[squid-users] acl maxconn and max_user_ip config help please

B. Henry burt1iband at gmail.com
Mon Jul 18 06:23:46 UTC 2016


First, thanks for answering.
Second, I have read the entire default conf file; yes, I once made the mistake of reading one for a different Squid version than mine, but then got a fresh copy of the one for my exact version.
I've also read the FAQ, and most all of the configuration guide, but if I had not I certainly would be grateful for the links.
My misunderstanding then is now in how to apply a rule that will only affect group foo without reusing the name.
Would I first name the group as I have and then make a maxconn line, e.g.
acl foo_MC maxconn 15
and then
http_access allow foo
http_access foo_MC

and if this is correct, is it just the ordering there that means that this maxconn will only apply to group foo?
If not, how do I make the rule only apply to group foo?
And I read the posts that came up in the archive before asking as well.
> > line since the httpaccess line for foo is deny, or should the last
> > line always be deny all?
> 
> Best Practice is to always use "deny all" for the last http_access line,
> to make sure it is clear and obvious what will happen to any given
> request. i.e. if your custom rules above that line don't handle the request
snip
Good, that's what made sense to me, but one statement in the documentation, I don't remember exactly where, had me doubting myself.
Regards,

-- 
     B.H.
   Registered Linux User 521886


  Amos Jeffries wrote:
Mon, Jul 18, 2016 at 05:14:57PM +1200

> On 18/07/2016 11:49 a.m., B. Henry wrote:
> > I want to limit max simultaneous connections for any user in group foo, and also limit how many different IPs they can have devices logged in from at any one time.
> > 
> > I've had squid3 working well with a very simple policy for years just allowing access from two different ip ranges, but now want to make my proxy server available to others.
> > I have things working well with one group called foo listing some names, after using something very similar to the recommended minimum defaults. 
> > 
> > acl foo proxy_auth user1 dumbuser someoneelse
> > 
> > But when I add the lines below to try and set a limit for group foo I can not connect at all, I get a connection denied error.
> > acl foo maxconn 15
> > acl foo max_user_ip -s 5
> 
> The name "foo" is being assigned to two distinctly different types of ACL
> action. Squid will not start with this mis-configuration.
> 
> You should have seen Squid reporting FATAL errors about that in your logs.
> 
> Please read the FAQ entries:
> <http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes>
> 
> 
> > And these were the last http_access lines
> > http_access deny !foo
> > #http_access allow localnet
> > 
> > I am very new to anything other than some very basic configuration,
> > so may be misunderstanding almost anything, so all help will be well
> > received even if it just confirms something I thought.
> 
> If you are familiar with boolean logic it should not be hard to
> understand. The FAQ reference above goes into examples.
> 
> 
> > 
> > Also if I want to make a more restrictive policy, i.e. fewer
> > connections for folks not in group foo, am I correct in thinking it
> > would go before the foo rule? I guess I'd either make another
> > group and give them access and change foo's access to allow instead of
> > deny, or is there a better way? Sometimes I think I understand the
> > basic rules about order and such pretty well, but feel confused at
> > the moment...lol
> 
> To answer that fully you need to have an understanding of how ACLs and
> access lists building blocks work. So lets come back to these after you
> understand what's wrong with your initial 'foo' attempt.
> 
> > 
> > Actually my current working configuration has the allow localnet line
> > above the foo acl line and these as the last acl and http_access
> > lines:
> > http_access deny !foo
> > At this point should I have an allow all
> 
> No. "allow all" permits the entire Internet community through your
> proxy, to do anything they like. Which is very, very rarely a desirable
> proxy behaviour (even rare for reverse-proxy / CDN configurations).
> 
> 
> > line since the httpaccess line for foo is deny, or should the last
> > line always be deny all?
> 
> Best Practice is to always use "deny all" for the last http_access line,
> to make sure it is clear and obvious what will happen to any given
> request. i.e. if your custom rules above that line don't handle the request
> it gets denied.
> 
> Omitting the final "deny all" is possible, but only safe if you have
> advanced understanding of Squid behaviour and actually want what will happen.
> 
> 
> > 
> > Thanks in advance for any and all help. BTW, I am stuck using 3.1.19,
> > I think it is, as my server is running Ubuntu 12.04 for a bit still,
> > i.e. I know some options have changed a bit since squid3.1.
> > 
> 
> Specific options have changed, and some useful ACL types been added. But
> the logic of how to construct ACLs and access lists has not.
> 
> The default config file is included at:
>  <http://wiki.squid-cache.org/Squid-3.1>
> (you can copy-n-paste the entire thing as your squid.conf and it works
> as-is).
> 
> There is a guide to the full set of directives and how they work
> specifically in 3.1 available at:
> <http://www.squid-cache.org/Versions/v3/3.1/cfgman/>
> 
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
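As an added example (not part of the thread and not Squid's own documentation), here is a squid.conf fragment, in Squid 3.1 syntax, for the policy the thread describes: a per-group connection limit and IP-count limit for group foo, a stricter connection limit for everyone else, and "deny all" at the end. The Squid rules it rests on: each ACL name is bound to exactly one ACL type; ACLs listed on one http_access line are ANDed; lines are tested top to bottom and the first match wins. A limit therefore applies only to group foo when the limit ACL and the foo ACL sit on the same http_access line; the order of two separate lines does not scope one to the other. The ACL names foo_conn, foo_ips, others_conn and authed, the numeric limits, the LAN range and the helper path are assumptions chosen for illustration; the default Safe_ports, CONNECT and manager rules are assumed to sit above this fragment and are omitted.

```squid
# Added example, not from the thread.  Squid 3.1 syntax.
# Assumed: the default Safe_ports / CONNECT / manager rules sit above this.

# Basic auth helper.  The helper path is an assumption; use your install's.
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
auth_param basic realm Proxy

# Every ACL name is bound to exactly one ACL type (the original
# "acl foo maxconn 15" reused the name foo and made Squid refuse to start).
# Assumed LAN range.
acl localnet src 192.168.1.0/24
# Any user who authenticates successfully.
acl authed proxy_auth REQUIRED
# The group from the thread.
acl foo proxy_auth user1 dumbuser someoneelse
# Matches when the client IP has more than 15 TCP connections open.
# Note: maxconn counts per client IP, not per username.
acl foo_conn maxconn 15
# Matches when the user has been seen from more than 5 IP addresses
# within authenticate_ip_ttl; -s (strict) keeps denying until the TTL expires.
acl foo_ips max_user_ip -s 5
# Stricter connection limit for users who are not in foo.
acl others_conn maxconn 5

# How long an IP stays counted against max_user_ip after its last request.
authenticate_ip_ttl 1 hour

# Lines are tested top to bottom; ACLs on one line are ANDed; first match wins.
# LAN bypasses authentication, as in the current working config.
http_access allow localnet
# Everyone else must log in; this line issues the 407 challenge.
http_access deny !authed
# foo member AND over the connection limit.
http_access deny foo foo_conn
# foo member AND logged in from too many addresses.
http_access deny foo foo_ips
# Remaining foo members are let through.
http_access allow foo
# Only non-foo users reach this point: apply the stricter limit.
http_access deny others_conn
# Remaining authenticated users.
http_access allow authed
# Anything not handled above is refused.
http_access deny all
```

Two caveats a practitioner will want before copying this: maxconn is a per-client-IP count (it relies on Squid's client_db, which is on by default), so several users behind one NAT address share a single count, and a single browser commonly opens six connections per host, so a limit of 5 can trip one user on their own. Check the effect with `squid3 -k parse` after editing and watch access.log for TCP_DENIED entries from the users you expect to be limited.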
