Re: Rate limiting inbound requests in squid conf


On 24/11/2012 2:18 a.m., Sekar Duraisamy wrote:
Hi Amos,

Could you help me on this?

Just to point you at the same things Eliezer already pointed out.

Why are you asking this question? Rate limiting on a proxy goes against the very principles of what proxies are created to do. Which is to serve as much traffic as fast as possible and reduce the load on upstream servers at the same time.

So, what problem exactly are you trying to cope with?


Hi Eliezer,

Ok. I can try with external_acl ... I need to configure the domain
based dropping / min /sec..

Could you please give me an example?

Examples on how to configure Squid with helpers are common. If you test every request using an external_acl_type helper, all you need to do to add rate-limiting on your clients' response rate is to write one which rate-limits the responses it sends back to Squid. E.g. Squid cannot service the client request until after that ACL has responded. It can either respond slowly, or respond with a reject for over-limit requests. As Eliezer already mentioned, this is a pretty terrible way to do it though. Squid can be configured to respond with "deny_info TCP_RESET yourACL", or a regular Access Denied page (the default). But both of those ways screw up the client connection rather than just limiting speed.

We cannot just give you an example of a helper because your needs will not be the same as anyone else's. Even if lots of people want "rate limiting", the details of what your network is doing, what clients to limit, when and how much are different everywhere. I can write one just for you, but since it would not be of use to anyone else I do not do that for free. (I charge $70 per hour for coding work. Contact me offline if you want to pay.)

Probably easier to do it yourself though. You can make a script to do the work in any scripting language you are familiar with.
http://www.squid-cache.org/Doc/config/external_acl_type/
http://wiki.squid-cache.org/Features/AddonHelpers#Access_Control_.28ACL.29

It is *definitely* better to do rate limiting at the packet level.

Amos


It would be very great help.

Thanks,
Sekar

On Fri, Nov 23, 2012 at 5:52 PM, Eliezer Croitoru <eliezer@xxxxxxxxxxxx> wrote:
Hey Sekar,

Basic IPTABLES setup should be able to do that for you.
It's better to do it in IPTABLES level than doing it in the upper level of
the application such as squid.
It will allow the request to be rejected\close properly in the network level
while what squid will prefer or will send error page instead of the content
which I don't really like.

If you are willing to sacrifice some performance you can use external_acl to
count the requests per sec per ip and to allow or deny by that the request
and present to the client a deny_info.

Regards,
Eliezer


On 11/23/2012 1:55 PM, Sekar Duraisamy wrote:
Hi Team,

Can we limit the inbound request rate in Squid configuration like 30
request/min, 10 request/sec like this regardless of the size?

Thanks,
Sekar

--
Eliezer Croitoru
https://www1.ngtech.co.il
sip:ngtech@xxxxxxxxxxxx
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
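
An added example, not part of the thread and not written by any of its participants: a small external_acl_type helper of the kind Amos describes, answering OK or ERR for each request and enforcing the 10 requests/sec and 30 requests/min figures from the original question per client IP and destination host. The ACL name, helper path and squid.conf lines in the comments are assumptions.

```python
#!/usr/bin/env python3
# Constructed example of a Squid external_acl_type helper; not from the thread.
# Assumed squid.conf wiring (ACL name and helper path are hypothetical):
#   external_acl_type ratelimit ttl=0 negative_ttl=0 children-max=1 %SRC %DST /usr/local/bin/ratelimit.py
#   acl within_rate external ratelimit
#   http_access deny !within_rate
# ttl=0/negative_ttl=0 stop Squid caching verdicts; children-max=1 keeps one set of counters.
import sys
import time
from collections import defaultdict, deque

LIMITS = ((10, 1.0), (30, 60.0))  # (max requests, window in seconds)


class RateLimiter:
    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.horizon = max(window for _, window in limits)
        self.hits = defaultdict(deque)  # key -> timestamps of allowed requests

    def allow(self, key, now):
        q = self.hits[key]
        # Forget timestamps older than the longest window.
        while q and now - q[0] >= self.horizon:
            q.popleft()
        for max_req, window in self.limits:
            if sum(1 for t in q if now - t < window) >= max_req:
                return False  # over limit; denied requests are not counted
        q.append(now)
        return True


def answer(limiter, line, now):
    """Map one line from Squid ("<client-ip> <dst-host>") to OK or ERR."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"  # malformed input fails closed
    src, dst = fields
    return "OK" if limiter.allow((src, dst.lower()), now) else "ERR"


def main():
    limiter = RateLimiter()
    for line in sys.stdin:
        sys.stdout.write(answer(limiter, line, time.monotonic()) + "\n")
        sys.stdout.flush()  # Squid waits on every reply, so never buffer


if __name__ == "__main__":
    main()
```

Counters are held in memory per (client, host) pair and idle keys are never evicted, so a long-running deployment would need a periodic sweep.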


