[squid-users] Re: [squid-users] Re: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn?

2012-03-05 Thread Jiang Wen Dong
Thank you.
But there's still a problem, !proxy_auth user will see an auth dialog window, 
that is not what I want.
I want !proxy_auth user pass through, without auth dialog window.


Jiang Wendong (姜文栋)
IT Dept.
Tel: 010-5822-3486/3481
Mobile: 13811249966
E-Mail: wendong.ji...@td-tech.com / jiangwend...@huawei.com



-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: 5 March 2012 17:11
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Re: [squid-users] How to set different maxconn number of 
proxy_auth user from default maxconn?

On 5/03/2012 8:33 p.m., Jiang Wen Dong wrote:
 This is not what I want.
 I want proxy_auth user maxconn=100, others maxconn=50.

Yes. That is what the config I wrote does.

# if user has connections = 100, deny even if logged in
# else if user is logged in, allow (up to 100)
# else if connections = 50, deny more than 50 connections
(extra lines are for good security, allowing random person on The Internet 50 
connections is not good)
# else other local clients, allow
# else deny

Amos

 -----Original Message-----
 From: Amos Jeffries

 On 05.03.2012 14:16, Jiang Wen Dong wrote:
 My English is not good, hope you can understand what I'm saying.

 I want to set default maxconn=50, and maxconn=100 for proxy_auth user.

 If I set default maxconn before proxy_auth, then proxy_auth user get
 maxconn=50, not maxconn=100.

 If I set default maxconn after proxy_auth, every user get an auth
 dialog window, which I do not want it show for !proxy_auth user.

 How to set different maxconn number of proxy_auth user from default
 maxconn?

 You are thinking about this backwards. Place the widest everybody
 limitations first. Then the highest privileged allow permissions. Then repeat 
 as you gradually restrict things.

 Like this:

acl login proxy_auth REQUIRED
acl 100cc maxconn 100
acl 50cc maxconn 50

 # nobody allowed more than 100 connections
http_access deny 100cc

 # login users the only ones allowed more than 50
http_access allow login
http_access deny 50cc

 # then other LAN clients...
http_access allow localnet

 # everything not permitted yet is not trusted for any access.
http_access deny all

 Amos


CAUTION: This message may contain privileged and confidential information 
intended only for the use of the addressee named above. If you are not the 
intended recipient of this message you are hereby notified that any use, 
distribution or reproduction of this message is prohibited. If you have 
received this message in error please notify the sender of this message 
immediately.   (  ©TD Tech Co.,Ltd)


Re: [squid-users] Re: [squid-users] Re: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn?

2012-03-05 Thread Amos Jeffries

On 5/03/2012 10:38 p.m., Jiang Wen Dong wrote:
> Thank you. But there's still a problem, !proxy_auth user will see an 
> auth dialog window, that is not what I want. I want !proxy_auth user 
> pass through, without auth dialog window.


Dialog window is a browser feature. Nothing to do with Squid.
You can use this workaround to prevent Squid asking for credentials:
  http_access allow login all

But then you have no way to perform login.

You could change this part:
  http_access allow login
  http_access deny 50cc

to:
  http_access deny 50cc login

so login popup only appears after 50 connections is reached. Users who 
can login get the extra connections, users who can't get an annoying 
popup each time they try to go past 50.


Amos





[squid-users] Re: [squid-users] Re: [squid-users] Re: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn?

2012-03-05 Thread Jiang Wen Dong
I can't make it work :(

What I want is this:

#

acl 100cc maxconn 100
acl 50cc maxconn 50
acl 20cc maxconn 20

acl ip_dst dst ...
acl website dstdom ...

acl ip_src src ...
acl user proxy ...
acl login proxy_auth REQUIRED

#

# This part must set before any http_access of proxy_auth, so auth window never popup to !proxy_auth user
# This part limit maxconn=20 to !proxy_auth user only, no effect to proxy_auth user

http_access deny 20cc !proxy_auth user only
http_access allow ip_dst
http_access allow website

#

# Special IP or login user limit maxconn=100
http_access deny 100cc
http_access allow login ip_src
http_access allow user

# Common login user limit maxconn=50
http_access deny 50cc
http_access allow login

http_access deny all





-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: 5 March 2012 17:51
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Re: [squid-users] Re: [squid-users] How to set different 
maxconn number of proxy_auth user from default maxconn?

On 5/03/2012 10:38 p.m., Jiang Wen Dong wrote:
 Thank you. But there's still a problem, !proxy_auth user will see an
 auth dialog window, that is not what I want. I want !proxy_auth user
 pass through, without auth dialog window.

Dialog window is a browser feature. Nothing to do with Squid.
You can use this workaround to prevent Squid asking for credentials:
   http_access allow login all

But then you have no way to perform login.

You could change this part:
   http_access allow login
   http_access deny 50cc

to:
   http_access deny 50cc login

so login popup only appears after 50 connections is reached. Users who can 
login get the extra connections, users who can't get an annoying popup each time 
they try to go past 50.

Amos


Re: [squid-users] Re: [squid-users] Re: [squid-users] Re: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn?

2012-03-05 Thread Amos Jeffries

On 06.03.2012 16:40, Jiang Wen Dong wrote:

> I can't make it work :(



Let's get the point about the popup clear.

  Getting the browser *never* to popup is impossible. The browser can 
decide to popup at any time, based on any kind of auth-related problems 
it has. If the user decides to clear their password manager's storage, it 
will popup. If the user is on a machine without good connectivity to the 
login server, it will popup. There is nothing you can do to prevent it.


  In order to use login tests Squid is required to ask the browser for 
login at least once. If the browser has *no* login or cannot find one 
available for use it *will* make use of the popup at that point in order 
to ask the user for one.


  *IF* the browser has access to some credentials already *AND* they 
are of a type your Squid is offering to accept, it will send those and 
no popup happens. This is where the ACL workaround in Squid takes effect, 
preventing Squid from asking a second time. Normally the browser only 
has one set of credentials and a second question will encourage its 
decision to use the popup.


  That is why and how Squid can have a hack for avoiding popups.

Understand?



Second point. VERY important.

 In HTTP logins are not per-user. They are per *request*. The first 
request on a new connection usually does not have any credentials, even 
if the user is sending credentials on many other connections already.


 Also, the modern browsers usually have an optimization that after they 
successfully send some credentials to re-use them for later requests. 
This is a *maybe*, we can usually rely on it for pipelined requests on 
one connection, but not always and we cannot rely on credentials being 
sent already on a brand new connection.


  This will cause you problems with your 20cc rules section...


> What I want is this:
>
> #
>
> acl 100cc maxconn 100
> acl 50cc maxconn 50
> acl 20cc maxconn 20
>
> acl ip_dst dst ...
> acl website dstdom ...
>
> acl ip_src src ...
> acl user proxy ...
> acl login proxy_auth REQUIRED



Also, every proxy_auth ACL you have can trigger Squid to ask for 
credentials.


 - login ACL
 - user ACL ?



> #
>
> # This part must set before any http_access of proxy_auth, so auth window never popup to !proxy_auth user
> # This part limit maxconn=20 to !proxy_auth user only, no effect to proxy_auth user
>
> http_access deny 20cc !proxy_auth user only
> http_access allow ip_dst
> http_access allow website



You did not mention the 20cc limit earlier.

Since 20cc is smaller than 100cc and 50cc it *will* be matching when 
they are supposed to be permitting access. In order to use it before 
them and the auth section you will have to make these allow lines. A 
few tricks with '!' and test order can allow your website and ip_dst 
permissions to be the deciding factor whether 20cc matters.


Like so:

  # allow if less than 20 connections AND going to website
  http_access allow !20cc website

  # allow if less than 20 connections AND going to ip_dst
  http_access allow !20cc ip_dst





> #
>
> # Special IP or login user limit maxconn=100
> http_access deny 100cc
> http_access allow login ip_src
> http_access allow user
>
> # Common login user limit maxconn=50
> http_access deny 50cc
> http_access allow login
>
> http_access deny all



Amos
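
The rule ordering argued over in this thread, as an added example (not code from the posters or from the Squid project): a simplified Python model of first-match http_access evaluation, run over the base rules quoted earlier and over the two placements of the 20-connection limit. It assumes maxconn N matches when a client has more than N connections and that testing a proxy_auth ACL without credentials ends in a challenge; the "all" workaround is not modelled. The rule-set names and the `tags` field are hypothetical.

```python
# Added example: simplified model of Squid http_access evaluation.
# Assumptions: "maxconn N" matches when the client has more than N connections;
# testing a proxy_auth ACL on a request without credentials ends in a challenge.

AMOS = """
http_access deny 100cc
http_access allow login
http_access deny 50cc
http_access allow localnet
http_access deny all
"""
# The two placements of the 20-connection limit discussed in the last message.
DENY20_FIRST = "http_access deny 20cc\n" + AMOS
ALLOW_NOT20 = "http_access allow !20cc website\n" + AMOS

def acl_matches(name, req):
    """True/False, or "CHALLENGE" when proxy_auth is tested without credentials."""
    if name.endswith("cc"):                    # 100cc, 50cc, 20cc: maxconn ACLs
        return req["conns"] > int(name[:-2])
    if name == "login":                        # acl login proxy_auth REQUIRED
        return True if req["creds"] else "CHALLENGE"
    return name == "all" or name in req["tags"]   # tags: constructed stand-ins

def http_access(rules, req):
    """First matching line wins; ACLs on a line are ANDed, left to right."""
    for line in rules.split("\n"):
        if not line.strip():
            continue
        _, action, *acls = line.split()
        for acl in acls:
            result = acl_matches(acl.lstrip("!"), req)
            if result == "CHALLENGE":
                return "challenge"
            if result == acl.startswith("!"):  # this ACL failed: skip the line
                break
        else:
            return action
    return "deny"                              # unreachable here: "deny all" is last

if __name__ == "__main__":
    cases = [(AMOS, 60, True), (AMOS, 101, True), (AMOS, 10, False),
             (DENY20_FIRST, 30, True), (ALLOW_NOT20, 10, False), (ALLOW_NOT20, 30, True)]
    for rules, conns, creds in cases:
        req = {"conns": conns, "creds": creds, "tags": {"website", "localnet"}}
        print(rules.split("\n")[0] or "base", conns, creds, "->", http_access(rules, req))
```

The third case is the auth dialog complained about in the first reply: an anonymous client reaches `allow login` before any rule that could admit it.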