<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p>Hello Amos,</p>
<p>This seems to be a solved issue. With your advices, I have manage to limit all my user except those who had a login starting by cg_*.</p>
<p>1 - annotation of the "cg_*" 's flow :<br /><span style="font-size: x-small;"><em># Comptes generiques</em></span><br /><span style="font-size: x-small;"><em>acl userCgPrefix proxy_auth_regex ^cg_<br />acl markCgGroup annotate_transaction cgUsers=true</em></span></p>
<p><span style="font-size: x-small;"><em>http_access allow userCgPrefix markCgGroup !all</em></span><br /><span style="font-size: x-small;"><em>http_access allow my_ldap_auth !emeraude</em></span></p>
<p> 2 - fixed limits for all except "cg_*" users</p>
<p><em><span style="font-size: x-small;">acl cgen note cgUsers true</span></em><br /><em><span style="font-size: x-small;">acl userrgt src 10.0.0.0/8<br /></span></em><em style="font-size: 10pt;"><span style="font-size: x-small;">reply_body_max_size 800 MB bureau !cgen userrgt<br /></span></em><em><span style="font-size: x-small;">request_body_max_size 5 MB<br /></span></em><em><span style="font-size: x-small;">delay_pools 1<br /></span></em><em><span style="font-size: x-small;">delay_class 1 4<br /></span></em><em><span style="font-size: x-small;">delay_access 1 allow bureau !cgen !emeraude<br /></span></em><em><span style="font-size: x-small;">delay_parameters 1 -1/-1 -1/-1 -1/-1 512000/512000</span></em></p>
<p>I will make some other tests later on with the "usual way" you also preconised :<br />"The usual way to do that is with the authentication systems "group" functionality and a helper to fetch that."</p>
<p>Thanks very much to you, David and Eliezer<span style="font-size: 10pt;"> </span></p>
<div>Regards,</div>
<div> </div>
<div>Eric Perrot</div>
<p>Le 06/09/2022 20:46, Amos Jeffries a écrit :</p>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<pre>On 6/09/22 00:56, PERROT Eric DNUM SDCAST BST SSAIM wrote:</pre>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">Hello, We use directives "reply_body_max_size", "request_body_max_size" and "delay_access" to limit upload, download and passband in our infra.</blockquote>
<pre>All of which are "fast" type.</pre>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">This configuration existes since a while, but we have noticed that with squid v4.16, our delay pool didn't react as we wanted anymore.</blockquote>
<pre>FYI, use of "slow" type ACLs in "fast" type checks is subject to what Squid happens to have in its processing state information and available in caches from previous traffic.
Even if a config like this *appears* to work, it may not be actually working for all transactions. The delicate balance may change at any time.</pre>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">Can you tell me if what we want to do is still possible? Limiting upload/download/passband for all logged user except those starting by cg_*..?.</blockquote>
<pre>You need to:
1) do authentication checks to http_access.
2) make the cg_* accounts part of a "group".
The usual way to do that is with the authentication systems "group" functionality and a helper to fetch that.
However, in Squid-4+ you can also add a temporary "group" label as needed based on other ACL checks (eg the username regex matching) like so:
acl userCgPrefix proxy_auth_regex ^cg_
acl markCgGroup annotate_transaction group=cgUsers
http_access allow userCgPrefix markCgGroup !all
3) check the 'group' annotation in fast type controls, not the username:
acl userrgt note group cgUsers
reply_body_max_size 800 MB userrgt
deny_access 1 deny userrgt
FTR; the above should work on any Squid-4 or later. So you can revert to the v4 Squid install which was otherwise working for you.
HTH
Amos
_______________________________________________
squid-users mailing list
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><span style="font-family: Verdana, Geneva, sans-serif;"><span style="font-size: 13.3333px; white-space: normal;">
</span></span></pre>
</blockquote>
</body></html>