
R: delay pools


 



Thank you very much Amos.
May I use a thing like this for Kerberos auth?
external_acl_type internetfullthrottle_grp children=20 ttl=3600  negative_ttl=3600 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g InternetFullThrottle -D xxx

CLASSIFICATION: PUBLIC [ ]  CONFIDENTIAL [X]  RESTRICT [ ]

Matteo De Lazzari
Information Technology

PREVINET S.p.A.
Via E. Forlanini, 24 - 31022 Preganziol (TV) - ITALY
tel +39 - 0422 1745279
matteo.delazzari@xxxxxxxxxxx

This message is intended only for the named recipient and may contain confidential, proprietary or legally privileged information. Unauthorized persons are not permitted access to this information. Any dissemination, distribution or copying of this information is strictly prohibited. If you have received this message in error, please advise the sender by reply e-mail and delete this message and any attachments.


-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Amos Jeffries
Sent: Monday, 26 October 2015 22:43
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  delay pools

On 27/10/2015 7:42 a.m., De Lazzari Matteo wrote:
> 
> Hi, is it possible to use Active directory groups in delay pools 
> configuration?

Yes. Although to do it easily will require a Squid-3.4 or later where transaction annotations are available. Also a helper that sends back the group=X to Squid about what group(s) the user is in (could be auth helper or external ACL helper).
 So far only the kerberos auth helper does that and it sends the SSID value as the group=X value for all the groups listed in the Kerberos token.

With a helper returning the group names to Squid, a "note" type ACL can be used to check the group=X annotation values in any access control rules. Including delay_access.


> And someone can tell me an example about how to use class 5 delay 
> pool?
> 

That delay pool requires that an external_acl_type helper is being used and sending some tag=X back to Squid to attach a 'tag' to each request / transaction.

That helper has to be tested on one of the *_access rules where async / slow group lookups will work. The delay_access rules will *not* work since they are a fast-group check. http_access is the usual place and the helper decides both whether to allow use of Squid and what to tag the request with.


You define the pool to be of class 5 with a Bytes/sec rate:
  delay_pools 1
  delay_class 1 5
  # restore/max form; the max bucket size is assumed equal to the rate
  delay_parameters 1 20480/20480

You define delay_access to match for the requests that are to have that pool's traffic rate limit applied:
  delay_access 1 allow localnet

Squid will automatically arrange so each unique tag=X value the helper assigns to those pooled requests will have a pool. All requests to which the helper replies 'tag=ZZ' will share one pool, but requests the helper replies with 'tag=YY' will have a different pool, etc.
 Requests not having a tag at all share one pool (I think, haven't checked that).

That is it.

The difficult bits are that only one tag= value can be assigned to a transaction, attempts to repeat or alter one assigned won't work, and that detail about the async/slow access lists being the only ones where the helper can be checked.


HTH
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
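
Added example, not part of the original thread and not Squid's own code: a minimal external ACL helper of the kind described above, which allows known users and returns exactly one tag=X per request. The user-to-group table, the priority order and the EXAMPLE.LOCAL names are constructed stand-ins for a real directory lookup; it assumes Squid passes a single URL-encoded %LOGIN field with no concurrency channel ID.

```python
#!/usr/bin/env python3
"""Example external ACL helper: allow known users and tag them by group."""
import re
import sys
from urllib.parse import unquote

# Constructed sample data standing in for an AD/LDAP group lookup (assumption).
USER_GROUPS = {
    "alice@EXAMPLE.LOCAL": ["Staff", "InternetFullThrottle"],
    "bob@EXAMPLE.LOCAL": ["Staff"],
}

# Only one tag= can be attached to a transaction, so a user in several
# groups must be reduced to a single tag. First match in this list wins.
TAG_PRIORITY = ("InternetFullThrottle", "Staff")

# Reply values are whitespace-delimited key=value pairs; refuse any group
# name that could break that framing or smuggle in a second key.
SAFE_TAG = re.compile(r"[A-Za-z0-9_.-]+")


def pick_tag(user):
    """Return the single tag for this user, or None if no group applies."""
    groups = USER_GROUPS.get(user, ())
    for group in TAG_PRIORITY:
        if group in groups and SAFE_TAG.fullmatch(group):
            return group
    return None


def reply_for(line):
    """Build the one-line helper reply for one request line from Squid."""
    fields = line.split()
    if len(fields) != 1 or fields[0] == "-":
        return "ERR"  # no authenticated user: do not match the ACL
    tag = pick_tag(unquote(fields[0]))  # assumed URL-encoded %LOGIN value
    return "OK tag=" + tag if tag else "ERR"


def main():
    # Squid keeps the helper running and expects one reply line per request.
    for line in sys.stdin:
        sys.stdout.write(reply_for(line) + "\n")
        sys.stdout.flush()  # unflushed replies would stall the request


if __name__ == "__main__":
    main()
```
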



