Re: [squid-users] Time based Video Streaming Access

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 20 Jun 2012 14:23:17 +1200

On 19.06.2012 23:57, Anonymous wrote:
> Hello Respected All,
>
> I want to setup Time based Video Streaming Access for different IPs
> (same subnet), few IPs are allowed every time video/you tube
> streaming
> access, while other IPs (IPs list in file as SRC) are only allowed in
> set time duration any other IPs are not allowed to access Video/You
> tube access. Here's setup:
> -------------------
> Ubuntu 12.04
> Squid 3.1.x
> Two Groups of IPs
> G-1 = Allowed Everytime
> G-2 = Time Restriction (09:00-14:59)
> G-3 = Everybody, Deny Access to Video/You tube streaming every time.
> ------------------------------
> acl OpenIPs src "/etc/squid3/AlwaysOpenIPs.txt" # G-1= List of IPs
> allowed for Video Streaming Everytime.
> acl TimedTubed src "/etc/squid3/TimeBasedIPs.txt" # G-2 = List of IPs
> allowed for set time duration.
> acl NoTubeTime time SMTWHFA 08:30-14:59 # Time duration when you
> access to Time based IPs.
> acl deny_rep_mime_flashvideo rep_mime_type video/x-flv # ACL to Deny
> Video Streaming for everyone else.
> http_reply_access allow OpenIPs TimedTubed NoTubeTime

This above line can only allow the IPs which are listed in *both*
OpenIPs and TimedTubed.
It will allow them only during NoTubeTime.

If I'm reading your policy description above correctly you actually
want:

   # G-1 policy = Allowed Everytime
   http_reply_access allow OpenIPs

   # G-2 policy = Time Restriction (09:00-14:59)
   http_reply_access allow TimedTubed NoTubeTime

> http_reply_access deny TimedTubed

That above line seems wrong according to your stated policies. It will
block TimedTubed IPs from going to non-YouTube content.

   # G-3 policy = Deny Access to Video/You tube streaming every time.
> http_reply_access deny deny_rep_mime_flashvideo

   http_reply_access allow all

> ------------------------------ -----------------------
> Above mentioned ACLs are not working properly, General Internet
> Access (http_access) is also denied when used with "http_reply_access
> deny" I want to only deny video streaming/you tube in set time
> duration and allow internet access.
>
> Thank you in advance.

One thing to note here. Blocking in http_reply_access means the video
is already arriving when you decide not to deliver it. Squid is forced
to do one of two things:

  a) close the server connection and wait out the TCP reset timeouts (15
minutes) before re-using the socket. Not a major issue on networks with
low web traffic, but can be a major problem if you are needing to use
those sockets again fast.

  b) read in the entire video from the server and discard it before
re-using the socket. Avoids TCP timeouts, but wastes bandwidth
and may on some videos take longer than a 15-min TCP reset would have.

NOTE: You also need to consider an http_access or miss_access ACL block
to prevent people not allowed to view videos from even making a request
to the video site in the first place. This front-line block is where the
bandwidth and speed savings will come from. The http_reply_access can be
used as an inefficient but more accurate block only for those requests
which get past your front-line blocking.

Amos
Received on Wed Jun 20 2012 - 02:23:21 MDT
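
Added example, not part of the original message and not Squid code: a small Python model of how the http_reply_access lines discussed above are evaluated (ACLs on one line are ANDed, the first matching line decides), comparing the poster's rules with the rules suggested in the reply. The IP addresses are constructed stand-ins for the contents of the two list files, and only the time of day is modelled.

```python
# Added illustration: a toy model of Squid access-list evaluation, not Squid code.
from datetime import time

# Constructed sample addresses standing in for the two IP list files.
OPEN_IPS = {"192.0.2.10"}
TIMED_IPS = {"192.0.2.20"}

ACLS = {
    "OpenIPs": lambda r: r["src"] in OPEN_IPS,
    "TimedTubed": lambda r: r["src"] in TIMED_IPS,
    # SMTWHFA covers every day, so only the clock range is modelled.
    "NoTubeTime": lambda r: time(8, 30) <= r["at"] <= time(14, 59),
    "deny_rep_mime_flashvideo": lambda r: r["mime"] == "video/x-flv",
    "all": lambda r: True,
}

# The http_reply_access lines as posted in the question.
ORIGINAL = [
    ("allow", ["OpenIPs", "TimedTubed", "NoTubeTime"]),
    ("deny", ["TimedTubed"]),
    ("deny", ["deny_rep_mime_flashvideo"]),
]

# The lines as suggested in the reply.
CORRECTED = [
    ("allow", ["OpenIPs"]),
    ("allow", ["TimedTubed", "NoTubeTime"]),
    ("deny", ["deny_rep_mime_flashvideo"]),
    ("allow", ["all"]),
]

def decide(rules, src, at, mime):
    """Return 'allow' or 'deny' for one reply under first-match evaluation."""
    reply = {"src": src, "at": at, "mime": mime}
    for action, names in rules:
        # ACLs on one line are ANDed; the first line that matches decides.
        if all(ACLS[n](reply) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for src in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
            for mime in ("video/x-flv", "text/html"):
                for at in (time(10, 0), time(16, 0)):
                    print(name, src, mime, at, decide(rules, src, at, mime))
```

Under the posted rules the always-open address is still denied video and the timed address is denied ordinary pages, which matches the symptom reported in the question.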
