RE: [squid-users] Disable user accounts

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 22 Mar 2010 23:05:42 +0000

On Mon, 22 Mar 2010 16:26:26 -0600, "David Parks" <davidparks21_at_yahoo.com>
wrote:
> So, if I understand correctly, squid has no way for me to force a user
> account to be expired or cleared prematurely. Setting the
> nonce_max_duration low wouldn't block a user with a constant stream of
> traffic, say watching a video for example.

Even obsolete auth details won't block an existing stream.
The key word there is "prematurely".

>
> If the above statements are correct, then do you have any thoughts on
> how

They are not quite.

> challenging a change like this would be at the code level? For example,
> having a command similar to "squid -k reconfigure" (e.g. "squid -r
> user_to_expire") in which case squid would simply expire the given
> credentials, thus "tricking" squid into re-authenticating on demand?

-k reconfigure and -k restart will break client connections in current
Squid.

>
> If user credentials are simply a table in memory this seems conceptually
> simple to accomplish. Though I'm a java developer and haven't touched
> C/++ in many years, so I'm not sure this is worth considering unless you
> think it's as simple as it seems like it could be.

The user credentials are tagged data associated with each request. They
exist for as long as the request is ongoing. Some are also attached to
specific TCP connections and live as long as the connection or until new
auth data is received inside the connection.

I say your statements above are "not quite" because of this:
http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F

>
> Thanks!
> Dave
>
> p.s. my purpose in following this line of questioning is to monitor log
> files for per user traffic, and after a user exceeds their data transfer
> quota, I need to block further access. I don't want to slow access for
> users
> within their quota.
>

Real quota control is something that has long been wanted in Squid and the
groundwork has almost finished being laid into 3.2 but nobody yet has the
time to actually implement the feature.
http://wiki.squid-cache.org/Features/Quota

Amos
Received on Mon Mar 22 2010 - 23:05:48 MDT
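
The log-monitoring half of the quota scheme described in the p.s. above, as an added example that is not part of the original message or of Squid itself. It assumes Squid's native access.log format with the authenticated user name in the eighth field; the sample lines, function names and quota values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample lines in the native "squid" logformat:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1269298800.123    250 192.0.2.10 TCP_MISS/200 600000 GET http://example.com/a.flv alice DIRECT/198.51.100.5 video/x-flv
1269298805.456     80 192.0.2.11 TCP_HIT/200 1500 GET http://example.com/logo.png bob NONE/- image/png
1269298810.789    300 192.0.2.10 TCP_MISS/200 500000 GET http://example.com/b.flv alice DIRECT/198.51.100.5 video/x-flv
1269298811.000      5 192.0.2.12 TCP_DENIED/407 1800 GET http://example.com/ - NONE/- text/html
truncated line
"""


def usage_by_user(lines):
    """Sum the bytes delivered to each authenticated user."""
    usage = defaultdict(int)
    for line in lines:
        fields = line.split()
        if len(fields) < 10:
            continue  # malformed or truncated entry
        user = fields[7]
        if user == "-":
            continue  # no credentials on this request (e.g. a 407 challenge)
        try:
            size = int(fields[4])
        except ValueError:
            continue  # byte count is not a number; skip rather than guess
        usage[user] += size
    return dict(usage)


def over_quota(usage, default_quota, per_user_quota=None):
    """Return the sorted user names whose usage exceeds their quota."""
    per_user_quota = per_user_quota or {}
    return sorted(
        user for user, used in usage.items()
        if used > per_user_quota.get(user, default_quota)
    )


if __name__ == "__main__":
    usage = usage_by_user(SAMPLE_LOG.splitlines())
    for user in over_quota(usage, default_quota=1_000_000):
        print(user)
```

Squid writes an access.log entry when a request completes, so a long-running transfer is counted only after it ends; how the resulting list is fed back into Squid's access controls is left out here.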
