
RE: max_user_ip


 



>>> -----Original Message-----
>>> From: Scott Mayo [mailto:sgmayo@xxxxxxxxxxxxxxxxxxxxxxxxx]
>>> Sent: Friday, December 02, 2005 6:11 AM
>>> To: squid
>>> Subject:  max_user_ip
>>>
>>>
>>> If I want to make it to where each user can only be logged onto the
>>> internet from one workstation at a time, do I need to add:
>>>
>>> acl <domainusers> max_user_ip -s 1
>>>
>>> Is there anything else I need to change, like the authenticate_ttl?
>>> If so what should I set that to?  If I set the authenticate_ttl to
>>> something like 5 hours, that just means that squid will keep the
>>> authentication for 5 hours when they are still logged onto the
>>> internet correct?  If they actually close the web browser, they could
>>> go directly to another machine or open the browser back up on this
>>> machine and get back on, they would not have to wait 5 hours would
>>> they?  If I read this correctly, then the 5 hours is just alive as
>>> long as that one instance of the web browser is open..or until the 5
>>> hours is up.
>>>
>>> Thanks.
>>>
>>> -- Scott Mayo
>>
>> I'll quote squid.conf.default here as I think it lays it out pretty
>> clearly:
>>
>> #       acl aclname max_user_ip [-s] number
>> #         # This will be matched when the user attempts to log in from more
>> #         # than <number> different ip addresses. The authenticate_ip_ttl
>> #         # parameter controls the timeout on the ip entries.
>>
>> and
>>
>> #  TAG: authenticate_ip_ttl
>> #       If you use proxy authentication and the 'max_user_ip' ACL, this
>> #       directive controls how long Squid remembers the IP addresses
>> #       associated with each user.  Use a small value (e.g., 60 seconds) if
>> #       your users might change addresses quickly, as is the case with
>> #       dialups. You might be safe using a larger value (e.g., 2 hours) in a
>> #       corporate LAN environment with relatively static address
>> #       assignments.
>>
>> and
>>
>> #  TAG: authenticate_ttl
>> #       The time a user & their credentials stay in the logged in user cache
>> #       since their last request. When the garbage interval passes, all user
>> #       credentials that have passed their TTL are removed from memory.
>>
>> If your authentication mechanism is slow, bump up the authenticate_ttl.
>> If your users hop computers often, keep authenticate_ip_ttl low.
>>
>> Chris
>>
> 
> This is what I had been reading.  So from what it says, they will not be
> able to open a 2nd browser until the authenticate_ttl is up.  

authenticate_ip_ttl, not authenticate_ttl.  They are different.

> That kind of
> makes things tough, if it is set to so many hours, then they cannot open a
> 2nd browser up for quite a while once the 1st is closed, but if I set it
> very low, then they could just be opening browsers up all over the place
> (which is what I am trying to avoid).

So set it somewhere in between.  If you set authenticate_ip_ttl for 5 minutes, then one login being shared on multiple computers would cause a fair bit of disruption: one computer would have exclusive access for 5 minutes, the others would be denied.  After 5 minutes access would be up for grabs and whoever got it would have exclusive access for 5 minutes.

> 
> It looks like it should clear the cache out as soon as they log off
> the browser and reset the ttl.  I guess that is more what I am wanting to
> do.  I'll go back through the squid.conf to see if I can find a way to do
> that.

HTTP is a stateless protocol.  There is no method of saying "Thanks, I'm done browsing now" other than session cookies.  Using a cookie-based authentication method is possible, but not trivial.  Perhaps it is what you are looking for.  It's a good deal more work but it's more flexible.

> 
> Thanks.
> Scott
> 
> 

Chris
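
Added example, not part of the original thread: a squid.conf fragment showing how the directives discussed above fit together for a one-workstation-per-user limit. The ACL names `authed_users` and `too_many_ips` are placeholders, and an `auth_param` scheme is assumed to be configured elsewhere in the file.

```conf
# Constructed example; ACL names are placeholders and an auth_param
# scheme is assumed to be configured already.

# Require proxy authentication for every request.
acl authed_users proxy_auth REQUIRED

# Matches when an authenticated user is seen from more than 1 IP address.
# -s makes the limit strict: further addresses are denied until the
# remembered IP entry times out.
acl too_many_ips max_user_ip -s 1

# How long Squid remembers the IP address tied to each user.
# A long value keeps a user tied to the first workstation for that long:
#authenticate_ip_ttl 5 hours
# The middle ground suggested in the thread:
authenticate_ip_ttl 5 minutes

# Separate setting: how long validated credentials stay cached since the
# user's last request. Raise it if the authentication helper is slow.
authenticate_ttl 1 hour

# Order matters: reject the over-limit case before allowing
# authenticated users, then deny everything else.
http_access deny too_many_ips
http_access allow authed_users
http_access deny all
```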

