[squid-users] acl maxconn and max_user_ip config help please

Amos Jeffries squid3 at treenet.co.nz
Mon Jul 18 07:15:48 UTC 2016


On 18/07/2016 6:23 p.m., B. Henry wrote:
> First, thanks for answering.
> Second, I have read the entire default conf file, yes, once made the mistake of reading one for a different squid version than mine, but then got a fresh 
> copy of the one for my exact version.
> I've also read the FAQ, and most all the configuration guide, but if I had not I certainly would be grateful for the links.
> My misunderstanding then is now in how to apply a rule that will only affect group foo without reusing the name.
> Would I first name the group as I have and then make a maxconn line, e.g.
> acl foo_MC maxconn 15
> and then
>  http_access allow foo
>  http_access foo_MC
> 
> and if this is correct, 

It is not correct as-is. The allow/deny action is missing on the foo_MC
line. (Plus the logic mistake explained below.)

> is it just the ordering there that means that this maxconn will only apply to group foo?

No. The above config means the opposite of that.

Top-to-bottom, left-to-right boolean conditions.

 # if foo, then Allow
 http_access allow foo

 # else if foo_MC, then ???
 http_access ??? foo_MC

 # else if true, then deny
 http_access deny all

foo_MC test will never be reached (and so not applied) for anything
which is already Allow'ed by the "foo" ACL test.

So logically, the foo_MC rule is applied (only) to non-"foo" traffic.


> If not, how do I make the rule only apply to group foo?


One would usually construct the access lists to enforce a logically
arranged policy something like this:

 # 0) default security rules preventing various attacks
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports

 # 1) prevent foo from using more than 15 TCP connections to the proxy
 http_access deny foo foo_MC

 # 2) allow foo (with 15 or less connections) to use the proxy
 http_access allow foo

 # 3) allow LAN clients (not in group foo) to use the proxy
 http_access allow locanet

 # 4) deny other (external / non-LAN) traffic
 http_access deny all


Any http_access line which contains 'foo' ACL can only match when that
test of foo is a match, so that action on it by definition applies only
to the set of transactions where foo is matched/true.

Any http_access line which matches completely will halt http_access
processing. So a line which contains only "foo" ACL and the action, will
prevent any following lines being used for that group.

The above two points/details are why the "deny foo foo_MC" line is
ordered above the "allow foo" line in the above example config.
 --> If they were the other way around the "allow foo" would end the
processing for "foo" group with an allow action. Then any line containing
"foo" after that would never be a match for anything that could reach it.



PS. there is a gotcha with the maxconn ACL in HTTP/1.1 traffic that you
need to be aware of. Particularly when using the -s flag.

 If a client opens more than the maxconn limit number of TCP connections,
then *any* HTTP request received from that client on *any* of those
connections will see a true/match for the maxconn test, and so will be
denied until one of the connections is closed.

 maxconn was designed for use in HTTP/1.0 traffic where each TCP
connection carried only one HTTP request, then gets closed. So the deny
action would directly result in -1 TCP connections and other requests
possibly being allowed.

 HTTP/1.1 connections (eg Squid-3.1 and later) are by default
persistent, so can carry multiple requests. The denial response does not
trigger a -1 TCP connection like HTTP/1.0 did. So HTTP/1.1 connections
can stay open and triggering denial for a long while after the client
hits the limit. Traffic where maxconn works well is becoming rare.

Amos
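The first-match, left-to-right evaluation Amos describes, as an added example that is not part of the post or of Squid itself: a small Python model of http_access processing, run over both rule orderings. The group membership, client addresses and connection counts are constructed for the illustration; `foo`, `foo_MC` and `localnet` stand in for the ACLs of the thread.

```python
# Model of Squid http_access evaluation: lines are tried top to bottom,
# a line matches only if every ACL on it matches (a "!" prefix negates),
# and the first fully matching line decides. Constructed data, not Squid code.

def build_acls(max_conn=15):
    """Map ACL names to predicates over a request dict (constructed values)."""
    return {
        "foo": lambda r: r["user"] in {"alice", "bob"},      # constructed group
        "foo_MC": lambda r: r["client_conns"] > max_conn,   # acl foo_MC maxconn 15
        "localnet": lambda r: r["src"].startswith("10."),   # stands in for the LAN ACL
        "all": lambda r: True,
    }

def http_access(rules, acls, req):
    """rules: list of (action, [acl tokens]). Returns the deciding action."""
    for action, tokens in rules:
        matched = True
        for tok in tokens:
            negate = tok.startswith("!")
            result = acls[tok.lstrip("!")](req)
            if result == negate:          # predicate did not give the wanted value
                matched = False
                break                     # stop testing this line, try the next
        if matched:
            return action                 # first complete match halts processing
    # Nothing matched: Squid uses the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

# Ordering from the question: "allow foo" first, so the limit is never reached.
WRONG_ORDER = [("allow", ["foo"]), ("deny", ["foo", "foo_MC"]),
               ("allow", ["localnet"]), ("deny", ["all"])]

# Ordering from the reply: the limit line sits above the group allow.
RIGHT_ORDER = [("deny", ["foo", "foo_MC"]), ("allow", ["foo"]),
               ("allow", ["localnet"]), ("deny", ["all"])]

def decide(rules, user, src, client_conns):
    """Evaluate one request described by constructed attributes."""
    req = {"user": user, "src": src, "client_conns": client_conns}
    return http_access(rules, build_acls(), req)

if __name__ == "__main__":
    for label, rules in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(label, "alice with 40 conns ->", decide(rules, "alice", "10.0.0.5", 40))
```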


