[SQU] Squid + Interscan VirusWall + ACL lists

From: <[email protected]>
Date: Tue, 22 Aug 2000 16:36:10 +1000

Hi,

I am currently performing an evaluation of squid together
with interscan viruswall.

I have come across a problem when I try to implement an
acl of valid users based upon IP address who then have
also to supply a username and password to access
the internet. The acls that I have used to do this are

acl passwd proxy_auth REQUIRED
acl test_group src "/usr/local/squid/etc/iplist"
acl all src 0.0.0.0/0.0.0.0
http_access allow test_group passwd
http_access deny all

the file /usr/local/squid/etc/iplist contains the following
entries

161.143.76.182/255.255.0.0

The interscan virus wall is running on the same Linux box
as squid and is using port 8080 (squid is running on 2728)

The browser on the client (161.143.76.182) is set up to point to
port 8080.

What I want to happen is for squid to check if the request is
coming from 161.143.76.182, and if so then to prompt for
a username and password.

If the request is not coming from 161.143.76.182 then the user
should be shown the squid generated error page; instead
they are prompted for a username and password - which if
valid will allow them to connect to the net. This in effect allows
them to circumvent the acl specifying that they must be from
the .182 address.

I believe this is caused by the line in the /usr/local/squid/etc/iplist
file. I have determined this by setting the client to port 2728
(bypassing the interscan virus wall) and changing the line in
the iplist file to

161.143.76.182/255.255.255.255

and everything works as expected - the problem is that when
I point the client back to using the interscan virus wall port (8080)
Squid does not accept the client's ip address as being one
contained in the /usr/local/squid/etc/iplist file (though it is).

I suspect that because the request is first going through the
virus wall's port before going onto squid, the ip address is
somehow being altered.

If anyone can give me some advice on how to fix this problem
can they please reply. Also if I haven't given enough information
let me know and I can post the relevant details.

Thanks

Michael Anderson
(michael.anderson@osr.qld.gov.au)

Received on Tue Aug 22 2000 - 00:40:43 MDT
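
Added example, not part of the original post: a small Python model of the two http_access rules above, showing which source addresses each iplist mask admits and what changes when the request reaches Squid through a relay on port 8080. It assumes the mask is applied to the address (so host bits are dropped) and that Squid sees the relay's own address as the source; OTHER_HOST and RELAY_ADDR are constructed values, not taken from the post.

```python
import ipaddress

# Only 161.143.76.182 and the two masks come from the post; the rest is constructed.
CLIENT = "161.143.76.182"      # the permitted workstation
OTHER_HOST = "161.143.9.9"     # constructed: another machine inside the same /16
RELAY_ADDR = "161.143.76.10"   # assumed address the VirusWall relay connects from

WIDE = ["161.143.76.182/255.255.0.0"]
HOST_ONLY = ["161.143.76.182/255.255.255.255"]


def parse_entry(line):
    """Parse an 'address/netmask' iplist line into a network.

    Assumption: the mask is applied to the address, so host bits are dropped.
    """
    addr, _, mask = line.strip().partition("/")
    return ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)


def http_access(iplist, tcp_peer):
    """Model 'http_access allow test_group passwd' followed by 'deny all'.

    tcp_peer is the address of whatever opened the TCP connection to Squid.
    """
    peer = ipaddress.ip_address(tcp_peer)
    in_group = any(peer in parse_entry(entry) for entry in iplist)
    return "auth-prompt" if in_group else "deny"


def outcomes(iplist):
    """Decision per path: direct to Squid (2728) or relayed through port 8080."""
    return {
        "client direct": http_access(iplist, CLIENT),
        "other direct": http_access(iplist, OTHER_HOST),
        # Through the relay, every browser arrives with the relay's address.
        "client via relay": http_access(iplist, RELAY_ADDR),
        "other via relay": http_access(iplist, RELAY_ADDR),
    }


if __name__ == "__main__":
    for label, acl in (("255.255.0.0", WIDE), ("255.255.255.255", HOST_ONLY)):
        print(label, str(parse_entry(acl[0])), outcomes(acl))
```

Under these assumptions the 255.255.0.0 entry covers all of 161.143.0.0/16, so every host in that range (and the relay itself) reaches the password prompt, while the 255.255.255.255 entry admits only direct connections from the .182 client.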
