[squid-users] Limit large downloads to authenticated users

Amos Jeffries squid3 at treenet.co.nz
Tue Jul 28 13:21:23 UTC 2020

On 28/07/20 8:41 am, Service MV wrote:
> Hi everybody!
> I read in the squid mailing lists that delay_pools doesn't work in v4.x,
> but in the documentation I don't see anything about it.

* Delay pools is a fairly major feature.

* "Don't work" is a very vague claim.

* mailing list threads are typically started by people who don't know
how to use a feature properly and are having trouble because of that

* 4.x is an entire series of releases with many bug fixes across the
(ongoing) year(s) long lifecycle.

Draw your own conclusion about the accuracy of such a statement on the
mailing list.

> I would like to know if in my SQUID 4.11 configuration with Kerberos +
> LDAP authentication I can setup a delay_pools to limit large downloads
> of any authenticated user.

Yes. That should be entirely possible.

> This is my test configuration that I try to do, but I cannot limit the
> downloads.
> squid.conf
> acl auth proxy_auth REQUIRED
> delay_pools 1
> delay_class 1 2
> delay_parameters 1 64000/64000 64000/64000

> delay_access 1 allow auth

The first problem is here. proxy_auth ACL is a "slow" type and
delay_access only supports "fast" types.

Squid-4 provides a transaction annotations feature that can bridge this
gap. It is a fast type ACL that checks for annotations set by helper
lookups etc.

  acl hasUsername note user
  delay_access 1 allow hasUsername
  delay_access 1 deny all

> http_access allow auth

This should be down just above the "http_access deny all"

> acl SSL_ports port 443
> acl Safe_ports port 80
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
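
A small linter for the delay_access pitfall described above (a "slow" proxy_auth ACL used where only "fast" ACLs are supported), which also flags delay_access rules that name an ACL that was never declared. This is an added example, not part of the original post and not Squid's own code; the function name, the SLOW_TYPES set and the sample configuration are assumptions constructed for illustration.

```python
# Added illustration: lint squid.conf text for delay_access rules that cannot match.
# SLOW_TYPES holds only the ACL type this thread names as slow (assumption: extend as needed).
SLOW_TYPES = {"proxy_auth"}

# Constructed sample: one rule uses the proxy_auth ACL, one names an undeclared ACL.
SAMPLE = """\
acl auth proxy_auth REQUIRED
acl hasUsername note user
delay_pools 1
delay_class 1 2
delay_parameters 1 64000/64000 64000/64000
delay_access 1 allow auth
delay_access 1 allow hasUser
delay_access 1 deny all
"""

def lint_delay_access(conf_text):
    """Return (line_number, acl_name, problem) tuples for suspicious delay_access rules."""
    acl_types = {}   # ACL name -> type it was declared with
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] == "acl" and len(tokens) >= 3:
            acl_types[tokens[1]] = tokens[2]
        elif tokens[0] == "delay_access" and len(tokens) >= 4:
            # Form: delay_access <pool> allow|deny [!]aclname ...
            for ref in tokens[3:]:
                name = ref.lstrip("!")
                if name == "all":            # built-in ACL, always defined
                    continue
                if name not in acl_types:    # ACLs must be declared before use
                    findings.append((lineno, name, "undefined ACL"))
                elif acl_types[name] in SLOW_TYPES:
                    findings.append((lineno, name, "slow ACL type " + acl_types[name]))
    return findings

if __name__ == "__main__":
    for lineno, name, problem in lint_delay_access(SAMPLE):
        print(f"line {lineno}: delay_access references {name}: {problem}")
```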

