Squid configuration directive tcp_outgoing_address
Available in: 3.1 3.0 2.7 3.HEAD 2.HEAD 2.6
History:
- Changes in 3.1 tcp_outgoing_address
This option causes some problems when bridging IPv4 and IPv6. A workaround has been provided.
Squid is built with a capability of bridging the IPv4 and IPv6 internets. tcp_outgoing_address as previously used breaks this bridging by forcing all outbound traffic through a certain IPv4 address, which may be on the wrong side of the IPv4/IPv6 boundary. To operate with tcp_outgoing_address and keep the bridging benefits, an additional ACL needs to be used which ensures the IPv6-bound traffic is never forced or permitted out the IPv4 interface.

    acl to_ipv6 dst ipv6
    tcp_outgoing_address 2002::c001 good_service_net to_ipv6
    tcp_outgoing_address 10.0.0.2 good_service_net !to_ipv6
    tcp_outgoing_address 2002::beef normal_service_net to_ipv6
    tcp_outgoing_address 10.0.0.1 normal_service_net !to_ipv6
    tcp_outgoing_address 2002::1 to_ipv6
    tcp_outgoing_address 10.0.0.3 !to_ipv6

Configuration Details:
| Option Name: | tcp_outgoing_address |
|---|---|
| Replaces: | |
| Requires: | |
| Default Value: | none |
| Suggested Config: | |

Allows you to map requests to different outgoing IP addresses
based on the username or source address of the user making
the request.

    tcp_outgoing_address ipaddr [[!]aclname] ...

Example where requests from 10.0.0.0/24 will be forwarded
with source address 10.1.0.1, 10.0.2.0/24 forwarded with
source address 10.1.0.2 and the rest will be forwarded with
source address 10.1.0.3.

    acl normal_service_net src 10.0.0.0/24
    acl good_service_net src 10.0.2.0/24
    tcp_outgoing_address 10.1.0.1 normal_service_net
    tcp_outgoing_address 10.1.0.2 good_service_net
    tcp_outgoing_address 10.1.0.3

Processing proceeds in the order specified, and stops at first fully
matching line.
Note: The use of this directive using client dependent ACLs is
incompatible with the use of server side persistent connections. To
ensure correct results it is best to set server_persistent_connections
to off when using this directive in such configurations.
IPv6 Magic:
Squid is built with a capability of bridging the IPv4 and IPv6
internets.
tcp_outgoing_address as shown in the example above breaks this bridging
by forcing all outbound traffic through a certain IPv4 address, which may
be on the wrong side of the IPv4/IPv6 boundary.
To operate with tcp_outgoing_address and keep the bridging benefits,
an additional ACL needs to be used which ensures the IPv6-bound traffic
is never forced or permitted out the IPv4 interface.

    acl to_ipv6 dst ipv6
    tcp_outgoing_address 2002::c001 good_service_net to_ipv6
    tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6
    tcp_outgoing_address 2002::beef normal_service_net to_ipv6
    tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6
    tcp_outgoing_address 2002::1 to_ipv6
    tcp_outgoing_address 10.1.0.3 !to_ipv6

WARNING:
'dst ipv6' bases its selection on the assumption of DIRECT access.
If peers are used, peername ACLs are needed to select an outgoing
address which can link to the peer.
'dst ipv6' is a slow ACL. It will only work here if 'dst' is used
previously in the http_access rules to locate the destination IP.
Some more magic may be needed for that:

    http_access allow to_ipv6 !all

(meaning, allow if to IPv6 but not from anywhere ;)
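
An added example, not part of the Squid documentation: a small Python lint that applies the IPv6 rule above to a squid.conf fragment and flags every tcp_outgoing_address line whose address family is not pinned by a 'dst ipv6' ACL. The helper name lint_outgoing and its finding strings are assumptions made for this example; the sample configs are assembled from the two examples on this page.

```python
import ipaddress

# Sample configs copied from this page (the IPv4-only example and the IPv6 split).
IPV4_ONLY = """\
acl normal_service_net src 10.0.0.0/24
acl good_service_net src 10.0.2.0/24
tcp_outgoing_address 10.1.0.1 normal_service_net
tcp_outgoing_address 10.1.0.2 good_service_net
tcp_outgoing_address 10.1.0.3
"""
SPLIT = """\
acl normal_service_net src 10.0.0.0/24
acl good_service_net src 10.0.2.0/24
acl to_ipv6 dst ipv6
tcp_outgoing_address 2002::c001 good_service_net to_ipv6
tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6
tcp_outgoing_address 2002::beef normal_service_net to_ipv6
tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6
tcp_outgoing_address 2002::1 to_ipv6
tcp_outgoing_address 10.1.0.3 !to_ipv6
"""

def lint_outgoing(conf_text):
    """Hypothetical helper: return (line_no, address, problem) per unpinned rule."""
    v6_acls, rules = set(), []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "dst" and "ipv6" in tok[3:]:
            v6_acls.add(tok[1])            # ACLs of the form 'acl NAME dst ipv6'
        elif len(tok) >= 2 and tok[0] == "tcp_outgoing_address":
            rules.append((no, tok[1], tok[2:]))
    findings = []
    for no, addr, acls in rules:
        try:
            version = ipaddress.ip_address(addr).version
        except ValueError:
            findings.append((no, addr, "not an IP address"))
            continue
        to_v6 = any(a in v6_acls for a in acls)                        # e.g. to_ipv6
        not_v6 = any(a[:1] == "!" and a[1:] in v6_acls for a in acls)  # e.g. !to_ipv6
        if version == 6 and not to_v6:
            findings.append((no, addr, "IPv6 source not limited to IPv6 destinations"))
        elif version == 4 and not not_v6:
            findings.append((no, addr, "IPv4 source may be forced onto IPv6-bound traffic"))
    return findings

if __name__ == "__main__":
    for name, conf in (("IPV4_ONLY", IPV4_ONLY), ("SPLIT", SPLIT)):
        print(name, lint_outgoing(conf) or "ok")
```

The lint only inspects the ACL names on each tcp_outgoing_address line; it does not check the peer or slow-ACL conditions from the WARNING above.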
