Hello Squid-Community,
I have a Squid 2.7 installed and would like to achieve that a user is
only allowed to go out over their specified tcp_outgoing_address.
The configurations is working almost perfect, but it seems I have a
small failure in it.
Problem: As long as a customer has access to the proxy (defined with
SRC-ACL) he can set ANY defined tcp_outgoing_address besides of the
specified one's.
The tcp_outgoing_address used by the proxy (in the case a user set an
other tcp_outgoing_address then he has assigned) is always the last
configured tcp_outgoing_address in the con file.
Solution: A user should be not able to (guess and) use other
tcp_outgoing_addresses then the one's configured for him.
Example: In the config below the user SMTM has the addresses
109.123.109.8, 109.123.109.9 and 109.123.109.10 assigned BUT he has
also access when he use 109.123.109.11.
In that case the tcp_outgoing_address used by the proxy is always the
last created tcp_outoing_address entry (in that example
109.123.93.201)
Here is the config part:
-----------------------------------------------------------
acl dk src 3.3.3.3
acl smtm src 3.3.3.4
acl dkip1 myip 109.123.109.11
acl dkip2 myip 109.123.109.12
acl dkip3 myip 109.123.93.201
acl smtmip1 myip 109.123.109.8
acl smtmip2 myip 109.123.109.9
acl smtmip3 myip 109.123.109.10
acl dkmax maxconn 1
acl smtmmax maxconn 2
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow admin-allow
http_access deny admin-deny
http_access allow dk
http_access deny dkmax dk
http_access deny dk
http_access allow smtm
http_access deny smtmmax smtm
http_access deny smtm
http_access deny all
tcp_outgoing_address 109.123.109.8 smtmip1 smtm
tcp_outgoing_address 109.123.109.9 smtmip2 smtm
tcp_outgoing_address 109.123.109.10 smtmip3 smtm
tcp_outgoing_address 109.123.109.11 dkip1 dk
tcp_outgoing_address 109.123.109.12 dkip2 dk
tcp_outgoing_address 109.123.93.201 dkip3 dk
-----------------------------------------------------------------------------------
Can anyone tell me what the Problem is ?!
Any suggestions ?
Thanks&Regards,
Daniel
Received on Thu Nov 18 2010 - 15:15:19 MST
This archive was generated by hypermail 2.2.0 : Sun Nov 21 2010 - 12:00:03 MST