On 2024-03-04 06:31, Szilárd Horváth wrote:
Thank you so much your answer but this solution isn't work.
Please note that I did not (try to) offer a solution. I only tried to
correct a specific problem in a specific configuration statement.
I hope that Francesco will continue to guide you towards the solution
that works in your environment. It may be useful to know what exactly
does not work at this point (e.g., the transaction never gets a
limited=yes annotation, which you can check by logging %note to
access.log, OR the transaction is annotated as expected but is not
delayed as expected).
Good luck,
Alex.
Please check
my config maybe i made a mistake. Or maybe have you any other solution?
I can use proxy users from QUOTA_EXCEEDED_USERS.acl which contain e-mail
address or get from ldap with external_acl_type overkvota
children-max=10 children-startup=10 ttl=600 negative_ttl=600 %LOGIN
/usr/lib/squid/ext_ldap_group_acl -Z -v 3 -P -p 389 -h ldapm1.xxxxx.hu
-s sub -D cn=squid_proxy,o=services -W /etc/squid/secret -b o=xxxx -f
"(&(mail=%u)(objectclass=InetorgPerson)(InternetUser=true)(QuotaExceeded=true))"
*acl QUOTA_EXCEEDED_USERS ext_user "/etc/squid/QUOTA_EXCEEDED_USERS.acl"*
*acl markAsLimited annotate_transaction limited=yes*
*acl markedAsLimited note limited yes*
*http_access allow QUOTA_EXCEEDED_USERS markAsLimited !all
*
*delay_pools 1
delay_class 1 1
delay_parameters 1 32000/32000
delay_access 1 allow markedAsLimited
delay_access 1 deny all*
br,
Szilard
Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> 02/20/2024, 04:52 PM >>>
On 2024-02-20 03:14, Francesco Chemolli wrote:
> acl users ext_user foo bar gazonk
> http_access allow users all # always allow
The above does not always allow. What you meant it probably this:
# This rule never matches. It is used for its side effect:
# The rule evaluates users ACL, caching evaluation result.
http_access allow users !all
> delay_access 3 allow users
>
> should do the trick
... but sometimes will not. Wiki recommendation to "exploit caching" is
an ugly outdated hack that should be avoided. The correct solution these
days is to use annotate_transaction ACL to mark the transaction
accordingly. Here is an untested sketch:
acl fromUserThatShouldBeLimited ext_user ...
acl markAsLimited annotate_transaction limited=yes
acl markedAsLimited note limited yes
# This rule never matches; used for its annotation side effect.
http_access allow fromUserThatShouldBeLimited markAsLimited !all
delay_access 3 allow markedAsLimited
HTH,
Alex.
> On Tue, Feb 20, 2024 at 2:15 PM Szilárd Horváth wrote:
>
> Good Day!
>
> I try to make limitation bandwidth for some user group. I have an
> external acl which get the users from ldap database server. In the
> old version of config we blocked the internet with http_access deny
> GROUP, but now i try to allow the internet which has limited
> bandwidth. I know that the delay_access work with only fast ACL and
> external acl or proxy_auth acl are slow. I already tried some
> opportunity but i couldn't solve.
>
> Maybe have you any solution for this? Or any idea how can limitation
> the bandwidth for some user? I need use the username (e-mail address
> format) because that use to login to the proxy.
>
> Version: Squid Cache: Version 5.6
>
> Thank you so much and i am waiting for your answer!
>
> Have a good day!
>
> Br,
> Szilard Horvath
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>
> https://lists.squid-cache.org/listinfo/squid-users
> <https://lists.squid-cache.org/listinfo/squid-users>
>
>
>
> --
> Francesco
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
