[squid-users] delay-pool based on authentication

Amos Jeffries squid3 at treenet.co.nz
Tue Mar 27 03:18:02 UTC 2018


On 27/03/18 02:46, vvv25 at gmx.net wrote:
> Dear Yuri,
> 
> thank you for your quick reply.
> I spent the weekend trying and testing some options.
> 
> My problem is that I cannot separate authenticated users from
> unauthenticated ones.
> 

This is because
 a) nobody is allowed to even use the proxy unless they are
authenticated, and
 b) pool #2 affects all clients.


> Here in detail:
> if I try to do something like this
> ---- cut ----
> acl users proxy_auth "/etc/squid/users"
> http_access allow users
> 
> delay_pools 2
> 
> delay_class 1 1
> delay_parameters 1 -1/-1 # no limit
> 

This wastes a lot of CPU time and memory. It also does not set "no
limit". It sets this pool to unlimited bytes. Other pools can and will
limit these same clients.

To actually set "no limit" remove this pool, and use deny lines to
exclude the relevant transactions from having the other pools applied.


> delay_access 1 allow users
> delay_access 1 deny all
> 
> delay_class 2 3
> delay_parameters 2 -1/-1 -1/-1 196608/786432    # no limit, no limit,
> 1.5 Mbit/s per user 6.0 Mbit/s once
> 
> delay_access 2 allow all

Use:
 delay_access 2 deny !users all


> ---- cut ----
> 
> then every user is asked for authentication. If they cancel that, they
> cannot access anything.

This behaviour is what you configured with "http_access allow users".

If that is incorrect, skip the pools for a while and get your
http_access rules working first.

> 
> if I try to start with the restricted delay pool
> ---- cut ----
> delay_pools 2
> 
> delay_class 1 1
> delay_parameters 1 -1/-1 # no limit
> 
> delay_access 1 allow users
> delay_access 1 deny all
> 
> delay_class 2 3
> delay_parameters 2 -1/-1 -1/-1 196608/786432    # no limit, no limit,
> 1.5 Mbit/s per user 6.0 Mbit/s once
> 
> delay_access 2 allow all
> 
> acl users proxy_auth "/etc/squid/users"
> http_access allow users
> ---- cut ----
> then every user is restricted and no query for authentication occurs.
> 
> How can I separate unauthenticated users from authenticated ones?
> I cannot use IPs because all IPs are in the same range.

Depends on your Squid version.

This trick works with all Squid to deny non-authenticated users, but
only when used in the "slow" type access controls:

 acl loggedIn proxy_auth REQUIRED
 http_access deny !loggedIn all


The latest Squid versions retain a username annotation that can be
tracked independent of performing authentication and works anywhere
after authentication is checked:

 acl foo note user .*
 http_access deny !foo


Amos
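A complete squid.conf fragment built from the advice in this reply, added here as an example; it is not taken from the thread or from the Squid project. It assumes an NCSA basic-auth helper at /usr/lib/squid/basic_ncsa_auth with a password file /etc/squid/passwd, clients in 192.168.1.0/24, and a Squid recent enough for the "note" ACL type and the "user" annotation Amos mentions; the helper path, file names and network are placeholders. It drops the unlimited pool 1 from the original post (an unlimited pool still costs CPU and memory, and exclusion is done with deny lines), keeps the proxy_auth ACL in http_access (a slow check, where the "!loggedIn all" idiom works) and tests the username annotation in delay_access (a fast check), so that only clients without a username are throttled.

```squid
# Added example, not from the thread or the Squid project.
# Placeholders (assumptions): helper path, password file, client network.

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
auth_param basic credentialsttl 2 hours

acl localnet src 192.168.1.0/24         # assumed client range
acl loggedIn proxy_auth REQUIRED        # slow ACL: may start an auth lookup
acl hasUser  note user .*               # fast ACL: username annotation left by an earlier check

# http_access is a slow check, so proxy_auth may be evaluated here.
http_access deny !localnet
# Clients that present valid credentials are allowed and, below, not throttled.
http_access allow loggedIn
# Clients without credentials are still allowed but will land in the pool.
# To refuse them instead, replace the next line with the idiom from the reply;
# the trailing "all" makes the denial final instead of another 407 challenge:
#   http_access deny !loggedIn all
http_access allow localnet
http_access deny all

# One pool only. "-1/-1" is not "no limit" for a client, it is an unlimited
# pool that still costs resources; clients are kept out of a pool with deny lines.
delay_pools 1
delay_class 1 3
# aggregate unlimited, per-network unlimited,
# per-client 196608 B/s (1.5 Mbit/s) refilled into a 786432 B (6 Mbit) bucket
delay_parameters 1 -1/-1 -1/-1 196608/786432

# delay_access is a fast check, so test the username annotation rather than
# proxy_auth. A request that no pool allows is not delayed at all.
delay_access 1 deny hasUser
delay_access 1 allow all
```

Amos notes that which separation technique is available depends on the Squid version, so check the result before relying on it: send one request through the proxy with curl --proxy-user and one without, confirm in access.log (the username field, %un) that the first carries a username and the second does not, and confirm that only the second is slowed. If the unauthenticated request never reaches the localnet line on your version, fall back to the proxy_auth-only layout with "http_access deny !loggedIn all".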

