[squid-users] Squid authentication problem
Amos Jeffries
squid3 at treenet.co.nz
Sun Jun 18 12:56:31 UTC 2017

On 18/06/17 17:50, Sonya Roy wrote:
> Hi,
>
> I am running squid on a server with multiple public IPs and I want
> some users to be able to access the proxy through some of the IPs and
> other users through other IPs.
>
> At the moment I have acl rules of the form:-
> acl abcd myip x.x.x.x
>

What you need is an ACL that compares the username to the IP.

<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_file_userip_acl.html>
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_edirectory_userip_acl.html>
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_sql_session_acl.html>

or the new 'extras' feature for authenticators in Squid-3.5 that lets
them use the IP as part of the auth approval. Though with this the thing
to be aware of is that the IP becomes like a scope for the user login -
the wrong IP being used to log in from results in a re-auth challenge just
as would be seen if the password was wrong. So use carefully.

<http://www.squid-cache.org/Doc/config/auth_param/>
<http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html#ss2.2>

> and for these acl rules I have these tcp_outgoing_address:-
> tcp_outgoing_address x.x.x.x abcd
>

Why limit the outgoing? In HTTP that is independent of the incoming
connection and restricting it will lower performance.

> And earlier I had proxy_auth acl rules separately, but that allowed
> any authenticated users to be able to access the proxy through any of
> those IPs. Since I wanted some users to be able to use the server
> through some IPs and others through different IPs, I tried this in
> those acl rules:-
>
> acl abcd myip x.x.x.x proxy_auth user1

FTR: that will match the IP address x.x.x.x and the IP address(es) of
the servers with hostnames "proxy_auth" and "user1" in your local DNS.

Also, the myip ACL is deprecated because it matched different things
based on the traffic type. myportname or localip ACLs are better if you
need to do this at all. Your "squid -k parse" config checks should warn
you about that.

Amos
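
The username-to-IP comparison discussed in this message, as an added example that is not part of the original post and is not one of the bundled Squid helpers: a minimal external ACL helper that answers OK only when the login is assigned to the proxy's listening address. The rule format, the helper path, the ACL name, the addresses, the usernames other than user1, and passing `%MYADDR %LOGIN` as helper input are assumptions.

```python
#!/usr/bin/env python3
"""Added example: Squid external ACL helper tying each login to listening IPs.
Assumed squid.conf wiring (hypothetical helper path and ACL name):
  external_acl_type userip %MYADDR %LOGIN /usr/local/bin/userip_helper.py
  acl user_on_ip external userip
"""
import ipaddress
import sys
from urllib.parse import unquote

# Constructed sample policy: documentation addresses, user2/user3 are made up.
SAMPLE_RULES = """
# listening-address[/prefix]  username
192.0.2.10       user1
192.0.2.11       user2
198.51.100.0/29  user3
"""

def load_rules(text):
    """Parse 'network username' lines into {username: [ip_network, ...]}."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        net, user = line.split()
        rules.setdefault(user, []).append(ipaddress.ip_network(net, strict=False))
    return rules

def decide(rules, request_line):
    """Return 'OK' or 'ERR' for one '<local-ip> <login>' line from Squid."""
    fields = request_line.split()
    if len(fields) != 2:
        return "ERR"
    try:
        addr = ipaddress.ip_address(unquote(fields[0]))
    except ValueError:
        return "ERR"
    user = unquote(fields[1])
    # Fail closed: unknown logins and unlisted addresses are both denied.
    return "OK" if any(addr in net for net in rules.get(user, [])) else "ERR"

def main():
    rules = load_rules(SAMPLE_RULES)
    for line in sys.stdin:  # Squid sends one lookup per line
        sys.stdout.write(decide(rules, line) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply, so never buffer

if __name__ == "__main__":
    main()
```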