[squid-users] Problem with Squid-3.0.STABLE1 and ICAP
Hello All, I am in the process of integrating squid-3.0.STABLE1 with Python based ICAP Server. Here, i am not able to get the response modification. ICAP related configurations given are: icap_enable on icap_send_client_ip on icap_service content respmod_precache 0 icap://:1344/respmod icap_class class_1 content icap_access class_1 allow all I am not seeing any error messages in the ICAP Server side. Squid also behaves normally except the following message in cache.log "essential ICAP service is invalidated by reconfigure: icap://Address>:1344/respmod [down,gone,!opt]". But when i perform some web access through ICAP enabled squid proxy, empty page is displayed (the browser displays nothing). The same setup with squid-2.5.STABLE13 works properly (the page is displayed). What could be the problem? Thanks for your assistance. Thanks Selvi
Re: [squid-users] Problem with Squid-3.0.STABLE1 and ICAP
Hi Christos, Thanks for your reply. I am posting the squid-icap server conversation and also the debug messages here. Christos Tsantilas wrote: Hi Selvi, selvi wrote: Hello All, I am in the process of integrating squid-3.0.STABLE1 with Python based ICAP Server. Here, i am not able to get the response modification. Is it a custom ICAP server? I am using the Python based ICAP Server. ICAP related configurations given are: icap_enable on icap_send_client_ip on icap_service content respmod_precache 0 icap://:1344/respmod icap_class class_1 content icap_access class_1 allow all I am not seeing any error messages in the ICAP Server side. Squid also behaves normally except the following message in cache.log "essential ICAP service is invalidated by reconfigure: icap://:1344/respmod [down,gone,!opt]". But when i perform some web access through ICAP enabled squid proxy, empty page is displayed (the browser displays nothing). This message means that the squid tried to send an options request to the ICAP server and the ICAP server answer was not correct (or just did not like to the squid) I am suggesting to enable debug for ICAP client in squid3: debug_options 93,9 0,9 And search in debug messages to see what they say about. You can also post the debug messages here. Also grabbing the conversation between squid and ICAP server using wireshark or similar tool will be helpful... Regards, Christos A snapshot of the conversation between squid and ICAP server is given below (using tcpdump). 11:04:02.978996 IP squid225.kovaiteam.com.60111 > squid225.kovaiteam.com.1344: S 2637131307:2637131307(0) win 32767 16396,sackOK,timestamp 1238745316 0,nop,wscale 8> E..<[EMAIL PROTECTED]@.0 [EMAIL PROTECTED]/[EMAIL PROTECTED] I... 11:04:02.979009 IP squid225.kovaiteam.com.1344 > squid225.kovaiteam.com.60111: S 2632376145:2632376145(0) ack 2637131308 win 32767 E..<[EMAIL PROTECTED]@[EMAIL PROTECTED]/n,[EMAIL PROTECTED] I...I... 11:04:02.979020 IP squid225.kovaiteam.com.60111 > squid225.kovaiteam.com.1344: . ack 1 win 128 1238745316 1238745316> [EMAIL PROTECTED]@[EMAIL PROTECTED]/n,...R.A. I...I... 11:04:02.981160 IP squid225.kovaiteam.com.60111 > squid225.kovaiteam.com.1344: P 1:752(751) ack 1 win 128 [EMAIL PROTECTED]@[EMAIL PROTECTED]/n,...R^.. I...I...RESPMOD icap://172.16.1.225:1344/respmod ICAP/1.0 Host: 172.16.1.225:1344 Date: Fri, 04 Jan 2008 05:34:02 GMT Encapsulated: req-hdr=0, res-hdr=277, res-body=546 Allow: 204 X-Client-IP: 172.16.1.34 GET http://172.16.1.225:8088/gui/test.html HTTP/1.0 Accept: */* Accept-Language: en-us Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: 172.16.1.225:8088 Proxy-Connection: Keep-Alive Authorization: Basic dmljYWNoZTp2aWNhY2hl HTTP/1.1 200 OK Date: Fri, 04 Jan 2008 05:34:02 GMT Server: Apache/2.0.52 (Red Hat) Last-Modified: Fri, 04 Jan 2008 05:25:31 GMT ETag: "64cce8-1d-442debd2f28c0" Accept-Ranges: bytes Content-Length: 29 Connection: close Content-Type: text/html; charset=UTF-8 11:04:02.981170 IP squid225.kovaiteam.com.1344 > squid225.kovaiteam.com.60111: . ack 752 win 128 1238745318 1238745318> [EMAIL PROTECTED]@[EMAIL PROTECTED]/q..N. I...I... 11:04:02.982351 IP squid225.kovaiteam.com.60111 > squid225.kovaiteam.com.1344: P 752:792(40) ack 1 win 128 [EMAIL PROTECTED]@./[EMAIL PROTECTED]/qR\1. I...I...1d Hello Selvi 0 11:04:02.982360 IP squid225.kovaiteam.com.1344 > squid225.kovaiteam.com.60111: . ack 792 win 128 1238745319 1238745319> [EMAIL PROTECTED]@..)[EMAIL PROTECTED]/qC.$. I...I... 11:04:02.987875 IP squid225.kovaiteam.com.1344 > squid225.kovaiteam.com.60111: P 1:429(428) ack 792 win 128 [EMAIL PROTECTED]@[EMAIL PROTECTED]/qC].. I...I...ICAP/1.0 200 OK Date: Fri, 04 Jan 2008 05:34:02 GMT Encapsulated: res-hdr=0 res-body=269 Server: ICAP-Server-Software/1.0 HTTP/1.0 200 OK Content-Length: 29 Accept-Ranges: bytes Server: Apache/2.0.52 (Red Hat) Last-Modified: Fri, 04 Jan 2008 05:25:31 GMT Connection: close ETag: "64cce8-1d-442debd2f28c0" Date: Fri, 04 Jan 2008 05:34:02 GMT Content-Type: text/html; charset=UTF-8 Hello Selvi 11:04:02.987889 IP squid225.kovaiteam.com.60111 > squid225.kovaiteam.com.1344: . ack 429 win 128 1238745325 1238745325> [EMAIL PROTECTED]@.0 [EMAIL PROTECTED]/qC.l. I...I... 11:04:02.988074 IP squid225.kovaiteam.com.1344 > squid225.kovaiteam.com.60111: F 429:429(0) ack 792 win 128 [EMAIL PROTECTED]@[EMAIL PROTECTED]/qC.k. I...I... 11:04:02.993135 IP squid225.kovaiteam.com.60111 > squid225.kovaiteam.com.1344: F 792:792(0) ack 430 win 128 [EMAIL PROTECTED]@[EMAIL PROTECTED]/qC.e. I...I... 11:04:02.993148 IP squid225.kovaiteam.com.1344 > squid225.kovaiteam.com.60111: . ack 793 win 128 1238745330 1238745330> [EMAI
Re: [squid-users] Problem with Squid-3.0.STABLE1 and ICAP
Hi Christos, Thanks for the reply. Christos Tsantilas wrote: Hi Selvi, selvi wrote: I am using the Python based ICAP Server. Is the icap-server from the following location? http://sourceforge.net/projects/icap-server/ I try to use it some months ago with squid3 but I had problems too. Yes the same one.. I had fixed that problem in the ICAP Server. But still some exception appears and the page is not displayed. Currently i am analysing on that. Will c-icap server help me better in this case? Is that suitable for production use? >From the debug messages I am seeing that at least one response from the ICAP server is wrong. The Encapsulated Header at the ICAP server response has wrong syntax, must be: Encapsulated: res-hdr=0, res-body=269 2008/01/05 15:19:41.425| ICAPModXact remains final [FD 14;RrB/w icapx1] 2008/01/05 15:19:41.425| ICAP/ICAPModXact.cc(574) have 428 bytes to parse [FD 14;RrB/w icapx1] 2008/01/05 15:19:41.425| ICAP/ICAPModXact.cc(575) ICAP/1.0 200 OK^M Date: Sat, 05 Jan 2008 09:49:41 GMT^M Encapsulated: res-hdr=0 res-body=269^M Here missing a "," ^ Server: ICAP-Server-Software/1.0^M ^M HTTP/1.0 200 OK^M Content-Length: 29^M Accept-Ranges: bytes^M Server: Apache/2.0.52 (Red Hat)^M Last-Modified: Sat, 05 Jan 2008 07:22:49 GMT^M Connection: close^M ETag: "64cce7-1d-442f47e85e440"^M Connection: close^M ETag: "64cce7-1d-442f47e85e440"^M Date: Sat, 05 Jan 2008 09:49:41 GMT^M Content-Type: text/html; charset=UTF-8^M ^M Hello Selvi ^M 2008/01/05 15:19:41.426| ICAP/ICAPModXact.cc(653) parse ICAP headers 2008/01/05 15:19:41.426| ICAP/ICAPModXact.cc(882) have 428 head bytes to .... Thanks Selvi
[squid-users] Patching Squid 2.6 icap patch with Squid-2.6.STABLE10 - problem
Hello All, I am in the process of patching Squid 2.6 icap with Squid-2.6.STABLE10 version. Squid 2.6 icap patch is taken from http://devel.squid-cache.org/cgi-bin/diff2/icap-2_6.patch I had one rejection in client_side.c and i had done that change manually. But when i issue the command 'make', i am getting the following errors. I would like to know whether the icap-patch i am using is correct or not. http.c: In function âhttpAppendBodyâ: http.c:649: warning: passing argument 2 of âicapRespModAddBodyDataâ discards qualifiers from pointer target type http.c:661: warning: passing argument 2 of âicapRespModAddBodyDataâ discards qualifiers from pointer target type http.c: In function âhttpSendCompleteâ: http.c:1144: error: incompatible type for argument 2 of âstoreCreateEntryâ http.c:1144: error: incompatible type for argument 3 of âstoreCreateEntryâ http.c:1144: error: too few arguments to function âstoreCreateEntryâ make[3]: *** [http.o] Error 1 make[3]: Leaving directory `/usr/local/squid/src' make[2]: *** [all-recursive] Error 1 make[2]: Leaving directory `/usr/local/squid/src' make[1]: *** [all] Error 2 make[1]: Leaving directory `/usr/local/squid/src' make: *** [all-recursive] Error 1 Thanks in advance, Selvi
Re: [squid-users] Patching Squid 2.6 icap patch with Squid-2.6.STABLE10 - problem
Yes, I had already tried that. But since, i had heard that Squid 2.6 version had better performance than Squid 3.0, i would like to try that also as a backup. Thanks Selvi Amos Jeffries wrote: selvi wrote: Hello All, I am in the process of patching Squid 2.6 icap with Squid-2.6.STABLE10 version. Have you tried Squid 3.0 stable 1 ? It incorporates ICAP natively amongst other improvements. Amos
[squid-users] Squidguard deny status in squid access log
Hello All, Whenever squidguard blocks a page, the squid access.log reports the status as "TCP_MISS/200". Is this the default behaviour? Is there any way that i can change "TCP_MISS/200" status to "TCP_DENIED/403" for reporting purposes? Thanks Selvi
[squid-users] ICAP Issue - ICAP Protocol Error
Hi, I am working in the process of patching ICAP for different squid versions and testing the same with icap option enabled. I had patched Squid-2.5.STABLE-13 source with the ICAP patch found from http://devel.squid-cache.org/cgi-bin/diff2/nt-2_5.patch?s2_5. I had built the squid after running "bootstrap.sh" from the squid source directory ICAP Server used : Python Based icap-server-1.2.1 found from http://sourceforge.net ICAP option is enabled in squid. Using this setup, i am able to access the web pages most of the times. But sometimes, I am facing, "ICAP Protocol Error". This error occurs because Squid is sending null-body in its Encapsulated header. [ Ex: Encapsulated: req-hdr=0, res-hdr=465, null-body=649']. Why does this inconsistency happens? Please advice me. Thanks Selvi
[squid-users] ICAP Issue - ICAP Protocol Error
Hi, I am working in the process of patching ICAP for different squid versions and testing the same with icap option enabled. I had patched Squid-2.5.STABLE-13 source with the ICAP patch found from http://devel.squid-cache.org/cgi-bin/diff2/nt-2_5.patch?s2_5. I had built the squid after running "bootstrap.sh" from the squid source directory ICAP Server used : Python Based icap-server-1.2.1 found from http://sourceforge.net ICAP option is enabled in squid. Using this setup, i am able to access the web pages most of the times. But sometimes, I am facing, "ICAP Protocol Error". This error occurs because Squid is sending null-body in its Encapsulated header. [ Ex: Encapsulated: req-hdr=0, res-hdr=465, null-body=649']. Why does this inconsistency happens? Please advice me. Thanks Selvi
[squid-users] Load Balancing in ICAP - reg
Hi All, I am just checking the Load balancing feature available in squid-icap setup. I had defined the icap related acls like below and ICAP server is running is both the machines described icap_enable on icap_service service_1 respmod_precache 0 icap://172.16.1.35:1344/respmod icap_service service_1 respmod_precache 0 icap://172.16.1.53:1344/respmod icap_class class_1 service_1 icap_access class_1 allow all In this setup, the requests are always handled by the first machine defined in service_1, in this case, 172.16.1.35. When 172.16.1.35 is down, then the requests are handled by 172.16.1.53. When the load is very high, will both the machines will balance the load? Thanks, Selvi
Re: [squid-users] Load Balancing in ICAP - reg
Hi, Currently i am using Squid-2.x patched with ICAP. Thanks, Selvi - Original Message - From: "Henrik Nordstrom" <[EMAIL PROTECTED]> To: "Selvi" <[EMAIL PROTECTED]> Cc: Sent: Wednesday, February 14, 2007 3:57 AM Subject: Re: [squid-users] Load Balancing in ICAP - reg
[squid-users] Problem with debug_options with ICAP enabled
Hi, I am using Squid-2.5.STABLE13 version patched with ICAP. ICAP related configurations in squid is done as follows: icap_enable on icap_service service_1 respmod_precache 0 icap://:1344/respmod icap_class class_1 service_1 icap_access class_1 allow all In this scenario, I found a strange behaviour when debug_options is set to different values. For example, when the debug_options are "ALL,1" and "ALL,2", the full page is not displayed in the browser (Only half/quarter page is displayed). When the debug_options are set to ALL,3 [or ALL,4 or ALL,5 or ALL,6 or ALL,7 or ALL,8 or ALL9], I am able to view the full page in the browser. debug_options are used only for debugging, right? Why does this happens to me? Am i missing something here? Please help me in resolving this. Thanks, Selvi
[squid-users] username on squid custom denied error pages
Hi, I am using Squid-2.5.STABLE-13 version with LDAP Authentication. In the custom deny info page, i would like to have the display of usernames. [The same way as the hostnames are displayed using %i in the custom error page]. I had gone through this http://www.squid-cache.org/mail-archive/squid-users/200212/0480.html and found that there is no such option available. Is there a way to achieve this? Thanks Selvi
[squid-users] Bypassing 403 and 404 status to ICAP using icap_access
Hello All, I am in the process of configuring Squid3-STABLE1 with the ICAP Server (Python Based). Here, i don't want the 403 and 404 status to be sent to the ICAP Server. I had tried icap_access with http_status but that didn't work for me. ICAP configurations used: acl HS http_status 404 icap_enable on icap_preview_enable off icap_persistent_connections off icap_send_client_ip on icap_send_client_username on icap_client_username_header X-Authenticated-User icap_service vicontent respmod_precache 0 icap://172.16.1.225:1344/respmod icap_class class_1 vicontent icap_access class_1 deny HS icap_access class_1 allow all Any thoughts to achieve this? Thanks Selvi
Re: [squid-users] Bypassing 403 and 404 status to ICAP using icap_access
Hello Alex, Thanks for the reply. I had submitted a bug report. I am just placing few lines from the debug log here for your reference. 2008/04/03 14:24:58.788| ACLChecklist::preCheck: 0x604dfdc8 checking 'icap_access class_1 deny HS' 2008/04/03 14:24:58.788| ACLList::matches: checking HS 2008/04/03 14:24:58.788| ACL::checklistMatches WARNING: 'HS' ACL is used but there is no HTTP reply -- not matching. 2008/04/03 14:24:58.788| ACLList::matches: result is false Please let me know if you have some input on this. Thanks Selvi On 3/19/08, Alex Rousskov <[EMAIL PROTECTED]> wrote: > On Tue, 2008-03-18 at 11:42 +0530, selvi nandu wrote: > > > Here, i don't want the 403 and 404 status to be sent to the ICAP Server. > > > > I had tried icap_access with http_status but that didn't work for me. > > > > ICAP configurations used: > > > > acl HS http_status 404 > > > > icap_enable on > > icap_preview_enable off > > icap_persistent_connections off > > icap_send_client_ip on > > icap_send_client_username on > > icap_client_username_header X-Authenticated-User > > icap_service vicontent respmod_precache 0 icap://172.16.1.225:1344/respmod > > icap_class class_1 vicontent > > icap_access class_1 deny HS > > icap_access class_1 allow all > > > > Any thoughts to achieve this? > > I do not see any problem with your configuration. If you do not receive > better responses, please file a bug and attach cache.log with ALL,9 > debug_options enabled when 404 transaction is being processed. > > Thank you, > > Alex. > > >
Re: [squid-users] Bypassing 403 and 404 status to ICAP using icap_access
Hello Alex, Thanks for the quick reply and the fix.. Selvi On 4/3/08, Alex Rousskov <[EMAIL PROTECTED]> wrote: > On Thu, 2008-04-03 at 12:00 +0530, selvi nandu wrote: > > > Thanks for the reply. I had submitted a bug report. I am just placing > > few lines from the debug log here for your reference. > > > > 2008/04/03 14:24:58.788| ACLChecklist::preCheck: 0x604dfdc8 > > checking 'icap_access class_1 deny HS' > > 2008/04/03 14:24:58.788| ACLList::matches: checking HS > > 2008/04/03 14:24:58.788| ACL::checklistMatches WARNING: 'HS' ACL is > > used but there is no HTTP reply -- not matching. > > 2008/04/03 14:24:58.788| ACLList::matches: result is false > > > > Please let me know if you have some input on this. > > A possible fix has been added to your bug report. Please test and > followup there: http://www.squid-cache.org/bugs/show_bug.cgi?id=2294 > > Thank you, > > Alex. > > > > > On 3/19/08, Alex Rousskov <[EMAIL PROTECTED]> wrote: > > > On Tue, 2008-03-18 at 11:42 +0530, selvi nandu wrote: > > > > > > > Here, i don't want the 403 and 404 status to be sent to the ICAP Server. > > > > > > > > I had tried icap_access with http_status but that didn't work for me. > > > > > > > > ICAP configurations used: > > > > > > > > acl HS http_status 404 > > > > > > > > icap_enable on > > > > icap_preview_enable off > > > > icap_persistent_connections off > > > > icap_send_client_ip on > > > > icap_send_client_username on > > > > icap_client_username_header X-Authenticated-User > > > > icap_service vicontent respmod_precache 0 > > > > icap://172.16.1.225:1344/respmod > > > > icap_class class_1 vicontent > > > > icap_access class_1 deny HS > > > > icap_access class_1 allow all > > > > > > > > Any thoughts to achieve this? > > > > > > I do not see any problem with your configuration. If you do not receive > > > better responses, please file a bug and attach cache.log with ALL,9 > > > debug_options enabled when 404 transaction is being processed. > > > > > > Thank you, > > > > > > Alex. > > > > > > > > > > >
[squid-users] using rep_mime_type in icap_access
Hello, One more relevant questions like this. Is rep_mime_type if only for http_reply_access restrictions? I only want the responses with the mime-types starting with text or application or multipart to enter the icap server. My squid config says: acl mimeblockp rep_mime_type ^text acl mimeblockp rep_mime_type ^application acl mimeblockp rep_mime_type ^multipart icap_enable on icap_service service_resp respmod_precache 0 icap://172.16.1.225:1344/respmod icap_class class_resp service_resp icap_access class_resp !mimeblockp icap_access class_resp allow all When i access the responses of type image/jpeg, still the response goes to the icap server. What could be the problem? Thanks in advance Selvi On 4/3/08, selvi nandu <[EMAIL PROTECTED]> wrote: > Hello Alex, > > Thanks for the quick reply and the fix.. > > Selvi > > On 4/3/08, Alex Rousskov <[EMAIL PROTECTED]> wrote: > > On Thu, 2008-04-03 at 12:00 +0530, selvi nandu wrote: > > > > > Thanks for the reply. I had submitted a bug report. I am just placing > > > few lines from the debug log here for your reference. > > > > > > 2008/04/03 14:24:58.788| ACLChecklist::preCheck: 0x604dfdc8 > > > checking 'icap_access class_1 deny HS' > > > 2008/04/03 14:24:58.788| ACLList::matches: checking HS > > > 2008/04/03 14:24:58.788| ACL::checklistMatches WARNING: 'HS' ACL is > > > used but there is no HTTP reply -- not matching. > > > 2008/04/03 14:24:58.788| ACLList::matches: result is false > > > > > > Please let me know if you have some input on this. > > > > A possible fix has been added to your bug report. Please test and > > followup there: http://www.squid-cache.org/bugs/show_bug.cgi?id=2294 > > > > Thank you, > > > > Alex. > > > > > > > > > On 3/19/08, Alex Rousskov <[EMAIL PROTECTED]> wrote: > > > > On Tue, 2008-03-18 at 11:42 +0530, selvi nandu wrote: > > > > > > > > > Here, i don't want the 403 and 404 status to be sent to the ICAP > > > > > Server. > > > > > > > > > > I had tried icap_access with http_status but that didn't work for me. > > > > > > > > > > ICAP configurations used: > > > > > > > > > > acl HS http_status 404 > > > > > > > > > > icap_enable on > > > > > icap_preview_enable off > > > > > icap_persistent_connections off > > > > > icap_send_client_ip on > > > > > icap_send_client_username on > > > > > icap_client_username_header X-Authenticated-User > > > > > icap_service vicontent respmod_precache 0 > > > > > icap://172.16.1.225:1344/respmod > > > > > icap_class class_1 vicontent > > > > > icap_access class_1 deny HS > > > > > icap_access class_1 allow all > > > > > > > > > > Any thoughts to achieve this? > > > > > > > > I do not see any problem with your configuration. If you do not receive > > > > better responses, please file a bug and attach cache.log with ALL,9 > > > > debug_options enabled when 404 transaction is being processed. > > > > > > > > Thank you, > > > > > > > > Alex. > > > > > > > > > > > > > > > > >
[squid-users] problem with purge
Hi All, I am trying to use purge to view and delete the objects from the diskcache. I had taken the tar file from http://www.wa.apana.org.au/~dean/squidpurge/. I am facing some problems when i try to use the same in itanium 64 (ia64) architecture. I am not able to build successfully. When i try to download the developer version (with revision control tree and all sources checked in) in http://www.wa.apana.org.au/~dean/sources/purge-20040201-all.tar.gz , this link no longer exists. Please help me to resolve the problem. Thanks Selvi
[squid-users] Byte Hit Ratio since last restart
Hi, I would like to know the Byte Hit Ratio (Ratio of total amount of bytes which are hits to the total amount of bytes transferred) since the squid last restart. Is there a way in snmp to find this? Thanks for your help here. Thanks Selvi
[squid-users] Configuring Delay Pools in Squid
Hi, I am using squid-2.5.STABLE-13 version built with delay pools. I am having some doubts in configuring delay pools. 1. Is it possible to use LDAP group based authentication with delay pools (meaning :- assigning LDAP group acls with delay pools already configured)? If so, which delay class (1 or 2 or 3) can be used? 2. To limit bandwidth to the network and also to the individual users, delay class 3 can be used, right? Here can i use A class network or only B class network should be used? And can i use the mixture of both A class and B class networks? Thanks for your help. Thanks Selvi
Re: [squid-users] Configuring Delay Pools in Squid
Hi Hendrik, On 4/12/07, Henrik Nordstrom <[EMAIL PROTECTED]> wrote: tor 2007-04-12 klockan 11:34 -0700 skrev selvi nandu: > 1. Is it possible to use LDAP group based authentication with delay > pools (meaning :- assigning LDAP group acls with delay pools already > configured)? If so, which delay class (1 or 2 or 3) can be used? Should work most of the time, provided the same acl is also evaluated in http_access. Applies to all classes. > 2. To limit bandwidth to the network and also to the individual users, > delay class 3 can be used, right? Yes, class 2 or 3 required depending on your network size. > Here can i use A class network or > only B class network should be used? And can i use the mixture of both > A class and B class networks? A class 3 delay pool assigns individual limits based on the last 16 bits of the IP address. Two users in different networks but having the same last 16 bits will share the same pool. A class 2 delay pool assigns individual pools based on the last 8 bits of the IP address. Thanks for your help. I need few more clarifications. 1. In our setup, different users are accessing the net from different networks. For ex, the acl file for the setA users (setA.txt) contains the following. 100.10.1.2 # user1 100.10.2.5 # user2 100.11.2.3 # user3 100.11.1.5 # user4 We want to give 64 kbps for this group of users as a whole and 8 kpbs for the individual users. Is this possible and will our below given squid.conf entries solve our purpose? acl SETA src setA.txt delay_pools 1 delay_class 1 3 delay_parameters 1 -1/-1 8000/8000 1000/1000 delay_access 1 allow SETA delay_access deny all 2. If we go for LDAP, all the above said users (user1, user2, user3 , user4) will be identified by a LDAP group called SETA. In that situation can we achieve the same restriction as using 64 kbps for the entire group and 8 kbps for the individual users using the same delay parameters given above? Thanks Selvi Regards Henrik