Search squid archive

Re: delay-pool based on authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 27/03/18 02:46, vvv25@xxxxxxx wrote:
> Dear Yuri,
> 
> thank you for your quick reply.
> I spend weekend trying and testing some options.
> 
> My problem is, i cannot separate authenticated users from not
> authenticated.
> 

This is because
 a) nobody is allowed to even use the proxy unless they are
authenticated, and
 b) pool #2 affects all clients.


> Here in detail:
> if I try to do something like this
> ---- cut ----
> acl users proxy_auth "/etc/squid/users"
> http_access allow users
> 
> delay_pools 2
> 
> delay_class 1 1
> delay_parameters 1 -1/-1 # no limit
> 

This wastes a lot of CPU time and memory. It also does not set "no
limit". It sets this pool to unlimited bytes. Other pools can and will
limit these same clients.

To actually set "no limit" remove this pool, and use deny lines to
exclude the relevant transactions from having the other pools applied.


> delay_access 1 allow users
> delay_access 1 deny all
> 
> delay_class 2 3
> delay_parameters 2 -1/-1 -1/-1 196608/786432    # no limit, no limit,
> 1.5 Mbit/s per user 6.0 Mbis/s once
> 
> delay_access 2 allow all

Use:
 delay_access 2 deny !users all


> ---- cut ----
> 
> then every user is asked for authentication. If they cancel that, they
> cannot access nothing.

This behaviour is what you configured with "http_access allow users".

If that is incorrect, skip the pools for a while and get your
http_access rules working first.

> 
> if I try to start with the restricted delay pool
> ---- cut ----
> delay_pools 2
> 
> delay_class 1 1
> delay_parameters 1 -1/-1 # no limit
> 
> delay_access 1 allow users
> delay_access 1 deny all
> 
> delay_class 2 3
> delay_parameters 2 -1/-1 -1/-1 196608/786432    # no limit, no limit,
> 1.5 Mbit/s per user 6.0 Mbis/s once
> 
> delay_access 2 allow all
> 
> acl users proxy_auth "/etc/squid/users"
> http_access allow users
> ---- cut ----
> than every user is restricted and no query for authentication occurs.
> 
> How can I separate not authenticated users from authenticated?
> I cannot use IPs because all IPs are in the same range.

Depends on your Squid version.

This trick works with all Squid to deny non-authenticated users, but
only when used in the "slow" type access controls:

 acl loggedIn proxy_auth REQUIRED
 http_access deny !loggedIn all


The latest Squid versions retain a username annotation that can be
tracked independent of performing authentication and works anywhere
after authentication is checked:

 acl foo note user .*
 http_access deny !foo


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux