[squid-users] [squid][v5.6] : problem with "slow" or "fast" acl

PERROT Eric DNUM SDCAST BST SSAIM eric.perrot at interieur.gouv.fr
Fri Sep 16 09:45:32 UTC 2022
Hello Amos, 

This seems to be a solved issue. With your advice, I have managed to
limit all my users except those whose login starts with cg_*.

1 - annotation of the "cg_*" flows:

# Generic accounts
acl userCgPrefix proxy_auth_regex ^cg_
acl markCgGroup annotate_transaction cgUsers=true

http_access allow userCgPrefix markCgGroup !all
http_access allow my_ldap_auth !emeraude

2 - fixed limits for all except "cg_*" users:

acl cgen note cgUsers true
acl userrgt src 10.0.0.0/8
reply_body_max_size 800 MB bureau !cgen userrgt
request_body_max_size 5 MB
delay_pools 1
delay_class 1 4
delay_access 1 allow bureau !cgen !emeraude
delay_parameters 1 -1/-1 -1/-1 -1/-1 512000/512000

I will run some more tests later on with the "usual way" you also
recommended:
"The usual way to do that is with the authentication systems "group"
functionality and a helper to fetch that."

Thanks very much to you, David and Eliezer 
Regards, 

Eric Perrot 

On 06/09/2022 20:46, Amos Jeffries wrote:

> On 6/09/22 00:56, PERROT Eric DNUM SDCAST BST SSAIM wrote:
> 
>> Hello, we use the directives "reply_body_max_size", "request_body_max_size" and "delay_access" to limit upload, download and bandwidth in our infra.
> 
> All of which are "fast" type.
> 
>> This configuration has existed for a while, but we have noticed that with squid v4.16, our delay pool no longer reacted as we wanted.
> 
> FYI, use of "slow" type ACLs in "fast" type checks is subject to what Squid happens to have in its processing state information and available in caches from previous traffic.
> 
> Even if a config like this *appears* to work, it may not be actually working for all transactions. The delicate balance may change at any time.
> 
>> Can you tell me if what we want to do is still possible? Limiting upload/download/bandwidth for all logged-in users except those whose login starts with cg_*?
> 
> You need to:
> 
> 1) do authentication checks in http_access.
> 
> 2) make the cg_* accounts part of a "group".
> 
> The usual way to do that is with the authentication systems "group" functionality and a helper to fetch that.
> 
> However, in Squid-4+ you can also add a temporary "group" label as needed based on other ACL checks (eg the username regex matching) like so:
> 
> acl userCgPrefix proxy_auth_regex ^cg_
> acl markCgGroup annotate_transaction group=cgUsers
> http_access allow userCgPrefix markCgGroup !all
> 
> 3) check the 'group' annotation in fast type controls, not the username:
> 
> acl userrgt note group cgUsers
> 
> reply_body_max_size 800 MB userrgt
> delay_access 1 deny userrgt
> 
> FTR, the above should work on any Squid-4 or later. So you can revert to the v4 Squid install which was otherwise working for you.
> 
> HTH
> Amos
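The slow-to-fast handoff described in this thread, written out as one complete squid.conf fragment. This is an added example, not configuration from the thread's authors: the ACL names my_ldap_auth, bureau and emeraude come from the thread, but their definitions are not on the page, so the ones below (and the basic_ldap_auth helper line) are placeholders to be replaced with the real ones. The logformat at the end is an added check for confirming in access.log that the annotation actually reached the fast-type directives.

```conf
# Added example (not the thread's own config). Placeholders: the auth helper
# line and the 'bureau' / 'emeraude' ACL definitions.
auth_param basic program /usr/lib/squid/basic_ldap_auth -b "dc=example,dc=org" -f "uid=%s" ldap.example.org
auth_param basic realm proxy

acl my_ldap_auth proxy_auth REQUIRED
acl userCgPrefix proxy_auth_regex ^cg_
acl markCgGroup annotate_transaction cgUsers=true
acl bureau src 10.0.0.0/8                  # placeholder for the thread's 'bureau'
acl emeraude dstdomain .emeraude.example   # placeholder for the thread's 'emeraude'

# WRONG (the configuration the thread started from): proxy_auth_regex is a
# slow ACL; delay_access is a fast check and cannot wait for the auth helper,
# so whether it matches depends on whatever state Squid happens to have cached.
#   delay_access 1 allow bureau !userCgPrefix

# Slow side: http_access may run slow ACLs. The first line authenticates,
# tags cg_* transactions, and then fails on '!all' (which never matches),
# so it only annotates and falls through without allowing anything.
http_access allow userCgPrefix markCgGroup !all
http_access allow my_ldap_auth !emeraude
http_access deny all

# Fast side: test the annotation set above, never the username.
acl cgen note cgUsers true
reply_body_max_size 800 MB bureau !cgen
request_body_max_size 5 MB

delay_pools 1
delay_class 1 4
delay_access 1 allow bureau !cgen !emeraude
delay_access 1 deny all
# class 4 buckets: aggregate / network / individual / per-user; only the
# per-user bucket is limited, to 512000 bytes per second.
delay_parameters 1 -1/-1 -1/-1 -1/-1 512000/512000

# Check: log the annotation next to the username. The last field reads
# "true" for requests tagged as cg_* accounts and "-" for everything else,
# so a cg_* request that was throttled would show up as a "-" here.
logformat withnote %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %{cgUsers}note
access_log /var/log/squid/access.log withnote
```

The ordering matters twice over: the annotating http_access line must come before the line that actually allows the user, and the delay_access and reply_body_max_size rules must reference only the note ACL, since that is the only piece of the username check that is available in a fast context.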