On 20.06.2012 20:31, Anonymous wrote:
Dear Amos Jeffries and All,
Thank you very much for great help. I am trying to understand the
actual working of "http_reply_access [allow|deny]" and "http_access
[allow|deny]". Can you please tell me the format, especially the
"ORDER" of ACL Statements, as "http_reply_access [allow|deny]" and
"http_access [allow|deny]" are a bit tricky and I am confused how to set
the order of acl statements.
http_access lines are tested as soon as the HTTP request is received,
using only the TCP connection and HTTP request details (no HTTP reply
details), to decide whether Squid is going to reject the request or try
to handle it.
http_reply_access is tested as soon as the HTTP reply is received, using
TCP connection details and HTTP request and reply details, to decide
whether Squid is going to deliver the response or send an error instead.
There is no configuration-relevant ordering between http_access and
http_reply_access lines. Each one will be separated into a sequence
of its own type of line.
eg
http_access allow A
http_reply_access deny B
http_access allow C
is the same as:
http_access allow A
http_access allow C
http_reply_access deny B
"acl" directive lines are just definitions of how to run a particular
test. The only ordering they have is to be listed in the config before
they are used on any other directive lines.
Lines for each access directive type (eg, http_access) are processed
top-to-bottom; the first whole line that matches does its action. The
individual ACLs on each line are tested left-to-right, with the first
mis-matching ACL stopping that line's test.
For example:
http_access allow A B C
http_access deny D E
means:
if A *and* B *and* C tests all match, ALLOW the request
OR,
if D *and* E tests all match, DENY the request
OR
do the opposite of DENY
With some logic performance tricks like:
If B does not match, the whole first line will not match, so C will not
be tested (one less test == faster handling time).
More details can be found at
http://wiki.squid-cache.org/SquidFaq/SquidAcl
HTH
Amos
Thank you very much for your time and help.
--- On Wed, 6/20/12, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
Subject: Re: Time based Video Streaming Access
To: squid-users@xxxxxxxxxxxxxxx
Date: Wednesday, June 20, 2012, 7:23 AM
On 19.06.2012 23:57, Anonymous wrote:
> Hello Respected All,
>
> I want to setup Time based Video Streaming Access for different IPs
> (same subnet), few IPs are allowed every time video/you tube streaming
> access, while other IPs (IPs list in file as SRC) are only allowed in
> set time duration any other IPs are not allowed to access Video/You
> tube access. Here's setup:
> -------------------
> Ubuntu 12.04
> Squid 3.1.x
> Two Groups of IPs
> G-1 = Allowed Everytime
> G-2 = Time Restriction (09:00-14:59)
> G-3 = Everybody, Deny Access to Video/You tube streaming every time.
> ------------------------------
> acl OpenIPs src "/etc/squid3/AlwaysOpenIPs.txt" # G-1= List of IPs
> allowed for Video Streaming Everytime.
> acl TimedTubed src "/etc/squid3/TimeBasedIPs.txt" # G-2 = List of IPs
> allowed for set time duration.
> acl NoTubeTime time SMTWHFA 08:30-14:59 # Time duration when you
> access to Time based IPs.
> acl deny_rep_mime_flashvideo rep_mime_type video/x-flv # ACL to Deny
> Video Streaming for everyone else.
> http_reply_access allow OpenIPs TimedTubed NoTubeTime
This above line can only allow the IPs which are listed in *both*
OpenIPs and TimedTubed. It will allow them only during NoTubeTime.
If I'm reading your policy description above correctly you actually want:
# G-1 policy = Allowed Everytime
http_reply_access allow OpenIPs
# G-2 policy = Time Restriction (09:00-14:59)
http_reply_access allow TimedTubed NoTubeTime
> http_reply_access deny TimedTubed
That above line seems wrong according to your stated policies. It will
block TimedTubed IPs from going to non-YouTube content.
# G-3 policy = Deny Access to Video/You tube streaming every time.
> http_reply_access deny deny_rep_mime_flashvideo
http_reply_access allow all
> -----------------------------------------------------
> Above mentioned ACLs are not working properly, General Internet
> Access (http_access) is also denied when used with "http_reply_access
> deny" I want to only deny video streaming/you tube in set time
> duration and allow internet access.
>
> Thank you in advance.
One thing to note here. Blocking in http_reply_access means the video
is already arriving when you decide not to deliver it. Squid is forced
to do one of two things:
a) close the server connection and wait out the TCP reset timeouts
(15 minutes) before re-using the socket. Not a major issue on networks
with low web traffic, but can be a major problem if you are needing to
use those sockets again fast.
b) read in the entire video from the server and discard it before
re-using the socket. Avoids TCP timeouts, but wastes bandwidth and may
on some videos take longer than a 15-min TCP reset would have.
NOTE: You also need to consider an http_access or miss_access ACL block
to prevent people not allowed to view videos from even making a request
to the video site in the first place. This front-line block is where
the bandwidth and speed savings will come from. The http_reply_access
can be used as an inefficient but more accurate block only for those
requests which get past your front-line blocking.
Amos
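An added worked example, not part of the thread and not Squid's own code: a small Python model of the evaluation rules Amos describes (lines tested top-to-bottom, first whole line that matches wins; the ACLs on one line are ANDed left-to-right and the first non-match stops that line; if nothing matches, the result is the opposite of the last line's action), run over both the http_reply_access lines as posted in the question and the corrected ordering. The src, time and rep_mime_type ACL types are re-implemented only far enough for this: src accepts single IPs and CIDR (not Squid's address ranges), the IP list files are replaced by inline 192.0.2.0/24 addresses, and the reply timestamps are constructed. Each decision also reports how many ACL tests it took, which makes the short-circuit Amos mentions visible.

```python
"""Model of Squid access-list evaluation (http_access / http_reply_access).

Added example, not Squid code. ACL types src, time and rep_mime_type are
re-implemented just far enough to run the thread's policy offline.
"""
import ipaddress
import re
from datetime import datetime

# Squid "time" day letters: S M T W H F A = Sun Mon Tue Wed Thu Fri Sat.
# This string is indexed by datetime.weekday() (Mon=0 .. Sun=6).
DAY_LETTERS = "MTWHFAS"


def parse_conf(text):
    """Parse 'acl NAME TYPE ARGS...' and 'DIRECTIVE allow|deny ACL...' lines.
    Returns (acls, lists): name -> (type, [args]) and
    directive -> [(action, [acl names])] in file order."""
    acls, lists = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, kind, args = words[1], words[2], words[3:]
            prev = acls.get(name, (kind, []))
            acls[name] = (kind, prev[1] + args)  # repeated acl lines extend it
        else:
            lists.setdefault(words[0], []).append((words[1], words[2:]))
    return acls, lists


def acl_matches(kind, args, ctx):
    """Run one ACL test against the connection/request/reply context."""
    if kind == "src":
        if "all" in args:
            return True
        ip = ipaddress.ip_address(ctx["src"])
        # Assumption: single IPs or CIDR only (no a.b.c.d-e.f.g.h ranges).
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "time":
        days, span = args                      # e.g. SMTWHFA 08:30-14:59
        start, end = span.split("-")
        now = ctx["now"]
        minute = now.hour * 60 + now.minute
        lo = int(start[:2]) * 60 + int(start[3:5])
        hi = int(end[:2]) * 60 + int(end[3:5])
        return DAY_LETTERS[now.weekday()] in days and lo <= minute <= hi
    if kind == "rep_mime_type":
        # Needs the reply, so it can only match in http_reply_access;
        # during http_access there is no reply and it never matches.
        mime = ctx.get("reply_mime")
        return mime is not None and any(re.search(a, mime) for a in args)
    raise ValueError(f"unsupported acl type: {kind}")


def evaluate(directive, acls, lists, ctx):
    """First whole line that matches wins; ACLs on a line are ANDed
    left-to-right and the first non-match skips the rest of that line.
    No match at all -> opposite of the last line's action.
    Returns (action, number_of_acl_tests_run)."""
    rules = lists.get(directive)
    if not rules:
        raise ValueError(f"no {directive} lines configured")
    tests = 0
    for action, names in rules:
        for name in names:
            kind, args = acls[name]
            tests += 1
            if not acl_matches(kind, args, ctx):
                break          # whole line fails; later ACLs are not tested
        else:
            return action, tests  # every ACL on this line matched
    return ("deny" if rules[-1][0] == "allow" else "allow"), tests


# Constructed squid.conf fragments (assumption: inline addresses instead of
# the thread's "/etc/squid3/*.txt" list files). ORIGINAL_CONF has the
# http_reply_access lines as posted; CORRECTED_CONF has Amos's ordering.
ORIGINAL_CONF = """
acl OpenIPs src 192.0.2.10
acl TimedTubed src 192.0.2.20
acl NoTubeTime time SMTWHFA 08:30-14:59
acl deny_rep_mime_flashvideo rep_mime_type video/x-flv
http_reply_access allow OpenIPs TimedTubed NoTubeTime
http_reply_access deny TimedTubed
http_reply_access deny deny_rep_mime_flashvideo
"""
CORRECTED_CONF = """
acl OpenIPs src 192.0.2.10
acl TimedTubed src 192.0.2.20
acl NoTubeTime time SMTWHFA 08:30-14:59
acl deny_rep_mime_flashvideo rep_mime_type video/x-flv
acl all src all
http_reply_access allow OpenIPs
http_reply_access allow TimedTubed NoTubeTime
http_reply_access deny deny_rep_mime_flashvideo
http_reply_access allow all
"""


def decide(conf, src, reply_mime, when):
    """Evaluate http_reply_access for one reply; `when` is 'YYYY-MM-DD HH:MM'."""
    acls, lists = parse_conf(conf)
    ctx = {"src": src, "reply_mime": reply_mime,
           "now": datetime.strptime(when, "%Y-%m-%d %H:%M")}
    return evaluate("http_reply_access", acls, lists, ctx)


if __name__ == "__main__":
    # 2012-06-20 is a Wednesday; 10:00 is inside 08:30-14:59, 18:00 is not.
    cases = [("192.0.2.10", "video/x-flv", "2012-06-20 18:00"),  # G-1 video
             ("192.0.2.20", "video/x-flv", "2012-06-20 10:00"),  # G-2 in hours
             ("192.0.2.20", "video/x-flv", "2012-06-20 18:00"),  # G-2 evening
             ("192.0.2.20", "text/html", "2012-06-20 18:00"),    # G-2 web page
             ("192.0.2.99", "video/x-flv", "2012-06-20 10:00"),  # G-3 video
             ("192.0.2.99", "text/html", "2012-06-20 10:00")]    # G-3 web page
    for name, conf in (("original", ORIGINAL_CONF), ("corrected", CORRECTED_CONF)):
        print(f"--- {name} http_reply_access lines")
        for src, mime, when in cases:
            action, tests = decide(conf, src, mime, when)
            print(f"{src:<12} {mime:<12} {when[-5:]} -> {action:<5} ({tests} ACL tests)")
```

Running it shows the two problems Amos points out in the original lines: the always-allowed 192.0.2.10 is denied video because the first line requires it to be in *both* lists, and 192.0.2.20 is denied even a text/html page out of hours by "deny TimedTubed". With the corrected ordering, 192.0.2.10 is allowed after a single ACL test, and a G-3 client asking for video is decided after two tests because NoTubeTime is never evaluated once TimedTubed has failed.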