Re: [squid-users] Re: [squid-users] Re: [squid-users] Re: [squid-users] How to set different maxconn number of proxy_auth user from default maxconn?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 06 Mar 2012 17:57:53 +1300

On 06.03.2012 16:40, Jiang Wen Dong wrote:
> I can't make it work :(
>

Let's get the point about the popup clear.

   Getting the browser *never* to popup is impossible. The browser can
decide to popup at any time, based on any kind of auth-related problems
it has. If the user decides to clear their password manager's storage, it
will popup. If the user is on a machine without good connectivity to the
login server, it will popup. There is nothing you can do to prevent it.

   In order to use login tests Squid is required to ask the browser for
login at least once. If the browser has *no* login or cannot find one
available for use it *will* make use of the popup at that point in order
to ask the user for one.

   *IF* the browser has access to some credentials already *AND* they
are of a type your Squid is offering to accept, it will send those and
no popup happens. This is where the ACL workaround in Squid takes effect,
preventing Squid from asking a second time. Normally the browser only
has one set of credentials, and a second question will encourage its
decision to use the popup.

   That is why and how Squid can have a hack for avoiding popups.

Understand?

Second point. VERY important.

  In HTTP, logins are not per-user. They are per *request*. The first
request on a new connection usually does not have any credentials, even
if the user is sending credentials on many other connections already.

  Also, modern browsers usually have an optimization that, after they
successfully send some credentials, re-uses them for later requests.
This is a *maybe*: we can usually rely on it for pipelined requests on
one connection, but not always, and we cannot rely on credentials being
sent already on a brand new connection.

   This will cause you problems with your 20cc rules section...

> What I want is this:
>
>
> #----------------------------------------------------------------------------------------------------------------
>
> acl 100cc maxconn 100
> acl 50cc maxconn 50
> acl 20cc maxconn 20
>
> acl ip_dst dst ...
> acl website dstdom ...
>
> acl ip_src src ...
> acl user proxy ...
> acl login proxy_auth REQUIRED
>

Also, every proxy_auth ACL you have can trigger Squid to ask for
credentials.

  - "login" ACL
  - "user" ACL ?

>
> #----------------------------------------------------------------------------------------------------------------
>
> # This part must be set before any http_access of proxy_auth, so the auth
> window never pops up for !proxy_auth users
> # This part limits maxconn=20 to !proxy_auth users only, with no effect on
> proxy_auth users
>
> http_access deny 20cc <!proxy_auth user only>
> http_access allow ip_dst
> http_access allow website

You did not mention the 20cc limit earlier.

Since 20cc is smaller than 100cc and 50cc it *will* be matching when
they are supposed to be permitting access. In order to use it before
them and the auth section you will have to make these "allow" lines. A
few tricks with '!' and test order can allow your website and ip_dst
permissions to be the deciding factor whether 20cc matters.

Like so:

   # allow if less than 20 connections AND going to website
   http_access allow !20cc website

   # allow if less than 20 connections AND going to ip_dst
   http_access allow !20cc ip_dst

>
>
> #----------------------------------------------------------------------------------------------------------------
>
> # Special IP or login user limit maxconn=100
> http_access deny 100cc
> http_access allow login ip_src
> http_access allow user
>
> # Common login user limit maxconn=50
> http_access deny 50cc
> http_access allow login
>
> http_access deny all
>

Amos
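As an added illustration of the ordering point Amos makes above (this is not code from the thread or from Squid itself), here is a toy Python evaluator that models Squid's first-match http_access semantics using the ACL names from this exchange. It assumes a maxconn ACL matches when the client already holds more than N connections, and it treats the poster's unclear "user" ACL as proxy_auth restricted to the special users; both are modelling assumptions.

```python
# Added example (not from the thread or Squid): a toy first-match evaluator
# for the http_access ordering discussed above. Assumed semantics: "maxconn N"
# matches when the client already holds MORE than N connections; proxy_auth
# matches only when the request carries accepted credentials (an
# unauthenticated request would be challenged instead, i.e. the popup case).
from dataclasses import dataclass

@dataclass
class Client:
    conns: int            # connections this client already holds
    authed: bool          # request carries valid proxy credentials
    special: bool         # matches the special-case "ip_src" / "user" ACLs
    whitelisted: bool     # destination matches "website" or "ip_dst"

def acl(name, c):
    """Evaluate one ACL (optionally negated with '!') against a client."""
    neg = name.startswith("!")
    n = name.lstrip("!")
    if n.endswith("cc"):                  # 100cc / 50cc / 20cc = maxconn N
        hit = c.conns > int(n[:-2])
    elif n == "login":                    # proxy_auth REQUIRED
        hit = c.authed
    elif n == "user":                     # assumed: proxy_auth for listed users
        hit = c.authed and c.special
    elif n == "ip_src":
        hit = c.special
    elif n in ("website", "ip_dst"):
        hit = c.whitelisted
    elif n == "all":
        hit = True
    else:
        raise ValueError("unknown acl " + n)
    return hit != neg

def http_access(rules, c):
    """First line whose ACLs all match wins; if none match, the result is
    the opposite of the last line's action (Squid's default)."""
    for action, *acls in rules:
        if all(acl(a, c) for a in acls):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

# The posted order: a plain "deny 20cc" sits before the auth section.
POSTED = [("deny", "20cc"), ("allow", "ip_dst"), ("allow", "website"),
          ("deny", "100cc"), ("allow", "login", "ip_src"), ("allow", "user"),
          ("deny", "50cc"), ("allow", "login"), ("deny", "all")]
# The rework from the reply: 20cc only decides the website / ip_dst cases.
REWORKED = [("allow", "!20cc", "website"), ("allow", "!20cc", "ip_dst"),
            ("deny", "100cc"), ("allow", "login", "ip_src"), ("allow", "user"),
            ("deny", "50cc"), ("allow", "login"), ("deny", "all")]
```

Running `http_access(POSTED, Client(60, True, True, False))` shows the special user with 60 connections being denied by the early "deny 20cc", while the reworked order lets that same client through via the 100-connection section.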
Received on Tue Mar 06 2012 - 04:57:58 MST
