So, if I understand correctly, squid has no way for me to force a user account to be expired or cleared prematurely. Setting the nonce_max_duration low wouldn't block a user with a constant stream of traffic, say watching a video for example.

If the above statements are correct, then do you have any thoughts on how challenging a change like this would be at the code level? For example, having a command similar to "squid -k reconfigure" (e.g. "squid -r user_to_expire") in which case squid would simply expire the given credentials, thus "tricking" squid into re-authenticating on demand? If user credentials are simply a table in memory this seems conceptually simple to accomplish. Though I'm a java developer and haven't touched C/++ in many years, so I'm not sure this is worth considering unless you think it's as simple as it seems like it could be.

Thanks!
Dave

p.s. my purpose in following this line of questioning is to monitor log files for per user traffic, and after a user exceeds their data transfer quota, I need to block further access. I don't want to slow access for users within their quota.

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Monday, March 22, 2010 12:35 AM
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Disable user accounts

David Parks wrote:
> I will be monitoring squid usage logs and need to disable user
> accounts from an external app (block them from making use of the proxy
> after they are authenticated).
>
> I'm not quite following the FAQ on this
> (http://wiki.squid-cache.org/Features/Authentication?action=show&redirect=SquidFaq/ProxyAuthentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F)
> because I don't have any criteria on
> which the ACL might force a re-negotiation (or I just don't understand
> the proposed solution).

Re-challenge is automatic whenever a new request needs to be authed and the currently known credentials are unknown or too old to be used.
>
> I'm also not clear if ("nonce_garbage_interval") and
> ("nonce_max_duration") are actually forcing a password check against
> the authentication module, or if they are just dealing with the
> nuances of the digest authentication protocol. I have them set to

Garbage collection only removes things known to be dead already. The garbage interval determines how often the memory caches are cleaned out above and beyond the regular as-used cleanings.

nonce_max_duration determines how long the nonces may be used for. It's closer to what you are wanting, but I'm not sure if there are any nasty side effects of setting it too low.

> their defaults, but after making a change to the password file that
> digest_pw_auth helper uses, I do not get challenged for the updated
> password. Could it just be that digest_pw_auth didn't re-read the
> password file after I made the change?

Yes.

>
> Thanks! David
>
>
> p.s. thanks for all of the responses to this point, I haven't replied
> as such with a "thanks", but the help on this user group is fantastic
> and is really appreciated, particularly Amos, you're a god-send!

Welcome.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
  Current Beta Squid 3.1.0.18
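
The per-user accounting step described in the p.s. above, as an added example that is not part of the original thread and is not Squid code. It assumes Squid's default native access.log layout with the authenticated user name in the eighth field; the log lines, user names and quota value are constructed.

```python
# Added example: per-user byte accounting from Squid's native access.log.
# Assumed field order (default "squid" logformat):
#   time elapsed client code/status bytes method URL user hierarchy/peer type
from collections import defaultdict

# Constructed sample lines, not taken from a real proxy.
SAMPLE_LOG = """\
1269240000.123    540 192.0.2.10 TCP_MISS/200 700000 GET http://example.com/a.flv dave DIRECT/198.51.100.5 video/x-flv
1269240001.456     12 192.0.2.11 TCP_DENIED/407 1800 GET http://example.com/ - NONE/- text/html
1269240002.789    310 192.0.2.10 TCP_MISS/200 450000 GET http://example.com/b.flv dave DIRECT/198.51.100.5 video/x-flv
1269240003.012     95 192.0.2.12 TCP_HIT/200 20000 GET http://example.com/c.png alice NONE/- image/png
this line is truncated
"""


def bytes_per_user(lines):
    """Sum the bytes field per authenticated user, skipping malformed lines."""
    totals = defaultdict(int)
    for line in lines:
        fields = line.split()
        if len(fields) < 10:
            continue  # truncated or foreign line
        size, user = fields[4], fields[7]
        if user == "-" or not size.isdigit():
            continue  # no authenticated user (e.g. the 407 challenge) or bad size
        totals[user] += int(size)
    return dict(totals)


def over_quota(totals, quota_bytes):
    """Return the sorted user names whose total exceeds the quota."""
    return sorted(u for u, n in totals.items() if n > quota_bytes)


if __name__ == "__main__":
    totals = bytes_per_user(SAMPLE_LOG.splitlines())
    for user in over_quota(totals, quota_bytes=1_000_000):
        print(user, totals[user])
```

The 407 challenge line carries no user name, so it is not charged to anyone; only requests logged with credentials count toward a quota.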