Re: [squid-users] limiting connection not working 3.1.4

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 06 Dec 2011 11:13:19 +1300

 On Mon, 5 Dec 2011 14:18:51 +0000, J. Webster wrote:
> I have squid 3.1.4 but using this conf, the rate limiting to 1Mbps
> does not seem to work.

 Please consider an upgrade to 3.1.18. There are a lot of important bugs
 resolved since 3.1.4.

> What can I change in the conf / delay parameters?
>

 The default in delay pools is not to limit. You must have an explicit
 "delay_access allow" line defining what gets collected into each pool.

 ie:

> delay_pools 1
> delay_class 1 2
> delay_parameters 1 -1/-1 125000/125000

 Add:
   delay_access 1 allow all

> auth_param basic realm Myname proxy server
> auth_param basic credentialsttl 2 hours
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
> authenticate_cache_garbage_interval 1 hour
> authenticate_ip_ttl 2 hours
> acl all src 0.0.0.0/0.0.0.0

 Erase the "acl all" line in squid-3. It is defined by default to a
 different value. This will silence several warnings.

 <snip>
> http_access deny manager
> http_access allow ncsa_users

 So all logged in users have unlimited access?

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access deny maxuser

 These deny rules are placed below the allow rule letting ALL logged in
 users through.
 This means that for all machines on the Internet which can supply one
 of your users' insecure plain-text logins:
  * the safe_ports rule preventing viral and P2P abuse relaying through
 Squid has no effect
  * the CONNECT rule preventing blind binary tunneling of data to any
 protocol port through Squid has no effect.
  * your maxuser policy has no effect.

> http_access allow localhost
> http_access deny all
> icp_access allow all
> http_port 8080
> http_port xx.xx.xx.xx:80

 And what are you expecting to arrive over port 80?
 That port is reserved for reverse-proxy and origin server traffic.

 It seems like you intended reverse-proxy or interception but have a
 wrong config for it.

 <snip>
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

 Drop this QUERY stuff.

> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%    1440

 Add:
   refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern .               0    20%     4320
 <snip>

> visible_hostname MyNameProxyServer

 Funny domain name. I hope that is obfuscated for the post not in the
 config.
 This is the domain name used in URLs your clients get told to use for
 Squid error and FTP page icons. If it does not resolve back to this or
 another Squid your clients will be facing page load problems on those
 generated responses.

 HTH
 Amos
Received on Mon Dec 05 2011 - 22:13:23 MST
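
The rule-ordering point in the message above (deny lines placed below "http_access allow ncsa_users"), as an added example that is not part of the original message: a small Python model of first-match http_access evaluation, run over the posted rule order and a constructed reordering. The reordered list, the parse/decide helpers and the sample request are assumptions for illustration; which ACLs a request matches is supplied as a set of names rather than computed.

```python
# Added example: minimal model of Squid's http_access evaluation. Lines are
# checked top-down and the first line whose ACLs all match decides.

# Rule order as posted in the quoted config (snipped lines omitted).
POSTED = """\
http_access deny manager
http_access allow ncsa_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny maxuser
http_access allow localhost
http_access deny all
"""

# Constructed reordering (assumption): same rules, denies ahead of the allow.
REORDERED = """\
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny maxuser
http_access allow ncsa_users
http_access allow localhost
http_access deny all
"""

def parse(conf):
    """Return [(action, [acl, ...]), ...] for each http_access line."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules

def decide(conf, matching):
    """Return (action, rule) for a request that matches the ACL names given."""
    for action, acls in parse(conf):
        # ACLs on one line are ANDed; a leading "!" negates that ACL.
        if all((a[1:] not in matching) if a.startswith("!") else (a in matching)
               for a in acls):
            return action, " ".join(["http_access", action, *acls])
    return "deny", None  # not reached while the list ends in "deny all"

if __name__ == "__main__":
    request = {"all", "ncsa_users", "CONNECT"}  # constructed: logged-in user, CONNECT to an unlisted port
    for name, conf in (("posted", POSTED), ("reordered", REORDERED)):
        print(name, decide(conf, request))
```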
