Re: [squid-users] Rate limiting inbound requests in squid conf

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 25 Nov 2012 02:06:37 +1300

On 24/11/2012 2:18 a.m., Sekar Duraisamy wrote:
> Hi Amos,
>
> Could you help me on this?

Just to point you at the same things Eliezer already pointed out.

Why are you asking this question? Rate limiting on a proxy goes against
the very principles of what proxies are created to do. Which is to serve
as much traffic as fast as possible and reduce the load on upstream
servers at the same time.

So, what problem exactly are you trying to cope with?

>> Hi Eliezer,
>>
>> Ok. I can try with external_acl ... I need to configure the domain
>> based dropping / min /sec..
>>
>> Could you please give me an examples ?

Examples on how to configure Squid with helpers are common. If you test
every request using an external_acl_type helper all you need to do to
add rate-limiting on your clients' response rate is to write one which
rate-limits the responses it sends back to Squid. e.g. Squid cannot
service the client request until after that ACL has responded. It can
either respond slowly, or respond with a reject for over-limit requests.
  As Eliezer already mentioned, this is a pretty terrible way to do it
though. Squid can be configured to respond with "deny_info TCP_RESET
yourACL", or a regular Access Denied page (the default). But both of
those ways screw up the client connection rather than just limiting speed.

We cannot just give you an example of a helper because your needs will
not be the same as anyone else's, even if lots of people want "rate
limiting" the details of what your network is doing, what clients to
limit, when and how much are different everywhere. I can write one just
for you, but since it would not be of use to anyone else I do not do
that for free. (I charge $70 per hour for coding work. Contact me
offline if you want to pay.)

Probably easier to do it yourself though. You can make a script to do
the work in any scripting language you are familiar with.
http://www.squid-cache.org/Doc/config/external_acl_type/
http://wiki.squid-cache.org/Features/AddonHelpers#Access_Control_.28ACL.29

It is *definitely* better to do rate limiting at the packet level.

Amos

>>
>> It would be very great help.
>>
>> Thanks,
>> Sekar
>>
>> On Fri, Nov 23, 2012 at 5:52 PM, Eliezer Croitoru <eliezer_at_ngtech.co.il> wrote:
>>> Hey Sekar,
>>>
>>> Basic IPTABLES setup should be able to do that for you.
>>> it's better to do it in IPTABLES level than doing it in the upper level of
>>> the application such as squid.
>>> It will allow the request to be rejected\close properly in the network level
>>> while what squid will prefer or will send error page instead of the content
>>> which I don't really like.
>>>
>>> If you are willing to sacrifice some performance you can use external_acl to
>>> count the requests per sec per ip and to allow or deny by that the request
>>> and present to the client a deny_info.
>>>
>>> Regards,
>>> Eliezer
>>>
>>>
>>> On 11/23/2012 1:55 PM, Sekar Duraisamy wrote:
>>>> Hi Team,
>>>>
>>>> Can we limit the inbound request rate in Squid configuration like 30
>>>> request/min , 10 request/sec like this regardless of the size.
>>>>
>>>> Thanks,
>>>> Sekar
>>>>
>>> --
>>> Eliezer Croitoru
>>> https://www1.ngtech.co.il
>>> sip:ngtech_at_sip2sip.info
>>> IT consulting for Nonprofit organizations
>>> eliezer <at> ngtech.co.il
Received on Sat Nov 24 2012 - 13:07:00 MST
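
Added example (not part of the original thread and not code from the Squid project): a minimal external_acl_type helper of the kind discussed above, rejecting requests beyond the 10 requests/sec and 30 requests/min figures from the original question, counted per client IP and destination domain. The helper path, the ACL names and the squid.conf wiring in the docstring are assumptions.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: per-client, per-domain request rate limit.

Assumed squid.conf wiring (helper path and ACL names are hypothetical):
  external_acl_type ratelimit ttl=0 negative_ttl=0 children-max=1 %SRC %DST /usr/local/bin/ratelimit_helper.py
  acl within_rate external ratelimit
  http_access deny !within_rate
ttl=0 stops Squid caching verdicts; one child keeps all counters in one process.
"""
import sys
import time
from collections import defaultdict, deque

# (window seconds, max requests) pairs taken from the question in the thread.
LIMITS = ((1.0, 10), (60.0, 30))
MAX_WINDOW = max(w for w, _ in LIMITS)

_history = defaultdict(deque)  # key -> timestamps of accepted requests


def allow(key, now):
    """Sliding-window check; records the request only when it is accepted."""
    stamps = _history[key]
    while stamps and now - stamps[0] >= MAX_WINDOW:
        stamps.popleft()  # forget requests older than the longest window
    for window, limit in LIMITS:
        recent = sum(1 for t in stamps if now - t < window)
        if recent >= limit:
            return False
    stamps.append(now)
    return True


def handle_line(line, now=None):
    """Map one Squid lookup line ('<src-ip> <dst-host>') to 'OK' or 'ERR'."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"  # malformed input fails closed
    src, dst = fields
    now = time.monotonic() if now is None else now
    return "OK" if allow((src, dst.lower()), now) else "ERR"


if __name__ == "__main__":
    for request in sys.stdin:  # Squid writes one lookup per line
        sys.stdout.write(handle_line(request) + "\n")
        sys.stdout.flush()  # Squid waits for each answer, so never buffer
```

Rejected requests are not recorded, so a client is admitted again as soon as a window has room. Idle keys are never evicted, so a long-running deployment would also need a periodic sweep of the history table.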
