I’d like to implement IP-based authentication on my proxy servers. Consider a user of my service called
user1. Here’s what my ACL currently looks like for that:
acl user11 proxy_auth [-i] user11 acl user12 proxy_auth [-i] user12 acl user13 proxy_auth [-i] user13
with a corresponding outgoing IP address assignment:
tcp_outgoing_address 18.104.22.168 user11 tcp_outgoing_address 22.214.171.124 user12 tcp_outgoing_address 126.96.36.199 user13
user1 can use multiple outbound IP addresses by appending a number to their username when authenticating.
user1 to have access to many outgoing IP addresses but use IP-based authentication. As I understand it, I would do IP-based authentication like this:
acl user11 10.0.0.1 acl user12 10.0.0.1 acl user13 10.0.0.1
But that won’t work because then the user has no way of using/specifying a different outgoing IP address. This must mean that I have to use a different port for each outbound IP address.
Suppose my server’s main IP was
188.8.131.52 (What the user will connect to) and I wanted each port they connect to to have a different outbound IP address. Let’s also assume the user’s IP is
10.0.0.1 and we want to use IP-based authentication. The way I understand it, this is how I would do that:
http_port 184.108.40.206:3128 name=3128 http_port 220.127.116.11:3129 name=3129 http_port 18.104.22.168:3130 name=3130 acl user13128 myportname 3128 src 10.0.0.1 http_access allow user13128 tcp_outgoing_address 22.214.171.124 user13128 acl user13129 myportname 3129 src 10.0.0.1 http_access allow user13129 tcp_outgoing_address 126.96.36.199 user13129 acl user13130 myportname 3130 src 10.0.0.1 http_access allow user13130 tcp_outgoing_address 188.8.131.52 user13130
Please correct me if I’m wrong. My question is, can I setup the IP-based authentication so that I can change it in 1 place in my
squid.conf. That way, if the user changes their IP, I don’t have to rewrite a huge list of ACL. Consider that this server has 10,000 IP addresses bound to it. Can I use some sort of wildcard that says:
acl user1* src 10.0.0.1 http_access allow
Please correct any error I may have here. This is my first attempt at IP-based authentication.