squid proxy: one user per IP?

chatmasta

Well-known member
Jan 7, 2007
NYC
EDIT!!!!

FUCK YEAH, FIGURED IT OUT. Figures a minute after I post here I get it, even after spending the last 2 hours with this shit. The trick was:

Code:
# CHANGE THIS:
http_access allow ip1_users
http_access allow ip2_users

# TO THIS:
http_access allow ip1_users ip1_conns
http_access allow ip2_users ip2_conns
This way the connection has to be both an authenticated user and connecting to the proper IP. If they enter in a correct username for the wrong IP, they just get an access denied page.

Thank God

-----------------------


:mad:

I'm posting this here in the off chance anybody knows the answer (:bowdown:), since I've been pulling my hair out for the last 2 hours...for some reason this issue is very undocumented.

Situation:


  • My box has multiple IP addresses.
  • If a client connects to IP#1, I want to forward his request through IP#1. If he connects to IP#2, I want to forward his request through IP#2. I can do all of this no problem.
  • Client must authenticate on connection (I am using ncsa with a simple htpasswd file). I can also do this no problem.
  • HOWEVER. The issue is that as long as the client provides SOME correct username/password pair, he can authenticate with any IP. I only want user1 to auth with IP#1, user2 to auth with IP#2, etc. There should be no overlap.
What I have so far (note: miles = user1, steve = user2):

ACL listings
Code:
acl ip1_users proxy_auth miles
acl ip1_conns myip #.#.#.58

acl ip2_users proxy_auth steve
acl ip2_conns myip #.#.#.208
Explicit http_access allow
Code:
http_access allow ip1_users
http_access allow ip2_users

# .... other stuff ....
# deny it for the rest 
http_access deny all
Forward tcp requests
Code:
tcp_outgoing_address #.#.#.58 ip1_conns
tcp_outgoing_address #.#.#.58 ip1_users

tcp_outgoing_address #.#.#.208 ip2_conns
tcp_outgoing_address #.#.#.208 ip2_users
AS FAR AS I CAN TELL, this should work??

Right now, it properly asks for authentication. It properly forwards the request to the correct IP. The problem is just that "miles" and "steve" can authenticate to each other's IPs.

Anyone??
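Added example, not code from the thread: a small Python model of how Squid walks its http_access lines, so the before/after configs above can be checked side by side. It models the rules that matter here: lines are tried top to bottom, every ACL named on one line must match (AND), the first fully matching line decides, and a mismatch falls through to the closing "deny all". Only the proxy_auth and myip ACL types are implemented, and the 192.0.2.x addresses are constructed placeholders for the thread's #.#.#.58 and #.#.#.208.

```python
# Added example (not code from the thread): a toy model of Squid's
# http_access evaluation, to show why "http_access allow ip1_users" lets
# steve in on IP#1 and why "http_access allow ip1_users ip1_conns" does not.
# Semantics modelled: lines are checked top to bottom; every ACL on one line
# must match (AND); the first fully-matching line decides; a leading "!"
# negates an ACL; if nothing matches, the result is the opposite of the last
# line's action. Only the proxy_auth and myip ACL types are implemented.
# The 192.0.2.x addresses are constructed placeholders (TEST-NET-1) standing
# in for the thread's #.#.#.58 and #.#.#.208.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: Optional[str]  # proxy-authenticated username, None if no credentials
    myip: str            # the local (listening) address the client connected to


def parse_config(text: str):
    """Collect 'acl' definitions and 'http_access' lines from a squid.conf fragment."""
    acls: Dict[str, Tuple[str, Set[str]]] = {}
    rules: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, *values = parts[1:]
            # Repeating an acl line with the same name appends values, as in Squid.
            acls.setdefault(name, (acl_type, set()))[1].update(values)
        elif parts[0] == "http_access":
            action, *names = parts[1:]
            rules.append((action, names))
    return acls, rules


def acl_matches(acls, name: str, req: Request) -> bool:
    """Does one ACL (possibly negated with '!') match this request?"""
    if name.startswith("!"):
        return not acl_matches(acls, name[1:], req)
    if name == "all":                      # Squid's built-in match-everything ACL
        return True
    acl_type, values = acls[name]
    if acl_type == "proxy_auth":
        # No credentials means no match; real Squid would send a 407 challenge,
        # which for access purposes is also "not allowed through".
        if req.user is None:
            return False
        return "REQUIRED" in values or req.user in values
    if acl_type == "myip":
        return req.myip in values
    raise ValueError(f"unsupported acl type in this model: {acl_type}")


def http_access(config: str, req: Request) -> str:
    """Return 'allow' or 'deny' for a request under the given config fragment."""
    acls, rules = parse_config(config)
    for action, names in rules:
        if all(acl_matches(acls, n, req) for n in names):   # AND within a line
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"   # Squid's default


ACLS = """
acl ip1_users proxy_auth miles
acl ip1_conns myip 192.0.2.58
acl ip2_users proxy_auth steve
acl ip2_conns myip 192.0.2.208
"""

# The thread's original rules: any valid user is allowed on any listening IP.
BROKEN = ACLS + """
http_access allow ip1_users
http_access allow ip2_users
http_access deny all
"""

# The thread's fix: the user ACL and the myip ACL are ANDed on one line.
FIXED = ACLS + """
http_access allow ip1_users ip1_conns
http_access allow ip2_users ip2_conns
http_access deny all
"""


def access_matrix(config: str, users, ips) -> Dict[Tuple[Optional[str], str], str]:
    """Evaluate every (user, listening IP) pair so the cross-IP cases are visible."""
    return {(u, ip): http_access(config, Request(u, ip)) for u in users for ip in ips}


if __name__ == "__main__":
    for label, cfg in (("before", BROKEN), ("after", FIXED)):
        print(label)
        matrix = access_matrix(cfg, ["miles", "steve", None], ["192.0.2.58", "192.0.2.208"])
        for (u, ip), verdict in matrix.items():
            print(f"  user={u!s:6} myip={ip:12} -> {verdict}")
```

Running it prints the full user-by-listening-IP matrix for both configs: under BROKEN, steve on 192.0.2.58 is allowed because the second line matches on proxy_auth alone; under FIXED that pair falls through every allow line and hits "deny all", which is the access-denied page the thread describes. The model covers http_access only; tcp_outgoing_address is a separate lookup that Squid's configuration documentation restricts to fast ACL types, so the myip lines, rather than the proxy_auth ones, are what reliably pin the outgoing address.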
 


lol in all seriousness it was surprisingly undocumented on the web. I guess everyone who uses squid is such a sysadmin dork that the config manual is enough for them. Everything seems to be working now though. :)

You'll be happy to know I'm writing python scripts to set it all up...complete with a bottle.py API :stonedsmilie:
 
I'm glad you're out of php land, but I'm the resident Ruby guy so I do wish you didn't go to the darkside
 
Thanks, starting my own proxy service brb.