On 08.02.2012 05:00, Stephen McGuinness wrote:
I am trying to force the users behind my proxy to be forced into a
human interaction based ACL at a certain time every night. I have it
working
pretty well, but there is still traffic that is not getting filtered
by that ACL.
From what I can figure out so far, if connections are active before
the time ACL kicks in,
Hold up. Idea Correction:
1) ACL do not "kick in", they are simple trilean true/false/dunno
states. Like Schroedingers cat, they may be any one of those states at
any time, but unless they are checked you can't tell. *_access is where
those checks happen...
2) *_access lines do "kick in" at certain pre-defined points in the
transaction *process*. Completely unrelated to timing or other
dimensions.
These two properties are at the core of the time and quota "problems".
... to be continued ...
some are forced to the ACL that requires
human interaction, but not for all content. It seems that traffic
making it through has a mime type of application/javascript or
application/json, or no specified mime-type at all. It could be
something else, but from what I can get out of the logs, that's all i
can figure.
Time ACL only checks the Squid machine clock against the value in
squid.conf. Traffic types etc are not relevant.
This sounds like you have some other ACL matching mime types, query
strings, path regex, or similar and permitting them before the time is
checked.
Hard to tell without seeing your full access control config.
Sadly there so much traffic going though the proxy, I can't turn on
the debug
logging to see which ACL might be letting them through, but the
requests are
showing in the logs, which makes me think it's going through the
ACLs.
Worst case you can toggle debug on very briefly for a already running
Squid (ie some few hundred ms) using the "squid -k debug" command twice
in a row. cache.log will fill with the trace between when the on/off
signals were received.
Does anyone know how to reset all the connections without having to
restart the service, or something else more drastic like messing with
the system firewall via a script?
It is not supported at this time in Squid.
I have one project looking for a sponsor or developer to do it though,
hint, hint.
Amos
