maximum number of connections Squid

traffic-shaping squid connections network-management

I have a Squid proxy server that controls all internet traffic for my network.

I need a way to stop users from downloading big files (say >50MB) in my network. I banned some famous ports (e.g. torrent) but some downloads are possible by HTTP port. Obviously I cannot ban port 80!

A simple solution is limiting maxmimum number of the simultaneous connections for each IP (e.g. 3 connections). It's possible in Squid with this config:

acl ACCOUNTSDEPT 192.168.5.0/24
acl limitusercon maxconn 3
http_access deny ACCOUNTSDEPT limitusercon

But this solution has really bad impact in web browsing, because any smart browser get different parts of a website by several connections simultaneously to speedup web browsing. But if we have a maximum number of connections, the browsers will fail to get some parts and the website will be shown partially and some parts/images/frames will not be shown.

So, can we limit maximum number of persist connections? I think this policy will works: Specify Maximum number of connections that is alive for 10 seconds But Number of simultaneous connections for every IP is unlimited

But how can we implement this policy when Squid? With which config?

UPDATE:

artifex and Tom Newton offered using a bandwidth-limiting approach to fight against downloaders.

But bandwidth-limiting in Squid has a shortcoming: It's static and cannot dynamically change. So a person has a limited bandwidth not matter how many people are using internet (maybe nobody!)

Also, this solution cannot help to stop people from downloading. They still can download but in a lower speed.

But if we find a way to terminate persist connections (or any connection that is alive more than a specific time), downloading big files will be almost impossible (always there is some way!)


Solution 1:

This wont solve the problem the way you purpose. But in a different way, limiting each host to a certain bandwith (not per request, but per host)

example taken from http://wiki.squid-cache.org/Features/DelayPools

acl only128kusers src 192.168.1.0/24
delay_pools 1
delay_class 1 3
delay_access 1 allow only128kusers
delay_access 1 deny all
delay_parameters 1 64000/64000 -1/-1 16000/64000

this specify that all clients have 512kbits to share but a single ip can only use 128kbits.

note that the values for delay_parameters above are in BYTES and not BITS.

Related

Replace 2000 domain controller
Can haproxy load-balance by referrer URL? (filtering a Slashdot scenario)
followsymlinks on apache why is it a security risk
Decent 1gb switch (16-24 port) for rack
Display the number of I/O to disk (reads/writes) since the last boot on CentOS
Apache memory issues
Nginx - basic http authentication on PHP-script
Port forwarding to virtual machine
Exclude a specific query parameter from being logged in Nginx?
CentOS 7 ISO Kickstart Installation - "Pane is dead"
Is it possible to use WPA Enterprise Mode without having to use or issue certificates?
Is KVM stable enough for production use in 2011?