I'd like to implement IP-based authentication on my proxy servers. Consider a user of my service called user1. Here's what my ACL currently looks like for that:

acl user11 proxy_auth [-i] user11
acl user12 proxy_auth [-i] user12
acl user13 proxy_auth [-i] user13

with a corresponding outgoing IP address assignment:

tcp_outgoing_address 175.25.11.25 user11
tcp_outgoing_address 175.25.11.26 user12
tcp_outgoing_address 175.25.11.27 user13

This way, user1 can use multiple outbound IP addresses by appending a number to their username when authenticating.

I want user1 to have access to many outgoing IP addresses but use IP-based authentication. As I understand it, I would do IP-based authentication like this:

acl user11 10.0.0.1
acl user12 10.0.0.1
acl user13 10.0.0.1

But that won't work because then the user has no way of using/specifying a different outgoing IP address. This must mean that I have to use a different port for each outbound IP address.

Suppose my server's main IP was 175.25.11.1 (What the user will connect to) and I wanted each port they connect to to have a different outbound IP address. Let's also assume the user's IP is 10.0.0.1 and we want to use IP-based authentication. The way I understand it, this is how I would do that:

http_port 175.25.11.1:3128 name=3128
http_port 175.25.11.1:3129 name=3129
http_port 175.25.11.1:3130 name=3130

acl user13128 myportname 3128 src 10.0.0.1
http_access allow user13128
tcp_outgoing_address 175.25.11.25 user13128

acl user13129 myportname 3129 src 10.0.0.1
http_access allow user13129
tcp_outgoing_address 175.25.11.26 user13129

acl user13130 myportname 3130 src 10.0.0.1
http_access allow user13130
tcp_outgoing_address 175.25.11.27 user13130

Please correct me if I'm wrong. My question is, can I set up the IP-based authentication so that I can change it in 1 place in my squid.conf? That way, if the user changes their IP, I don't have to rewrite a huge list of ACLs. Consider that this server has 10,000 IP addresses bound to it. Can I use some sort of wildcard that says:

acl user1* src 10.0.0.1 http_access allow

Please correct any error I may have here. This is my first attempt at IP-based authentication.

xendi

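The question above describes a per-port outbound-address layout where the client's IP would otherwise be repeated in every ACL. The following is an added example, not part of the original post or of Squid itself, showing how a practitioner would generate that layout so the client's source IP is declared in exactly one `src` ACL and every `http_access` and `tcp_outgoing_address` line references it together with a per-port `myportname` ACL (Squid treats multiple ACLs on one line as a logical AND). The directive syntax used (`http_port ... name=`, `acl ... src`, `acl ... myportname`, `http_access`, `tcp_outgoing_address`) is standard Squid; the ACL names (`user1`, `p3128`), the `listen_ip`, and the port-to-address mapping are constructed sample values. Because a `src` ACL trusts the network address, every host behind the same NAT as 10.0.0.1 would match it, which is why the generator ends with an explicit `http_access deny all`.

```python
from ipaddress import ip_address


def generate_squid_conf(listen_ip, client_ips, port_to_outgoing, user="user1"):
    """Build squid.conf lines for one IP-authenticated user.

    listen_ip        -- address the client connects to (e.g. "175.25.11.1")
    client_ips       -- the single place where the user's source IPs live
    port_to_outgoing -- {listening_port: outbound_ip} mapping
    user             -- ACL name for the client (hypothetical; any valid name)

    Returns a list of configuration lines in an order Squid accepts:
    http_port lines, ACL definitions, http_access rules, tcp_outgoing_address.
    """
    # Validate every address up front so a typo fails here, not at squid -k parse.
    client_ips = [str(ip_address(ip)) for ip in client_ips]
    if not client_ips:
        raise ValueError("at least one client IP is required")

    ports = []
    for port, out_ip in port_to_outgoing.items():
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.append((int(port), str(ip_address(out_ip))))
    ports.sort()

    lines = []
    # One listening socket per outbound address; the name= tag is what
    # the myportname ACL matches on.
    for port, _ in ports:
        lines.append(f"http_port {listen_ip}:{port} name=p{port}")

    # The only line that has to change when the user's IP changes.
    lines.append(f"acl {user} src {' '.join(client_ips)}")

    for port, _ in ports:
        lines.append(f"acl p{port} myportname p{port}")

    # Access is granted only when BOTH the source IP and the port match.
    for port, _ in ports:
        lines.append(f"http_access allow {user} p{port}")
    lines.append("http_access deny all")

    # Outbound address selection keyed on the same two ACLs.
    for port, out_ip in ports:
        lines.append(f"tcp_outgoing_address {out_ip} {user} p{port}")

    return lines


def render(lines):
    """Join generated lines into a squid.conf fragment."""
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values mirroring the layout described in the post.
    mapping = {3128: "175.25.11.25", 3129: "175.25.11.26", 3130: "175.25.11.27"}
    print(render(generate_squid_conf("175.25.11.1", ["10.0.0.1"], mapping)))
```

Running the script prints a fragment that can be pasted into squid.conf and checked with `squid -k parse`; to scale to thousands of outbound addresses, feed the mapping from a file instead of the inline dictionary and keep the `src` ACL as the single edit point.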