[squid-users] Limit large downloads to authenticated users

Amos Jeffries squid3 at treenet.co.nz
Tue Jul 28 13:21:23 UTC 2020


On 28/07/20 8:41 am, Service MV wrote:
> Hi everybody!
> I read in the squid mailing lists that delay_pools doesn't work in v4.x,
> but in the documentation I don't see anything about it.

* Delay pools is a fairly major feature.

* "Don't work" is a very vague claim.

* Mailing list threads are typically started by people who don't know
how to use a feature properly and are having trouble because of that
misunderstanding.

* 4.x is an entire series of releases with many bug fixes across the
(ongoing) year(s) long lifecycle.

Draw your own conclusion about the accuracy of such a statement on the
mailing list.



> I would like to know if in my SQUID 4.11 configuration with Kerberos +
> LDAP authentication I can setup a delay_pools to limit large downloads
> of any authenticated user.
> 

Yes. That should be entirely possible.


> This is my test configuration that I try to do, but I cannot limit the
> downloads.
> 
> squid.conf
...
> acl auth proxy_auth REQUIRED
> delay_pools 1
> delay_class 1 2
> delay_parameters 1 64000/64000 64000/64000

> delay_access 1 allow auth

The first problem is here. proxy_auth ACL is a "slow" type and
delay_access only supports "fast" types.

Squid-4 provides a transaction annotations feature that can bridge this
gap. It is a fast type ACL that checks for annotations set by helper
lookups etc.

  acl hasUsername note user
  delay_access 1 allow hasUsername
  delay_access 1 deny all



> http_access allow auth

This should be down just above the "http_access deny all"


> acl SSL_ports port 443
> acl Safe_ports port 80
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> 
> http_access deny all
> 
> 

Amos
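
Added example (not part of the original post, and not Squid project code): a small check that flags delay_access lines referencing a slow-type ACL, as in the configuration quoted above, or an ACL name that was never defined. The names lint_squid_conf, SLOW_ACL_TYPES and FAST_ONLY_DIRECTIVES are hypothetical, and the slow-type set beyond proxy_auth is an assumption to be extended from the Squid ACL documentation.

```python
# SLOW_ACL_TYPES beyond proxy_auth is an assumption; the post names only proxy_auth.
SLOW_ACL_TYPES = {"proxy_auth", "proxy_auth_regex", "external", "ident"}
FAST_ONLY_DIRECTIVES = {"delay_access"}  # the directive discussed in the post

def lint_squid_conf(text):
    """Return a list of (line_no, message) findings."""
    acl_types = {"all": "builtin"}  # 'all' is predefined by Squid
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] == "acl" and len(tokens) >= 3:
            # The first definition fixes the type; repeats only add values.
            acl_types.setdefault(tokens[1], tokens[2])
        elif tokens[0] in FAST_ONLY_DIRECTIVES:
            # Syntax: delay_access <pool> allow|deny [!]aclname ...
            for ref in tokens[3:]:
                name = ref.lstrip("!")
                acl_type = acl_types.get(name)
                if acl_type is None:
                    findings.append((line_no, f"ACL '{name}' is not defined"))
                elif acl_type in SLOW_ACL_TYPES:
                    findings.append((line_no, f"ACL '{name}' is slow type '{acl_type}'"))
    return findings

# Constructed inputs: the delay pool lines quoted in the post, a variant with
# a mistyped ACL name, and the note-ACL form the reply recommends.
SLOW_IN_DELAY_ACCESS = """\
acl auth proxy_auth REQUIRED
delay_pools 1
delay_class 1 2
delay_parameters 1 64000/64000 64000/64000
delay_access 1 allow auth
"""
MISTYPED_NAME = """\
acl hasUsername note user
delay_access 1 allow hasUser
delay_access 1 deny all
"""
NOTE_ACL = """\
acl hasUsername note user
delay_access 1 allow hasUsername
delay_access 1 deny all
"""
if __name__ == "__main__":
    for label, conf in [("slow", SLOW_IN_DELAY_ACCESS), ("typo", MISTYPED_NAME), ("note", NOTE_ACL)]:
        print(label, lint_squid_conf(conf))
```

The check reads the file in one pass, top to bottom, so an ACL referenced before its acl line is reported as not defined.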

