[squid-users] External acl on delay_access directive

Luca Savarino lsavarino at olfeo.com
Thu Jan 17 16:13:55 UTC 2019


Hello,


     Having recently upgraded from squid 3.4.8 to squid 4.4, I stumbled 
into an issue that I tried to simplify as much as I could through the 
attached configuration files and the explanation below.

     I would like to use an external acl to set bandwidth limitations 
for my different users. So in squid 3.4.8, I would do something like 
this (just a very simple example):


             delay_pools 1
             delay_class 1 3

             external_acl_type ip_user_helper %SRC /usr/lib/squid3/ext_file_userip_acl -f /etc/squid/ips.conf
             acl ip_list external ip_user_helper test

             delay_access 1 allow ip_list
             delay_access 1 deny all

             delay_parameters 1 80000/80000 80000/80000 80000/80000


     with /tmp/ips.conf containing something like:


             10.1.0.55 ALL


     if the IP I want to limit the bandwidth of is 10.1.0.55. In squid 
4.4, however, I can't get it to work properly: the user can access her 
page, but she is not limited as expected, and I get the following message 
multiple times in my cache.log file:


             WARNING: ip_list ACL is used in context without an ALE state. Assuming mismatch.


     I believe it is related, but I am not sure (or maybe I just did 
something wrong). You can find a minimal configuration file attached to 
reproduce.


     Thanks in advance for your help,


Regards,


Luca

-------------- next part --------------
# Minimal squid.conf attached to the post (Squid 4.4); comments added for readability.
acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
acl localnet src fc00::/7       	# RFC 4193 local private network range
acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

# Standard port/method hygiene and cache manager access (localhost and manager are built-in acls).
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost

http_port 3128

refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

# One delay pool of class 3 (aggregate, per-network and per-host buckets).
delay_pools 1
delay_class 1 3

# The helper receives the %SRC token followed by the acl-line argument ("test"),
# e.g. "10.1.0.55 test", and answers OK when /etc/squid/ips.conf lists that
# address (ALL in the file matches any user).
external_acl_type ip_user_helper %SRC /usr/lib/squid3/ext_file_userip_acl -f /etc/squid/ips.conf

acl ip_list external ip_user_helper test

# The same external acl is consulted from http_access and from delay_access;
# the latter is the context in which cache.log reports the ALE warning.
http_access allow ip_list
http_access deny all

delay_access 1 allow ip_list
delay_access 1 deny all

# class 3 order: aggregate, per-network, per-host (restore/max bytes).
delay_parameters 1 80000/80000 80000/80000 80000/80000
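A useful first check when an external acl seems ignored is to separate "the helper would not match" from "Squid did not consult the helper in that context" (which is what the warning's "Assuming mismatch" describes). The script below is an added example, not part of the post and not Squid's own helper code: it re-implements the documented "ip[/prefix] user" file format of ext_file_userip_acl (ALL matching any user) so the verdict the helper should give for a "%SRC user" query line can be computed offline. The sample ips.conf content and the query lines are constructed; the real helper may accept syntax not modelled here.

```python
"""Offline model of the ext_file_userip_acl lookup used in the posted config.

Added example (not Squid's code): models the "ip[/prefix] user" file format,
where ALL matches any user, and answers one helper input line with OK or ERR.
"""
import ipaddress

# Constructed sample of /etc/squid/ips.conf (the path used in the post).
SAMPLE_IPS_CONF = """\
# ip_or_network   user   (ALL matches any user)
10.1.0.55        ALL
10.2.0.0/16      alice
192.168.1.0/24   ALL
"""


def parse_ips_conf(text):
    """Return a list of (network, user) rules; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'ip[/prefix] user', got {raw!r}")
        # strict=False lets a bare host address parse as a /32 (or /128) network.
        net = ipaddress.ip_network(parts[0], strict=False)
        rules.append((net, parts[1]))
    return rules


def lookup(rules, query_line):
    """Answer one helper input line ("<src-ip> <user>") with "OK" or "ERR".

    Squid sends the external_acl_type format tokens (%SRC in the post) followed
    by the acl-line arguments ("test"), so the helper sees "10.1.0.55 test".
    Anything that does not parse is ERR: a helper must never answer OK for
    input it could not understand.
    """
    parts = query_line.split()
    if len(parts) < 2:
        return "ERR"
    try:
        src = ipaddress.ip_address(parts[0])
    except ValueError:
        return "ERR"
    user = parts[1]
    for net, rule_user in rules:
        if src.version == net.version and src in net and rule_user in ("ALL", user):
            return "OK"
    return "ERR"


def run_queries(conf_text, query_lines):
    """Parse the file once and answer a batch of query lines in order."""
    rules = parse_ips_conf(conf_text)
    return [lookup(rules, q) for q in query_lines]


if __name__ == "__main__":
    queries = [
        "10.1.0.55 test",      # the address from the post, any user -> OK
        "10.1.0.56 test",      # neighbouring host, not listed        -> ERR
        "10.2.3.4 alice",      # user-specific network rule           -> OK
        "10.2.3.4 bob",        # same network, wrong user             -> ERR
        "192.168.1.9 anyone",  # /24 with ALL                         -> OK
        "not-an-ip test",      # malformed input                      -> ERR
    ]
    for q, verdict in zip(queries, run_queries(SAMPLE_IPS_CONF, queries)):
        print(f"{q:24s} -> {verdict}")
```

Against the real helper the equivalent check is to feed it the same line on stdin, e.g. `echo "10.1.0.55 test" | /usr/lib/squid3/ext_file_userip_acl -f /etc/squid/ips.conf`, which should print OK for the file in the post. If it does, the helper and its file are fine, and the unlimited download together with the "without an ALE state" warning point at the delay_access evaluation context rather than at the lookup itself.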

