Download limits in Squid3
 

Hi..everybody,
I am running squid-3.1.11 on ubuntu 11.04 as transparent proxy. I need rules in which there is no restrictions in size for some authorized PCs even during office hours and there is no restrictions in size to others after office hours. First I tried
This is restricting also authorized IPs while downloading who are already able to access restricted sites. Then I commented out above rule and tried
Now none of sites(even google) are opening from the clients. So please help me to add rules to restrict downloads to everyone apart from some authorized IPs which is more than 100 MB.

try this

if you want to give access to few machines you can use their MAC address
or their IP address

Hi..Deepak, Thanks for the reply.
If I put above rule, now everyone is able to download even large files and there is no limitation to any of the user.
I don't want this, I want 2 rules
1) I want to allow download upto only 100 MB for everyone during 9AM to 6PM. After 6PM to 9AM everyone should be able download large files even it is more than 100MB in size.
2) There should not be any download limitation for some authorized PCs even during office hours and these authorized PCs should be able to download even more than 100MB files at any time.
If I try this below
restarted the service and got this error
I also tried deny instead of allow, but still none of the sites are opening from the clients. Then I tried
Now time and auth_IP rule is not applied and everyone including auth_IP is able to download upto only 100 MB at anytime.
So please help me to add 2 rules that I have requested in the beginning.

for business hours, users will have 100 MB download limit and important users will have full access to download

^^^^^if the given syntax doesn't works or returns with error then try 100 MB instead of 104857600

for non business hours no download limit

^^^^^if the given syntax doesn't works or returns with error then try 0 instead of none
users having access

Thanks for the reply deepak,
The above rule are not applying and I am getting the error as below
The problem is, none of the rule is applying with reply_body_max_size line. If we add as only
then the rule can apply but it is affecting to all including important users for all time.
So I also tried by putting "!imp_users", 100 MB instead of 104857600, 0 instead of none. but none of the rule is applying. I request you to check it once with squid-3.1.11 and please let me know if those two rules are applying in your machine.

sorry for replying late, I was on leave from office

You can try the following syntax as the mistake is again mine
I never checked your distro as the syntax which I was using works on RHEL

In ubuntu allow syntax is not recognized as you can see the error by yourself
try this

go through this tutorial for squid download size limiting...
http://servercomputing.blogspot.com/...xy-server.html

Hi..Deepak,
Thanks a lot. The above rules are working fine. I tried also with a file and mentioned imp_users IPs. Now those imp_users IPs which are listed in /etc/squid3/.imp_users file can download unlimited size at any time while others can only upto 100 MB during office hours. After office hours others also can download unlimited size. This is what I had expected from Linux guru's. Thanks Deepak.

But still others can download using https while getting error for http using same url even it is more than 100 MB and also even I have prevented some suffixes in a file like this in squid.conf.
and so on
For example others are prevented from download with "http://ftp-stud.hs-esslingen.de/pub/Mirrors/ftp.openoffice.org/stable/3.3.0/OOo_3.3.0_Linux_x86_install-rpm-wJRE_en-US.tar.gz"
but they can download with "https://ftp-stud.hs-esslingen.de/pub/Mirrors/ftp.openoffice.org/stable/3.3.0/OOo_3.3.0_Linux_x86_install-rpm-wJRE_en-US.tar.gz"
So it would be much better if you could post a rule to prevent downloads using https which is more than 100 MB and prevented during office hours.
I will be waiting for your kind reply

Once again thank you very much.:)

Hi..Thank you very much linuxmen.
This site is very useful. I could prevent youtube videos for unauthorized users during office hours. But not with metacafe.com. Could you please guide me or send me an url by which I will be able to prevent other site's flash videos.

I added rule to block https://facebook.com using
But only windows machines never get connects to https://facebook.com while linux machine can, amazing....!!!?
I also added
But still it has blocked for only window machines, not to linux machines.
So could you please help me in this to block https://facebook.com

Even I was new to this problem which you mentioned.

I never noticed that squid was only blocking http and allowing https

I don't know if this would be helpful as it works in my machine
you can block the access to port 443 which is for ssl during office hours.
i.e give the access to http and https only to important users and deny to all others and after office hours everyone will have full access

don't forget to comment this line in squid.conf
to block downloads with following extensions you can also try this

Hi..Deepak, Thanks for the reply
Now the above rules are working fine and no one can download the file which is more than 100 mb apart from imp_users, but only if the users goes with browser settings and none of the https sites will open in browser settings with above rule. Fine, but I am using transparent mode with squid3.*, so still the users can download the files using https. Anyway at last you helped me for those two rules that I had requested in the beginning. Thank you very much Deepak.

hey really glad to help

can you help me with configuring squid as transparent proxy because sometimes I face problem with that in my machine RHEL 5.2

what are the steps needed to be followed for transparent proxy?

Hi..Deepak me too glad to help.
I followed this link. I just copied the script and executed.
Here is the my configuration
I hope, I don't want to explain with configuration files under /etc/bind directory. Because I know that you are already an expert in DNS configuration.
I just changed the server IP in script as 192.168.0.1 because I have given in squid.conf file as
acl my_lan src 192.168.0.1/24. I executed the script now everything ftp, mail clients and all working fine. I went for transparent mode because I struggled a lot to enable mail client access with IPTable rules. If the mail clients are working fine for you please help me how to with IPTable rules in non transparent mode.
In RedHat based O/S for transparent mode you have to put these 4 lines
I have tried in ubuntu-11.04/11.10 without above 4 rules, the users are able to access internet without browser settings. I think in centO/S-6 also you are not required above 4 rules. I am not sure in this. But make sure the line as below in squid.conf file
Please find my squid.conf file which is in attachment which is working fine including mail client, ftp access. This attachment from ubuntu-11.10. And please let me know if it is possible to enable access to mail clients with non transparent mode.

Thanks for your help I will try your suggestion, as these for my personal practice so once I am through with my work I'll give a update
:)

I am quite confused with the term mail client+squid

by mail client do you mean outlook, Thunderbird ?

do you face problem using these mail clients with non transparent squid ?
if you can tell me where you face errors or what sort of errors as I had connected thunderbird with my sendmail and was working fine but no idea about using squid and mail clients

If you can be little more specific I might help:)

Yes, mail client is nothing but thunderbird and outlook only. This will be working fine because of nat configuration for transparent mode. For example if I configure my gmail account with tunderbird/outlook while I am on transparent mode, I will be able to send/receive mails.
But I am not able send/recieve while I am on non transparent mode. Just think, for non transparent I'll just install squid and configure the squid.conf file and doing nothing with IPTable rules and the client machine can access internet only then if they configure browser settings. But in this condition the mail client does not work. I request you to check it once by configuring your gmail/yahoomail account with thunderbir/outlook without trasparent mode. If you are able send/receive mails then please let me know that how you could do it.
As I found in the google search there is nothing to do with squid.conf for mail client access since squid does not proxy pop3, imap and smtp. So I think these protocol should masquerade in the nat table. But I dont have much experience with IPTable rules. I need such setup that the client machine can access internet only then if they configure browser settings, and also mail client should works fine. I will be waiting for your kind reply.