Re: [squid-users] help with acl max_user_ip

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 20 Jun 2012 13:50:14 +1200

On 20.06.2012 03:48, Diego Maciel Gomes wrote:
> Hi all!
>
> This is my first post. I have one doubt about how to use this acl
> max_user_ip
>
> Well, I put it in my squid.conf, look:
>
> acl max_user max_user_ip -s 1
> http_access deny max_user
>
> I'm running squid 3.0 stable25

Please consider an upgrade. Seriously out of date software (2+ years
expired) exposes you to many problems.
As of this writing the currently supported version is 3.1, with the
latest bug fix update release being 3.1.20. The last major security
vulnerability was fixed in 3.1.15.

>
> I saw that max_user_ip doesn't show to me in yellow font. Is it a
> problem? Maybe my squid version doesn't support this feature? Maybe it
> isn't a problem, whatever.

Font colour has nothing to do with Squid.
Your editor is missing some highlight feature support?

"squid -k parse" will tell you what config your version does (or not)
support.

>
> My ACL and my deny for ACL is the first thing after "auth_param basic
> credentialsttl 2 hours"

credentialsttl is related to how often the basic auth helper gets
re-checked.

http://www.squid-cache.org/Versions/v3/3.0/cfgman/acl.html states that
authenticate_ip_ttl is the relevant timeout for the user-vs-IP pairs.

The minimum of the two timeouts applies to max_user_ip, as user:IP
pairs get discarded on authenticate_ip_ttl, and the user together with all
its IPs might get discarded on credentialsttl.

>
> So, I guess it is OK.
>

"max_user_ip" only counts the user/IP pairs for which the username
credentials have been tested as valid logins and linked to the request
by a proxy_auth ACL.

You can imagine this as max_user_ip operating on the output of a
successful proxy_auth test. Skipping the proxy_auth test, not having run it
yet, or the user failing to log in correctly will result in max_user_ip
counting this request as having no user at all (and thus not a match).

> I did a test and I can use proxy with my user in two machines... The
> rule should allow only 1, right?

*IF* tested in the right order with proxy_auth, yes.

I think from your vague description that you are not testing proxy_auth
at all, or are testing it after max_user_ip is checked.

Amos
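The ordering Amos describes, written out as an added squid.conf fragment (not from the original mail or the Squid project; the helper path and the TTL values are assumed placeholders, the directive order is the point):

```conf
# Added example, not from the original thread. The auth helper path and the
# TTL values below are assumed placeholders; adjust them for your install.
auth_param basic program /path/to/basic_auth_helper /etc/squid/passwd
auth_param basic credentialsttl 2 hours    # how long a validated login stays cached

# TTL for the user:IP pairs that max_user_ip counts. The shorter of this and
# credentialsttl decides when a pair is forgotten.
authenticate_ip_ttl 1 hour                 # assumed value

acl authed   proxy_auth REQUIRED
acl max_user max_user_ip -s 1              # -s: strict, deny all requests over the limit

# proxy_auth must be tested first, so the request carries a validated user.
# If max_user_ip ran before it, the request would have no user and never match.
http_access deny !authed                   # unauthenticated: challenge (407)
http_access deny max_user                  # user already seen from another IP
http_access allow authed
http_access deny all
```

Run "squid -k parse" after editing to confirm every directive is accepted by your version.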
Received on Wed Jun 20 2012 - 01:50:18 MDT