[squid-users] [squid][v5.6] : problem with "slow" or "fast" acl

Amos Jeffries squid3 at treenet.co.nz
Tue Sep 6 18:46:29 UTC 2022


On 6/09/22 00:56, PERROT Eric DNUM SDCAST BST SSAIM wrote:
> Hello,
> 
> We use directives "reply_body_max_size", "request_body_max_size" and 
> "delay_access" to limit upload, download and passband in our infra.
> 

All of which are "fast" type.


> This configuration has existed for a while, but we have noticed that with 
> squid v4.16, our delay pool didn't react as we wanted anymore.


FYI, use of "slow" type ACLs in "fast" type checks is subject to what 
Squid happens to have in its processing state information and available 
in caches from previous traffic.

Even if a config like this *appears* to work, it may not be actually 
working for all transactions. The delicate balance may change at any time.


> Can you tell me if what we want to do is still possible? Limiting 
> upload/download/passband for all logged-in users except those starting 
> with cg_*?

You need to:

  1) do authentication checks in http_access.



  2) make the cg_* accounts part of a "group".

  The usual way to do that is with the authentication system's "group" 
functionality and a helper to fetch that.

  However, in Squid-4+ you can also add a temporary "group" label as 
needed based on other ACL checks (eg the username regex matching) like so:

    acl userCgPrefix proxy_auth_regex ^cg_
    acl markCgGroup annotate_transaction group=cgUsers
    http_access allow userCgPrefix markCgGroup !all


3) check the 'group' annotation in fast type controls, not the username:

   acl userrgt note group cgUsers

   reply_body_max_size 800 MB userrgt
   delay_access 1 deny userrgt

FTR, the above should work on any Squid-4 or later. So you can revert to 
the v4 Squid install which was otherwise working for you.


HTH
Amos
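
A complete squid.conf excerpt that ties the three steps above together, added here as a worked example; it is not part of Amos's reply nor of the Squid project's documentation. It follows the goal stated in the question (shape and cap every authenticated user except cg_* accounts), so it negates the group ACL where the reply's snippet names the group directly. The basic_ncsa_auth helper path, the password file, the body-size caps and the pool rates are assumptions chosen for illustration; the commented-out block at the end shows the "slow ACL in a fast check" form that the reply warns against.

```conf
# Added example (not from the reply above or from the Squid project).
# Helper path, password file, sizes and rates are assumed values.

# --- Step 1: authentication is checked in http_access (a "slow" check) ---
# Assumed helper and password file; substitute your own auth scheme.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours

acl authenticated proxy_auth REQUIRED
acl userCgPrefix proxy_auth_regex ^cg_

# --- Step 2: label cg_* users with a transaction annotation ---
acl markCgGroup annotate_transaction group=cgUsers

# --- Step 3: a "fast" ACL that reads the annotation, not the username ---
acl cgGroup note group cgUsers

# Challenge unauthenticated clients first (407).
http_access deny !authenticated
# annotate_transaction always matches and "!all" never does, so this line
# only tags the transaction and then falls through to the next rule.
http_access allow userCgPrefix markCgGroup !all
http_access allow authenticated
http_access deny all

# Fast-type controls reference cgGroup (a note ACL), never userCgPrefix
# (a proxy_auth_regex ACL). Everyone except cg_* users gets the download cap.
reply_body_max_size 800 MB !cgGroup

# request_body_max_size takes a size only (no ACL list), so this upload
# cap applies to all clients; it cannot be scoped per group.
request_body_max_size 200 MB

# One aggregate bandwidth pool (class 1): 1 MB/s restore and burst (assumed).
delay_pools 1
delay_class 1 1
delay_parameters 1 1000000/1000000
# cg_* users bypass the pool; all other (already authenticated) users are shaped.
delay_access 1 deny cgGroup
delay_access 1 allow all

# The form that causes the reported problem: the slow username regex used
# directly in fast-type checks. It parses and may appear to work, but only
# matches when Squid happens to have the username cached for that
# transaction. Do not do this:
#   delay_access 1 deny userCgPrefix
#   reply_body_max_size 800 MB !userCgPrefix
```

After editing, run `squid -k parse` to catch syntax errors before reloading, then confirm from access.log that requests from cg_* accounts are still served when the pool is saturated while other users are throttled; if cg_* users are sometimes shaped and sometimes not, a slow ACL is still being referenced from a fast-type directive somewhere in the configuration.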

