RE: [squid-users] max_user_ip

From: Chris Robertson <crobertson@dont-contact.us>
Date: Fri, 2 Dec 2005 08:47:06 -0900

> -----Original Message-----
> From: Scott Mayo [mailto:sgmayo@mail.bloomfield.k12.mo.us]
> Sent: Friday, December 02, 2005 6:11 AM
> To: squid
> Subject: [squid-users] max_user_ip
>
>
> If I want to make it to where each user can only be logged onto the
> internet from one workstation at a time, do I need to add:
>
> acl <domainusers> max_user_ip -s 1
>
> Is there anything else I need to change, like the athenticate_ttl?
> If so what should I set that to? If I set the authenticate_ttl to
> something like 5 hours, that just means that squid will keep the
> authentication for 5 hours when they are still logged onto the
> internet correct? If they actually close the web browser, they could
> go directly to another machine or open the browser back up on this
> machine and get back on, they would not have to wait 5 hours would
> they? If I read this correctly, then the 5 hours is just alive as
> along as that one instance of the web browser is open..or until the 5
> hours is up.
>
> Thanks.
>
> -- Scott Mayo

I'll quote squid.conf.default here as I think it lays it out pretty clearly:

# acl aclname max_user_ip [-s] number
# # This will be matched when the user attempts to log in from more
# # than <number> different ip addresses. The authenticate_ip_ttl
# # parameter controls the timeout on the ip entries.

and

# TAG: authenticate_ip_ttl
# If you use proxy authentication and the 'max_user_ip' ACL, this
# directive controls how long Squid remembers the IP addresses
# associated with each user. Use a small value (e.g., 60 seconds) if
# your users might change addresses quickly, as is the case with
# dialups. You might be safe using a larger value (e.g., 2 hours) in a
# corporate LAN environment with relatively static address assignments.

and

# TAG: authenticate_ttl
# The time a user & their credentials stay in the logged in user cache
# since their last request. When the garbage interval passes, all user
# credentials that have passed their TTL are removed from memory.

If your authentication mechanism is slow, bump up the authenticate_ttl. If your users hop computers often, keep authenticate_ip_tll low.

Chris
Received on Fri Dec 02 2005 - 10:47:11 MST

This archive was generated by hypermail pre-2.1.9 : Sat Dec 31 2005 - 12:00:02 MST