RE: [squid-users] max_user_ip

From: <sgmayo@dont-contact.us>
Date: Fri, 2 Dec 2005 17:25:43 -0600 (CST)

>>>> -----Original Message-----
>>>> From: Scott Mayo [mailto:sgmayo@mail.bloomfield.k12.mo.us]
>>>> Sent: Friday, December 02, 2005 6:11 AM
>>>> To: squid
>>>> Subject: [squid-users] max_user_ip
>>>>
>>>>
>>>> If I want to make it to where each user can only be logged onto the
>>>> internet from one workstation at a time, do I need to add:
>>>>
>>>> acl <domainusers> max_user_ip -s 1
>>>>
>>>> Is there anything else I need to change, like the authenticate_ttl?
>>>> If so what should I set that to? If I set the authenticate_ttl to
>>>> something like 5 hours, that just means that squid will keep the
>>>> authentication for 5 hours when they are still logged onto the
>>>> internet correct? If they actually close the web browser, they could
>>>> go directly to another machine or open the browser back up on this
>>>> machine and get back on, they would not have to wait 5 hours would
>>>> they? If I read this correctly, then the 5 hours is just alive as
>>>> long as that one instance of the web browser is open..or until the 5
>>>> hours is up.
>>>>
>>>> Thanks.
>>>>
>>>> -- Scott Mayo
>>>
>>> I'll quote squid.conf.default here as I think it lays it out pretty
>>> clearly:
>>>
>>> # acl aclname max_user_ip [-s] number
>>> # # This will be matched when the user attempts to log in from more
>>> # # than <number> different ip addresses. The authenticate_ip_ttl
>>> # # parameter controls the timeout on the ip entries.
>>>
>>> and
>>>
>>> # TAG: authenticate_ip_ttl
>>> # If you use proxy authentication and the 'max_user_ip' ACL, this
>>> # directive controls how long Squid remembers the IP addresses
>>> # associated with each user. Use a small value (e.g., 60 seconds) if
>>> # your users might change addresses quickly, as is the case with
>>> # dialups. You might be safe using a larger value (e.g., 2 hours) in a
>>> # corporate LAN environment with relatively static address assignments.
>>>
>>> and
>>>
>>> # TAG: authenticate_ttl
>>> # The time a user & their credentials stay in the logged in user cache
>>> # since their last request. When the garbage interval passes, all user
>>> # credentials that have passed their TTL are removed from memory.
>>>
>>> If your authentication mechanism is slow, bump up the authenticate_ttl.
>>> If your users hop computers often, keep authenticate_ip_ttl low.
>>>
>>> Chris
>>>
>>
>> This is what I had been reading. So from what it says, they will not be
>> able to open a 2nd browser until the authenticate_ttl is up.
>
> authenticate_ip_ttl, not authenticate_ttl. They are different.
>
>> That kind of makes things tough, if it is set to so many hours, then
>> they cannot open a 2nd browser up for quite a while once the 1st is
>> closed, but if I set it very low, then they could just be opening
>> browsers up all over the place (which is what I am trying to avoid).
>
> So set it somewhere in between. If you set authenticate_ip_ttl for 5
> minutes, then one login being shared on multiple computers would cause a
> fair bit of disruption: one computer would have exclusive access for 5
> minutes, the others would be denied. After 5 minutes access would be
> up-for-grabs and whoever got it would have exclusive access for 5
> minutes.
>
>>
>> It looks like it should clear the cache out as soon as they log off
>> the browser and reset the ttl. I guess that is more what I am wanting
>> to do. I'll go back through the squid.conf to see if I can find a way
>> to do that.
>
> HTTP is a stateless protocol. There is no method of saying "Thanks, I'm
> done browsing now" other than session cookies. Using a cookie based
> authentication method is possible, but not trivial. Perhaps it is what
> you are looking for. It's a good deal more work but it's more flexible.
>
>>
>> Thanks.
>> Scott
>>
>>
>
> Chris
>

Thanks for the information. That is what I was needing to hear I guess.
I don't want students to be able to share passwords and be on the internet
at the same time, but I also run into the trouble that a user may log
in and then move to a different computer within 30 seconds to a minute.
With what I was reading in the squid.conf.default, I saw no way to handle
this, which it looks like I cannot from what you say without some sort of
'session cookie'.

Thanks again, I will see what I can find on this.
Scott
Received on Fri Dec 02 2005 - 15:18:39 MST
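
The two timers discussed in this thread, placed side by side in a squid.conf fragment. This is an added example, not configuration posted by anyone in the thread; it assumes an authentication scheme is already configured with auth_param, the ACL names authed_users and too_many_ips are hypothetical, the 5 minute value is the one suggested in the reply above, and the 1 hour value is a constructed sample.

```conf
# Constructed example: one workstation per login at a time.
# Assumes auth_param is already configured elsewhere in squid.conf.
# ACL names below (authed_users, too_many_ips) are hypothetical.

# Every request must carry valid proxy credentials.
acl authed_users proxy_auth REQUIRED

# Matches when a user name is seen from more than 1 IP address.
# -s makes the limit strict: further addresses are refused until the
# remembered address times out (see authenticate_ip_ttl below).
acl too_many_ips max_user_ip -s 1

# How long Squid remembers the IP address tied to a user name.
# This is the timer that decides how soon a user can move to another
# workstation, and how long a shared password stays locked to one machine.
authenticate_ip_ttl 5 minutes

# How long validated credentials stay in the logged-in user cache since
# the user's last request. It only saves calls to the auth helper and
# plays no part in the one-workstation limit.
authenticate_ttl 1 hour

# Order matters: demand credentials, then apply the address limit,
# then allow authenticated users, then refuse everything else.
http_access deny !authed_users
http_access deny too_many_ips
http_access allow authed_users
http_access deny all
```

With these values a user who changes workstations waits up to 5 minutes before the new address is accepted, which is the trade-off described in the messages above.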