Re: [squid-users] tcp_outgoing_address problem/miss configuration

From: abuhle <abuhle132_at_googlemail.com>
Date: Sun, 21 Nov 2010 17:14:01 +0100

Does nobody have a tip for me?!
I have tried different combinations of the http_access rules over the
weekend with no success.

All users that have access with their SRC-address are able to use
every tcp_outgoing_address but they should be only allowed to use
their specific configured ones.
Thanks.

2010/11/18 abuhle <abuhle132_at_googlemail.com>:
> Hello Squid-Community,
>
> I have a Squid 2.7 installed and would like to achieve that a user is
> only allowed to go out over their specified tcp_outgoing_address.
> The configuration is working almost perfectly, but it seems I have a
> small failure in it.
>
> Problem: As long as a customer has access to the proxy (defined with
> SRC-ACL) he can set ANY defined tcp_outgoing_address besides the
> specified ones.
> The tcp_outgoing_address used by the proxy (in the case a user sets
> another tcp_outgoing_address than he has assigned) is always the last
> configured tcp_outgoing_address in the conf file.
>
> Solution: A user should not be able to (guess and) use other
> tcp_outgoing_addresses than the ones configured for him.
>
> Example: In the config below the user SMTM has the addresses
> 109.123.109.8, 109.123.109.9 and 109.123.109.10 assigned BUT he
> also has access when he uses 109.123.109.11.
> In that case the tcp_outgoing_address used by the proxy is always the
> last created tcp_outgoing_address entry (in that example
> 109.123.93.201)
>
> Here is the config part:
> -----------------------------------------------------------
> acl dk src 3.3.3.3
> acl smtm src 3.3.3.4
>
> acl dkip1 myip 109.123.109.11
> acl dkip2 myip 109.123.109.12
> acl dkip3 myip 109.123.93.201
>
> acl smtmip1 myip 109.123.109.8
> acl smtmip2 myip 109.123.109.9
> acl smtmip3 myip 109.123.109.10
>
> acl dkmax maxconn 1
> acl smtmmax maxconn 2
>
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow admin-allow
> http_access deny admin-deny
> http_access allow dk
> http_access deny dkmax dk
> http_access deny dk
>
> http_access allow smtm
> http_access deny smtmmax smtm
> http_access deny smtm
>
> http_access deny all
>
> tcp_outgoing_address 109.123.109.8 smtmip1 smtm
> tcp_outgoing_address 109.123.109.9 smtmip2 smtm
> tcp_outgoing_address 109.123.109.10 smtmip3 smtm
>
> tcp_outgoing_address 109.123.109.11 dkip1 dk
> tcp_outgoing_address 109.123.109.12 dkip2 dk
> tcp_outgoing_address 109.123.93.201 dkip3 dk
> -----------------------------------------------------------------------------------
>
> Can anyone tell me what the problem is?!
> Any suggestions?
>
> Thanks & Regards,
> Daniel
>
Received on Sun Nov 21 2010 - 16:14:04 MST
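
Added example, not part of the original message and not Squid code: a small Python model of http_access evaluation run over the src and myip addresses from the posted config, showing why a source-only allow line accepts a client on any listening address and how pairing src with myip on the allow line changes the result. It assumes first-match evaluation with all ACLs on a line ANDed; the grouped ACL names `smtmip` and `dkip` and the `TIGHTENED` rule list are hypothetical.

```python
# Model of Squid http_access evaluation: lines are tried top to bottom, every
# ACL on a line must match (AND), and the first matching line decides.
# Addresses are copied from the posted config. The grouped ACL names "smtmip"
# and "dkip" and the TIGHTENED list are hypothetical, for illustration only.

ACLS = {
    "dk": ("src", {"3.3.3.3"}),
    "smtm": ("src", {"3.3.3.4"}),
    "dkip": ("myip", {"109.123.109.11", "109.123.109.12", "109.123.93.201"}),
    "smtmip": ("myip", {"109.123.109.8", "109.123.109.9", "109.123.109.10"}),
}

# Posted rules, reduced to the src checks (port, admin and maxconn lines are
# left out because this model does not track methods or connection counts).
POSTED = [
    ("allow", ["dk"]),
    ("deny", ["dk"]),
    ("allow", ["smtm"]),
    ("deny", ["smtm"]),
    ("deny", ["all"]),
]

# Same order, but each allow also requires the customer's own myip ACL.
TIGHTENED = [
    ("allow", ["dk", "dkip"]),
    ("deny", ["dk"]),
    ("allow", ["smtm", "smtmip"]),
    ("deny", ["smtm"]),
    ("deny", ["all"]),
]

def acl_matches(name, src, myip):
    """True if the named ACL matches this client address / local address."""
    if name == "all":
        return True
    kind, values = ACLS[name]
    return (src if kind == "src" else myip) in values

def http_access(rules, src, myip):
    """Return the action of the first line whose ACLs all match."""
    for action, names in rules:
        if all(acl_matches(n, src, myip) for n in names):
            return action
    return "deny"  # not reached here: both lists end in "deny all"

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("tightened", TIGHTENED)):
        # smtm's source address connecting to one of dk's listening addresses
        print(label, http_access(rules, "3.3.3.4", "109.123.109.11"))
```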

This archive was generated by hypermail 2.2.0 : Mon Nov 22 2010 - 12:00:03 MST