[squid-users] How to terminate (close) the active CONNECT connection when matching ACL.
Alex Rousskov
rousskov at measurement-factory.com
Wed May 10 17:07:21 UTC 2017
On 05/10/2017 08:27 AM, yuriang wrote:
> How to terminate (close) the active CONNECT connection when matching ACL.
> I deny to prohibit the user to continue the connection after having
> consumed its quota
This is not quite what is happening. You are denying a user _request_,
not closing the user _connection_. In general, the user is free to send
more requests on the same connection (and they will be denied as well).
The difference between "request" and "connection" is usually minor in
this context, but it becomes important in case of any long-lived HTTP
transactions, including CONNECT tunnels.
The entire CONNECT tunnel is a single HTTP transaction from a
(non-bumping) Squid point of view. Your http_access rules allowed it.
> My question: Is there a way to terminate (close) the user's active
> HTTPS connection after matching the proxy_auth ACL (quota_end).
The question is somewhat wrong because Squid does not evaluate any ACLs
after it starts servicing a CONNECT tunnel. You may interpret that as a
"no" answer, but that would be somewhat misleading.
Your options include:
1. Use delay pools instead of access controls to enforce quota.
Delay pools should be consulted throughout transaction lifetime.
2. Abruptly terminate long-lived CONNECT tunnels (time quota).
This will hurt innocent users while preventing gross abuse.
3. Enforce quota outside of Squid (possibly, with Squid's help).
A Squid helper can associate connections with users so that an
external program can terminate connections as needed.
Some of the above options may require experimentation and/or Squid
enhancements.
HTH,
Alex.
P.S. Please note that copy-pasting corrupted your configuration.
> # - TO AUTHENTICATE
> Acl authentication proxy_auth REQUIRED
>
> # - (quota_end) Contains the users who consumed the assigned quota, it is used to deny the
> # - browsing these users and displaying the quota page exceeded.
> Acl quota_end proxy_auth "/ etc / squid / users / quota_end"
>
> # ---- NETWORKS
> Acl ip_ucm src "/etc/squid/redes_permitidas/ip_ucm.txt"
> Acl mac_ucm arp "/ etc / squid / allowed_networks / mac_ucm.txt"
>
> # ---- CONNECTION PORTS PERMITTED
> Acl SSL_ports port 443 # https |
> Acl SSL_ports port 563 # snews |
> Acl SSL_ports port 873 # rsync |
> Acl SSL_ports port 2187 # Iluminate |
> Acl Safe_ports port 80 # http |
> Acl Safe_ports port 21 # ftp |
> Acl Safe_ports port 443 # https |
> Acl Safe_ports port 70 # gopher |
> Acl Safe_ports port 210 # wais |
> Acl Safe_ports port 1025-65535 # unregistered ports
> Acl Safe_ports port 280 # http-mgmt |
> Acl Safe_ports port 488 # gss-http |
> Acl Safe_ports port 591 # filemaker |
> Acl Safe_ports port 777 # multilingual http
> Acl Safe_ports port 631 # cups |
> Acl Safe_ports port 873 # rsync |
> Acl Safe_ports port 901 # SWAT |
> Acl Safe_ports port 8888 # IRC |
> Acl Safe_ports port 2187 # Iluminate |
> Acl Safe_ports port 25 # smtp |
> Acl Safe_ports port 110 # pop3 |
>
> Acl CONNECT method CONNECT
>
> # Deny requests to certain unsafe ports
> Http_access deny! Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> Http_access deny CONNECT! SSL_ports
>
> # Only allow cachemgr access from localhost
> Http_access allow localhost manager
> Http_access deny manager
>
> # ----- DENY USERS EXHEDED YOUR QUOTA
> Http_access deny quota_end
>
> # - ALLOW USERS
> Http_access allow ip_ucm mac_ucm authentication! Quota_end
>
> # And finally deny all other access to this proxy
> Http_access deny all
More information about the squid-users
mailing list