[squid-users] Explicitly use direct client IP in acl

Amos Jeffries squid3 at treenet.co.nz
Sat Jul 11 04:27:11 UTC 2020


On 11/07/20 4:44 am, Orion Poplawski wrote:
> 
> IIUIC - this mainly gives me:
> 
> http_access deny !localnet !authenticated_users
> http_access allow CONNECT Allowed_SSL_Hosts
> http_access allow !localnet Allowed_HTTP_Hosts
> http_access deny all
> 
> But this will only allow connections to the sites listed in Allowed_SSL_Hosts
> or Allowed_HTTP_Hosts (from remote) and not to anything else.  This is not
> what I want.  I want to allow access to any site from a connection that is
> forwarded from e2g.
> 


Yes. The earlier stated policy was:

> We would like to open up access to e2g from the internet but require
> authentication in that case.

I provided the rule adjustment to add that to your existing
restrictions. As you can see the LAN is represented by localnet ACL and
the WAN clients by !localnet.


To match traffic arriving from a specific client application (aka e2g)
you have a couple of options.

a) Simplest is to use a dedicated http_port for that application. The
myportname ACL can then match all that application's traffic.
 This is quick and easy but does not prevent other applications sending
traffic to the port. Additional firewall settings are needed to prevent
that.


b) Have the system QoS service mark packets coming out of e2g. The
clientside_mark / clientside_tos ACLs can then match this marking.


Amos
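The two matching options described above, as an added squid.conf sketch that is not part of this thread and not Orion's actual config. The port number 3129, the listener name e2g and the mark value 0x10 are assumed placeholders; localnet, authenticated_users, Allowed_SSL_Hosts and Allowed_HTTP_Hosts are the ACLs already defined in the existing config.

```squid
# Option (a): dedicated listener for e2g, matched by its port name.
# Port number and name are assumptions for this example.
http_port 3129 name=e2g
acl from_e2g myportname e2g

# Option (b): match the QoS mark the OS puts on e2g's packets instead.
# The mark value is an assumption; it must match what the QoS rules set.
# Uncomment to use this in place of the myportname ACL above.
#acl from_e2g clientside_mark 0x10

# Existing policy from the thread: WAN clients must authenticate first.
http_access deny !localnet !authenticated_users

# Connections forwarded from e2g may reach any site.
http_access allow from_e2g

# Everything else keeps the existing destination whitelist.
http_access allow CONNECT Allowed_SSL_Hosts
http_access allow !localnet Allowed_HTTP_Hosts
http_access deny all
```

With option (a) the host firewall still has to restrict port 3129 to the e2g host, since any client that can reach that port would otherwise match from_e2g.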

