Re: [squid-users] R: delay pools

2015-10-27 Thread Amos Jeffries
On 28/10/2015 2:47 a.m., De Lazzari Matteo wrote:
> Or better, something like this can work?
> 
> external_acl_type internetfullthrottle_grp children=20 ttl=3600 negative_ttl=3600 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g InternetFullThrottle -D xxx
> acl internetfullthrottle external internetfullthrottle_grp
> 
> delay_pools 1
> delay_class 1 1
> delay_parameters 1 125/125
> delay_access 1 allow internetfullthrottle
> delay_access 1 deny all
> 



Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] R: delay pools

2015-10-27 Thread De Lazzari Matteo
Or better, something like this can work?

external_acl_type internetfullthrottle_grp children=20 ttl=3600 negative_ttl=3600 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g InternetFullThrottle -D xxx
acl internetfullthrottle external internetfullthrottle_grp

delay_pools 1
delay_class 1 1
delay_parameters 1 125/125
delay_access 1 allow internetfullthrottle
delay_access 1 deny all

PS: I'm using ext_kerberos_ldap_group_acl to assign an internet "profile" to 
users, using groups in Active Directory.

Thanks a lot!

CLASSIFICATION: PUBLIC [ ]  CONFIDENTIAL [X]  RESTRICT [ ]

Matteo De Lazzari
Information Technology

PREVINET S.p.A.
Via E. Forlanini, 24 - 31022 Preganziol (TV) - ITALY
tel +39 - 0422 1745279
matteo.delazz...@previnet.it

Pursuant to Legislative Decree 196/2003 on the protection of personal data, this 
communication and any attachment to it are intended exclusively for the addressee 
indicated or for any other persons authorised to receive it. Unauthorised use is 
prohibited and may constitute a criminal offence. It contains strictly confidential 
and reserved information, whose communication or disclosure to third parties is 
forbidden unless expressly authorised. If you have received this e-mail in error, 
please notify the sender without delay and delete every trace of it from your 
storage media. 
This message is intended only for the named recipient and may contain 
confidential, proprietary or legally privileged information. Unauthorized 
persons are not permitted access to this information. Any dissemination, 
distribution or copying of this information is strictly prohibited. If you have 
received this message in error, please advise the sender by reply e-mail and 
delete this message and any attachments.


-Original message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
Amos Jeffries
Sent: Monday, 26 October 2015 22:43
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] delay pools

On 27/10/2015 7:42 a.m., De Lazzari Matteo wrote:
> 
> Hi, is it possible to use Active directory groups in delay pools 
> configuration?

Yes. Although to do it easily will require a Squid-3.4 or later where 
transaction annotations are available. Also a helper that sends back the 
group=X to Squid about what group(s) the user is in (could be auth helper or 
external ACL helper).
So far only the Kerberos auth helper does that and it sends the SSID value as 
the group=X value for all the groups listed in the Kerberos token.

With a helper returning the group names to Squid, a "note" type ACL can be used 
to check the group=X annotation values in any access control rules. Including 
delay_access.


> And someone can tell me an example about how to use class 5 delay 
> pool?
> 

That delay pool requires that an external_acl_type helper is being used and 
sending some tag=X back to Squid to attach a 'tag' to each request / transaction.

That helper has to be tested on one of the *_access rules where async / slow 
group lookups will work. The delay_access rules will *not* work since they are 
a fast-group check. http_access is the usual place and the helper decides both 
whether to allow use of Squid and what to tag the request with.


You define the pool to be of class 5 with a Bytes/sec rate (delay_parameters 
values are restore_rate/max_size pairs):
  delay_pools 1
  delay_class 1 5
  delay_parameters 1 20480/20480

You define delay_access to match for the requests that are to have that pool's 
traffic rate limit applied:
  delay_access 1 allow localnet

Squid will automatically arrange so each unique tag=X value the helper assigns 
to those pooled requests will have a pool. All requests to which the helper 
replies 'tag=ZZ' will share one pool, but requests the helper replies with 
'tag=YY' will have a different pool. etc.
Requests not having a tag at all share one pool (I think, haven't checked that).

That is it.

The difficult bits are that only one tag= value can be assigned to a 
transaction, attempts to repeat or alter one assigned won't work, and that 
detail about the async/slow access lists being the only ones where the helper 
can be checked.


HTH
Amos

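A helper of the kind Amos describes, added here as a constructed example (not code from the thread or from the Squid project): it reads the %LOGIN value, answers with group= annotations that a "note" ACL can test, and sets a single tag= so a class 5 pool gets one bucket per tag. It assumes Squid 3.4 or later with the default quote=url encoding, and uses a hard-coded DIRECTORY dict in place of the real Active Directory lookup.

```python
#!/usr/bin/env python3
"""Squid external ACL helper (constructed example): maps the %LOGIN user to
its AD group names and to ONE delay-pool tag, replying in the Squid 3.4+
helper protocol. DIRECTORY stands in for the real AD/LDAP lookup."""
import sys
from urllib.parse import quote, unquote

# Constructed sample directory: login -> set of AD groups (not real data).
DIRECTORY = {
    "matteo@EXAMPLE.COM": {"InternetFullThrottle", "Domain Users"},
    "guest@EXAMPLE.COM": {"Domain Users"},
}
# Group -> tag, in priority order. Squid keeps only the first tag= set on a
# transaction and ignores later ones, so exactly one tag is ever emitted.
GROUP_TAGS = [("InternetFullThrottle", "fullthrottle"),
              ("Domain Users", "standard")]

def lookup_groups(login):
    return DIRECTORY.get(login, set())

def build_reply(line, concurrent=False):
    """Reply for one request line of the form '[channel-ID ]login'. The
    channel-ID prefix exists only when external_acl_type sets concurrency=N."""
    parts = line.rstrip("\n").split(" ")
    channel = ""
    if concurrent:
        channel, parts = parts[0] + " ", parts[1:]
    if not parts or not parts[0]:
        return channel + "BH message=missing-login"  # malformed request line
    login = unquote(parts[0])  # Squid URL-encodes format values (quote=url)
    groups = lookup_groups(login)
    if not groups:
        return channel + "ERR"  # no known group: the external ACL does not match
    tag = next((t for g, t in GROUP_TAGS if g in groups), None)
    # Reply values are URL-encoded. Keys Squid does not reserve (group=) are
    # stored as transaction notes, testable with: acl <name> note group <value>
    kv = ["group=" + quote(g, safe="") for g in sorted(groups)]
    if tag:
        kv.append("tag=" + tag)  # selects the class-5 sub-pool for this request
    return channel + "OK " + " ".join(kv)

def main():
    for line in sys.stdin:  # one request per line, one reply per line
        print(build_reply(line), flush=True)

if __name__ == "__main__":
    main()
```

Wire it in with an external_acl_type line that passes %LOGIN, test the resulting ACL in http_access (the slow check where the helper actually runs), and declare the pool with delay_class 1 5 so each distinct tag= value gets its own bucket.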


[squid-users] R: delay pools

2015-10-27 Thread De Lazzari Matteo
Thank you very much Amos.
May I use a thing like this for Kerberos auth?
external_acl_type internetfullthrottle_grp children=20 ttl=3600 negative_ttl=3600 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g InternetFullThrottle -D xxx

