RE: [squid-users] max_user_ip

From: Chris Robertson <[email protected]>
Date: Fri, 2 Dec 2005 11:37:44 -0900

>>> -----Original Message-----
>>> From: Scott Mayo [mailto:sgmayo@mail.bloomfield.k12.mo.us]
>>> Sent: Friday, December 02, 2005 6:11 AM
>>> To: squid
>>> Subject: [squid-users] max_user_ip
>>>
>>>
>>> If I want to make it to where each user can only be logged onto the
>>> internet from one workstation at a time, do I need to add:
>>>
>>> acl <domainusers> max_user_ip -s 1
>>>
>>> Is there anything else I need to change, like the athenticate_ttl?
>>> If so what should I set that to? If I set the authenticate_ttl to
>>> something like 5 hours, that just means that squid will keep the
>>> authentication for 5 hours when they are still logged onto the
>>> internet correct? If they actually close the web browser, they could
>>> go directly to another machine or open the browser back up on this
>>> machine and get back on, they would not have to wait 5 hours would
>>> they? If I read this correctly, then the 5 hours is just alive as
>>> along as that one instance of the web browser is open..or until the 5
>>> hours is up.
>>>
>>> Thanks.
>>>
>>> -- Scott Mayo
>>
>> I'll quote squid.conf.default here as I think it lays it out pretty
>> clearly:
>>
>> # acl aclname max_user_ip [-s] number
>> # # This will be matched when the user attempts to log in from
>> more
>> # # than <number> different ip addresses. The authenticate_ip_ttl
>> # # parameter controls the timeout on the ip entries.
>>
>> and
>>
>> # TAG: authenticate_ip_ttl
>> # If you use proxy authentication and the 'max_user_ip' ACL, this
>> # directive controls how long Squid remembers the IP addresses
>> # associated with each user. Use a small value (e.g., 60 seconds)
>> if
>> # your users might change addresses quickly, as is the case with
>> # dialups. You might be safe using a larger value (e.g., 2 hours) in
>> a
>> # corporate LAN environment with relatively static address
>> assignments.
>>
>> and
>>
>> # TAG: authenticate_ttl
>> # The time a user & their credentials stay in the logged in user
>> cache
>> # since their last request. When the garbage interval passes, all
>> user
>> # credentials that have passed their TTL are removed from memory.
>>
>> If your authentication mechanism is slow, bump up the authenticate_ttl.
>> If your users hop computers often, keep authenticate_ip_tll low.
>>
>> Chris
>>
>
> This is what I had been reading. So from what it says, they will not be
> able to open a 2nd browser until the authenticate_ttl is up.

authenticate_ip_ttl, not authenticate_ttl. They are different.

> That kind of
> makes things tough, if it is set to so many hours, then they cannot open a
> 2nd browser up for quite a while once the 1st is closed, but if I set it
> very low, then they could just be opening browsers up all over the place
> (which is what I am trying to avoid).

So set it somewhere in between. If you set authenticate_ip_ttl for 5 minutes, then one login being shared on multiple computers would cause a fair bit of disruption: one computer would have exclusive access for 5 minutes, the others would be denied. After 5 minutes access would be up-for-grabs and who ever got it would have exclusive access for 5 minutes.

>
> It looks like it should clear the cache out out as soon as they log off
> the browser and reset the ttl. I guess that is more what I am wanting to
> do. I'll go back through the squid.conf to see if I can find a way to do
> that.

HTTP is a stateless protocol. There is no method of saying "Thanks, I'm done browsing now" other than session cookies. Using a cookie based authentication method is possible, but not trivial. Perhaps it is what you are looking for. It's a good deal more work but it's more flexible.

>
> Thanks.
> Scott
>
>

Chris
Received on Fri Dec 02 2005 - 13:37:46 MST

This archive was generated by hypermail pre-2.1.9 : Sat Dec 31 2005 - 12:00:02 MST