Re: [squid-users] limiting connections

On 27.03.2012 10:13, Carlos Manuel Trepeu Pupo wrote:
> On Sat, Mar 24, 2012 at 6:31 PM, Amos Jeffries <squid3_at_treenet.co.nz>
> wrote:
>> On 25/03/2012 7:23 a.m., Carlos Manuel Trepeu Pupo wrote:
>>
>>> On Thu, Mar 22, 2012 at 10:00 PM, Amos Jeffries wrote:
>>>>
>>>> On 23/03/2012 5:42 a.m., Carlos Manuel Trepeu Pupo wrote:
>>>>>
>>>>> I need to block each user to make just one connection to download
>>>>> specific extension files, but I dont know how to tell that can
>>>>> make
>>>>> just one connection to each file and not just one connection to
>>>>> every
>>>>> file with this extension.
>>>>>
>>>>> i.e:
>>>>> www.google.com #All connection that required
>>>>> www.any.domain.com/my_file.rar #just one connection to that file
>>>>> www.other.domain.net/other_file.iso #just connection to this file
>>>>> www.other_domain1.com/other_file1.rar #just one connection to
>>>>> that file
>>>>>
>>>>> I hope you understand me and can help me, I have my boss hurrying
>>>>> me !!!
>>>>
>>>>
>>>> There is no easy way to test this in Squid.
>>>>
>>>> You need an external_acl_type helper which gets given the URI and
>>>> decides
>>>> whether it is permitted or not. That decision can be made by
>>>> querying
>>>> Squid
>>>> cache manager for the list of active_requests and seeing if the
>>>> URL
>>>> appears
>>>> more than once.
>>>
>>> Hello Amos, following your instructions I make this
>>> external_acl_type
>>> helper:
>>>
>>> #!/bin/bash
>>> result=`squidclient -h 192.168.19.19 mgr:active_requests | grep -c
>>> "$1"`
>>> if [ $result -eq 0 ]
>>> then
>>> echo 'OK'
>>> else
>>> echo 'ERR'
>>> fi
>>>
>>> # If I have the same URI then I denied. I make a few test and it
>>> work
>>> for me. The problem is when I add the rule to the squid. I make
>>> this:
>>>
>>> acl extensions url_regex "/etc/squid3/extensions"
>>> external_acl_type one_conn %URI /home/carlos/script
>>> acl limit external one_conn
>>>
>>> # where extensions have:
>>>
>>>
>>> \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|mpg|wma|ogg|wmv|asx|asf|deb|rpm|exe|zip|tar|tgz|rar|ppt|doc|tiff|pdf)$
>>>
>>> http_access deny extensions limit
>>>
>>>
>>> So when I make squid3 -k reconfigure the squid stop working
>>>
>>> What can be happening ???
>>
>>
>> * The helper needs to be running in a constant loop.
>> You can find an example
>>
>> http://bazaar.launchpad.net/~squid/squid/3.2/view/head:/helpers/url_rewrite/fake/url_fake_rewrite.sh
>> although that is re-writer and you do need to keep the OK/ERR for
>> external
>> ACL.
>
> Sorry, this is my first helper, I do not understand the meaning of
> running in a constant loop, in the example I see something like I do.
> Making some test I found that without this line :
> result=`squidclient -h 192.168.19.19 mgr:active_requests | grep -c
> "$1"`
> the helper not crash, dont work event too, but do not crash, so i
> consider this is in some way the problem.

Squid starts helpers then uses the STDIN channel to pass it a series of
requests, reading STDOUt channel for the results. The helper once
started is expected to continue until a EOL/close/terminate signal is
received on its STDIN.

Your helper is exiting without being asked to be Squid after only one
request. That is logged by Squid as a "crash".

>
>>
>> * "eq 0" - there should always be 1 request matching the URL. Which
>> is the
>> request you are testing to see if its >1 or not. You are wanting to
>> deny for
>> the case where there are *2* requests in existence.
>
> This is true, but the way I saw was: "If the URL do not exist, so
> can't be duplicate", I think isn't wrong !!

It can't not exist. Squid is already servicing the request you are
testing about.

Like this:

  receive HTTP request -> (count=1)
   - test ACL (count=1 -> OK)
   - done (count=0)

  receive a HTTP request (count-=1)
  - test ACL (count=1 -> OK)
  receive b HTTP request (count=2)
   - test ACL (count=2 -> ERR)
   - reject b (count=1)
  done a (count=0)

>
>>
>> * ensure you have manager requests form localhost not going through
>> the ACL
>> test.
>
> I was making this wrong, the localhost was going through the ACL, but
> I just changed !!! The problem persist, What can I do ???

which problem?

Amos
Received on Mon Mar 26 2012 - 21:45:07 MDT