On 17.04.2012 03:37, FredB wrote:

maxconn is an inbound connection limit. Squid cannot reasonably control TCP connections which are made by other software to DG since Squid has no part in those connections. There is simply no relevance limiting maxconn on anything except the real TCP/IP details.


Yes, but like there is a way with delay pools

Delay pools are a completely different concept. They only apply to a connection for the duration of a single request passing through it. maxconn applies to an entire connection based on the first request passing through it.


Something like:
acl my_ldap_auth proxy_auth REQUIRED
delay_access 1 allow my_ldap_auth
delay_access 1 deny all
delay_parameters 1 -1/-1 -1/-1 -1/-1 128000/128000

So I hoped that maybe there was a way to make the same thing with
maxconn, user jdoe -> 20 requests/s for example

maxconn only considers direct TCP links and it can't use acl_uses_indirect_client; is there a reason for that?

The reason is that "user" and "client" are different concepts and very different things in networking.

In your stated use case *DG* is the client. "johndoe" is the user.
Now alice, bob, chantell, and john *users* all connect to DG simultaneously and their requests are relayed to Squid. Squid still only has 1 client => DG.


A -->|
B -->|-->DG-->Squid
C -->|
J -->|

How many _connections_ does Squid have inbound?  1. From client DG.
How many _users_ does Squid have inbound? 4. From A,B,C,J via client DG.


A -->|
B -->|-->DG--->|-->Squid
C -->|     \-->|
J -->|


How many _connections_ does Squid have inbound?  2. From DG.
How many _users_ does Squid have inbound? 4. From A,B,C,J via client DG.

Then things get tricky... say J was an HTTP/1.1 client with pipelining and Squid was not pipelining...

J-->DG--->|-->Squid
      \-->|


How many _connections_ does Squid have inbound?  2. From DG.
How many _users_ does Squid have inbound?  1. From J via client DG.


The ACL is max*conn* not max*user*.

To limit user name/labels by their IP address, use max_user_ip. To limit anything about other their-end TCP connections use DG configuration.

Amos
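
The three diagrams above as a small model, added here as an illustration (not part of the original mail and not Squid's code). It counts what a connection-based check and a per-user IP check would each see; the DG address and the split of users across the two links in the second diagram are assumptions.

```python
from collections import defaultdict

DG_IP = "192.0.2.10"  # constructed address standing in for the DG host

# Each inbound TCP connection as Squid sees it:
# (peer IP, [user name attached to each request relayed over it]).
# Constructed from the three diagrams; the A,B / C,J split is an assumption.
SCENARIOS = {
    "one_link": [(DG_IP, ["A", "B", "C", "J"])],
    "two_links": [(DG_IP, ["A", "B"]), (DG_IP, ["C", "J"])],
    "pipelined_J": [(DG_IP, ["J"]), (DG_IP, ["J"])],
}


def connections_per_client(conns):
    """What a maxconn-style check counts: TCP connections per peer IP."""
    counts = defaultdict(int)
    for peer_ip, _users in conns:
        counts[peer_ip] += 1
    return dict(counts)


def ips_per_user(conns):
    """What a max_user_ip-style check counts: distinct IPs per user name."""
    seen = defaultdict(set)
    for peer_ip, users in conns:
        for user in users:
            seen[user].add(peer_ip)
    return {user: len(ips) for user, ips in seen.items()}


def maxconn_matches(conns, limit):
    """Peer IPs holding more than `limit` connections."""
    per_client = connections_per_client(conns)
    return sorted(ip for ip, n in per_client.items() if n > limit)


def summarize(conns):
    """Inbound connection count and distinct user count for one scenario."""
    return {"connections": len(conns), "users": len(ips_per_user(conns))}


if __name__ == "__main__":
    for name, conns in SCENARIOS.items():
        print(name, summarize(conns), "over limit 1:", maxconn_matches(conns, 1))
```

With a limit of 1, the second and third scenarios both flag the DG address, although one carries four users and the other a single pipelining user.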
