Re: [squid-users] limiting connections

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 25 Mar 2012 11:31:39 +1300

On 25/03/2012 7:23 a.m., Carlos Manuel Trepeu Pupo wrote:
> On Thu, Mar 22, 2012 at 10:00 PM, Amos Jeffries wrote:
>> On 23/03/2012 5:42 a.m., Carlos Manuel Trepeu Pupo wrote:
>>> I need to block each user to make just one connection to download
>>> specific extension files, but I don't know how to tell that can make
>>> just one connection to each file and not just one connection to every
>>> file with this extension.
>>>
>>> i.e:
>>> www.google.com #All connection that required
>>> www.any.domain.com/my_file.rar #just one connection to that file
>>> www.other.domain.net/other_file.iso #just connection to this file
>>> www.other_domain1.com/other_file1.rar #just one connection to that file
>>>
>>> I hope you understand me and can help me, I have my boss hurrying me !!!
>>
>> There is no easy way to test this in Squid.
>>
>> You need an external_acl_type helper which gets given the URI and decides
>> whether it is permitted or not. That decision can be made by querying Squid
>> cache manager for the list of active_requests and seeing if the URL appears
>> more than once.
> Hello Amos, following your instructions I make this external_acl_type helper:
>
> #!/bin/bash
> result=`squidclient -h 192.168.19.19 mgr:active_requests | grep -c "$1"`
> if [ $result -eq 0 ]
> then
> echo 'OK'
> else
> echo 'ERR'
> fi
>
> # If I have the same URI then I denied. I made a few tests and it works
> for me. The problem is when I add the rule to the squid. I made this:
>
> acl extensions url_regex "/etc/squid3/extensions"
> external_acl_type one_conn %URI /home/carlos/script
> acl limit external one_conn
>
> # where extensions have:
> \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|mpg|wma|ogg|wmv|asx|asf|deb|rpm|exe|zip|tar|tgz|rar|ppt|doc|tiff|pdf)$
>
> http_access deny extensions limit
>
>
> So when I make squid3 -k reconfigure the squid stop working
>
> What can be happening ???

* The helper needs to be running in a constant loop.
You can find an example at
http://bazaar.launchpad.net/~squid/squid/3.2/view/head:/helpers/url_rewrite/fake/url_fake_rewrite.sh
although that is a re-writer and you do need to keep the OK/ERR for
external ACL.

* "eq 0" - there should always be 1 request matching the URL. Which is
the request you are testing to see if it's >1 or not. You are wanting to
deny for the case where there are *2* requests in existence.

* ensure you have manager requests from localhost not going through the
ACL test.

Amos
Received on Sat Mar 24 2012 - 22:31:44 MDT
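
The looping helper described in the reply above, as an added example that is not part of the original message or of the Squid project's code. It assumes that mgr:active_requests prints one "uri <URL>" line per in-flight request; the "serve" argument, the ONE_CONN_SAMPLE switch and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: looping external ACL helper.
# Assumption: mgr:active_requests prints one "uri <URL>" line per in-flight request.
MGR_HOST="${MGR_HOST:-192.168.19.19}"   # manager address used in the thread's script

# Constructed sample report, used when ONE_CONN_SAMPLE=1 so the logic runs offline.
SAMPLE='Connection: 0x1
uri http://www.any.domain.com/my_file.rar
logType TCP_MISS
Connection: 0x2
uri http://www.any.domain.com/my_file.rar
Connection: 0x3
uri http://www.other.domain.net/other_file.iso'

fetch_active_requests() {
    if [ "${ONE_CONN_SAMPLE:-0}" = 1 ]; then
        printf '%s\n' "$SAMPLE"
    else
        # stdin is redirected so the query cannot consume Squid's lookup lines
        squidclient -h "$MGR_HOST" mgr:active_requests </dev/null
    fi
}

# Count in-flight requests whose URI equals $1 exactly. The URI is passed through
# the environment and compared as a string, so it is never treated as a pattern.
count_requests() {
    fetch_active_requests |
        URI="$1" awk '$1 == "uri" && $2 == ENVIRON["URI"] { n++ } END { print n + 0 }'
}

# The request being tested is itself in the list, so one match is normal.
# Answer ERR only when a second request for the same URL is already active.
decide() {
    if [ "$(count_requests "$1")" -gt 1 ]; then echo ERR; else echo OK; fi
}

# Squid keeps the helper running and writes one lookup per line on stdin;
# answer each line and keep reading until Squid closes the pipe.
serve() {
    while read -r uri _rest; do
        decide "$uri"
    done
}

# "serve" is this example's own argument, to be passed on the external_acl_type line.
if [ "${1:-}" = "serve" ]; then serve; fi
```

With these answers the ACL matches (OK) while the download is allowed, so a deny rule built on it would test the negated ACL, for example `http_access deny extensions !limit`. Setting `ttl=0 negative_ttl=0` on the external_acl_type line keeps Squid from caching an answer that depends on the live request list.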
