I have a Squid proxy server that controls all internet traffic for my network.

I need a way to stop users from downloading big files (say >50MB) on my network. I have banned some well-known ports (e.g. torrent), but some downloads are still possible over the HTTP port. Obviously I cannot ban port 80!

A simple solution is limiting the maximum number of simultaneous connections for each IP (e.g. 3 connections). It's possible in Squid with this config:

# the "src" ACL type is required; without it Squid rejects the acl line
acl ACCOUNTSDEPT src 192.168.5.0/24
# maxconn matches once a client IP already has more than 3 open connections
acl limitusercon maxconn 3
http_access deny ACCOUNTSDEPT limitusercon

But this solution has a really bad impact on web browsing, because any smart browser fetches different parts of a website over several simultaneous connections to speed up browsing. If we cap the number of connections, the browser will fail to get some parts and the website will be shown only partially; some parts/images/frames will not be shown.

So, can we limit the maximum number of persistent connections? I think this policy will work: specify a maximum number of connections that stay alive for more than 10 seconds, but leave the number of simultaneous connections per IP unlimited.

But how can we implement this policy in Squid? With which config?

UPDATE:

artifex and Tom Newton suggested a bandwidth-limiting approach to fight downloaders.

But bandwidth limiting in Squid has a shortcoming: it's static and cannot change dynamically. So a person has limited bandwidth no matter how many people are using the internet (maybe nobody!).

Also, this solution cannot stop people from downloading. They can still download, just at a lower speed.

But if we find a way to terminate persistent connections (or any connection that has been alive for more than a specific time), downloading big files will be almost impossible (there is always some way!).
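
The policy described above ("a connection alive for more than 10 seconds, or a body above the size limit, is a download") can at least be checked after the fact against Squid's access.log. The script below is an added example, not part of the original question or of Squid itself: it parses records in Squid's native log format (timestamp, elapsed milliseconds, client IP, result/status, reply bytes, method, URL, ...) and flags transfers that exceed a duration or size threshold. The log lines are constructed for the example, and the thresholds (10 s, 50 MB) are taken from the question. Note that the elapsed field is only written when the transfer finishes, so this detects downloaders; it does not terminate their connections.

```python
"""Flag Squid clients whose individual HTTP transfers ran longer than a time
threshold or moved more than a size threshold.

Input: access.log lines in Squid's native format, one record per line:
  timestamp elapsed_ms client result/status bytes method URL ident hierarchy/peer type
"""
from collections import defaultdict

# Constructed sample log (not a real capture): three ordinary page-load
# requests from one host, and one 70 MB download from another host whose
# connection stayed open for about six minutes.
SAMPLE_LOG = """\
1458254350.123     412 192.168.5.17 TCP_MISS/200 18342 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1458254350.611     205 192.168.5.17 TCP_HIT/200 5120 GET http://example.com/logo.png - HIER_NONE/- image/png
1458254720.004  362115 192.168.5.23 TCP_MISS/200 73400320 GET http://example.com/big.iso - HIER_DIRECT/93.184.216.34 application/octet-stream
1458254721.990     150 192.168.5.17 TCP_MISS/304 320 GET http://example.com/style.css - HIER_DIRECT/93.184.216.34 text/css
"""


def parse_line(line):
    """Parse one native-format record; return None for blank or malformed lines."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        return {
            "time": float(fields[0]),
            "elapsed_s": int(fields[1]) / 1000.0,  # Squid logs milliseconds
            "client": fields[2],
            "status": fields[3],
            "bytes": int(fields[4]),
            "method": fields[5],
            "url": fields[6],
        }
    except ValueError:
        return None


def flag_transfers(log_text, max_seconds=10.0, max_bytes=50 * 1024 * 1024):
    """Return the records that exceed either threshold (the question's policy
    expressed as an offline check over completed transfers)."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["elapsed_s"] > max_seconds or rec["bytes"] > max_bytes:
            flagged.append(rec)
    return flagged


def bytes_per_client(log_text):
    """Total reply bytes per client IP, useful for spotting heavy downloaders
    that stay under the per-transfer thresholds by splitting files."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            totals[rec["client"]] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for rec in flag_transfers(SAMPLE_LOG):
        print("%s pulled %d bytes in %.1f s from %s"
              % (rec["client"], rec["bytes"], rec["elapsed_s"], rec["url"]))
    for client, total in sorted(bytes_per_client(SAMPLE_LOG).items()):
        print("%s total %d bytes" % (client, total))
```

Feed it a real log with `flag_transfers(open("/var/log/squid/access.log").read())`; the per-client totals matter because the browser traffic the question wants to protect consists of many short, small transfers, whereas a downloader shows up as one long record or as a large total.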


Solution 1:

This won't solve the problem the way you propose, but it does in a different way: limiting each host to a certain bandwidth (not per request, but per host).

Example taken from http://wiki.squid-cache.org/Features/DelayPools

acl only128kusers src 192.168.1.0/24
delay_pools 1
# class 3: aggregate bucket, per-network (/24) bucket, per-host bucket
delay_class 1 3
delay_access 1 allow only128kusers
delay_access 1 deny all
# aggregate restore/max, network restore/max, individual restore/max
# -1/-1 means that level is not limited
delay_parameters 1 64000/64000 -1/-1 16000/64000

This specifies that all clients have 512 kbit/s to share, but a single IP can only use 128 kbit/s.

Note that the values for delay_parameters above are in BYTES per second (restore rate) and BYTES (bucket maximum), not bits.
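
To see what those numbers do to each host, the simulation below (an added example, not code from the answer or from Squid) models the class 3 pool as token buckets: an aggregate bucket refilled at 64000 bytes/s with a 64000-byte maximum, and one individual bucket per host refilled at 16000 bytes/s with a 64000-byte maximum, the network level being unlimited (-1/-1). It assumes every host is downloading as fast as it can, that buckets start full (Squid's `delay_initial_bucket_level` default is different; this is a simplification), and that the aggregate is split evenly among hosts that still want data. Squid's real scheduler decrements buckets per read and is not exactly fair, so the steady-state figures are illustrative.

```python
"""Token-bucket model of a Squid class 3 delay pool with the answer's
parameters, showing the per-host steady-state rate as the number of
saturating hosts grows."""

# delay_parameters 1 64000/64000 -1/-1 16000/64000  (restore bytes/s, max bytes)
AGGREGATE = (64000, 64000)
NETWORK = (-1, -1)          # unlimited at the /24 level
INDIVIDUAL = (16000, 64000)


class TokenBucket:
    """A bucket refilled by `restore` bytes each second, capped at `maximum`.
    restore == -1 models Squid's -1/-1 "no limit" setting."""

    def __init__(self, restore, maximum):
        self.restore = restore
        self.maximum = maximum
        self.level = maximum if restore >= 0 else float("inf")  # assumed: starts full

    def refill(self):
        if self.restore >= 0:
            self.level = min(self.maximum, self.level + self.restore)

    def available(self):
        return self.level

    def take(self, n):
        if self.restore >= 0:
            self.level -= n


def water_fill(wants, total):
    """Split `total` evenly among demands without giving anyone more than it
    wants; unused share is redistributed to the others."""
    alloc = [0.0] * len(wants)
    remaining = total
    pending = [i for i, w in enumerate(wants) if w > 0]
    while pending and remaining > 1e-9:
        share = remaining / len(pending)
        still = []
        for i in pending:
            give = min(share, wants[i] - alloc[i])
            alloc[i] += give
            remaining -= give
            if wants[i] - alloc[i] > 1e-9:
                still.append(i)
        pending = still
    return alloc


def simulate(n_clients, seconds, demand=10_000_000):
    """Return per-second allocations (list of lists, bytes per client) for
    n_clients that each want `demand` bytes every second."""
    aggregate = TokenBucket(*AGGREGATE)
    network = TokenBucket(*NETWORK)
    individuals = [TokenBucket(*INDIVIDUAL) for _ in range(n_clients)]
    history = []
    for _ in range(seconds):
        for b in (aggregate, network, *individuals):
            b.refill()
        wants = [min(demand, b.available()) for b in individuals]
        # the aggregate and network levels both bound the total per second
        total = min(aggregate.available(), network.available())
        alloc = water_fill(wants, total)
        for b, n in zip(individuals, alloc):
            b.take(n)
        aggregate.take(sum(alloc))
        network.take(sum(alloc))
        history.append(alloc)
    return history


def steady_state_rate(n_clients, seconds=30):
    """Bytes/s one host gets once the initial bucket burst is spent."""
    return simulate(n_clients, seconds)[-1][0]


def to_kbit(bytes_per_second):
    return bytes_per_second * 8 / 1000.0


if __name__ == "__main__":
    for n in (1, 4, 8):
        rate = steady_state_rate(n)
        print("%d saturating host(s): %6.0f bytes/s = %5.1f kbit/s each"
              % (n, rate, to_kbit(rate)))
```

The output illustrates the shortcoming raised in the question's update: one host alone still gets only 16000 bytes/s (128 kbit/s) even though the 512 kbit/s aggregate is idle, while with eight hosts the aggregate becomes the limit and each drops to 8000 bytes/s; a download is slowed, never refused.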