[squid-users] Deny ports to users
Amos Jeffries
squid3 at treenet.co.nz
Fri Nov 17 03:29:44 UTC 2017
On 17/11/17 08:42, Yuri wrote:
> You chose an inappropriate tool for your task.
>
> Squid is a proxy, not a firewall.
>
Indeed.
>
> On 17.11.2017 1:40, Jonathan thomas Cho wrote:
>> Hello, I was curious how to restrict users from accessing ports.
>>
>> I have 4 workers and need them to have their own ports and not able to
>> use the other 3.
>>
>> I currently use :
>>
>> http_port 3128 name=ip2
>> http_port 3129 name=ip3
>> http_port 3130 name=ip4
The above are directives for the *listening* ports receiving
client<->Squid connections.
You have here configured this Squid *process* (all workers of it) to use
port 3128 on all IP addresses the machine has been assigned. Same for
port 3129 and 3130.
Squid cannot control which port a client decides to connect to. It can
only listen (or not).
I assume you mean you want each worker to use different listening ports.
That can be done by using the ${process_number} config macro in the port
number itself, e.g. http_port 313${process_number}.
However, be aware that this will lead to issues with the coordinator
process not being able to manage SMP port functionality, and worker
automatic restart after crashes will have issues since the process
number changes there too. And you thus cannot reliably use the port
name/number for other things like you seem to be wanting.
>> acl ip2 myip x.x.x.2
>> acl ip3 myip x.x.x.3
>> acl ip4 myip x.x.x.4
"myip" is deprecated, it does not work at all well. Use "myportname"
instead.
Your Squid should complain about this when you run '-k parse' to check
your config validity. If your Squid does not support that new ACL type
you definitely need to upgrade.
>> tcp_outgoing_address x.x.x.2 ip2
>> tcp_outgoing_address x.x.x.3 ip3
>> tcp_outgoing_address x.x.x.4 ip4
>>
These are for Squid<->server connections. They have nothing to do with
client<->Squid connections.
The OS selects which ports are used here, not Squid.
>> However 3129 still works on all 4 ports.
>>
3129 is a port number. Singular. It does not *listen* on other values.
The traffic arriving on connections *to* there is independent of the
outgoing connection port numbers - which are not controllable as
mentioned above. So it is not clear what you are trying to say by that.
Amos
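For readers following the thread, here is the original poster's fragment rewritten the way the reply describes: named listening ports, "myportname" in place of the deprecated "myip", and tcp_outgoing_address keyed on the port name. This is an added example, not configuration from the post or from the Squid project. The x.x.x.2-4 addresses are the poster's own placeholders; the 10.0.0.x client addresses and the "client2/3/4" ACL names are assumptions made for illustration.

```conf
# Added example (not from the thread). x.x.x.2-4 are the poster's placeholders;
# the 10.0.0.x client addresses and client2/3/4 ACL names are assumptions.

# Listening ports for client<->Squid connections. The name= label lets later
# ACLs refer to the port a client actually connected to. Every worker of this
# Squid process listens on all three ports.
http_port 3128 name=ip2
http_port 3129 name=ip3
http_port 3130 name=ip4

# Match on the listening port's name. "myip" is deprecated; "myportname" is
# the supported replacement.
acl ip2 myportname ip2
acl ip3 myportname ip3
acl ip4 myportname ip4

# Source address for Squid<->server connections, chosen per listening port.
# Only the address is selected here; the outgoing port number is picked by
# the OS, not by Squid.
tcp_outgoing_address x.x.x.2 ip2
tcp_outgoing_address x.x.x.3 ip3
tcp_outgoing_address x.x.x.4 ip4

# Assumed mapping of client to port. Squid cannot prevent a client from
# connecting to one of the other listening ports (that needs a firewall), but
# it can refuse to serve requests that arrive on the wrong port.
acl client2 src 10.0.0.2
acl client3 src 10.0.0.3
acl client4 src 10.0.0.4
http_access allow ip2 client2
http_access allow ip3 client3
http_access allow ip4 client4
http_access deny all
```

Validate the result with `squid -k parse` before reloading, as the reply suggests; a Squid too old to know the myportname ACL type will reject the file there rather than at runtime.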