Is it possible to apply squid delay pools on users/groups from AD ?


Bike dernikov1
Hi,
This is my second topic; I wouldn't want to mix it with the first. I hope that is OK.
I hope that someone has succeeded in applying delay pools on users/groups from AD.
We are now using a delay pool on the whole 10.0.0.0/8, but that is a
problem as different users have different requirements. We have 30
locations, and we can set different rules by IP, but then we would
need one rule for one location, we would need to use static IPs,
network reconfiguration, but that solution would be a nightmare for
administration, and we would like to avoid static IPs for users.
Thanks for the help.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Is it possible to apply squid delay pools on users/groups from AD ?

Amos Jeffries
Administrator
On 16/11/17 01:43, Bike dernikov1 wrote:
> Hi,
> This is my second topic; I wouldn't want to mix it with the first. I hope that is OK.
> I hope that someone has succeeded in applying delay pools on users/groups from AD.
> We are now using a delay pool on the whole 10.0.0.0/8, but that is a
> problem as different users have different requirements. We have 30
> locations, and we can set different rules by IP, but then we would
> need one rule for one location, we would need to use static IPs,
> network reconfiguration, but that solution would be a nightmare for
> administration, and we would like to avoid static IPs for users.

It depends on your Squid version.

The latest Squid versions with annotation support are capable of receiving
user/group names from the auth and external ACL helpers. These get
attached to the transaction and can be matched with the 'note' type ACL
in any later 'fast-category' access controls like delay_pools.

If your Squid is too old to use the note ACL, or your helper(s) are not
providing the relevant details to Squid (in Squid-3.4+ helper syntax),
then no, sorry.

Amos

Re: Is it possible to apply squid delay pools on users/groups from AD ?

Bike dernikov1
Thanks for the info. We searched for a solution but found that it is not
possible to combine delay pools, and the forum is our last hope; so far we
have solved almost everything :)
We have: Squid Object Cache: Version 3.5.23, so it could work.
Can you give us an example of how to use it? A colleague searched for an
example but couldn't find one.
Thanks for the help.

On Thu, Nov 16, 2017 at 9:02 AM, Amos Jeffries <[hidden email]> wrote:

> On 16/11/17 01:43, Bike dernikov1 wrote:
>>
>> Hi,
>> This is my second topic; I wouldn't want to mix it with the first. I hope that is
>> OK.
>> I hope that someone has succeeded in applying delay pools on users/groups from
>> AD.
>> We are now using a delay pool on the whole 10.0.0.0/8, but that is a
>> problem as different users have different requirements. We have 30
>> locations, and we can set different rules by IP, but then we would
>> need one rule for one location, we would need to use static IPs,
>> network reconfiguration, but that solution would be a nightmare for
>> administration, and we would like to avoid static IPs for users.
>
>
> It depends on your Squid version.
>
> The latest Squid versions with annotation support are capable of receiving user/group
> names from the auth and external ACL helpers. These get attached to the
> transaction and can be matched with the 'note' type ACL in any later
> 'fast-category' access controls like delay_pools.
>
> If your Squid is too old to use the note ACL, or your helper(s) are not providing
> the relevant details to Squid (in Squid-3.4+ helper syntax), then no, sorry.
>
> Amos

Re: Is it possible to apply squid delay pools on users/groups from AD ?

Amos Jeffries
Administrator
On 17/11/17 03:40, Bike dernikov1 wrote:
> Thanks for the info. We searched for a solution but found that it is not
> possible to combine delay pools, and the forum is our last hope; so far we
> have solved almost everything :)
> We have: Squid Object Cache: Version 3.5.23, so it could work.
> Can you give us an example of how to use it? A colleague searched for an
> example but couldn't find one.
> Thanks for the help.
>

An example for username would be:

  auth_param ...
  acl login proxy_auth REQUIRED
  http_access deny !login

  delay_pools 1
  delay_class 1 ...
  delay_parameters 1 ...

  acl slow note user Fred Bob
  delay_access 1 allow slow


For groups, the latest Kerberos auth helpers from Marcus Moeller are
sending the SID and group details back to Squid for this. The other
helpers bundled by Squid are not yet sending group names back.

(I was hoping to have that ready for Squid-4, but have not had the time.
Patches or github PR welcome if anyone wants to contribute).

Amos
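
A fuller version of the username example from the reply above, as an added example that is not part of the original post or of the Squid project's own documentation. The helper path, Kerberos principal, user names and rates are assumed values for illustration; the names in the note ACLs must match exactly the string your auth helper returns (compare with the username logged in access.log).

```conf
# Added example (assumed values): per-user delay pools on Squid 3.5+.

# Negotiate/Kerberos authentication against AD. Path and principal are
# placeholders for this example.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20
auth_param negotiate keep_alive on

# Force authentication first. proxy_auth is a slow ACL, so it must be
# evaluated in http_access; the helper's user= annotation is then
# attached to the transaction for the fast checks below.
acl login proxy_auth REQUIRED
http_access deny !login
http_access allow login
http_access deny all

# Fast 'note' ACLs matching the user= annotation from the auth helper.
# User names are hypothetical.
acl slow_users note user fred@EXAMPLE.COM bob@EXAMPLE.COM
acl std_users note user alice@EXAMPLE.COM carol@EXAMPLE.COM

delay_pools 2

# Pool 1, class 1: a single aggregate bucket shared by all slow_users.
# Format is restore/max, in bytes per second / bytes.
delay_class 1 1
delay_parameters 1 64000/64000

# Pool 2, class 4: aggregate, network, individual (per IP) and per-user
# buckets, in that order. The last pair limits each authenticated user.
delay_class 2 4
delay_parameters 2 1000000/1000000 1000000/1000000 1000000/1000000 128000/128000

# delay_access is a fast check, so only fast ACLs such as 'note' are
# usable here. Requests matching neither pool are not delayed.
delay_access 1 allow slow_users
delay_access 1 deny all
delay_access 2 allow std_users
delay_access 2 deny all
```

Run `squid -k parse` after editing to catch syntax errors before reloading.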

Re: Is it possible to apply squid delay pools on users/groups from AD ?

Bike dernikov1
On Fri, Nov 17, 2017 at 3:39 AM, Amos Jeffries <[hidden email]> wrote:

> On 17/11/17 03:40, Bike dernikov1 wrote:
>>
>> Thanks for the info. We searched for a solution but found that it is not
>> possible to combine delay pools, and the forum is our last hope; so far we
>> have solved almost everything :)
>> We have: Squid Object Cache: Version 3.5.23, so it could work.
>> Can you give us an example of how to use it? A colleague searched for an
>> example but couldn't find one.
>> Thanks for the help.
>>
>
> An example for username would be:
>
>  auth_param ...
>  acl login proxy_auth REQUIRED
>  http_access deny !login
>
>  delay_pools 1
>  delay_class 1 ...
>  delay_parameters 1 ...
>
>  acl slow note user Fred Bob
>  delay_access 1 allow slow
>
>
> For groups, the latest Kerberos auth helpers from Marcus Moeller are sending
> the SID and group details back to Squid for this. The other helpers bundled
> by Squid are not yet sending group names back.

We have the 3.04sq version (when started with the debug -d option I got that
line in the log).

From:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Simple-ACL-help-for-Kerberos-authenticated-sessions-td4683281.html,
it can be found that only Squid 4 has this option, if I understand correctly?

> (I was hoping to have that ready for Squid-4, but have not had the time.
> Patches or github PR welcome if anyone wants to contribute).

I would help, but I am not even the p from programmer, a nearly average or
below-average admin, as can be seen from my questions.
Thanks for the info. We would have spent days before, or if, we would find the info.

> Amos