[squid-users] tcp_outgoing_address problem/miss configuration

From: abuhle <abuhle132_at_googlemail.com>
Date: Thu, 18 Nov 2010 16:15:17 +0100

Hello Squid-Community,

I have a Squid 2.7 installed and would like to achieve that a user is
only allowed to go out over their specified tcp_outgoing_address.
The configurations is working almost perfect, but it seems I have a
small failure in it.

Problem: As long as a customer has access to the proxy (defined with
SRC-ACL) he can set ANY defined tcp_outgoing_address besides of the
specified one's.
The tcp_outgoing_address used by the proxy (in the case a user set an
other tcp_outgoing_address then he has assigned) is always the last
configured  tcp_outgoing_address in the con file.

Solution: A user should be not able to (guess and) use other
tcp_outgoing_addresses then the one's configured for him.

Example: In the config below the user SMTM has the addresses, and assigned BUT he has
also access when he use
In that case the tcp_outgoing_address used by the proxy is always the
last created tcp_outoing_address entry (in that example

Here is the config part:
acl dk src
acl smtm src

acl dkip1 myip
acl dkip2 myip
acl dkip3 myip

acl smtmip1 myip
acl smtmip2 myip
acl smtmip3 myip

acl dkmax maxconn 1
acl smtmmax maxconn 2

http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow admin-allow
http_access deny admin-deny
http_access allow dk
http_access deny dkmax dk
http_access deny dk

http_access allow smtm
http_access deny smtmmax smtm
http_access deny smtm

http_access deny all

tcp_outgoing_address smtmip1 smtm
tcp_outgoing_address smtmip2 smtm
tcp_outgoing_address smtmip3 smtm

tcp_outgoing_address dkip1 dk
tcp_outgoing_address dkip2 dk
tcp_outgoing_address dkip3 dk

Can anyone tell me what the Problem is ?!
Any suggestions ?

Received on Thu Nov 18 2010 - 15:15:19 MST

This archive was generated by hypermail 2.2.0 : Sun Nov 21 2010 - 12:00:03 MST