Re: [squid-users] something better than using IP address?

From: Jian Wang <jianw32_at_gmail.com>
Date: Sat, 12 Jul 2008 17:31:24 -0500

Hi, Amos,

First, thanks for the reply.

> Try ACL, up to and including custom external_acl_type. They can check based
> on just about anything you like and permit/deny redirection via
> url_rewrite_access.

Could you please give me more details (or direct me to some docs) about this?
And in our application, we allow everyone in the subnet to access the
Squid (e.g., a temporary visitor with no user account who is from a
PATed subnet). Therefore, it seems to me that we do not have to
configure much about the ACL--as long as Squid allows the IP address of
the NATed/PATed router.

Our goal is to distinguish different client computers, even if they are
from different PAT/NAT subnets. Intuitively, MAC address can do this.
However, MAC is the datalink layer protocol. I think it won't work for
the PAT/NAT. So I'm seeking a solution that can uniquely identify a
client computer--despite different subnets. Is it possible to find
such information from somewhere in Squid? For example, PAT uses a
different port to assign an IP address, this info should be included
in the packets sent to Squid; the question is how can we retrieve
this info?

Thanks a lot.

Jian

On Sat, Jul 12, 2008 at 6:59 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> Jian Wang wrote:
>>
>> Hi, all,
>>
>> Recently, we used Squid redirectors to solve an application problem.
>
> Better to fix the application problem than to hack around it with
> complication.
>
>> Our redirectors are checking incoming requests against a database
>> table to see if this IP has already accessed Squid--redirect only if
>> the IP is not in the database.
>>
>> We now have the concern that it may cause problems when applying our
>> application to a NATed or PATed network. In those networks, private IP
>> addresses are not seen from the upper level router (on which our Squid
>> is sitting). Therefore, it seems to be not possible for us to make our
>> redirectors work as expected.
>>
>> In our application, we don't want to use any user name + password for
>> access authentication, our situation is that everyone is authorized.
>>
>> In the Squid redirector input string, we can only get the IP address (plus
>> FQDN at most, which doesn't help at all). Is there a way for Squid to
>> solve this problem?
>
> Try ACL, up to and including custom external_acl_type. They can check based
> on just about anything you like and permit/deny redirection via
> url_rewrite_access.
>
> Amos
> --
> Please use Squid 2.7.STABLE3 or 3.0.STABLE7
>
Received on Sat Jul 12 2008 - 22:31:26 MDT
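
The external_acl_type plus url_rewrite_access approach suggested in the thread, sketched as an added example that is not code from either poster or from the Squid project. The ACL name, helper path, database path and the choice of User-Agent as a second key are assumptions; two hosts behind one PAT address that send the same header still collapse into one key.

```python
#!/usr/bin/env python3
# Added example, not from the thread. Assumed squid.conf wiring (ACL name,
# helper path and the User-Agent key are hypothetical choices):
#   external_acl_type first_visit ttl=0 negative_ttl=0 %SRC %{User-Agent} /usr/local/bin/first_visit.py
#   acl unseen external first_visit
#   url_rewrite_access allow unseen
#   url_rewrite_access deny all
import hashlib
import sqlite3
import sys


def open_db(path=":memory:"):
    """Open (or create) the table of clients that have already been seen."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS seen (client TEXT PRIMARY KEY)")
    return db


def client_key(line):
    # First field is %SRC; the rest of the line is the header value, kept
    # opaque so Squid's quoting or URL-escaping of it does not matter.
    src, _, rest = line.strip().partition(" ")
    if not src:
        return None
    return hashlib.sha256(f"{src}\n{rest}".encode()).hexdigest()


def answer(db, line):
    """Return 'OK' (ACL matches: first visit) or 'ERR' (already seen)."""
    key = client_key(line)
    if key is None:
        return "ERR"  # malformed request line: never match
    cur = db.execute("INSERT OR IGNORE INTO seen VALUES (?)", (key,))
    db.commit()
    return "OK" if cur.rowcount == 1 else "ERR"


def main():
    db = open_db("/var/tmp/first_visit.db")  # hypothetical path
    for line in sys.stdin:
        # One reply line per request line, flushed so Squid is not kept waiting.
        sys.stdout.write(answer(db, line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

With this wiring the redirector only runs for requests where the helper answered OK, so the "already seen" check moves out of the redirector and into the ACL.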