
List:       squid-users
Subject:    Re: [squid-users] Squid MAC address ACL is not worked, and how to get the MAC address Squid see?
From:       Billy.Zheng(zw963) <zw963 () 163 ! com>
Date:       2016-01-21 8:37:52
Message-ID: 87vb6n2uqn.fsf () 163 ! com


> Why that requirement?

I hope to connect to the squid server with only my own laptop, no
password needed.

> This port receives TLS (HTTPS) connections. You need special browser
> configuration to connect to a proxy using TLS. The only browser that
> supports this is Chrome when configured with a PAC file or when run
> manually with special command line options.
> 

I use stunnel for this; it works well.
For my browser, I only need the proxy 127.0.0.1:8087.

> ?? you have both Squid format and Apache format log records being put
> into the same log?

I specified the access.log format; I didn't include that config in this
discussion.

> The access.log says the request came from a remote Internet IP address
> outside your LAN. That is why ARP is not working.

Thanks, this is what I need. It seems like there is no way to auto-verify
a specific computer. Could you please tell me, does squid have some
verification method like ssh public key/private key based auto-login?

Amos Jeffries writes:

> On 14/01/2016 3:29 a.m., Billy.Zheng (zw963) wrote:
> > 
> > It seems like I missed so many replies, sorry for all.
> > 
> > I try to reproduce everything I did in this reply.
> > 
> > Currently, I use a newer compiled version of Squid (3.5.12); see the wiki, it
> > should support the arp acl out of the box. The following is copied from the wiki.
> > 
> > > The arp ACL requires the special configure option --enable-arp-acl in
> > > Squid-3.1 and older, for newer Squid versions EUI-48 (aka MAC address)
> > > support is enabled by default. Furthermore, the ARP / EUI-48 code is
> > > not portable to all operating systems. It works on Linux, Solaris,
> > > and some *BSD variants.
> > 
> > So, I think squid's arp acl support is not the key.
> 
> If you mean that you think it will not work, you are correct.
> 
> > 
> > The following is my whole config, which works on CentOS 7. My need is to connect
> > to the Squid server from my own laptop (with MAC address), no password needed.
> 
> Why that requirement?
> 
> > 
> > The following is my network info, hope it can help.
> > 
> > My laptop connects to the internet through an old WIFI router.
> > When I run traceroute on my laptop over the WIFI connection, I cannot find any useful info.
> > 
> > traceroute to MY_VPS_IP (MY_VPS_IP), 30 hops max, 60 byte packets
> > 1  localhost (192.168.1.1)  2.017 ms  3.294 ms  3.549 mspp
> > 2  MY_VPS_IP (MY_VPS_IP)  101.182 ms !X  101.965 ms !X  104.812 ms !p
> > 
> > Only when I connect my laptop directly to the router with a wired connection
> > does it output meaningful route information.
> > 
> > ------------------------- config begin ------------------------------
> > 
> > debug_options 11,2
> > 
> > auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid.passwd
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > auth_param basic casesensitive on
> > 
> > acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
> > acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
> > acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
> > acl localnet src fc00::/7       # RFC 4193 local private network range
> > acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> > 
> > acl SSL_ports port 443
> > acl Safe_ports port 80		# http
> > acl Safe_ports port 21		# ftp
> > acl Safe_ports port 443		# https
> > acl Safe_ports port 70		# gopher
> > acl Safe_ports port 210		# wais
> > acl Safe_ports port 1025-65535	# unregistered ports
> > acl Safe_ports port 280		# http-mgmt
> > acl Safe_ports port 488		# gss-http
> > acl Safe_ports port 591		# filemaker
> > acl Safe_ports port 777		# multiling http
> > acl CONNECT method CONNECT
> > acl proxy_ports localport 8087       # http proxy port
> > 
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > 
> > http_access allow localhost manager
> > http_access deny manager
> > 
> > acl advance_users arp MY_LAPTOP_MAC_ADDRESS
> > http_access allow advance_users proxy_ports
> > 
> > acl superuser proxy_auth zw963
> > http_access allow superuser proxy_ports
> > 
> > acl authorized_users proxy_auth REQUIRED
> > acl over_conn_limit maxconn 3
> > 
> > http_access deny over_conn_limit authorized_users
> > http_access allow authorized_users proxy_ports
> > 
> > http_access allow localnet
> > http_access allow localhost
> > http_access deny all
> > 
> > https_port 8087 cert=/etc/squid/cert.pem key=/etc/squid/key.pem
> 
> This port receives TLS (HTTPS) connections. You need special browser
> configuration to connect to a proxy using TLS. The only browser that
> supports this is Chrome when configured with a PAC file or when run
> manually with special command line options.
> 
> 
> > ------------------ config end ---------------------
> > 
> > When I use w3m to connect to google, w3m tells me user/password is needed.
> > 
> > The following is the squid log:
> > 
> > ==================================== log begin =====================================
> > ==> /var/log/squid/cache.log <==
> > 2016/01/13 14:19:07.952 kid1| 11,2| client_side.cc(2345) parseHttpRequest: HTTP Client local=*** remote=*** FD 14 flags=1
> 
> Your rules are all IP and port based. You elided the IP:port information
> with "***".
> > 
> > ==> /var/log/squid/access.log <==
> > 1452694747.953      1 60.221.132.137 TCP_DENIED/407 4130 GET http://www.google.com/ - HIER_NONE/- text/html
> > ****** - - [13/Jan/2016:14:19:07 +0000] "GET http://www.google.com/ HTTP/1.0" 407 4130 "-" "w3m/0.5.3+debian-15" TCP_DENIED:HIER_NONE
> 
> ?? you have both Squid format and Apache format log records being put
> into the same log?
> 
> 
> > 
> > ======================================= log end ================================
> > 
> > I have no idea why squid Auth is needed when I connect from my laptop.
> > This situation is the same as when the following acl is not used.
> > 
> > > > acl advance_users arp MY_LAPTOP_MAC_ADDRESS
> > > > http_access allow advance_users proxy_ports
> > 
> 
> The access.log says the request came from a remote Internet IP address
> outside your LAN. That is why ARP is not working.
> 
> ARP / MAC address in IPv4 only works within a single flat subnet where
> all devices are directly connected. As soon as packets go through a
> router the MAC/ARP address is changed.
> 
> In IPv6 this is somewhat better, since SLAAC configuration sends the EUI-64
> address as part of the client IPv6 address. When that happens the MAC is
> visible through router hops. But when DHCP or "Privacy" addressing is
> used the EUI/MAC is not available at all even in the same subnet.
> 
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-- 
Geek, Rubyist, Emacser
Homepage: http://zw963.github.io
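Added example (not code from either poster or from the Squid project) that applies Amos's explanation to a Squid native-format access.log record: it pulls the client address out of the record, checks it against the localnet ranges from the quoted squid.conf, and for IPv6 recovers the MAC only when the interface ID is a SLAAC EUI-64. The sample records and the 00:11:22:33:44:55 MAC are constructed; the 60.221.132.137 record is the one from the thread.

```python
import ipaddress
import re

# localnet ranges taken from the squid.conf quoted in the thread
LOCALNET = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

# Squid native access.log: time elapsed client code/status bytes method url ...
NATIVE = re.compile(r"^(\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)")

def client_ip(line):
    """Return the client address field (%>a) of a native-format record."""
    m = NATIVE.match(line)
    if not m:
        raise ValueError("not a Squid native-format access.log record")
    return ipaddress.ip_address(m.group(3))

def mac_from_eui64(addr):
    """Recover the EUI-48 (MAC) from a SLAAC IPv6 address, or None.
    A SLAAC interface ID is the MAC with ff:fe inserted in the middle and
    the universal/local bit (0x02 of the first octet) flipped."""
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # DHCPv6 / privacy / manual address: no MAC embedded
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)

def arp_acl_can_match(line):
    """(possible, reason): could an 'arp' ACL ever see this client's MAC?"""
    ip = client_ip(line)
    if ip.version == 4:
        local = any(ip in n for n in LOCALNET)
        return (local, "same flat subnet, ARP can resolve the MAC" if local
                else "client arrived through a router: MAC rewritten per hop")
    mac = mac_from_eui64(ip)
    if mac:
        return (True, f"EUI-64 SLAAC address carries MAC {mac}")
    return (False, "IPv6 address without embedded EUI-64 (privacy/DHCPv6)")

# constructed sample records in Squid's native log format
LOG_DENIED = ("1452694747.953      1 60.221.132.137 TCP_DENIED/407 4130 GET "
              "http://www.google.com/ - HIER_NONE/- text/html")
LOG_LAN = ("1452694747.953      1 192.168.1.20 TCP_MISS/200 512 GET "
           "http://www.google.com/ - HIER_DIRECT/x text/html")
LOG_SLAAC = ("1452694747.953      1 2001:db8::211:22ff:fe33:4455 TCP_MISS/200 "
             "512 GET http://www.google.com/ - HIER_DIRECT/x text/html")

if __name__ == "__main__":
    for rec in (LOG_DENIED, LOG_LAN, LOG_SLAAC):
        print(client_ip(rec), arp_acl_can_match(rec))
```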
