I'd like to implement IP-based authentication on my proxy servers. Consider a user of my service called user1. Here's what my ACL currently looks like for that:
acl user11 proxy_auth -i user11
acl user12 proxy_auth -i user12
acl user13 proxy_auth -i user13
with a corresponding outgoing IP address assignment:
tcp_outgoing_address 175.25.11.25 user11
tcp_outgoing_address 175.25.11.26 user12
tcp_outgoing_address 175.25.11.27 user13
This way, user1 can use multiple outbound IP addresses by appending a number to their username when authenticating.
I want user1 to have access to many outgoing IP addresses but use IP-based authentication. As I understand it, I would do IP-based authentication like this:
acl user11 src 10.0.0.1
acl user12 src 10.0.0.1
acl user13 src 10.0.0.1
But that won't work because then the user has no way of using/specifying a different outgoing IP address. This must mean that I have to use a different port for each outbound IP address.
Suppose my server's main IP was 175.25.11.1 (what the user will connect to) and I wanted each port they connect to to have a different outbound IP address. Let's also assume the user's IP is 10.0.0.1 and we want to use IP-based authentication. The way I understand it, this is how I would do that:
http_port 175.25.11.1:3128 name=3128
http_port 175.25.11.1:3129 name=3129
http_port 175.25.11.1:3130 name=3130
# an acl line has a single type, so the port match and the source match are separate ACLs
acl port3128 myportname 3128
acl port3129 myportname 3129
acl port3130 myportname 3130
acl user13128 src 10.0.0.1
acl user13129 src 10.0.0.1
acl user13130 src 10.0.0.1
http_access allow user13128 port3128
http_access allow user13129 port3129
http_access allow user13130 port3130
tcp_outgoing_address 175.25.11.25 user13128 port3128
tcp_outgoing_address 175.25.11.26 user13129 port3129
tcp_outgoing_address 175.25.11.27 user13130 port3130
Please correct me if I'm wrong. My question is, can I set up the IP-based authentication so that I can change it in 1 place in my squid.conf? That way, if the user changes their IP, I don't have to rewrite a huge list of ACLs. Consider that this server has 10,000 IP addresses bound to it. Can I use some sort of wildcard that says:
acl user1* src 10.0.0.1
http_access allow
Please correct any error I may have here. This is my first attempt at IP-based authentication.
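The following script is an added example, not code from the question or from the Squid project, showing one way to get the "change it in one place" property the question asks for: the client's source address is written into a single `src` ACL, each listening port gets its own `myportname` ACL, and the `http_access` and `tcp_outgoing_address` rules list both ACLs (Squid ANDs the ACLs on a rule line), so the per-port rules never need to mention the client IP. The directives used (`http_port ... name=`, `acl ... src`, `acl ... myportname`, `http_access`, `tcp_outgoing_address`) are the ones in the question; the ACL naming scheme (`<user>_src`, `p<port>`), the `outgoing_range()` helper and the closing `http_access deny all` are this example's own choices.

```python
import ipaddress

# Values taken from the question.
LISTEN_IP = "175.25.11.1"   # address clients connect to
FIRST_PORT = 3128           # first listening port; one port per outgoing address
# The question's three outgoing addresses. outgoing_range() below shows how a
# much longer list would be produced for a host with thousands of bound IPs.
OUTGOING = ["175.25.11.25", "175.25.11.26", "175.25.11.27"]


def outgoing_range(start, count):
    """Return `count` consecutive IPv4 addresses starting at `start` (constructed
    helper for generating a large outgoing list; not a Squid feature)."""
    first = ipaddress.ip_address(start)
    return [str(first + i) for i in range(count)]


def build_config(user, client_ips, outgoing=OUTGOING,
                 listen_ip=LISTEN_IP, first_port=FIRST_PORT):
    """Return squid.conf lines (list of str) for one user.

    The client's allowed source addresses live in exactly one `src` ACL,
    <user>_src, so a changed client IP is edited on one line.  Each listening
    port is given a name and a matching `myportname` ACL.  Every http_access
    and tcp_outgoing_address rule lists the source ACL and the port ACL; Squid
    requires both to match, so traffic is accepted and routed out of a given
    address only for the expected client arriving on the expected port.
    """
    if not client_ips:
        raise ValueError("at least one client address is required")
    for entry in client_ips:
        ipaddress.ip_network(entry, strict=False)   # accepts 10.0.0.1 or 10.0.0.0/24
    for out_ip in outgoing:
        ipaddress.ip_address(out_ip)               # reject malformed addresses early
    if first_port + len(outgoing) - 1 > 65535:
        raise ValueError("port range exceeds 65535")

    src_acl = f"{user}_src"                        # naming scheme chosen for this example
    lines = [f"# ---- {user}: change the client's IP on the next line only ----",
             f"acl {src_acl} src {' '.join(client_ips)}"]
    rules = []
    for offset, out_ip in enumerate(outgoing):
        port = first_port + offset
        name = f"p{port}"                          # port name, matched by myportname
        lines.append(f"http_port {listen_ip}:{port} name={name}")
        lines.append(f"acl {name} myportname {name}")
        rules.append(f"http_access allow {src_acl} {name}")
        rules.append(f"tcp_outgoing_address {out_ip} {src_acl} {name}")
    # ACL definitions precede the rules that reference them, as Squid requires.
    return lines + rules


def render(lines):
    """Join the fragment and close it with an explicit deny so that a request
    matching no (source, port) pair is refused rather than falling through."""
    return "\n".join(list(lines) + ["http_access deny all"]) + "\n"


if __name__ == "__main__":
    # Three ports from the question, then a constructed ten-address range.
    print(render(build_config("user1", ["10.0.0.1"])))
    print(render(build_config("user1", ["10.0.0.1"],
                              outgoing=outgoing_range("175.25.11.25", 10))))
```

Because only the `<user>_src` line carries the client address, moving the client to a new IP is a one-line edit (or a regeneration with a different `client_ips` list) regardless of how many ports are mapped; the generated rules are the same three directives per port that the question already uses, just without the client IP repeated in each.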