[squid-users] squid binding outgoing ip with a username auth

--Ahmad-- ahmed.zaeem at netstream.ps
Sun Sep 25 21:28:59 UTC 2016


Hi Amos, thanks for the reply.

But let me ask you another question for clarification.


In the section:
external_acl_type type-name %SRC %LOGIN /path/to/ext_file_userip_acl -f /path/to/config.file

Now I see it has the form:
ip_addr[/netmask] username|@group|ALL|NONE


Say I have 3 users:

user1
user2
and user3

======================
user1 --> 100.160.238.0:17648
user2 --> 100.160.238.1:48049
user3 --> 100.160.238.2:26394
======================



Will the file /path/to/config.file be like below?


100.160.238.0 user1
100.160.238.1 user2
100.160.238.2 user3



Kind regards
> On Sep 25, 2016, at 12:58 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> 
> On 24/09/2016 6:13 p.m., --Ahmad-- wrote:
>> Hi folks.
>> 
>> I have many IPs on the same server.
>> I also have the basic_ncsa auth type on Squid.
>> 
>> Say I have 3 IPs and I created 3 users.
>> 
>> The issue I have now is that any user can use any outgoing address.
>> 
>> Let me explain below:
>> 
>> 
>> auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user
>> acl ncsa_users proxy_auth REQUIRED
>> auth_param basic children 100
>> http_access allow ncsa_users
>> 
>> ###############
>> http_port 100.160.238.0:17648
>> http_port 100.160.238.1:48049
>> http_port 100.160.238.2:26394
>> 
>> #############
>> acl ip1 myip 100.160.238.0
>> acl ip2 myip 100.160.238.1
>> acl ip3 myip 100.160.238.2
>> #############
>> 
>> tcp_outgoing_address 100.160.238.0 ip1
>> tcp_outgoing_address 100.160.238.1 ip2
>> tcp_outgoing_address 100.160.238.2 ip3
>> 
> 
> 'myip' matches the Squid IP address.
> tcp_outgoing_address is what sets the Squid IP address.
> See any problem with using the Squid IP address current value to set the
> Squid IP address?
> 
> Use the myportname ACL instead. In your above config it will match the
> IP:port string on the http_port line. For example:
> 
>  acl ip0 myportname 100.160.238.0:17648
>  tcp_outgoing_address 100.160.238.0 ip0
> 
> Or you can add a name= parameter to each port to set a custom name for
> it that the myportname ACL looks for.
> 
> 
>> ########################
>> 
>> I created 3 users:
>> 
>> htpasswd -cdb /etc/squid/squid_user user1 user1
>> htpasswd -db /etc/squid/squid_user user2 user2
>> htpasswd -db /etc/squid/squid_user user3 user3
>> 
>> #################
>> 
>> 
>> 
>> Now if user1 connects to 100.160.238.0:17648 it will be able to use it,
>> and if it connects to 100.160.238.1:48049 it will also be able to,
>> 
>> and likewise for 100.160.238.2:26394.
>> 
>> 
>> The question is:
>> How can I let user1 only use 100.160.238.0:17648, user2 only use 100.160.238.1:48049 and user3 only use 100.160.238.2:26394?
>> 
> 
> Use the ext_file_userip_acl helper. The format for entries in the helper
> config file is listed in the man page:
> <http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_file_userip_acl.html>
> 
> Replace the line "http_access allow ncsa_users" with the following:
> 
> external_acl_type userIp %SRC %LOGIN /usr/bin/ext_file_userip_acl \
>    -f /etc/squid/userIP.conf
> acl userIp external userIp
> 
> http_access deny !ncsa_users
> http_access allow userIp
> 
> NP: that is all. Do not add userIp check to tcp_outgoing_address lines.
> 
> 
> After all the above changes your squid.conf should look something like this:
> 
> ## ... the default http_access rules at the top ...
> ##
> ## Your local custom rules go here:
> 
> auth_param basic program /lib/squid/basic_ncsa_auth \
>    /etc/squid/squid_user
> auth_param basic children 100
> 
> external_acl_type userIp %SRC %LOGIN /lib/squid/ext_file_userip_acl \
>    -f /etc/squid/userIP.conf
> 
> acl ncsa_users proxy_auth REQUIRED
> acl userIp external userIp
> 
> http_access deny !ncsa_users
> http_access allow userIp
> http_access deny all
> 
> ##
> http_port 100.160.238.0:17648 name=0
> acl ip0 myportname 0
> tcp_outgoing_address 100.160.238.0 ip0
> 
> http_port 100.160.238.1:48049 name=1
> acl ip1 myportname 1
> tcp_outgoing_address 100.160.238.1 ip1
> 
> http_port 100.160.238.2:26394 name=2
> acl ip2 myportname 2
> tcp_outgoing_address 100.160.238.2 ip2
> 
> 
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
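The per-user binding asked about in this thread can also be written with ACLs alone, by pairing each named port with a `proxy_auth` ACL that lists a single login. This is an added example, not part of the original messages; the ACL names `user1_acl` to `user3_acl` are hypothetical, and the addresses, ports and file paths are the ones quoted in the thread.

```conf
## ... the default http_access rules at the top ...

auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user
auth_param basic children 100

# One named listening port per address, as in the quoted config.
http_port 100.160.238.0:17648 name=0
http_port 100.160.238.1:48049 name=1
http_port 100.160.238.2:26394 name=2

acl ip0 myportname 0
acl ip1 myportname 1
acl ip2 myportname 2

# proxy_auth with an explicit username matches only that login
# (proxy_auth REQUIRED would match any valid login).
acl user1_acl proxy_auth user1
acl user2_acl proxy_auth user2
acl user3_acl proxy_auth user3

# ACLs on one http_access line are ANDed: the request must arrive on the
# named port AND carry that port's login. The port ACL comes first so the
# credentials are only checked on the line for the port actually used.
http_access allow ip0 user1_acl
http_access allow ip1 user2_acl
http_access allow ip2 user3_acl

# A valid login on the wrong port matches none of the lines above and
# ends here.
http_access deny all

# Outgoing address follows the port the request arrived on.
tcp_outgoing_address 100.160.238.0 ip0
tcp_outgoing_address 100.160.238.1 ip1
tcp_outgoing_address 100.160.238.2 ip2
```

After `squid -k parse` reports no errors, a request authenticated as user2 on 100.160.238.0:17648 should be denied while the same login on 100.160.238.1:48049 is allowed.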