>>> -----Original Message----- >>> From: Scott Mayo [mailto:sgmayo@xxxxxxxxxxxxxxxxxxxxxxxxx] >>> Sent: Friday, December 02, 2005 6:11 AM >>> To: squid >>> Subject: max_user_ip >>> >>> >>> If I want to make it to where each user can only be logged onto the >>> internet from one workstation at a time, do I need to add: >>> >>> acl <domainusers> max_user_ip -s 1 >>> >>> Is there anything else I need to change, like the athenticate_ttl? >>> If so what should I set that to? If I set the authenticate_ttl to >>> something like 5 hours, that just means that squid will keep the >>> authentication for 5 hours when they are still logged onto the >>> internet correct? If they actually close the web browser, they could >>> go directly to another machine or open the browser back up on this >>> machine and get back on, they would not have to wait 5 hours would >>> they? If I read this correctly, then the 5 hours is just alive as >>> along as that one instance of the web browser is open..or until the 5 >>> hours is up. >>> >>> Thanks. >>> >>> -- Scott Mayo >> >> I'll quote squid.conf.default here as I think it lays it out pretty >> clearly: >> >> # acl aclname max_user_ip [-s] number >> # # This will be matched when the user attempts to log in from >> more >> # # than <number> different ip addresses. The authenticate_ip_ttl >> # # parameter controls the timeout on the ip entries. >> >> and >> >> # TAG: authenticate_ip_ttl >> # If you use proxy authentication and the 'max_user_ip' ACL, this >> # directive controls how long Squid remembers the IP addresses >> # associated with each user. Use a small value (e.g., 60 seconds) >> if >> # your users might change addresses quickly, as is the case with >> # dialups. You might be safe using a larger value (e.g., 2 hours) in >> a >> # corporate LAN environment with relatively static address >> assignments. >> >> and >> >> # TAG: authenticate_ttl >> # The time a user & their credentials stay in the logged in user >> cache >> # since their last request. When the garbage interval passes, all >> user >> # credentials that have passed their TTL are removed from memory. >> >> If your authentication mechanism is slow, bump up the authenticate_ttl. >> If your users hop computers often, keep authenticate_ip_tll low. >> >> Chris >> > > This is what I had been reading. So from what it says, they will not be > able to open a 2nd browser until the authenticate_ttl is up. authenticate_ip_ttl, not authenticate_ttl. They are different. > That kind of > makes things tough, if it is set to so many hours, then they cannot open a > 2nd browser up for quite a while once the 1st is closed, but if I set it > very low, then they could just be opening browsers up all over the place > (which is what I am trying to avoid). So set it somewhere in between. If you set authenticate_ip_ttl for 5 minutes, then one login being shared on multiple computers would cause a fair bit of disruption: one computer would have exclusive access for 5 minutes, the others would be denied. After 5 minutes access would be up-for-grabs and who ever got it would have exclusive access for 5 minutes. > > It looks like it should clear the cache out out as soon as they log off > the browser and reset the ttl. I guess that is more what I am wanting to > do. I'll go back through the squid.conf to see if I can find a way to do > that. HTTP is a stateless protocol. There is no method of saying "Thanks, I'm done browsing now" other than session cookies. Using a cookie based authentication method is possible, but not trivial. Perhaps it is what you are looking for. It's a good deal more work but it's more flexible. > > Thanks. > Scott > > Chris
