[squid-users] Squid delay_access with external acl

Szilárd Horváth shorvath at npsh.hu
Mon Mar 4 11:31:29 UTC 2024


Hi Alex,
 
Thank you so much for your answer, but this solution doesn't work. Please
check my config; maybe I made a mistake. Or maybe you have another
solution?
 
I can use proxy users from QUOTA_EXCEEDED_USERS.acl, which contains e-mail
addresses, or get them from LDAP with:

external_acl_type overkvota children-max=10 children-startup=10 ttl=600 negative_ttl=600 %LOGIN /usr/lib/squid/ext_ldap_group_acl -Z -v 3 -P -p 389 -h ldapm1.xxxxx.hu -s sub -D cn=squid_proxy,o=services -W /etc/squid/secret -b o=xxxx -f "(&(mail=%u)(objectclass=InetorgPerson)(InternetUser=true)(QuotaExceeded=true))"
 
acl QUOTA_EXCEEDED_USERS ext_user "/etc/squid/QUOTA_EXCEEDED_USERS.acl"
acl markAsLimited annotate_transaction limited=yes
acl markedAsLimited note limited yes
http_access allow QUOTA_EXCEEDED_USERS markAsLimited !all

 
delay_pools 1
delay_class 1 1
delay_parameters 1 32000/32000
delay_access 1 allow markedAsLimited
delay_access 1 deny all
 
br,
Szilard


>>> Alex Rousskov <rousskov at measurement-factory.com> 02/20/2024, 04:52 PM >>>
On 2024-02-20 03:14, Francesco Chemolli wrote:

> acl users ext_user foo bar gazonk
> http_access allow users all # always allow

The above does not always allow. What you meant is probably this:

# This rule never matches. It is used for its side effect:
# The rule evaluates users ACL, caching evaluation result.
http_access allow users !all


> delay_access 3 allow users
>
> should do the trick

... but sometimes will not. Wiki recommendation to "exploit caching" is
an ugly outdated hack that should be avoided. The correct solution these
days is to use annotate_transaction ACL to mark the transaction
accordingly. Here is an untested sketch:

acl fromUserThatShouldBeLimited ext_user ...
acl markAsLimited annotate_transaction limited=yes
acl markedAsLimited note limited yes

# This rule never matches; used for its annotation side effect.
http_access allow fromUserThatShouldBeLimited markAsLimited !all

delay_access 3 allow markedAsLimited

HTH,

Alex.



> On Tue, Feb 20, 2024 at 2:15 PM Szilárd Horváth wrote:
>
> Good Day!
>
> I am trying to limit bandwidth for some user group. I have an
> external acl which gets the users from an LDAP database server. In the
> old version of the config we blocked the internet with http_access deny
> GROUP, but now I am trying to allow the internet with limited
> bandwidth. I know that delay_access works only with fast ACLs and
> external acl or proxy_auth acl are slow. I already tried some
> options but I couldn't solve it.
>
> Maybe you have a solution for this? Or any idea how to limit
> the bandwidth for some users? I need to use the username (e-mail address
> format) because that is used to log in to the proxy.
>
> Version: Squid Cache: Version 5.6
>
> Thank you so much and I am waiting for your answer!
>
> Have a good day!
>
> Br,
> Szilard Horvath
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> <mailto:squid-users at lists.squid-cache.org>
> https://lists.squid-cache.org/listinfo/squid-users
> <https://lists.squid-cache.org/listinfo/squid-users>
>
>
>
> --
> Francesco
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
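
The constraint discussed in this thread (delay_access evaluates only fast ACLs, while external and proxy_auth ACLs are slow) can be checked mechanically before a config is deployed. The following is an added example, not code from the thread or from the Squid project: a small Python lint whose function names, the ACL name quotaExceeded and both sample configs are constructed for illustration, and whose SLOW_TYPES set holds only the two types the thread names.

```python
# ACL types the thread names as slow. Assumption: extend this set from the
# squid.conf documentation for the Squid version you run.
SLOW_TYPES = {"external", "proxy_auth"}

def _tokens(line):
    """Split one squid.conf line into tokens, dropping comments."""
    out = []
    for tok in line.split():
        if tok.startswith("#"):
            break
        out.append(tok)
    return out

def parse_acls(conf):
    """Map each ACL name to the set of types it is declared with."""
    acls = {}
    for line in conf.splitlines():
        t = _tokens(line)
        if len(t) >= 3 and t[0] == "acl":
            acls.setdefault(t[1], set()).add(t[2])
    return acls

def slow_acls_in_delay_access(conf):
    """Return (line_no, acl_name, acl_type) for every slow ACL a delay_access rule uses."""
    acls = parse_acls(conf)
    findings = []
    for no, line in enumerate(conf.splitlines(), 1):
        t = _tokens(line)
        # Syntax: delay_access <pool> allow|deny [!]aclname ...
        if len(t) < 4 or t[0] != "delay_access":
            continue
        for ref in t[3:]:
            name = ref.lstrip("!")
            for acl_type in sorted(acls.get(name, set()) & SLOW_TYPES):
                findings.append((no, name, acl_type))
    return findings

# Constructed sample: the slow external ACL is referenced directly.
SAMPLE_SLOW = """\
acl quotaExceeded external overkvota
delay_access 1 allow quotaExceeded
delay_access 1 deny all
"""

# Constructed sample: the annotation pattern sketched in the thread.
SAMPLE_ANNOTATED = """\
acl quotaExceeded external overkvota
acl markAsLimited annotate_transaction limited=yes
acl markedAsLimited note limited yes
# never matches; used for its annotation side effect
http_access allow quotaExceeded markAsLimited !all
delay_access 1 allow markedAsLimited
delay_access 1 deny all
"""

if __name__ == "__main__":
    print(slow_acls_in_delay_access(SAMPLE_SLOW))
    print(slow_acls_in_delay_access(SAMPLE_ANNOTATED))
```

The lint only checks which ACL types delay_access references; it does not verify that the annotating http_access rule is evaluated before the rule that admits the request.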

