>>>> -----Original Message-----
>>>> From: Scott Mayo [mailto:sgmayo@xxxxxxxxxxxxxxxxxxxxxxxxx]
>>>> Sent: Friday, December 02, 2005 6:11 AM
>>>> To: squid
>>>> Subject: max_user_ip
>>>>
>>>>
>>>> If I want to make it to where each user can only be logged onto the
>>>> internet from one workstation at a time, do I need to add:
>>>>
>>>> acl <domainusers> max_user_ip -s 1
>>>>
>>>> Is there anything else I need to change, like the authenticate_ttl?
>>>> If so what should I set that to? If I set the authenticate_ttl to
>>>> something like 5 hours, that just means that squid will keep the
>>>> authentication for 5 hours when they are still logged onto the
>>>> internet correct? If they actually close the web browser, they could
>>>> go directly to another machine or open the browser back up on this
>>>> machine and get back on, they would not have to wait 5 hours would
>>>> they? If I read this correctly, then the 5 hours is just alive as
>>>> long as that one instance of the web browser is open..or until the 5
>>>> hours is up.
>>>>
>>>> Thanks.
>>>>
>>>> -- Scott Mayo
>>>
>>> I'll quote squid.conf.default here as I think it lays it out pretty
>>> clearly:
>>>
>>> # acl aclname max_user_ip [-s] number
>>> # # This will be matched when the user attempts to log in from more
>>> # # than <number> different ip addresses. The authenticate_ip_ttl
>>> # # parameter controls the timeout on the ip entries.
>>>
>>> and
>>>
>>> # TAG: authenticate_ip_ttl
>>> # If you use proxy authentication and the 'max_user_ip' ACL, this
>>> # directive controls how long Squid remembers the IP addresses
>>> # associated with each user. Use a small value (e.g., 60 seconds) if
>>> # your users might change addresses quickly, as is the case with
>>> # dialups. You might be safe using a larger value (e.g., 2 hours) in a
>>> # corporate LAN environment with relatively static address assignments.
>>>
>>> and
>>>
>>> # TAG: authenticate_ttl
>>> # The time a user & their credentials stay in the logged in user cache
>>> # since their last request. When the garbage interval passes, all user
>>> # credentials that have passed their TTL are removed from memory.
>>>
>>> If your authentication mechanism is slow, bump up the authenticate_ttl.
>>> If your users hop computers often, keep authenticate_ip_ttl low.
>>>
>>> Chris
>>>
>>
>> This is what I had been reading. So from what it says, they will not be
>> able to open a 2nd browser until the authenticate_ttl is up.
>
> authenticate_ip_ttl, not authenticate_ttl. They are different.
>
>> That kind of
>> makes things tough, if it is set to so many hours, then they cannot open a
>> 2nd browser up for quite a while once the 1st is closed, but if I set it
>> very low, then they could just be opening browsers up all over the place
>> (which is what I am trying to avoid).
>
> So set it somewhere in between. If you set authenticate_ip_ttl for 5
> minutes, then one login being shared on multiple computers would cause a
> fair bit of disruption: one computer would have exclusive access for 5
> minutes, the others would be denied. After 5 minutes access would be
> up-for-grabs and whoever got it would have exclusive access for 5
> minutes.
>
>>
>> It looks like it should clear the cache out as soon as they log off
>> the browser and reset the ttl. I guess that is more what I am wanting to
>> do. I'll go back through the squid.conf to see if I can find a way to do
>> that.
>
> HTTP is a stateless protocol. There is no method of saying "Thanks, I'm
> done browsing now" other than session cookies. Using a cookie-based
> authentication method is possible, but not trivial. Perhaps it is what
> you are looking for. It's a good deal more work but it's more flexible.
>
>>
>> Thanks.
>> Scott
>>
>>
>
> Chris
>

Thanks for the information. That is what I was needing to hear I guess.
I don't want students to be able to share passwords and be on the internet
at the same time, but I also run into the trouble that a user may log in
and then move to a different computer within 30 seconds to a minute. With
what I was reading in the squid.conf.default, I saw no way to handle this,
which it looks like I cannot from what you say without some sort of
'session cookie'. Thanks again, I will see what I can find on this.

Scott
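
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not Squid's code: a simplified Python model of `max_user_ip -s 1` together with `authenticate_ip_ttl`, replayed over constructed traffic. The names `UserIpTracker` and `replay`, the sample addresses, and the assumption that each request restarts the timer for its own address are illustrative.

```python
# Simplified model (an assumption, not Squid source) of a strict
# "max_user_ip -s <number>" ACL combined with authenticate_ip_ttl.

class UserIpTracker:
    def __init__(self, max_ips, ip_ttl):
        self.max_ips = max_ips   # the <number> given to max_user_ip
        self.ip_ttl = ip_ttl     # authenticate_ip_ttl, in seconds
        self.seen = {}           # user -> {ip: time of last request}

    def allowed(self, user, ip, now):
        """Return True if the request passes, False if the ACL denies it."""
        ips = self.seen.setdefault(user, {})
        # Forget other addresses that have been silent longer than the TTL.
        for old in [a for a, t in ips.items()
                    if a != ip and now - t > self.ip_ttl]:
            del ips[old]
        ips[ip] = now            # remember this address / restart its timer
        if len(ips) <= self.max_ips:
            return True
        del ips[ip]              # strict mode: the extra address is dropped
        return False


def replay(ip_ttl, requests, max_ips=1):
    """Run (time, user, ip) tuples through a fresh tracker; list decisions."""
    tracker = UserIpTracker(max_ips, ip_ttl)
    return [tracker.allowed(user, ip, t) for t, user, ip in requests]


# Constructed sample traffic (addresses from the documentation range).
# MOVE: one student logs in on machine A, walks to machine B 45 s later.
MOVE = [(0, "student1", "192.0.2.10"), (45, "student1", "192.0.2.20"),
        (400, "student1", "192.0.2.20")]
# SHARE: a shared password, both machines browsing at the same time.
SHARE = [(0, "student1", "192.0.2.10"), (10, "student1", "192.0.2.20"),
         (20, "student1", "192.0.2.10"), (40, "student1", "192.0.2.20"),
         (50, "student1", "192.0.2.10")]

if __name__ == "__main__":
    for ttl in (30, 300):
        print(f"authenticate_ip_ttl={ttl}s  move:  {replay(ttl, MOVE)}")
        print(f"authenticate_ip_ttl={ttl}s  share: {replay(ttl, SHARE)}")
```

Under this model a short TTL lets the student who changes seats back in quickly, while a second machine using the same login is still refused for as long as the first one keeps sending requests.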