[squid-users] acl maxconn and max_user_ip config help please

Amos Jeffries squid3 at treenet.co.nz
Mon Jul 18 05:14:57 UTC 2016


On 18/07/2016 11:49 a.m., B. Henry wrote:
> I want to limit max simultanious connections for any user in group foo, and also limit how may different IPs they can have devices logged in from at any 
> one time.
> 
> I've had squid3 working well with a very simple policy for years just allowing access from two different ip ranges, but now want to make my proxy server 
> available to others. 
> I have things working well with one group called foo listing some names, after using something very similar to the recommended minimum defaults. 
> 
> acl foo proxy_auth user1 dumbuser someoneelse
> 
> But when I add the lines below to try and set a limit for group fooI can not connect at all, get a connection denied error.
> acl foo maxconn 15
> acl foo max_user_ip -s 5

The name "foo" is being assigned to two distincly different types of ACL
action. Squid will not start with this mis-configuration.

You should have seen Squid reporting FATAL errors about that in your logs.

Pleasse read the FAQ entries:
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes>


> And these were the last httpaccess lines
> http_access deny !foo
> #http_access allow localnet
> 
> I am very new to anything other than some very basic configuration,
> so may be misunderstanding almost anything, so all help will be well
> received even if it just confirms something I thought.

If you are familiar with boolean logic it should not be hard to
understand. The FAQ reference above goes into examples.


> 
> Also if I want to make a more restrictive policy, i.e. fewer
> connections for folks not in group fooam I correct in thinking it
> would go before, the foo rule? I guess I'd either make another
> groupand give them access and change foo's access to allow insteal of
> deny, or is there a better way? Sometimes I think I understand the
> basic rules about order and such pretty weell, but feel confused at
> the moment...lol

To answer that fully you need to have an understanding of how ACLs and
access lists building blocks work. So lets come back to these after you
understand whats wrong with your initial 'foo' attempt

> 
> Actually my current working configuration has the allow localnet line
> above the foo acl line and these as the last acl and httpaccess
> lines http_access deny !foo At this point should I have an allow all

No. "allow all" permits the entire Internet community through your
proxy, to do anything they like. Which is very, very rarely a desirable
proxy behaviour (even rare for reverse-proxy / CDN configurations).


> line since the httpaccess line for foo is deny, or should the last
> line always be deny all?

Best Practice is to always use "deny all" for the last http_access line,
to make sure it is clear and obvious what will happen to any given
request. ie. if your custom rules above that line dont hande the request
it gets denied.

Omitting the final "deny all" is possible, but only safe if you have
advanced understanding Squid behaviour and actually want what will happen.


> 
> Thanks in advance for any and all help. BTW, I am stuck using 3.1.19
> I think it is as my server is running ubuntu 12.04 for a bit still,
> i.e. I know some options have changed a bit since squid3.1.
> 

Specific options have changed, and some useful ACL types been added. But
the logic of how to construct ACLs and access lists has not.

The default config file is included at:
 <http://wiki.squid-cache.org/Squid-3.1>
(you can copy-n-paste the entire thing as your squid.conf and it works
as-is).

There is a guide to the full set of directives and how they work
specifically in 3.1 available at:
<http://www.squid-cache.org/Versions/v3/3.1/cfgman/>

Amos



More information about the squid-users mailing list