Limit large downloads to authenticated users

Limit large downloads to authenticated users

neok
Hi everybody!
I read in the squid mailing lists that delay_pools doesn't work in v4.x, but in the documentation I don't see anything about it.
I would like to know if, in my Squid 4.11 configuration with Kerberos + LDAP authentication, I can set up a delay pool to limit large downloads by any authenticated user.

This is the test configuration I tried, but I cannot limit the downloads.

squid.conf
visible_hostname debian-proxy.mydomain.local
http_port 3128 require-proxy-header
acl haproxy src 10.10.8.213
proxy_protocol_access allow haproxy
debug_options ALL,1 33,2 28,9
maximum_object_size 8192 KB
error_directory /opt/squid411/share/errors/es-ar
shutdown_lifetime 0 seconds
forwarded_for transparent
auth_param negotiate program /usr/local/bin/squid_kerb_auth -i -r -s GSS_C_NO_NAME
auth_param negotiate children 300 startup=150 idle=10
auth_param negotiate keep_alive on
auth_param basic program /opt/squid411/libexec/basic_ldap_auth -P -R -b "dc=mydomain,dc=local" -D "cn=ldap,cn=Users,dc=mydomain,dc=local" -W /opt/squid411/etc/ldappass.txt -f sAMAccountName=%s -h dc1.mydomain.local
auth_param basic children 30
auth_param basic realm Proxy Authentication
auth_param basic credentialsttl 4 hour
acl auth proxy_auth REQUIRED
delay_pools 1
delay_class 1 2
delay_parameters 1 64000/64000 64000/64000
#delay_parameters 1 1310720/1966080 917504/1310720
delay_access 1 allow auth
http_access allow auth
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access deny all


squid -v
Squid Cache: Version 4.11
Service Name: squid

This binary uses OpenSSL 1.0.2u  20 Dec 2019. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--prefix=/opt/squid411' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--localstatedir=/opt/squid411/var' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--enable-inline' '--enable-async-io' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-digest-auth-helpers' '--enable-negotiate-auth-helpers' '--enable-auth-ntlm' '--enable-arp-acl' '--enable-esi' '--disable-translation' '--with-logdir=/var/log/squid411' '--with-pidfile=/var/run/squid411.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' '--enable-ltdl-convenience' '--with-openssl' '--enable-ssl' '--enable-ssl-crtd'

Thanks in advance for any help!
Best regards,

Gabriel

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Limit large downloads to authenticated users

Amos Jeffries
On 28/07/20 8:41 am, Service MV wrote:
> Hi everybody!
> I read in the squid mailing lists that delay_pools doesn't work in v4.x,
> but in the documentation I don't see anything about it.

* Delay pools are a fairly major feature.

* "Don't work" is a very vague claim.

* Mailing list threads are typically started by people who don't know
how to use a feature properly and are having trouble because of that
misunderstanding.

* 4.x is an entire series of releases with many bug fixes across the
(ongoing) year(s)-long lifecycle.

Draw your own conclusion about the accuracy of such a statement on the
mailing list.



> I would like to know if in my SQUID 4.11 configuration with Kerberos +
> LDAP authentication I can setup a delay_pools to limit large downloads
> of any authenticated user.
>

Yes. That should be entirely possible.


> This is my test configuration that I try to do, but I cannot limit the
> downloads.
>
> squid.conf
...
> acl auth proxy_auth REQUIRED
> delay_pools 1
> delay_class 1 2
> delay_parameters 1 64000/64000 64000/64000

> delay_access 1 allow auth

The first problem is here. proxy_auth ACL is a "slow" type and
delay_access only supports "fast" types.

Squid-4 provides transaction annotations feature that can bridge this
gap. It is a fast type ACL that checks for annotations set by helper
lookups etc.

  # fast ACL: true once a helper has annotated the transaction with a "user" note
  acl hasUsername note user
  delay_access 1 allow hasUsername
  delay_access 1 deny all



> http_access allow auth

This should be down just above the "http_access deny all"


> acl SSL_ports port 443
> acl Safe_ports port 80
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access deny all
>
>

Amos
Re: Limit large downloads to authenticated users

neok
Thank you, Amos, for the clarification.
After making time to test some more with fast ACLs, I noticed that it still didn't work. So after some more research I found that the problem is already reported as "Bug 4913 - Delay Pools don't work for Tunneled traffic", which is exactly the problem I was having. HTTP traffic is correctly limited in my tests.
For the time being I will see if I can limit it in another way until I can fix it.

Best regards
Gabriel
