[squid-users] delay pools and ident access lists.

From: Oleg Sharoiko <[email protected]>
Date: Wed, 12 Oct 2005 23:12:13 +0400 (MSD)

Hello!

I'd like to setup separate delay pools for different users of multi-user
box. Does delay_pools supposed to work with ident acls? I tried following
setup:

---
acl sunray2 src 195.208.251.171
acl user01 ident user01
ident_lookup_access allow sunray2
ident_lookup_access deny all
http_access allow sunray2 user01
delay_class 2 1
delay_access 2 allow sunray2 user01
delay_parameters 2 16384/16384
---
And it doesn't work. If I change delay_access 2 to be
delay_access 2 allow sunray2
then all traffic for sunray2 is limited to 16Kbps. So it looks like acl 
user01 doesn't work. But usernames are being logged in access log:
1129142174.297   5437 195.208.251.171 TCP_MISS/200 3014657 GET http://ftp.rsu.ru/pub/FreeBSD/releases/i386/ISO-IMAGES/5.4/5.4-RELEASE-i386-disc1.iso user01 DIRECT/195.208.245.253 application/octet-stream
Enabling debug gives me this:
2005/10/12 18:36:08| aclCheck: checking 'http_access allow sunray2 user01'
2005/10/12 18:36:08| aclMatchAclList: checking sunray2
2005/10/12 18:36:08| aclMatchAcl: checking 'acl sunray2 src 195.208.251.171'
2005/10/12 18:36:08| aclMatchIp: '195.208.251.171' found
2005/10/12 18:36:08| aclMatchAclList: checking user01
2005/10/12 18:36:08| aclMatchAcl: checking 'acl user01 ident user01'
2005/10/12 18:36:08| aclMatchAclList: returning 0
2005/10/12 18:36:08| aclCheck: Doing ident lookup
2005/10/12 18:36:08| aclCheck: checking 'http_access allow sunray2 user01'
2005/10/12 18:36:08| aclMatchAclList: checking sunray2
2005/10/12 18:36:08| aclMatchAcl: checking 'acl sunray2 src 195.208.251.171'
2005/10/12 18:36:08| aclMatchIp: '195.208.251.171' found
2005/10/12 18:36:08| aclMatchAclList: checking user01
2005/10/12 18:36:08| aclMatchAcl: checking 'acl user01 ident user01'
2005/10/12 18:36:08| aclMatchUser: user is user01, case_insensitive is 0
2005/10/12 18:36:08| Top is 0x820e8e0, Top->data is user01
2005/10/12 18:36:08| aclMatchUser: returning 1,Top is 0x820e8e0, Top->data is user01
2005/10/12 18:36:08| aclMatchAclList: returning 1
2005/10/12 18:36:08| aclCheck: match found, returning 1
2005/10/12 18:36:08| aclCheckCallback: answer=1
2005/10/12 18:36:08| aclCheckFast: list: 0x827e830
2005/10/12 18:36:08| aclMatchAclList: checking sunray2
2005/10/12 18:36:08| aclMatchAcl: checking 'acl sunray2 src 195.208.251.171'
2005/10/12 18:36:08| aclMatchIp: '195.208.251.171' found
2005/10/12 18:36:08| aclMatchAclList: checking user01
2005/10/12 18:36:08| aclMatchAcl: checking 'acl user01 ident user01'
2005/10/12 18:36:08| aclMatchAclList: returning 0
2005/10/12 18:36:08| aclCheckFast: no matches, returning: 0
As far as I can understand 1st is http_access check and 2nd is 
delay_access check. I did a quick look at sources and found that 
delay_pools call only aclCheckFast which checks ident access lists only if 
result of ident loockup already exists. I was hoping that forcing ident 
loockup with http_access will cache username somewhere but this doesn't 
seem to work either. :( Am I doing something wrong or this setup will not 
work by design?
-- 
Oleg Sharoiko.
Software and Network Engineer
Computer Center of Rostov State University.
Received on Wed Oct 12 2005 - 13:12:15 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Nov 01 2005 - 12:00:04 MST