[squid-users] Squid delay_access with external acl

Alex Rousskov rousskov at measurement-factory.com
Mon Mar 4 17:54:01 UTC 2024


On 2024-03-04 06:31, Szilárd Horváth wrote:

> Thank you so much for your answer, but this solution doesn't work.

Please note that I did not (try to) offer a solution. I only tried to 
correct a specific problem in a specific configuration statement.

I hope that Francesco will continue to guide you towards the solution 
that works in your environment. It may be useful to know what exactly 
does not work at this point (e.g., the transaction never gets a 
limited=yes annotation, which you can check by logging %note to 
access.log, OR the transaction is annotated as expected but is not 
delayed as expected).


Good luck,

Alex.



> Please check my config; maybe I made a mistake. Or maybe you have another
> solution?
> I can use proxy users from QUOTA_EXCEEDED_USERS.acl, which contains e-mail
> addresses, or get them from LDAP with
>
> external_acl_type overkvota children-max=10 children-startup=10 ttl=600 negative_ttl=600 %LOGIN /usr/lib/squid/ext_ldap_group_acl -Z -v 3 -P -p 389 -h ldapm1.xxxxx.hu -s sub -D cn=squid_proxy,o=services -W /etc/squid/secret -b o=xxxx -f "(&(mail=%u)(objectclass=InetorgPerson)(InternetUser=true)(QuotaExceeded=true))"
>
> acl QUOTA_EXCEEDED_USERS ext_user "/etc/squid/QUOTA_EXCEEDED_USERS.acl"
> acl markAsLimited annotate_transaction limited=yes
> acl markedAsLimited note limited yes
> http_access allow QUOTA_EXCEEDED_USERS markAsLimited !all
>
> delay_pools 1
> delay_class 1 1
> delay_parameters 1 32000/32000
> delay_access 1 allow markedAsLimited
> delay_access 1 deny all
>
> br,
> Szilard
> 
> 
>>>> Alex Rousskov <rousskov at measurement-factory.com> 02/20/2024, 04:52 PM >>>
> On 2024-02-20 03:14, Francesco Chemolli wrote:
> 
>  > acl users ext_user foo bar gazonk
>  > http_access allow users all # always allow
> 
> The above does not always allow. What you meant is probably this:
> 
> # This rule never matches. It is used for its side effect:
> # The rule evaluates users ACL, caching evaluation result.
> http_access allow users !all
> 
> 
>  > delay_access 3 allow users
>  >
>  > should do the trick
> 
> ... but sometimes will not. Wiki recommendation to "exploit caching" is
> an ugly outdated hack that should be avoided. The correct solution these
> days is to use annotate_transaction ACL to mark the transaction
> accordingly. Here is an untested sketch:
> 
> acl fromUserThatShouldBeLimited ext_user ...
> acl markAsLimited annotate_transaction limited=yes
> acl markedAsLimited note limited yes
> 
> # This rule never matches; used for its annotation side effect.
> http_access allow fromUserThatShouldBeLimited markAsLimited !all
> 
> delay_access 3 allow markedAsLimited
> 
> HTH,
> 
> Alex.
> 
> 
> 
>  > On Tue, Feb 20, 2024 at 2:15 PM Szilárd Horváth wrote:
>  >
>  > Good Day!
>  >
>  > I am trying to limit bandwidth for some user group. I have an
>  > external acl which gets the users from an LDAP database server. In the
>  > old version of the config we blocked the internet with http_access deny
>  > GROUP, but now I am trying to allow internet access with limited
>  > bandwidth. I know that delay_access works only with fast ACLs and that
>  > external acl and proxy_auth acl are slow. I already tried some
>  > options but I couldn't solve it.
>  >
>  > Do you have any solution for this? Or any idea how I can limit
>  > the bandwidth for some users? I need to use the username (e-mail address
>  > format) because that is used to log in to the proxy.
>  >
>  > Version: Squid Cache: Version 5.6
>  >
>  > Thank you so much, and I am waiting for your answer!
>  >
>  > Have a good day!
>  >
>  > Br,
>  > Szilard Horvath
>  >
>  > _______________________________________________
>  > squid-users mailing list
>  > squid-users at lists.squid-cache.org
>  > https://lists.squid-cache.org/listinfo/squid-users
>  >
>  >
>  >
>  > --
>  > Francesco
>  >
> 
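
Added example, not part of the original thread and not Squid project code: a small log check that separates the two failure cases named in the reply above (transaction never annotated vs. annotated but not delayed). It assumes a custom logformat, shown in the first comment, that logs the limited annotation with %{limited}note; the format name, the sample lines and the user names are constructed for illustration.

```python
# Assumed squid.conf logging line (constructed for this example):
#   logformat limitcheck %ts.%03tu %tr %un %Ss/%03>Hs %<st %{limited}note %ru
RATE = 32000        # bytes/second, restore rate from "delay_parameters 1 32000/32000"
BUCKET_MAX = 32000  # bytes, bucket size from the same line

# Constructed sample access.log lines in the format above.
SAMPLE_LOG = """\
1709570000.120 60000 alice@example.com TCP_MISS/200 1900000 yes http://example.com/a.iso
1709570100.450 2000 bob@example.com TCP_MISS/200 5000000 yes http://example.com/b.iso
1709570200.800 1500 carol@example.com TCP_MISS/200 4000000 - http://example.com/c.iso
1709570300.010 30 bob@example.com TCP_MEM_HIT/200 900000 yes http://example.com/d.js
"""

def classify(line):
    """Return (user, verdict) for one access.log line."""
    _ts, elapsed_ms, user, status, size, note, _url = line.split(None, 6)
    if note != "yes":
        # Annotation missing: look at the http_access rule and the user ACL.
        return user, "not-annotated"
    if "HIT" in status:
        # Cache hits involve no server-side reads, so report them separately.
        return user, "cache-hit"
    # Upper bound on bytes a class 1 pool can release during this transaction:
    # one full bucket plus the refill accumulated over the elapsed time.
    allowed = BUCKET_MAX + RATE * int(elapsed_ms) / 1000.0
    if int(size) > allowed:
        # Annotated, yet faster than the pool permits: look at delay_access.
        return user, "annotated-not-delayed"
    return user, "annotated-within-limit"

def report(log_text):
    """Classify every non-empty line of an access.log excerpt."""
    return [classify(l) for l in log_text.splitlines() if l.strip()]

if __name__ == "__main__":
    for user, verdict in report(SAMPLE_LOG):
        print(f"{user:20} {verdict}")
```

The size bound is a heuristic: %<st includes reply headers and the bucket is shared by all limited transactions, so only a clear excess indicates that delay_access did not match.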


