[squid-users] Re: maxconn acl with acl_uses_indirect_client

From: Oguz Yilmaz <oguzyilmazlist_at_gmail.com>
Date: Fri, 28 Jan 2011 14:57:25 +0200

I think I have found client_db.
It verifies that client_db includes the "client address", not the "indirect
client address", even if "acl_uses_indirect_client=on":

 mgr:client_list

HTTP/1.0 200 OK
Server: squid/3.1.9
Mime-Version: 1.0
Date: Fri, 28 Jan 2011 12:57:35 GMT
Content-Type: text/plain
Expires: Fri, 28 Jan 2011 12:57:35 GMT
Last-Modified: Fri, 28 Jan 2011 12:57:35 GMT
X-Cache: MISS from localhost.localdomain
X-Cache-Lookup: MISS from localhost.localdomain:3129
Via: 1.0 localhost.localdomain (squid/3.1.9)
Connection: close

Cache Clients:
Address: 127.0.0.1
Name: localhost.localdomain
Currently established connections: 36
    ICP Requests 0
    HTTP Requests 217
        TCP_MISS 216 100%
        TCP_DENIED 1 0%

TOTALS
ICP : 0 Queries, 0 Hits ( 0%)
HTTP: 217 Requests, 0 Hits ( 0%)

Squid is (squid/3.1.9)
The previous proxy is Dansguardian, and users have the dansguardian port
in their proxy configuration.

--
Oguz YILMAZ

On Fri, Jan 28, 2011 at 2:52 PM, Oguz Yilmaz <oguzyilmazlist_at_gmail.com> wrote:
> To sum up, I think maxconn acl directive does not rely on indirect
> client addresses in case of "acl_uses_indirect_client=on".
>
>
> follow_x_forwarded_for allow all
> acl_uses_indirect_client on
> client_db on
> acl maxconn-per-client maxconn 2
> acl client-192.168.0.1 src 192.168.0.1/32
> http_access deny maxconn-per-client client-192.168.0.1
>
>
> In such a configuration, when I debug squid through cache.log, it returns
> true for 192.168.0.1 (that is acl_uses_indirect_client works), but
> never returns "acl maxconn-per-client maxconn 2" true even when it
> should.
>
> To attest I added "client_ip_max_connections 2" just after "client_db on" line.
>
> In the log I see
>
> 2011/01/28 14:44:41| WARNING: 127.0.0.1:35383 attempting more than 2
> connections.
> 2011/01/28 14:44:41| httpAccept: FD 13: accept failure: (0) Success
>
> To attest I get mgr:info
>        Number of clients accessing cache:      1
> (network is about 25 PCs)
>
> This makes me think, that client_db has client information as
> 127.0.0.1 previous proxy IP even if I enabled
> acl_uses_indirect_client.
>
> 1- Is it true?
> 2- How can I see the client_db database?
> 3- How can I apply per "indirect client" connection limiting in squid?
>
>
> Note:
> This configuration correctly works for indirect client ip address. So
> I assume "acl_uses_indirect_client on" is working.
> follow_x_forwarded_for allow all
> acl_uses_indirect_client on
> client_db on
> acl oguz src 192.168.0.170/255.255.255.255
> tcp_outgoing_address 172.16.1.1 oguz
>
> Best Regards,
>
> --
> Oguz YILMAZ
>
Received on Fri Jan 28 2011 - 12:57:53 MST
