[squid-users] max_user_ip not work

Amos Jeffries squid3 at treenet.co.nz
Sun Jun 24 05:39:40 UTC 2018


On 23/06/18 08:48, Masih Nazari wrote:
> Hello,
> Why does max_user_ip not work?
> When I change my IP for testing I am still able to access Squid.
> squid : 3.5.20
> os : centos 7  64 bit
> squid installed by yum
> I use a RADIUS server and it works fine.
> This is my config:


Could be several reasons;
 how are you sending test requests?
 are they http:// or https:// URLs?
 and what tool(s) are you using to fetch them?


> 
> 
> cache deny all
> acl LocalOpenvpnPort port 80# openvpn
> acl LocalOpenvpn dst 127.0.0.1# openvpn
> http_access allow LocalOpenvpn LocalOpenvpnPort # openvpn

You should know this, but stating it for completeness anyway:

Any traffic allowed by the above lines does not get authenticated at
all. So it cannot have this ACL applied. If your tests URLs resolve to
127.0.0.1:80 then they will always "fail" tests about user related
things due to this "allow".


> auth_param basic program /usr/lib64/squid/basic_radius_auth -f
> /etc/squid/radius_config
> auth_param basic children 5
> auth_param basic realm Web-Proxy
> auth_param basic credentialsttl 5 minute
> auth_param basic casesensitive off
> authenticate_cache_garbage_interval 5 minute
> authenticate_ttl 5 minute
> authenticate_ip_ttl 1 minute

From the documentation for this directive:
"
 Use a small value (e.g., 60 seconds)
 if your users might change addresses
 quickly, as is the case with dialup.
"

The above line configures Squid to *ignore* (and discard/replace) IP
address info about a user login if it was added more than 1 minute earlier.

If you want IP to be fixed for long periods, *definitely* set that to a
longer time. I suggest much longer than the discard timer on the
credentials themselves (currently 5min).

(I don't recall right now if it updates/restarts that TTL timer on IP
info for every request related to it. Your test result suggests that it
probably does not).



> acl radius_auth proxy_auth REQUIRED
> acl maxuser max_user_ip -s 1
> deny_info ERR_MAX_IP maxuser
> http_access deny maxuser
> http_access allow radius_auth
> http_access deny all
> http_port 7080
> debug_options "ALL,9"
> 
> 
> 
> 
> this is my squid info :
> 
> 
> Squid Cache: Version 3.5.20
> Service Name: squid
...
> '--enable-ssl-crtd' '--with-openssl'

Not related to your question, but important:

This is using OpenSSL support with an outdated Squid version (more than
1 year). The TLS environment and code in Squid is *very* volatile, and
the code in versions older than 3.5.24 has known security
vulnerabilities. Please upgrade. The current 3.5 release is 3.5.27.

(You may also want to check your OpenSSL library version is up to date
first.)

Amos
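A small model of the interaction between authenticate_ip_ttl and max_user_ip that the reply above describes, added here as an example; it is not code from this thread or from Squid itself. It assumes that an address entry expires ip_ttl seconds after the last request seen from that address (the reply leaves this open), counts distinct live addresses the way a strict `max_user_ip -s 1` would, and uses constructed request timestamps.

```python
from dataclasses import dataclass, field

CREDENTIALS_TTL = 5 * 60   # credentialsttl 5 minute, from the quoted config
MAX_IPS = 1                # acl maxuser max_user_ip -s 1, from the quoted config


@dataclass
class UserIpState:
    """Live source addresses seen for one authenticated user: ip -> expiry time."""
    expires: dict = field(default_factory=dict)


def check_max_user_ip(state, ip, now, ip_ttl, limit=MAX_IPS):
    """Return True if a request from `ip` at time `now` passes the max_user_ip check.

    Simplified model: address entries older than authenticate_ip_ttl are
    discarded before the distinct-address count is compared with the limit,
    so an address not seen for ip_ttl seconds no longer counts against the user.
    """
    for old_ip, exp in list(state.expires.items()):
        if exp <= now:                      # entry older than ip_ttl: forget it
            del state.expires[old_ip]
    state.expires[ip] = now + ip_ttl        # assumption: refreshed on every request
    return len(state.expires) <= limit


def simulate(ip_ttl, requests):
    """requests: list of (seconds, ip) for one user; returns the allow/deny flags."""
    state = UserIpState()
    return [check_max_user_ip(state, ip, t, ip_ttl) for t, ip in requests]


# Constructed scenario: the user browses from 10.0.0.5, then switches to
# 10.0.0.6 ninety seconds later, still inside the 5 minute credential lifetime.
SCENARIO = [(0, "10.0.0.5"), (30, "10.0.0.5"), (90, "10.0.0.6"), (100, "10.0.0.6")]

if __name__ == "__main__":
    # authenticate_ip_ttl 1 minute (as configured): the old address has already
    # been discarded when the new one shows up, so every request is allowed.
    print(simulate(60, SCENARIO))
    # A TTL much longer than credentialsttl (value chosen for illustration):
    # both addresses are still live, so the second address is denied.
    print(simulate(12 * CREDENTIALS_TTL, SCENARIO))
```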

