[squid-users] R: delay pools

De Lazzari Matteo Matteo.DeLazzari at previnet.it
Tue Oct 27 13:47:43 UTC 2015


Or better, can something like this work?

external_acl_type internetfullthrottle_grp children=20 ttl=3600  negative_ttl=3600 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g InternetFullThrottle -D xxx
acl internetfullthrottle external internetfullthrottle_grp

delay_pools 1
delay_class 1 1
delay_parameters 1 1250000/1250000
delay_access 1 allow internetfullthrottle
delay_access 1 deny all

PS: I'm using ext_kerberos_ldap_group_acl to assign an internet "profile" to users, using groups in Active Directory.

Thanks a lot!


Matteo De Lazzari
Information Technology

PREVINET S.p.A.
Via E. Forlanini, 24 - 31022 Preganziol (TV) - ITALY
tel +39 - 0422 1745279
matteo.delazzari at previnet.it



-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Amos Jeffries
Sent: Monday, 26 October 2015 22:43
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] delay pools

On 27/10/2015 7:42 a.m., De Lazzari Matteo wrote:
> 
> Hi, is it possible to use Active directory groups in delay pools 
> configuration?

Yes. Although to do it easily will require a Squid-3.4 or later where transaction annotations are available. Also a helper that sends back the group=X to Squid about what group(s) the user is in (could be auth helper or external ACL helper).
 So far only the kerberos auth helper does that and it sends the SSID value as the group=X value for all the groups listed in the Kerberos token.

With a helper returning the group names to Squid, a "note" type ACL can be used to check the group=X annotation values in any access control rules. Including delay_access.


> And can someone give me an example of how to use a class 5 delay
> pool?
> 

That delay pool requires that an external_acl_type helper is being used and sending some tag=X back to Squid to 'tag' each request / transaction.

That helper has to be tested on one of the *_access rules where async / slow group lookups will work. The delay_access rules will *not* work since they are a fast-group check. http_access is the usual place and the helper decides both whether to allow use of Squid and what to tag the request with.


You define the pool to be of class 5 with a Bytes/sec rate:
  delay_pools 1
  delay_class 1 5
  # restore/max in bytes; max bucket size assumed equal to the rate
  delay_parameters 1 20480/20480

You define delay_access to match for the requests that are to have that pool's traffic rate limit applied:
  delay_access 1 allow localnet

Squid will automatically arrange so each unique tag=X value the helper assigns to those pooled requests will have a pool. All requests to which the helper replies 'tag=ZZ' will share one pool, but requests the helper replies with 'tag=YY' will have a different pool. etc.
 Requests not having a tag at all share one pool (I think, haven't checked that).

That is it.

The difficult bits are that only one tag= value can be assigned to a transaction, attempts to repeat or alter one assigned won't work, and that detail about the async/slow access lists being the only ones where the helper can be checked.


HTH
Amos
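
Added example (not part of the original thread, and not Squid project code): a minimal external ACL helper of the kind described above, checked from http_access and replying "OK tag=X" so that a class 5 pool can bucket requests per tag. The user-to-profile table, the ACL names and the helper path are assumptions made for illustration; unknown users get ERR so they fall through to the deny rule.

```python
#!/usr/bin/env python3
"""External ACL helper sketch: allow known users and tag them with a profile."""
import sys
from urllib.parse import unquote

# Assumed squid.conf wiring (names and path are hypothetical):
#   external_acl_type profile_tag ttl=3600 %LOGIN /usr/local/bin/profile_tag.py
#   acl has_profile external profile_tag
#   http_access allow has_profile   # slow check: the helper runs here
#   http_access deny all

# Constructed sample data; a real helper would look the user up in the directory.
PROFILES = {"alice": "fullthrottle", "bob": "standard"}


def handle_line(line, profiles=PROFILES):
    """Build the reply for one helper request: "[channel-id] login"."""
    fields = line.split()
    channel = ""
    # With concurrency enabled Squid prefixes a numeric channel ID that must be echoed.
    if len(fields) >= 2 and fields[0].isdigit():
        channel, fields = fields[0] + " ", fields[1:]
    if len(fields) != 1:
        return channel + "BH message=bad-input"  # helper error, not a verdict
    login = unquote(fields[0]).lower()  # Squid URL-encodes format values
    # Accept user@REALM and DOMAIN\user forms.
    user = login.split("@", 1)[0].split("\\")[-1]
    profile = profiles.get(user)
    if profile is None:
        return channel + "ERR"  # unknown user: no match, falls to deny all
    return f"{channel}OK tag={profile}"  # one tag per transaction


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply, so never buffer


if __name__ == "__main__":
    main()
```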
