RE: [squid-users] max_user_ip

From: <sgmayo@dont-contact.us>
Date: Fri, 2 Dec 2005 15:21:42 -0600 (CST)

>> -----Original Message-----
>> From: Scott Mayo [mailto:sgmayo@mail.bloomfield.k12.mo.us]
>> Sent: Friday, December 02, 2005 6:11 AM
>> To: squid
>> Subject: [squid-users] max_user_ip
>>
>>
>> If I want to make it to where each user can only be logged onto the
>> internet from one workstation at a time, do I need to add:
>>
>> acl <domainusers> max_user_ip -s 1
>>
>> Is there anything else I need to change, like the authenticate_ttl?
>> If so what should I set that to? If I set the authenticate_ttl to
>> something like 5 hours, that just means that squid will keep the
>> authentication for 5 hours when they are still logged onto the
>> internet correct? If they actually close the web browser, they could
>> go directly to another machine or open the browser back up on this
>> machine and get back on, they would not have to wait 5 hours would
>> they? If I read this correctly, then the 5 hours is just alive as
>> long as that one instance of the web browser is open..or until the 5
>> hours is up.
>>
>> Thanks.
>>
>> -- Scott Mayo
>
> I'll quote squid.conf.default here as I think it lays it out pretty
> clearly:
>
> # acl aclname max_user_ip [-s] number
> # # This will be matched when the user attempts to log in from more
> # # than <number> different ip addresses. The authenticate_ip_ttl
> # # parameter controls the timeout on the ip entries.
>
> and
>
> # TAG: authenticate_ip_ttl
> # If you use proxy authentication and the 'max_user_ip' ACL, this
> # directive controls how long Squid remembers the IP addresses
> # associated with each user. Use a small value (e.g., 60 seconds) if
> # your users might change addresses quickly, as is the case with
> # dialups. You might be safe using a larger value (e.g., 2 hours) in a
> # corporate LAN environment with relatively static address assignments.
>
> and
>
> # TAG: authenticate_ttl
> # The time a user & their credentials stay in the logged in user cache
> # since their last request. When the garbage interval passes, all user
> # credentials that have passed their TTL are removed from memory.
>
> If your authentication mechanism is slow, bump up the authenticate_ttl.
> If your users hop computers often, keep authenticate_ip_ttl low.
>
> Chris
>

This is what I had been reading. So from what it says, they will not be
able to open a 2nd browser until the authenticate_ttl is up. That kind of
makes things tough, if it is set to so many hours, then they cannot open a
2nd browser up for quite a while once the 1st is closed, but if I set it
very low, then they could just be opening browsers up all over the place
(which is what I am trying to avoid).

It looks like it should clear the cache out as soon as they log off
the browser and reset the ttl. I guess that is more what I am wanting to
do. I'll go back through the squid.conf to see if I can find a way to do
that.

Thanks.
Scott
Received on Fri Dec 02 2005 - 13:14:38 MST
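
The three directives quoted from squid.conf.default in this thread, put together in one squid.conf fragment. This is an added example, not configuration posted by anyone in the thread; the helper path, password file, ACL names and TTL values are assumptions chosen for illustration.

```conf
# Added example. Helper path, password file, ACL names and TTL values are
# assumptions; substitute the authentication helper your site actually uses.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm proxy

# How long a user's validated credentials stay in the logged-in user cache
# since their last request. Raise it if the authentication backend is slow.
authenticate_ttl 1 hour

# How long Squid remembers the IP addresses associated with each user.
# This is the timeout that max_user_ip counts against.
authenticate_ip_ttl 60 seconds

# Every request must carry valid proxy credentials.
acl domainusers proxy_auth REQUIRED

# Matches when an authenticated user is seen from more than 1 address within
# authenticate_ip_ttl. -s rejects any further addresses once the limit is hit.
acl one_ip_per_user max_user_ip -s 1

# Order matters: authenticate first so the user name is known, then apply
# the per-user address limit, then allow.
http_access deny !domainusers
http_access deny one_ip_per_user
http_access allow domainusers
http_access deny all
```

Run `squid -k parse` to check the file before applying it with `squid -k reconfigure`.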
