[squid-users] Limit large downloads to authenticated users

Service MV service.mv at gmail.com
Sun Aug 23 15:51:37 UTC 2020


Thank you, Amos, for the clarification.
After making time for me to test some more with fast ACLs I noticed that
it still didn't work. So after some more research I found out that the
problem is already reported as "Bug 4913 - Delay Pools don't work for
Tunneled traffic" which is exactly the problem I was having. HTTP traffic
is correctly limited in my tests.
For the time being I will see if I can limit it in another way until I can
fix it.

Best regards
Gabriel


On Tue, Jul 28, 2020 at 10:26, Amos Jeffries (
squid3 at treenet.co.nz) wrote:

> On 28/07/20 8:41 am, Service MV wrote:
> > Hi everybody!
> > I read in the squid mailing lists that delay_pools doesn't work in v4.x,
> > but in the documentation I don't see anything about it.
>
> * Delay pools is a fairly major feature.
>
> * "Don't work" is a very vague claim.
>
> * mailing list threads are typically started by people who don't know
> how to use a feature properly and having trouble because of that
> misunderstanding.
>
> * 4.x is an entire series of releases with many bug fixes across the
> (ongoing) year(s) long lifecycle.
>
> Draw your own conclusion about the accuracy of such a statement on the
> mailing list.
>
>
>
> > I would like to know if in my SQUID 4.11 configuration with Kerberos +
> > LDAP authentication I can setup a delay_pools to limit large downloads
> > of any authenticated user.
> >
>
> Yes. That should be entirely possible.
>
>
> > This is my test configuration that I try to do, but I cannot limit the
> > downloads.
> >
> > squid.conf
> ...
> > acl auth proxy_auth REQUIRED
> > delay_pools 1
> > delay_class 1 2
> > delay_parameters 1 64000/64000 64000/64000
>
> > delay_access 1 allow auth
>
> The first problem is here. proxy_auth ACL is a "slow" type and
> delay_access only supports "fast" types.
>
> Squid-4 provides transaction annotations feature that can bridge this
> gap. It is a fast type ACL that checks for annotations set by helper
> lookups etc.
>
>   acl hasUsername note user
>   delay_access 1 allow hasUsername
>   delay_access 1 deny all
>
>
>
> > http_access allow auth
>
> This should be down just above the "http_access deny all"
>
>
> > acl SSL_ports port 443
> > acl Safe_ports port 80
> > acl CONNECT method CONNECT
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> >
> > http_access deny all
> >
> >
>
> Amos
>
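A check for the delay_access problem discussed in this thread, as an added example that is not part of either poster's message or of Squid itself: it flags delay_access rules that reference a "slow" ACL type or an ACL name that is never defined. The function name, the sample configurations, and the list of slow types (partial, beyond the proxy_auth named in the thread) are assumptions.

```python
# Assumption: partial list of ACL types that Squid documents as "slow";
# the thread itself names only proxy_auth.
SLOW_ACL_TYPES = {"proxy_auth", "proxy_auth_regex", "external", "ident", "ident_regex"}
BUILTIN_ACLS = {"all"}  # predefined by Squid, needs no acl line

def lint_delay_access(conf_text):
    """Return (line_no, acl_name, problem) tuples for delay_access rules."""
    acl_types, rules = {}, []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "acl" and len(tokens) >= 3:
            acl_types.setdefault(tokens[1], tokens[2])  # name -> type
        elif tokens[0] == "delay_access" and len(tokens) >= 4:
            # delay_access <pool> allow|deny [!]aclname ...
            rules.append((no, tokens[3:]))
    findings = []
    for no, refs in rules:
        for ref in refs:
            name = ref.lstrip("!")
            if name in BUILTIN_ACLS:
                continue
            if name not in acl_types:
                findings.append((no, name, "undefined"))
            elif acl_types[name] in SLOW_ACL_TYPES:
                findings.append((no, name, "slow"))
    return findings

# Constructed samples based on the configuration quoted in this thread.
AS_POSTED = """\
acl auth proxy_auth REQUIRED
delay_pools 1
delay_class 1 2
delay_parameters 1 64000/64000 64000/64000
delay_access 1 allow auth
"""
WITH_NOTE_ACL = """\
acl auth proxy_auth REQUIRED
acl hasUsername note user
delay_pools 1
delay_class 1 2
delay_parameters 1 64000/64000 64000/64000
delay_access 1 allow hasUsername
delay_access 1 deny all
"""
MISSPELLED = WITH_NOTE_ACL.replace("allow hasUsername", "allow hasUsernme")

if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED), ("note ACL", WITH_NOTE_ACL), ("misspelled", MISSPELLED)):
        print(label, lint_delay_access(conf))
```

A clean result covers only ACL type and naming; it says nothing about tunneled (CONNECT) traffic, which the post above reports as not limited by delay pools under Bug 4913.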