
Re: Time based ACLs not affecting all traffic

On 08.02.2012 05:00, Stephen McGuinness wrote:
> I am trying to force the users behind my proxy to be forced into a
> human interaction based ACL at a certain time every night. I have it working
> pretty well, but there is still traffic that is not getting filtered
> by that ACL.

> From what I can figure out so far, if connections are active before
> the time ACL kicks in,

Hold up. Idea Correction:

1) ACLs do not "kick in", they are simple trilean true/false/dunno states. Like Schroedinger's cat, they may be any one of those states at any time, but unless they are checked you can't tell. *_access is where those checks happen...

2) *_access lines do "kick in" at certain pre-defined points in the transaction *process*. Completely unrelated to timing or other dimensions.

These two properties are at the core of the time and quota "problems".

... to be continued ...

> some are forced to the ACL that requires
> human interaction, but not for all content. It seems that traffic
> making it through has a mime type of application/javascript or
> application/json, or no specified mime-type at all. It could be
> something else, but from what I can get out of the logs, that's all I
> can figure.

Time ACL only checks the Squid machine clock against the value in squid.conf. Traffic types etc are not relevant.

This sounds like you have some other ACL matching mime types, query strings, path regex, or similar and permitting them before the time is checked.
Hard to tell without seeing your full access control config.


> Sadly there is so much traffic going through the proxy, I can't turn on the debug logging to see which ACL might be letting them through, but the requests are showing in the logs, which makes me think it's going through the ACLs.

Worst case you can toggle debug on very briefly for an already running Squid (i.e. some few hundred ms) using the "squid -k debug" command twice in a row. cache.log will fill with the trace between when the on/off signals were received.


> Does anyone know how to reset all the connections without having to
> restart the service, or something else more drastic like messing with
> the system firewall via a script?

It is not supported at this time in Squid.

I have one project looking for a sponsor or developer to do it though, hint, hint.

Amos
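The ordering problem Amos describes, as an added squid.conf illustration that is not from the thread: a path-regex allow placed before the time-based rule is matched first, so the time ACL is never consulted for those requests. The network range, ACL names and time window are constructed for the example.

```conf
# --- Weak ordering (constructed example, not the poster's config) ---
# http_access is first-match: the first line whose ACLs all match decides,
# and ACLs further down are never evaluated for that request.
acl localnet   src 192.168.0.0/16            # constructed client range
acl scripts    urlpath_regex -i \.(js|json)$ # path regex, e.g. JS/JSON fetches
acl afterhours time 22:00-06:00              # compared against the Squid host clock only

http_access allow localnet scripts    # matches .js/.json first -> afterhours never checked
http_access deny  localnet afterhours # only reached for requests that did not match above
http_access allow localnet
http_access deny  all

# --- Corrected ordering ---
# Put the time-based deny ahead of every content/path allow, so it is
# evaluated for each request (persistent connections included) before any
# earlier allow can short-circuit the check.
# acl lines as above
http_access deny  localnet afterhours # checked first for every request from localnet
http_access allow localnet scripts
http_access allow localnet
http_access deny  all
```

After `squid -k reconfigure`, requests already in flight finish under the old rules, but every new request on an existing connection is evaluated against the new ordering.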

