[squid-users] [squid][v5.6] : problem with "slow" or "fast" acl
PERROT Eric DNUM SDCAST BST SSAIM
eric.perrot at interieur.gouv.fr
Fri Sep 16 07:11:58 UTC 2022
Hello Eliezer and David,
Sorry for the delay, I have been monopolized by another subject...
I am not sure I understand how the note acl could help me. If the idea of
"note acl" is similar to the one proposed by Amos (creating a group with
annotate acl).
My requirement is to have a special limitation for logged-in users, except
for those with a login starting with cg_*.
I have been using the proxy_auth acl to identify my users, but this acl is
slow and is not recommended with limitation directives
("reply_body_max_size", "request_body_max_size" and "delay_access").
I am testing creating groups today and I'll come back to you.
Thank you for your thinking,
Eric
On 06/09/2022 20:10, ngtech1ltd at gmail.com wrote:
> Hey Eric and David,
>
> I am thinking about the best place to put a note acl.
>
> What is the actual requirement?
> Do you want to limit a specific client or all of them?
> I have not used delay pools for a very long time so I am not sure about what you want these to do.
>
> Eliezer
>
> ----
>
> Eliezer Croitoru
>
> NgTech, Tech Support
>
> Mobile: +972-5-28704261
>
> Email: ngtech1ltd at gmail.com
>
> Web: https://ngtech.co.il/ [2]
>
> My-Tube: https://tube.ngtech.co.il/ [3]
>
> FROM: squid-users <squid-users-bounces at lists.squid-cache.org> ON BEHALF OF David Touzeau
> SENT: Tuesday, 6 September 2022 18:45
> TO: squid-users at lists.squid-cache.org
> SUBJECT: Re: [squid-users] [squid][v5.6] : problem with "slow" or "fast" acl
>
> Hi Eric.
>
> We had the same restrictions with the fast or slow ACLs.
> Have you thought about creating a squid helper that calculates your needs?
> So maybe you can get around this by using the acl "note" acl note xxx xxx which turns your helper results (slow) into "fast".
>
> On 05/09/2022 at 14:56, PERROT Eric DNUM SDCAST BST SSAIM wrote:
>
>> Hello,
>>
>> We use directives "reply_body_max_size", "request_body_max_size" and "delay_access" to limit upload, download and passband in our infra.
>>
>> This configuration has existed for a while, but we have noticed that with squid v4.16, our delay pool didn't react as we wanted anymore. We were expecting improvement upgrading squid to v5.6. But it got worse:
>> - restriction still didn't work
>> - and squid had a segmentation fault each time some acl were used
>>
>> Thanks to Alex Rousskov (bug 5231), after some investigation, it appears that we used "slow" acl (proxy_auth and time acl) where only "fast" acl were authorized. The bug is still open as squid has not flagged the problem in cache logs.
>>
>> My email is to show you our configuration and the behaviour we expect, and the behaviour we finally have.
>> 1 - squid v4.12: we expect to limit download/upload and passband during working time for all logins except those starting with cg_*
>> "
>> ###### Bandwidth management ##########
>> acl bureau time 09:00-12:00
>> acl bureau time 14:00-17:00
>> # Generic accounts
>> acl my_ldap_auth proxy_auth REQUIRED
>> acl cgen proxy_auth_regex cg_
>> reply_body_max_size 800 MB BUREAU !CGEN
>> request_body_max_size 5 MB
>> # The bandwidth limit no longer works with BUMP
>> # To be tested ...
>> delay_pools 1
>> # During time, except cgen, emeraude
>> delay_class 1 4
>> delay_access 1 allow MY_LDAP_AUTH !CGEN !emeraude
>> delay_access 1 deny all
>> # 512000 = 5120 kbits/user 640 ko
>> # 307200 = 3072 kbits/user 384 ko
>> delay_parameters 1 -1/-1 -1/-1 -1/-1 107200/107200
>> ##################################################
>> "
>> => with this configuration, the delay pool seemed not to work anymore, so we upgraded squid to v5.6. Which caused the squid segmentation fault...
>>
>> 2 - squid v5.6: to solve the segmentation fault, we had to take off my_ldap_auth/cgen (proxy_auth acl) and bureau (time acl). The limitation works again, but we are no longer able to limit restriction during working time, or for specific logins...
>> "
>> ###### Bandwidth management ##########
>> acl bureau time 09:00-12:00
>> acl bureau time 14:00-17:00
>> # Generic accounts
>> acl userrgt src 10.0.0.0/8
>> acl my_ldap_auth proxy_auth REQUIRED
>> acl cgen proxy_auth_regex cg_
>> reply_body_max_size 800 MB USERRGT
>> request_body_max_size 5 MB
>> # The bandwidth limit no longer works with BUMP
>> # To be tested ...
>> delay_pools 1
>> # During time, except cgen, emeraude
>> delay_class 1 4
>> delay_access 1 allow !emeraude
>> delay_access 1 deny all
>> # 512000 = 5120 kbits/user 640 ko
>> # 307200 = 3072 kbits/user 384 ko
>> delay_parameters 1 -1/-1 -1/-1 -1/-1 107200/107200
>> ##################################################
>> "
>>
>> Can you tell me if what we want to do is still possible? Limiting upload/download/passband for all logged-in users except those starting with cg_*?
>>
>> Thank you for the time reading, and thank you for your answers.
>>
>> Regards,
>>
>> Eric Perrot
>>
>> _______________________________________________
>>
>> squid-users mailing list
>>
>> squid-users at lists.squid-cache.org
>>
>> http://lists.squid-cache.org/listinfo/squid-users [1]
Links:
------
[1] http://lists.squid-cache.org/listinfo/squid-users
[2] https://ngtech.co.il/
[3] https://tube.ngtech.co.il/
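
The helper-plus-`note` approach David suggests above, sketched as an added example that is not code from any participant in the thread: the slow lookup runs once in `http_access`, and the limitation directives then test only the annotation it leaves behind. The helper path and the names `bwclass`, `classified`, `limited` and `bwlimit_` are assumptions, as is applying the thread's office hours inside the helper.

```python
#!/usr/bin/env python3
"""Added example: external ACL helper for Squid (not from the thread).

Assumed squid.conf wiring (helper path and the names bwclass,
classified, limited and bwlimit_ are hypothetical):

  external_acl_type bwclass ttl=60 %LOGIN /usr/local/bin/bwclass.py
  acl classified external bwclass
  acl limited note bwlimit_ on
  http_access allow classified          # slow lookup happens here
  reply_body_max_size 800 MB limited    # only the fast note check
  delay_access 1 allow limited
  delay_access 1 deny all
"""
import sys
from datetime import datetime, time
from urllib.parse import unquote

EXEMPT_PREFIX = "cg_"  # generic accounts from the thread
OFFICE_HOURS = [(time(9, 0), time(12, 0)), (time(14, 0), time(17, 0))]


def in_office_hours(now):
    """True inside one of the 'bureau' windows (end time excluded)."""
    return any(start <= now.time() < end for start, end in OFFICE_HOURS)


def reply_for(line, now):
    """Map one request line (the %LOGIN value) to a helper reply."""
    fields = line.split()
    if not fields or fields[0] == "-":
        return "ERR"  # no authenticated login: the acl does not match
    login = unquote(fields[0])  # Squid URL-escapes values sent to helpers
    limited = in_office_hours(now) and not login.startswith(EXEMPT_PREFIX)
    # Extra key=value pairs in the reply become transaction annotations,
    # which the 'note' acl can test later without another lookup.
    return "OK bwlimit_=" + ("on" if limited else "off")


def main():
    for line in sys.stdin:  # one lookup per line (concurrency=0)
        sys.stdout.write(reply_for(line, datetime.now()) + "\n")
        sys.stdout.flush()  # Squid waits for each reply


if __name__ == "__main__":
    main()
```

Squid caches each helper answer for `ttl` seconds, so a change at the edge of an office-hours window can take up to that long to apply to a given login.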