Re: [squid-users] Squid allow only 2 max connections per IP

From: Chris Robertson <crobertson@dont-contact.us>
Date: Fri, 10 Aug 2007 12:55:09 -0800

eXtremer wrote:
> Here is my config:
>
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563 444
> acl Safe_ports port 80 # http
> #acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> #acl Safe_ports port 70 # gopher
> #acl Safe_ports port 210 # wais
> #acl Safe_ports port 1025-65535 # unregistered ports
> #acl Safe_ports port 280 # http-mgmt
> #acl Safe_ports port 488 # gss-http
> #acl Safe_ports port 591 # filemaker
> #acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> #-------------Maximum connections per IP-------------
> acl maxcon maxconn 2
>
> #--------------Network 145------------------
> acl 145a src "/etc/squid/allow/145a.allow"
> acl 145b src "/etc/squid/allow/145b.allow"
>
> acl 145c src 192.168.41.200/32
>
> #-----------------------Restrictions-----------------------
>
> #---Restriction for maximum connections----
> http_access deny maxcon all
>

The "all" here should be the first acl referenced on the line or it will
prevent your deny_info message from being shown.

e.g. "http_access deny all maxcon"

> deny_info ERR_MAXCON maxcon
>
> #---Restriction for everyone except room 145---
> http_access deny all !145a !145b !145c !localhost
>
> #Recommended minimum configuration:
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports !SSL_ports
> http_access deny CONNECT !SSL_ports
> ------------------------------------------------------------------
>
> This is a part of my squid.conf
> I don't know but maxcon is not working in my case.
> If it's like this : http_access deny maxcon all <= then not even one
> connection is allowed.
>

Hmmm... Have you tested this with a single connection downloader (such
as squid-client) or by using a browser to download a non-referencing
object (such as an image file)? This looks like the proper usage of the
maxconn acl. You might try upping the debugging (see the debug_options
in squid.conf), and watch what your cache.log reports.

> If it's like this: http_access allow all !maxcon <= then all connections are
> allowed.
>

This would not be such a good idea given the way your http_access lines
are set up, as it would prevent any of the Safe_port and SSL_port checks
later in the list.

> Somebody tell me how to configure in such a way that maxconn feature will
> work in my case,
> waiting for a reply, 10x in advance.
>
> P.S.: client_db is ON.
>

Chris
Received on Fri Aug 10 2007 - 14:55:25 MDT
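
The two ordering points raised in this thread (which ACL selects the deny_info page, and why an early "allow all !maxcon" skips the later port checks) can be traced with a small model of http_access evaluation. This is an added example, not part of the original messages and not Squid code; the per-request ACL results are constructed by hand, and the function names are hypothetical.

```python
# Added example: a small model of Squid's http_access evaluation, not Squid code.
# Each ACL's true/false result for a request is supplied by hand (constructed).

def parse(conf):
    """Return [(action, [(acl_name, negated), ...])] for each http_access line."""
    rules = []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], [(t.lstrip("!"), t.startswith("!")) for t in tok[2:]]))
    return rules

def evaluate(conf, acl_state, deny_info):
    """Lines are checked top-down; ACLs on one line are ANDed; first match wins.
    On a deny, the error page is looked up by the LAST ACL on the matching line."""
    rules = parse(conf)
    for action, acls in rules:
        if all(acl_state.get(name, False) != negated for name, negated in acls):
            page = deny_info.get(acls[-1][0]) if action == "deny" else None
            return action, page
    # No line matched: Squid applies the opposite of the last line's action.
    return ("allow" if rules[-1][0] == "deny" else "deny"), None

TAIL = """
http_access deny all !145a !145b !145c !localhost
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports !SSL_ports
http_access deny CONNECT !SSL_ports
"""
DENY_INFO = {"maxcon": "ERR_MAXCON"}          # deny_info ERR_MAXCON maxcon

# Constructed requests from a host listed in 145a.
over_limit = {"all": True, "145a": True, "maxcon": True, "Safe_ports": True}
odd_port = {"all": True, "145a": True, "maxcon": False}   # port in neither list

def demo():
    return {
        "posted": evaluate("http_access deny maxcon all" + TAIL, over_limit, DENY_INFO),
        "reordered": evaluate("http_access deny all maxcon" + TAIL, over_limit, DENY_INFO),
        "allow_first": evaluate("http_access allow all !maxcon" + TAIL, odd_port, DENY_INFO),
        "deny_first": evaluate("http_access deny all maxcon" + TAIL, odd_port, DENY_INFO),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} -> {result}")
```

A page value of None means no custom deny_info page was selected for that decision.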
