>> -----Original Message----- >> From: Scott Mayo [mailto:sgmayo@xxxxxxxxxxxxxxxxxxxxxxxxx] >> Sent: Friday, December 02, 2005 6:11 AM >> To: squid >> Subject: max_user_ip >> >> >> If I want to make it to where each user can only be logged onto the >> internet from one workstation at a time, do I need to add: >> >> acl <domainusers> max_user_ip -s 1 >> >> Is there anything else I need to change, like the athenticate_ttl? >> If so what should I set that to? If I set the authenticate_ttl to >> something like 5 hours, that just means that squid will keep the >> authentication for 5 hours when they are still logged onto the >> internet correct? If they actually close the web browser, they could >> go directly to another machine or open the browser back up on this >> machine and get back on, they would not have to wait 5 hours would >> they? If I read this correctly, then the 5 hours is just alive as >> along as that one instance of the web browser is open..or until the 5 >> hours is up. >> >> Thanks. >> >> -- Scott Mayo > > I'll quote squid.conf.default here as I think it lays it out pretty > clearly: > > # acl aclname max_user_ip [-s] number > # # This will be matched when the user attempts to log in from > more > # # than <number> different ip addresses. The authenticate_ip_ttl > # # parameter controls the timeout on the ip entries. > > and > > # TAG: authenticate_ip_ttl > # If you use proxy authentication and the 'max_user_ip' ACL, this > # directive controls how long Squid remembers the IP addresses > # associated with each user. Use a small value (e.g., 60 seconds) > if > # your users might change addresses quickly, as is the case with > # dialups. You might be safe using a larger value (e.g., 2 hours) in > a > # corporate LAN environment with relatively static address > assignments. > > and > > # TAG: authenticate_ttl > # The time a user & their credentials stay in the logged in user > cache > # since their last request. When the garbage interval passes, all > user > # credentials that have passed their TTL are removed from memory. > > If your authentication mechanism is slow, bump up the authenticate_ttl. > If your users hop computers often, keep authenticate_ip_tll low. > > Chris > This is what I had been reading. So from what it says, they will not be able to open a 2nd browser until the authenticate_ttl is up. That kind of makes things tough, if it is set to so many hours, then they cannot open a 2nd browser up for quite a while once the 1st is closed, but if I set it very low, then they could just be opening browsers up all over the place (which is what I am trying to avoid). It looks like it should clear the cache out out as soon as they log off the browser and reset the ttl. I guess that is more what I am wanting to do. I'll go back through the squid.conf to see if I can find a way to do that. Thanks. Scott
