On 27/03/18 02:46, vvv25@xxxxxxx wrote:
> Dear Yuri,
>
> thank you for your quick reply.
> I spent the weekend trying and testing some options.
>
> My problem is, I cannot separate authenticated users from not
> authenticated.
>

This is because a) nobody is allowed to even use the proxy unless they are authenticated, and b) pool #2 affects all clients.

> Here in detail:
> if I try to do something like this
> ---- cut ----
> acl users proxy_auth "/etc/squid/users"
> http_access allow users
>
> delay_pools 2
>
> delay_class 1 1
> delay_parameters 1 -1/-1 # no limit
>

This wastes a lot of CPU time and memory. It also does not set "no limit". It sets this pool to unlimited bytes. Other pools can and will limit these same clients.

To actually set "no limit" remove this pool, and use deny lines to exclude the relevant transactions from having the other pools applied.

> delay_access 1 allow users
> delay_access 1 deny all
>
> delay_class 2 3
> delay_parameters 2 -1/-1 -1/-1 196608/786432 # no limit, no limit, 1.5 Mbit/s per user 6.0 Mbit/s once
>
> delay_access 2 allow all

Use:
    delay_access 2 deny !users all

> ---- cut ----
>
> then every user is asked for authentication. If they cancel that, they
> cannot access anything.

This behaviour is what you configured with "http_access allow users". If that is incorrect, skip the pools for a while and get your http_access rules working first.

>
> if I try to start with the restricted delay pool
> ---- cut ----
> delay_pools 2
>
> delay_class 1 1
> delay_parameters 1 -1/-1 # no limit
>
> delay_access 1 allow users
> delay_access 1 deny all
>
> delay_class 2 3
> delay_parameters 2 -1/-1 -1/-1 196608/786432 # no limit, no limit, 1.5 Mbit/s per user 6.0 Mbit/s once
>
> delay_access 2 allow all
>
> acl users proxy_auth "/etc/squid/users"
> http_access allow users
> ---- cut ----
> then every user is restricted and no query for authentication occurs.
>
> How can I separate not authenticated users from authenticated?
> I cannot use IPs because all IPs are in the same range.

Depends on your Squid version.

This trick works with all Squid to deny non-authenticated users, but only when used in the "slow" type access controls:

    acl loggedIn proxy_auth REQUIRED
    http_access deny !loggedIn all

The latest Squid versions retain a username annotation that can be tracked independent of performing authentication and works anywhere after authentication is checked:

    acl foo note user .*
    http_access deny !foo

Amos
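
Added example, not part of the original message and not Squid tooling: a small Python check that scans squid.conf text for the two delay-pool problems pointed out in the reply above, a pool whose buckets are all -1/-1 and a limited pool whose delay_access rules reach "allow all". The function name and the sample text (constructed from the first quoted configuration) are assumptions.

```python
# Added example; audit_delay_pools and SAMPLE_CONF are illustrative names.
# SAMPLE_CONF is constructed from the first configuration quoted above.
SAMPLE_CONF = """\
acl users proxy_auth "/etc/squid/users"
http_access allow users
delay_pools 2
delay_class 1 1
delay_parameters 1 -1/-1   # no limit
delay_access 1 allow users
delay_access 1 deny all
delay_class 2 3
delay_parameters 2 -1/-1 -1/-1 196608/786432
delay_access 2 allow all
"""


def audit_delay_pools(conf_text):
    """Return (unlimited_pools, catch_all_pools) as sorted lists of pool numbers."""
    params, access = {}, {}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # strip trailing comment
        if len(tokens) < 3:
            continue
        directive, pool, rest = tokens[0], tokens[1], tokens[2:]
        if directive == "delay_parameters":
            params[int(pool)] = rest
        elif directive == "delay_access":
            access.setdefault(int(pool), []).append(rest)

    # Every bucket is -1/-1: the pool limits nothing, and it does not stop
    # other pools from limiting the same clients.
    unlimited = sorted(p for p, b in params.items() if all(x == "-1/-1" for x in b))

    # A limited pool whose rules reach "allow all" before any deny line
    # applies to every client, authenticated or not.
    catch_all = []
    for pool, rules in access.items():
        if pool in unlimited:
            continue
        for rule in rules:
            if rule[0] == "deny":
                break
            if rule == ["allow", "all"]:
                catch_all.append(pool)
                break
    return unlimited, sorted(catch_all)


if __name__ == "__main__":
    unlimited, catch_all = audit_delay_pools(SAMPLE_CONF)
    print("pools with every bucket unlimited:", unlimited)
    print("limited pools applied to all clients:", catch_all)
```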