Option Name: | tcp_outgoing_address |
---|---|
Replaces: | |
Requires: | |
Default Value: | none |
Suggested Config: | |

Allows you to map requests to different outgoing IP addresses based on the username or source address of the user making the request.

    tcp_outgoing_address ipaddr [[!]aclname] ...

Example where requests from 10.0.0.0/24 will be forwarded with source address 10.1.0.1, 10.0.2.0/24 forwarded with source address 10.1.0.2 and the rest will be forwarded with source address 10.1.0.3.

    acl normal_service_net src 10.0.0.0/24
    acl good_service_net src 10.0.2.0/24
    tcp_outgoing_address 10.1.0.1 normal_service_net
    tcp_outgoing_address 10.1.0.2 good_service_net
    tcp_outgoing_address 10.1.0.3

Processing proceeds in the order specified, and stops at the first fully matching line.

Note: Using this directive with client-dependent ACLs is incompatible with server-side persistent connections. To ensure correct results it is best to set server_persistent_connections to off when using this directive in such configurations.

IPv6 Magic:

Squid is built with a capability of bridging the IPv4 and IPv6 internets. tcp_outgoing_address as shown above breaks this bridging by forcing all outbound traffic through a certain IPv4 address which may be on the wrong side of the IPv4/IPv6 boundary.

To operate with tcp_outgoing_address and keep the bridging benefits, an additional ACL needs to be used which ensures the IPv6-bound traffic is never forced or permitted out the IPv4 interface.

    # IPv6 destination test along with a dummy access control to perform the required DNS
    # This MUST be placed before any ALLOW rules.
    acl to_ipv6 dst ipv6
    http_access deny to_ipv6 !all

    tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6
    tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6

    tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6
    tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6

    tcp_outgoing_address 2001:db8::1 to_ipv6
    tcp_outgoing_address 10.1.0.3 !to_ipv6

WARNING: 'dst ipv6' bases its selection on the assumption of DIRECT access. If peers are used, peername ACLs are needed to select an outgoing address which can link to the peer.

'dst ipv6' is a slow ACL. It will only work here if 'dst' is used previously in the http_access rules to locate the destination IP. Some more magic may be needed for that:

    http_access allow to_ipv6 !all

(meaning, allow if to IPv6 but not from anywhere ;)
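To check which source address a given client and destination will get under the first-match rule, the following added example (not part of the Squid documentation or code) models only the `src` and `dst ipv6` ACL types used on this page. The function names are hypothetical, the rule set is a constructed copy of the one above, and the destination IP is passed in as already resolved, which sidesteps the DNS lookup Squid's slow ACL performs.

```python
import ipaddress

# Constructed sample: the page's IPv6-aware rule set, limited to the ACL types it uses.
SAMPLE_CONF = """
acl normal_service_net src 10.0.0.0/24
acl good_service_net src 10.0.2.0/24
acl to_ipv6 dst ipv6
tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6
tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6
tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6
tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6
tcp_outgoing_address 2001:db8::1 to_ipv6
tcp_outgoing_address 10.1.0.3 !to_ipv6
"""

def parse(conf):
    """Return (acls, rules) from 'acl' and 'tcp_outgoing_address' lines, in file order."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "acl" and len(tok) >= 4:
            acls[tok[1]] = (tok[2], tok[3])
        elif tok[0] == "tcp_outgoing_address" and len(tok) >= 2:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, client_ip, dest_ip):
    kind, value = acls[name]  # KeyError exposes a rule that names an undefined ACL
    if kind == "src":
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(value)
    if kind == "dst" and value == "ipv6":
        return ipaddress.ip_address(dest_ip).version == 6
    raise ValueError(f"ACL type not modelled here: {kind} {value}")

def outgoing_address(conf, client_ip, dest_ip):
    """First line whose ACLs all match wins; None means no line applied."""
    acls, rules = parse(conf)
    for addr, names in rules:
        # A '!' prefix inverts the ACL; a line with no ACLs matches every request.
        if all(acl_matches(acls, n.lstrip("!"), client_ip, dest_ip) != n.startswith("!")
               for n in names):
            return addr
    return None
```

Running the same lookups against a reordered copy of the rules shows the ordering hazard: an ACL-less line placed first captures every request, so the per-network lines below it never apply.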