Search squid archive

Re: [squid][v5.6] : problem with "slow" or "fast" acl

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello Amos,

This seems to be a solved issue. With your advices, I have manage to limit all my user except those who had a login starting by cg_*.

1 - annotation of the "cg_*" 's flow :
# Comptes generiques
acl userCgPrefix proxy_auth_regex ^cg_
acl markCgGroup annotate_transaction cgUsers=true

http_access allow userCgPrefix markCgGroup !all
http_access allow my_ldap_auth !emeraude

 2 - fixed limits for all except "cg_*" users

acl cgen note cgUsers true
acl userrgt src 10.0.0.0/8
reply_body_max_size 800 MB bureau !cgen userrgt
request_body_max_size 5 MB
delay_pools 1
delay_class 1 4
delay_access 1 allow bureau !cgen !emeraude
delay_parameters 1 -1/-1 -1/-1 -1/-1 512000/512000

I will make some other tests later on with the "usual way" you also preconised :
"The usual way to do that is with the authentication systems "group" functionality and a helper to fetch that."

Thanks very much to you, David and Eliezer 

Regards,
 
Eric Perrot

Le 06/09/2022 20:46, Amos Jeffries a écrit :

On 6/09/22 00:56, PERROT Eric DNUM SDCAST BST SSAIM wrote:
Hello, We use directives "reply_body_max_size", "request_body_max_size" and "delay_access" to limit upload, download and passband in our infra.
All of which are "fast" type.
This configuration existes since a while, but we have noticed that with squid v4.16, our delay pool didn't react as we wanted anymore.
FYI, use of "slow" type ACLs in "fast" type checks is subject to what Squid happens to have in its processing state information and available in caches from previous traffic.

Even if a config like this *appears* to work, it may not be actually working for all transactions. The delicate balance may change at any time.
Can you tell me if what we want to do is still possible? Limiting upload/download/passband for all logged user except those starting by cg_*..?.
You need to:

 1) do authentication checks to http_access.



 2) make the cg_* accounts part of a "group".

 The usual way to do that is with the authentication systems "group" functionality and a helper to fetch that.

 However, in Squid-4+ you can also add a temporary "group" label as needed based on other ACL checks (eg the username regex matching) like so:

   acl userCgPrefix proxy_auth_regex ^cg_
   acl markCgGroup annotate_transaction group=cgUsers
   http_access allow userCgPrefix markCgGroup !all


3) check the 'group' annotation in fast type controls, not the username:

  acl userrgt note group cgUsers

  reply_body_max_size 800 MB userrgt
  deny_access 1 deny userrgt

FTR; the above should work on any Squid-4 or later. So you can revert to the v4 Squid install which was otherwise working for you.


HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux