[squid-users] delay pools

Amos Jeffries squid3 at treenet.co.nz
Mon Oct 26 21:43:12 UTC 2015

On 27/10/2015 7:42 a.m., De Lazzari Matteo wrote:
> Hi, is it possible to use Active directory groups in delay pools
> configuration?

Yes. Although to do it easily will require a Squid-3.4 or later where
transaction annotations are available. Also a helper that sends back the
group=X to Squid about what group(s) the user is in (could be auth
helper or external ACL helper).
 So far only the kerberos auth helper does that and it sends the SSID
value as the group=X value for all the groups listed in the Kerberos token.

With a helper returning the group names to Squid, a "note" type ACL can
be used to check the group=X annotation values in any access control
rules. Including delay_access.

> And someone can tell me an example about how to use
> class 5 delay pool?

That delay pool requires that an external_acl_type helper is being used
and sending some tag=X back to Squid to attach 'tag' each request /

That helper has to be tested on one of the *_access rules where async /
slow group lookups will work. The delay_access rules will *not* work
since they are a fast-group check. http_access is the usual place and
the helper decides both whether to allow use of Squid and what to tag the
request with.

You define the pool to be of class 5 with a Bytes/sec rate:
  delay_pools 1
  delay_class 1 5
  # restore/max in bytes; max set equal to the rate here (assumed)
  delay_parameters 1 20480/20480

You define delay_access to match for the requests that are to have that
pool's traffic rate limit applied:
  delay_access 1 allow localnet

Squid will automatically arrange so each unique tag=X value the helper
assigns to those pooled requests will have a pool. All requests to which
the helper replies 'tag=ZZ' will share one pool, but requests the
helper replies with 'tag=YY' will have a different pool. etc.
 Requests not having a tag at all share one pool (I think, haven't
checked that).

That is it.

The difficult bits are that only one tag= value can be assigned to a
transaction, attempts to repeat or alter one assigned won't work, and
that detail about the async/slow access lists being the only ones where
the helper can be checked.
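
Added example (not part of the original post and not Squid project code): a
minimal external_acl_type helper that returns one tag=X per request so a class 5
pool buckets traffic by group. The ACL names, helper path and user-to-group map
are hypothetical, and it assumes authentication is configured so %LOGIN is set.

```python
#!/usr/bin/env python3
"""Added example: external_acl_type helper tagging requests for a class 5 pool.

Assumed squid.conf wiring (tag_by_group, tagged and the path are hypothetical):
  external_acl_type tag_by_group ttl=300 %LOGIN /usr/local/bin/tag_helper.py
  acl tagged external tag_by_group
  http_access allow tagged        # slow check: the helper runs here
  delay_access 1 allow localnet   # fast check: only selects the pool
"""
import re
import sys
from urllib.parse import unquote

# Constructed sample data. A real helper would look the user up in the directory.
USER_GROUP = {
    "alice": "staff",
    "bob": "students",
    "carol": "students",
}

# A tag becomes a bucket key, so restrict it to a strict character set.
SAFE_TAG = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def reply_for(line: str) -> str:
    """Return the helper reply for one request line (the %LOGIN value)."""
    fields = line.split()
    if len(fields) != 1:
        return "ERR"                      # malformed or empty request
    user = unquote(fields[0]).lower()     # Squid URL-encodes values by default
    group = USER_GROUP.get(user)
    if group is None or not SAFE_TAG.fullmatch(group):
        return "ERR"                      # unknown user: deny, assign no tag
    return f"OK tag={group}"              # exactly one tag per transaction


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(reply_for(line) + "\n")
        sys.stdout.flush()                # Squid waits on each reply line


if __name__ == "__main__":
    main()
```

With this map, bob and carol share one bucket while alice gets her own.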

