user2 only use 100.160.238.1:48049 and user3 only use 100.160.238.2:26394?
>>
>
> Use the ext_file_userip_acl helper. The format for entries in the helper
> config file is listed in the man page:
> <http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_file_userip_acl.html>
>
> Replace the line "http_access allow ncsa_users" with the following:
>
> external_acl_type userIp %SRC /usr/bin/ext_file_userip_acl -f /etc/squid/userIP.conf
> acl userIp external userIp
>
> http_access deny !ncsa_users
> http_access allow userIp
>
> NP: that is all. Do not add userIp check to tcp_outgoing_address lines.
>
>
> After all the above changes your squid.conf should look something like this:
>
> ## ... the default http_access rules at the top ...
> ##
> ## Your local custom rules go here:
>
> auth_param basic program /lib/squid/basic_ncsa_auth \
> /etc/squid/squid_user
> auth_param basic children 100
>
> external_acl_type userIp %SRC %LOGIN /lib/squid/ext_file_userip_acl \
> -f /etc/squid/userIP.conf
>
> acl ncsa_users proxy_auth REQUIRED
> acl userIp external userIp
>
> http_access deny !ncsa_users
> http_access allow userIp
> http_access deny all
>
> ##
> http_port 100.160.238.0:17648 name=0
> acl ip0 myportname 0
> tcp_outgoing_address 100.160.238.0 ip0
>
> http_port 100.160.238.1:48049 name=1
> acl ip1 myportname 1
> tcp_outgoing_address 100.160.238.1 ip1
>
> http_port 100.160.238.2:26394 name=2
> acl ip2 myportname 2
> tcp_outgoing_address 100.160.238.2 ip2
>
>
> Amos
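A small model of the lookup driven by a file in the `ip_addr[/netmask] username|@group|ALL|NONE` form, added here as an example; it is not part of the original thread and not the Squid helper's own code. It assumes a request is allowed when any entry covering the source address names the login or ALL, that NONE grants nothing, and that @group entries are left unresolved; the sample file and the 192.0.2.10 client address are constructed.

```python
import ipaddress

# Constructed sample: the three entries proposed in the message, plus two malformed lines.
SAMPLE_CONF = """\
100.160.238.0 user1
100.160.238.1 user2
100.160.238.2 user3
100.160.238.300 user4
100.160.238.3
"""

def parse_conf(text):
    """Return (entries, errors); entries are (network, principal) tuples."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):  # assumption: blank and # lines are skipped
            continue
        if len(fields) != 2:
            errors.append((lineno, "expected 'ip_addr[/netmask] principal'"))
            continue
        try:
            net = ipaddress.IPv4Network(fields[0])  # no mask means a single host (/32)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        entries.append((net, fields[1]))
    return entries, errors

def helper_reply(entries, request):
    """Answer one 'SRC LOGIN' request line with OK or ERR, as an external ACL helper does."""
    # With '%SRC %LOGIN' configured, SRC is the client's source address.
    src, login = request.split()
    addr = ipaddress.IPv4Address(src)
    for net, principal in entries:
        if addr not in net or principal.startswith("@") or principal == "NONE":
            continue  # entry does not cover this source, or grants nothing in this model
        if principal in ("ALL", login):
            return "OK"
    return "ERR"

if __name__ == "__main__":
    entries, errors = parse_conf(SAMPLE_CONF)
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
    for req in ("100.160.238.0 user1", "100.160.238.0 user2", "192.0.2.10 user1"):
        print(req, "->", helper_reply(entries, req))
```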