On Mon, 04 Apr 2011 22:44:11 +0200, Dr. Tilmann Bubeck wrote:
> Hello!
>
> please find attached a patch for a new external_acl helper to limit
> access time to squid.
>
> The main purpose is for parental control to limit access to the
> internet for children. You can configure something like "littlejoe
> 1h/1d" which means, that littlejoe has a time quota of 1 hour every
> day.
>
> The helper must be used together with proxy_auth or ident
> authentication, so that the identity of the user is proved. It comes
> with a detailed manual page which I converted to text and included
> below to get an idea of the stuff.
>
> Please integrate this helper into the squid distribution. The license
> is GPL2+.
>
> The patch is against Squid3
> (http://bzr.squid-cache.org/bzr/squid3/trunk).
>
> I appreciate any feedback and I am willing to support the helper in
> the future.
>

Thank you.

ext_time_quota_acl.8:

* I don't think we need to mention the parental controls use-case in
the manual. That is likely to be a minor use, the more common usages
will be likely corporate "lunch-time" allocations and wifi portal
pay-per-minute installations.
* Please mention for -l that the default is to use stderr for logging
to Squid's main cache.log.
* the section on setting up authentication can also go. Along with the
SEE ALSO reference to the specific NCSA helper.
Username is just a unique key value. Any of the external_acl_type
format tags can be substituted in its place. %EXT_TAG, %LOGIN, %IDENT,
%EXT_USER, %SRC and the %SRCEUI* ones are all likely to be popular. The
wiki ConfigExamples or Feature auth section can be referenced instead of
re-writing.
* Your error message makes use of the name "key" as in "key too long".
This should be reflected in the manual page mentioning that the %LOGIN
etc is the relevant key.
NP: making mention of those above tags as options for the "key" also
removes the need for the paragraph on IDENT starting "For Unix
machines" (which is wrong, all modern OS have IDENT available in one way
or another).
* the section on defining the quotas config file should go under
"CONFIGURATION".
* under "IMPLEMENTATION" you state the helper is "called once every
minute". This is wrong. Please mention instead that the ttl=N parameter
determines this time period, the example config uses 1 minute TTL. The
interaction is that Squid will only call the helper on new requests *if*
there has been more than TTL seconds passed since last check. So the
correct description is: "at most once per TTL period".
It would also be worth mentioning that TTL creates an amount of
slippage outside the quota by whatever amount. TTL can be set as short
as desired, down to and including zero. Though values of 1 or more are
recommended due to a quota resolution of one second.

ext_time_quota_acl.cc:

* Please document that "-h" is available for command line help. In
both the manual and the usage() display.
* Accepting '-?' option as an alternative to -h is not necessary. If
used it will default.
* Please add the "-d" option setting a global "int debug_enabled" to
enable/disable debugging level information in the log.
* Please place the program_name before the FATAL/ERROR/WARNING label.
What it should look like in the log is:

    <timestamp> ext_time_quota_acl| ERROR: blah...

* The '-b' option can be made optional by passing a default database
path from the Makefile.am like this:

    DEFS += -DDEFAULT_QUOTA_DB=\"$(localstatedir)/ext_time_quota.db\"

Which makes the string macro DEFAULT_QUOTA_DB available in the .cc.

Extra ideas:

* Since we last spoke I've been thinking about the pauseLength. I have
come to the conclusion that this should be made configurable from the
command line. 300 is reasonable as a default, but may not always suit.
Please add that.
* If you want to emit the remaining time like this:
SEND_OK("message=\"Remaining quota: 35 seconds\""); we can separately
update the cachemgr reports to display the ACL cache contents and get a
report of the quota values.

Amos
Received on Tue Apr 05 2011 - 02:01:17 MDT
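
Added example (not part of the original message or of the submitted patch): a small C++ model of the TTL slippage described in the review, where Squid re-asks the helper at most once per TTL period. The helper's accounting and the meaning given to pauseLength are assumptions; simulate(), Outcome and sampleTrace() are hypothetical names.

```cpp
// Added illustration, not code from the patch under review.
#include <cstdio>
#include <vector>

struct Outcome {
    int helperCalls;   // times Squid actually consulted the helper
    int lastAllowed;   // time (s) of the last request that was let through
};

// Simplified model. requests: ascending request times in seconds.
// ttl: the external_acl_type ttl=N value. quota: seconds of use allowed.
// pauseLength: ASSUMED meaning - a gap between helper calls longer than
// this is treated as idle time and not charged against the quota.
Outcome simulate(const std::vector<int>& requests, int ttl, int quota, int pauseLength)
{
    Outcome out{0, -1};
    bool cached = false, verdict = false;
    int checkedAt = 0;   // when Squid last asked the helper
    int used = 0;        // seconds the helper has charged so far
    for (int now : requests) {
        // Squid re-asks only if more than TTL seconds passed since last check.
        if (!cached || now - checkedAt > ttl) {
            if (cached && now - checkedAt <= pauseLength)
                used += now - checkedAt;
            verdict = used < quota;
            checkedAt = now;
            cached = true;
            ++out.helperCalls;
        }
        if (verdict)
            out.lastAllowed = now;
    }
    return out;
}

// Constructed sample traffic: one request every 10 s for 20 minutes.
std::vector<int> sampleTrace()
{
    std::vector<int> t;
    for (int s = 0; s <= 1200; s += 10) t.push_back(s);
    return t;
}

int main()
{
    const int ttls[] = {0, 60, 400};
    for (int ttl : ttls) {
        Outcome o = simulate(sampleTrace(), ttl, 100, 300);
        std::printf("ttl=%d calls=%d lastAllowed=%d\n", ttl, o.helperCalls, o.lastAllowed);
    }
    return 0;
}
```

With the constructed trace and a 100 second quota, ttl=0 stops the user after the request at 90 s, while ttl=60 keeps letting requests through until 130 s. Under the assumed pauseLength rule, a ttl of 400 against a pauseLength of 300 never charges any time at all.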