Squid: restrict proxy_auth (userid) only from selectec sources (src ip)

Question

I need a way to restrict userid (proxy_auth) only from authentic user pc (src ip). Because: a userX take lent a userid (login) from another user (boss user) and can access all sites without restrictions. I need to restrict that userid login can be authenticated only from src ip (from user) that really is the own of this userid login

this can be done?

score 0 · Answer 1 · answered Aug 02 '13 at 22:16

0

You could try the following

acl local_clients proxy_auth REQUIRED
acl BOSS proxy_auth boss
acl boss_local_ip src 192.168.127.10

http_access allow local_clients BOSS boss_local_ip
http_access deny all

answered Aug 02 '13 at 22:16

ALex_hha

7,193
1
25
40

score 0 · Accepted Answer · edited Aug 23 '13 at 20:12

Thank you! I did like you tell, but with some adjusts:

acl boss_cnn proxy_auth REQUIRED
acl boss_login proxy_auth bossusername
acl boss_ip src 192.168.0.1
http_access allow boss_cnn boss_login boss_ip
http_access deny boss_cnn boss_login !boss_ip

Pay attention in the order of this two lines of http_access. First I allowed access, but a warning here is allow unnecessary acls (like denied domains). So in the end, I deny proxy_auth REQUIRED (in acl cnn) with this login when it came from all ip <> ip boss

score 0 · Answer 3 · answered May 04 '14 at 07:15

Please refer the case :

Using ADS authentication: just allow proxy auth to specific users and block all other ads users.

acl Fulltime time M T W H F S A 00:30-23:59

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

auth_param basic children 5

auth_param basic realm SimpleWall

auth_param basic credentialsttl 2 hours

acl avdhoot proxy_auth avdhoot

acl chetan proxy_auth chetan

acl sharad proxy_auth sharad

acl satish proxy_auth satish

acl sujit proxy_auth sujit

acl Bad_URLs dstdomain -i .youtube.com .fbstatic .fbcdn.net .facebook.com .rediff.com

acl Download_Policies rep_mime_type -i ^video/mp4$ ^video/mpeg$

acl Upload_Policies req_mime_type -i ^image/png$

acl Banned_Patterns url_regex -i .[Ii][Ss][Oo]$

acl Port_Based_Policy port 21

acl Ip_Based_Policy dst 208.64.57.152

deny_info Bad_URLs Bad_URLs

deny_info Download_Policies Download_Policies

deny_info Upload_Policies Upload_Policies

deny_info Banned_Patterns Banned_Patterns

deny_info Port_Based_Policy Port_Based_Policy

deny_info Ip_Based_Policy Ip_Based_Policy

deny_info Fulltime Fulltime

Last bottom line : deny all other ads users.

acl maped proxy_auth avdhoot chetan sharad satish sujit

acl simplewall proxy_auth REQUIRED

http_access deny simplewall !maped

Squid: restrict proxy_auth (userid) only from selectec sources (src ip)

3 Answers3

Last bottom line : deny all other ads users.