Re: about delay_pools

On 09/07/11 01:40, Carlos Manuel Trepeu Pupo wrote:
> 2011/7/8 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>> On 08/07/11 02:36, Carlos Manuel Trepeu Pupo wrote:
>>>
>>> Hi! I'm using squid 3.0 STABLE1. Here are my delay_pools in the squid.conf
>>>
>>> acl enterprise src 10.10.10.2/32
>>> acl bad_guys src 10.10.10.52/32
>>> acl dsl_bandwidth src 10.10.48.48/32
>>>
>>> delay_pools 3
>>>
>>> delay_class 1 1
>>> delay_parameters 1 25600/25600
>>> delay_access 1 allow bad_guys
>>> delay_access 1 deny all
>>>
>>> delay_class 2 1
>>> delay_parameters 2 65536/65536
>>> delay_access 2 allow enterprise
>>> delay_access 2 deny all
>>>
>>> delay_class 3 1
>>> delay_parameters 3 10240/10240
>>> delay_access 3 allow dsl_bandwidth
>>> delay_access 3 deny all
>>>
>>>
>>> I think everything was right, but since yesterday I see "bad_guys"
>>> downloading from youtube using all my bandwidth !! I have a 128 Kb
>>> channel over ATM technology. So I hope you can help me !!!!!!!
>>
>> step 1) please verify that a recent release still has this problem.
>> 3.0.STABLE1 was obsoleted years ago.
>>
>> step 2) check for things like follow_x_forwarded_for allowing them to fake
>> their source address. The 3.0 series did not check this properly and allowed
>> people to trivially bypass any IP-based security if you trust that header.
>>
>> Amos
>
> I
>
> If I deny "bad_guys" they can't surf. The user is a client who has
> a Kerio Firewall-Proxy with 10 users. As a test I visited them
> and stopped their service; the bandwidth then went down, so I confirmed they are
> the ones violating the delay_pool. Now, the question is why this happens?

I just gave you several possible answers to that.

Considering that you only listed 10.10.10.52 and Kerio passes on X-Forwarded-For headers, the comment I made about follow_x_forwarded_for becomes a very important thing to know. Trusting XFF from their Kerio means firstly that "src 10.10.10.52" does not match and secondly that your delay pools, if it did match, give each of their 10 internal machines a different pool.

> (Every time this happens I check the destination domain: it's youtube
> and they are downloading from there.)

Another possibility is that it is in fact an "upload" that you can see. delay_pools in 3.0 only work on bytes fetched _from_ the server. Outgoing bytes are not limited.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.9
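To make the X-Forwarded-For point concrete, the following is an added example written for this thread; it is not Squid source code and not something either poster supplied. It models, in simplified form, which address a `src` ACL is evaluated against depending on whether the TCP peer is trusted by `follow_x_forwarded_for`, and then applies the thread's own `delay_access` rules in pool order. The internal LAN address `192.168.1.7` is a constructed sample, and the chain-walking logic is an assumption that approximates Squid's indirect-client handling rather than reproducing it exactly.

```python
"""Toy model of src-ACL evaluation with and without trusting X-Forwarded-For.

Added example for the squid-users thread above; not Squid's own code.
"""
import ipaddress

# ACLs copied from the squid.conf posted in the thread.
ACLS = {
    "enterprise": ipaddress.ip_network("10.10.10.2/32"),
    "bad_guys": ipaddress.ip_network("10.10.10.52/32"),
    "dsl_bandwidth": ipaddress.ip_network("10.10.48.48/32"),
}

# delay_access rules per pool, in the order written in squid.conf: (action, acl).
DELAY_ACCESS = {
    1: [("allow", "bad_guys"), ("deny", "all")],
    2: [("allow", "enterprise"), ("deny", "all")],
    3: [("allow", "dsl_bandwidth"), ("deny", "all")],
}


def matches(acl, ip):
    """True if the address matches the named src ACL ('all' matches anything)."""
    if acl == "all":
        return True
    return ipaddress.ip_address(ip) in ACLS[acl]


def effective_client(peer_ip, xff_header, trusted_proxies):
    """Return the address that src ACLs are evaluated against.

    trusted_proxies is a list of CIDR strings that stand in for the ACLs
    allowed by follow_x_forwarded_for. With an empty list (deny all) the
    TCP peer address is used unchanged. Otherwise the X-Forwarded-For chain
    is walked from the right-most hop inward, replacing the client address
    while the current address is a trusted proxy (simplified assumption).
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    client = ipaddress.ip_address(peer_ip)
    if not xff_header:
        return str(client)
    hops = [h.strip() for h in xff_header.split(",")]
    while hops and any(client in net for net in trusted):
        client = ipaddress.ip_address(hops.pop())
    return str(client)


def delay_pool_for(ip):
    """First pool whose delay_access allows ip (pools checked in order), or None."""
    for pool, rules in sorted(DELAY_ACCESS.items()):
        for action, acl in rules:
            if matches(acl, ip):
                if action == "allow":
                    return pool
                break  # explicit deny: this pool does not apply, try the next
    return None


def classify(peer_ip, xff_header, trust_xff_from):
    """Return (address the ACLs saw, delay pool applied or None)."""
    ip = effective_client(peer_ip, xff_header, trust_xff_from)
    return ip, delay_pool_for(ip)


if __name__ == "__main__":
    # Constructed sample: a user behind the Kerio proxy at 10.10.10.52.
    xff = "192.168.1.7"
    # follow_x_forwarded_for deny all: the Kerio box itself is the src, pool 1 applies.
    print(classify("10.10.10.52", xff, []))
    # Kerio trusted for XFF: the src becomes 192.168.1.7, which matches no pool.
    print(classify("10.10.10.52", xff, ["10.10.10.52/32"]))
```

Run as written, the first line shows the Kerio address landing in pool 1 as intended; the second shows that once its X-Forwarded-For is trusted, the `src 10.10.10.52` ACL no longer matches and the request falls outside every pool, which is the failure mode described in the reply. Checking the `follow_x_forwarded_for` lines in squid.conf, or confirming the client address recorded in access.log for these requests, is the quickest way to tell which case applies.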

