Hello Amos,
This seems to be a solved issue. With your advice, I have managed to limit all my users except those who had a login starting with cg_*.

1 - annotation of the "cg_*" flow:

    # Generic accounts
    acl userCgPrefix proxy_auth_regex ^cg_
    acl markCgGroup annotate_transaction cgUsers=true
    http_access allow userCgPrefix markCgGroup !all
    http_access allow my_ldap_auth !emeraude

2 - fixed limits for all except "cg_*" users:

    acl cgen note cgUsers true
    acl userrgt src 10.0.0.0/8
    reply_body_max_size 800 MB bureau !cgen userrgt
    request_body_max_size 5 MB
    delay_pools 1
    delay_class 1 4
    delay_access 1 allow bureau !cgen !emeraude
    delay_parameters 1 -1/-1 -1/-1 -1/-1 512000/512000

I will make some other tests later on with the "usual way" you also recommended: "The usual way to do that is with the authentication system's "group" functionality and a helper to fetch that."

Thanks very much to you, David and Eliezer

Regards,
Eric Perrot

On 06/09/2022 20:46, Amos Jeffries wrote:
> On 6/09/22 00:56, PERROT Eric DNUM SDCAST BST SSAIM wrote:
>
>> Hello, We use directives "reply_body_max_size", "request_body_max_size" and
>> "delay_access" to limit upload, download and bandwidth in our infra.
>
> All of which are "fast" type.
>
>> This configuration has existed for a while, but we have noticed that with
>> squid v4.16, our delay pool didn't react as we wanted anymore.
>
> FYI, use of "slow" type ACLs in "fast" type checks is subject to what Squid
> happens to have in its processing state information and available in caches
> from previous traffic.
>
> Even if a config like this *appears* to work, it may not be actually working
> for all transactions. The delicate balance may change at any time.
>
>> Can you tell me if what we want to do is still possible? Limiting
>> upload/download/bandwidth for all logged-in users except those starting with
>> cg_*?
>
> You need to:
>
> 1) do authentication checks to http_access.
>
> 2) make the cg_* accounts part of a "group".
>
> The usual way to do that is with the authentication system's "group"
> functionality and a helper to fetch that.
>
> However, in Squid-4+ you can also add a temporary "group" label as needed
> based on other ACL checks (eg the username regex matching) like so:
>
>   acl userCgPrefix proxy_auth_regex ^cg_
>   acl markCgGroup annotate_transaction group=cgUsers
>   http_access allow userCgPrefix markCgGroup !all
>
> 3) check the 'group' annotation in fast type controls, not the username:
>
>   acl userrgt note group cgUsers
>
>   reply_body_max_size 800 MB userrgt
>   delay_access 1 deny userrgt
>
> FTR; the above should work on any Squid-4 or later. So you can revert to the
> v4 Squid install which was otherwise working for you.
>
> HTH
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
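Added example (not part of the original thread and not Squid's own code): a small Python check that flags "slow" ACL types used in the "fast" directives discussed above, run over a constructed "before" config and the annotation-based config from the thread. The set of slow ACL types is an assumption taken from Squid's ACL documentation, and the definition of `bureau` is constructed for the sample.

```python
# Assumption (Squid ACL documentation, not stated in the thread): these ACL
# types may need an asynchronous helper lookup, which makes them "slow".
SLOW_ACL_TYPES = {"proxy_auth", "proxy_auth_regex", "external"}
# ACL-taking directives the thread identifies as "fast" checks.
FAST_DIRECTIVES = {"reply_body_max_size", "delay_access"}

def find_slow_in_fast(conf_text):
    """Return (line_no, directive, acl_name, acl_type) for every slow ACL
    referenced, negated or not, by a fast-check directive."""
    acl_types = {}   # ACL name -> type, taken from the first "acl" line
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop comments
        if not tokens:
            continue
        if tokens[0] == "acl" and len(tokens) >= 3:
            acl_types.setdefault(tokens[1], tokens[2])
        elif tokens[0] in FAST_DIRECTIVES:
            for tok in tokens[1:]:
                name = tok.lstrip("!")
                if acl_types.get(name) in SLOW_ACL_TYPES:
                    findings.append((line_no, tokens[0], name, acl_types[name]))
    return findings

# Constructed sample: username regex checked directly in fast directives.
BEFORE = """\
acl bureau src 10.0.0.0/8
acl userCgPrefix proxy_auth_regex ^cg_
reply_body_max_size 800 MB bureau !userCgPrefix
delay_access 1 allow bureau !userCgPrefix
"""

# Constructed sample following the thread: annotate in http_access,
# then test only the annotation (a "note" ACL) in the fast directives.
AFTER = """\
acl bureau src 10.0.0.0/8
acl userCgPrefix proxy_auth_regex ^cg_
acl markCgGroup annotate_transaction cgUsers=true
http_access allow userCgPrefix markCgGroup !all
acl cgen note cgUsers true
reply_body_max_size 800 MB bureau !cgen
delay_access 1 allow bureau !cgen
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, find_slow_in_fast(conf))
```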