On 19.06.2012 23:57, Anonymous wrote:
Hello Respected All,
I want to setup Time based Video Streaming Access for different IPs
(same subnet), few IPs are allowed every time video/you tube
streaming
access, while other IPs (IPs list in file as SRC) are only allowed in
set time duration any other IPs are not allowed to access Video/You
tube access. Here's setup:
-------------------
Ubuntu 12.04
Squid 3.1.x
Two Groups of IPs
G-1 = Allowd Everytime
G-2 = Time Restriction (09:00-14:59)
G-3 = Everybody, Deny Access to Video/You tube streaming every time.
------------------------------
acl OpenIPs src "/etc/squid3/AlwaysOpenIPs. txt" # G-1= List of IPs
allowed for Video Streaming Everytime.
acl TimedTubed src "/etc/squid3/TimeBasedIPs.txt" # G-2 = List of IPs
allowed for set time duration.
acl NoTubeTime time SMTWHFA 08:30-14:59 # Time duration when you
access to Time based IPs.
acl deny_rep_mime_flashvideo rep_mime_type video/x-flv # ACL to Deny
Video Straming for everyone else.
http_reply_access allow OpenIPs TimedTubed NoTubeTime
This above line can only allow the IPs which are listed in *both*
OpenIPs and TimedTubed.
It will allow them only during NoTubeTime.
If I'm reading your policy description above correctly you actually
want:
# G-1 policy = Allowed Everytime
http_reply_access allow OpenIPs
# G-2 policy = Time Restriction (09:00-14:59)
http_reply_access allow TimedTubed NoTubeTime
http_reply_access deny TimedTubed
That above line seems wrong according to your stated policies. It will
block TimedTubed IPs from going to non-YouTube content.
# G-3 policy = Deny Access to Video/You tube streaming every time.
http_reply_access deny deny_rep_mime_flashvideo
http_reply_access allow all
------------------------------ -----------------------
Above mentioned ACLs are not working properly, General Internet
Access (http_access) is also denied when used with "http_reply_access
deny" I want to only deny video streaming/you tube in set time
duration and allow internet access.
Thank you in advance.
One thing to note here. Blocking in http_reply_access means the video
is already arriving when you decide not to deliver it. squid id forced
to do one of two things:
a) close the server connection and wait out the TCP reset timouts (15
minutes) before re-using the socket. Not a major issue on networks with
low web traffic, but can be a major problem if you are needing to use
those sockets again fast.
b) read in the entire video from the server and discard it before
re-using the socket. Avoids TCP timeouts, but provides wastes bandwidth
and may on some videos take longer than a 15-min TCP reset would have.
NOTE: You also need to consider an http_access or miss_access ACL block
to prevent people not allowed to view videos from even making a request
to the video site in the first place. This front-line block is where the
bandwidth and speed savings will come from. The http_reply_access can be
used as an inefficient but more accurate block only for those requests
which get past your front-line blocking.
Amos
