[squid-users] limit number of simultaneous connections to a site

Amos Jeffries squid3 at treenet.co.nz
Sun Nov 18 05:24:36 UTC 2018


On 18/11/18 12:58 AM, mzgmedia wrote:
> Hello
> 
> we want to restrict the access to a site to a certain number of simultaneous
> connections
> 
> we have this config
> 
> acl badSite dstdom_regex ^(www\.)?SITE\.[\.a-z]{2,5}
> acl badSiteCon maxconn 33
> http_access deny badSite badSiteCon 
> 
> 
> but I don't know if this works 
> or 
> it will restrict anybody which has at least 33 connections in total to
> different sites and now tries to access the bad site
> 

The latter. The problem with what you are asking for is that HTTP is a
multiplexed and stateless protocol. Your restriction requires a
statefulness which does not exist.

* Request messages from a client on their connection(s) to Squid may be
for any domain.

 Squid cannot determine what connections will be used for in future.
Only what the current request message is doing, and things like this
client already having N connections total.


* Connections from Squid to a server can (and do) multiplex many
requests from multiple clients for the same domain.

 Use cache_peer to tell Squid that it needs to have certain behaviour on
connections to a particular server. The max-conn=N option of cache_peer
prevents Squid opening more than N connections to that peer. Those N
connections are still shared by all clients requesting from the
domain(s) served by that peer.


Amos
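
The cache_peer approach described in the reply above, written out as a squid.conf fragment. This is an added example, not configuration from the original post or from the Squid project. It assumes the site is reached over plain HTTP on port 80; `www.example.com` and `.example.com` stand in for the poster's SITE, and the peer name `limitedSite` is an arbitrary label.

```conf
# Added example. Hostnames are placeholders and "limitedSite" is an arbitrary label.

# The maxconn ACL from the question counts TCP connections per client IP to
# Squid, whatever domains they carry, so it cannot express a per-site limit:
#   acl badSiteCon maxconn 33
#   http_access deny badSite badSiteCon

# Domains that must share the limited pool of server connections.
acl limitedDom dstdomain .example.com

# Treat the site as an origin-server peer and cap Squid's connections to it.
# These 33 connections are shared by all clients requesting limitedDom.
cache_peer www.example.com parent 80 0 no-query originserver max-conn=33 name=limitedSite

# Only requests for the limited domains may use this peer.
cache_peer_access limitedSite allow limitedDom
cache_peer_access limitedSite deny all

# Forbid direct connections for these domains, so traffic cannot bypass
# the peer and its max-conn cap.
never_direct allow limitedDom
```

The limit applies to Squid's server-side connections, not to the number of clients: many client requests can still be multiplexed over those 33 connections.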

